Splunk Search

Splunk Citrix get-brokersession

kmm2
Path Finder

I have a PowerShell script running get-brokersession which then exports the results to a txt file. The file is then forwarded via the Universal Forwarder. I am trying to create a search that bases the output data on the session key. The Citrix add-on app is not allowed at our location.

0 Karma

kmm2
Path Finder

When we run get-brokersession we have a txt file with timestamps in the txt file for events. We cannot get the date and time to show up in Splunk. We can get date only or time only. When we try to do both, the parsed data stops at a line where a timestamp is located, with no output.

0 Karma

yuanliu
SplunkTrust

If your forwarder is not forwarding the complete file, there might be a problem with the line breaker. This has nothing to do with how to search. Getting Data In is a better forum.

0 Karma

kmm2
Path Finder

The forwarder is forwarding. The information is broken up in Splunk every time it comes across a line with a timestamp. Then a new field is created after the timestamp line until it hits another timestamp in the txt.

0 Karma

yuanliu
SplunkTrust

Let's get back to basics: When your events are broken, using search technique to cope is the last thing to consider.

Can you post sample raw file, the exact event contents Splunk receives, and your properties.conf stanza corresponding to this sourcetype?  Without data, volunteers have nothing to go on.

0 Karma

PickleRick
SplunkTrust

And your actual problem with this is...?

So far you told us what you're trying to do. OK, that's a sound approach if you can't use an app apparently containing some sort of scripted/modular input, you're spawning an external script preparing the data that you later ingest with monitor input from an intermediate file. Great.

Now how are we supposed to know what is in your data? And what is the desired result of your search?

Maybe for some very, very common types of data (like standard Windows event logs) one could expect a fairly common knowledge about them, but even then it's better to explicitly state your problem.

So - what _is_ your problem?

0 Karma

yuanliu
SplunkTrust

To post an answerable question in this forum, it is important to illustrate your input, e.g., raw events (anonymize as needed), illustrate/mock desired output, then explain the logic between illustrated input and desired output including any relevant available fields, data characteristics, etc.

From your description, all volunteers here get is that you have some file ingested via Universal Forwarder and your data contains some sort of session key. 

0 Karma

kmm2
Path Finder

Thanks for the reply

0 Karma

kmm2
Path Finder

Trying to update the props/transforms.conf so that I can create fields for the items listed on the left side of the image below.

FIELD_DELIMITER=:
FIELD_NAMES=myfield1,myfield2,myfield3,myfield4

This is what I am working with, and I have not had success.

[image: kmm2_0-1723042604402.png]

0 Karma
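An added example (not from the thread or from Splunk's own documentation) showing one way to get both the session blocks and the "Name : Value" fields out of this kind of file. The sourcetype names, the sample Format-List text and the PowerShell date format are assumptions; the point the thread is circling is that FIELD_DELIMITER/FIELD_NAMES are only honoured with INDEXED_EXTRACTIONS, so they cannot work on Format-List text, and that the default SHOULD_LINEMERGE behaviour is what splits the data at every timestamp line.

```ini
# Constructed sample of what the script's Format-List text looks like in the
# monitored file (assumption; real Get-BrokerSession output has more fields):
#
#   SessionKey   : 2f9c1b3e-0000-4000-8000-000000000001
#   SessionState : Active
#   StartTime    : 8/7/2024 9:15:32 AM
#   UserName     : CONTOSO\alice
#
#   SessionKey   : 2f9c1b3e-0000-4000-8000-000000000002
#   ...
# One session = one block; blocks are separated by a blank line.

# ---- props.conf (sourcetype name is an assumption) ----
[citrix:brokersession]
# Break events on the blank line between sessions instead of letting
# line-merging start a new event on every line that carries a timestamp.
SHOULD_LINEMERGE = false
LINE_BREAKER = (\r?\n\s*\r?\n)
# Take _time from the StartTime line only. The culture-dependent PowerShell
# format is assumed here; set TIME_FORMAT to whatever the file actually shows.
TIME_PREFIX = StartTime\s*:\s*
TIME_FORMAT = %m/%d/%Y %I:%M:%S %p
MAX_TIMESTAMP_LOOKAHEAD = 25
TRUNCATE = 10000
# Search-time extraction of every "Name : Value" line in the event.
REPORT-citrix_kv = citrix_brokersession_kv

# FIELD_DELIMITER / FIELD_NAMES (the settings in the post above) only apply
# together with INDEXED_EXTRACTIONS, so they do nothing for this text format.

# ---- transforms.conf ----
[citrix_brokersession_kv]
# Each line becomes field <left of colon> = <right of colon>.
REGEX = (?m)^\s*(\w+)\s*:\s*(.*?)\s*$
FORMAT = $1::$2
MV_ADD = true

# Alternative worth considering: have the script write Export-Csv output
# (with -NoTypeInformation) and let Splunk name the columns from the header.
# [citrix:brokersession:csv]
# INDEXED_EXTRACTIONS = csv
# TIMESTAMP_FIELDS = StartTime
# TIME_FORMAT = %m/%d/%Y %I:%M:%S %p
```

After a restart, a search such as `sourcetype=citrix:brokersession SessionKey=* | table _time SessionKey SessionState UserName` should return one row per session block.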