arrowecssupport's Posts


Getting the issue where we get all lines up to the match. So not just getting the 1 line I want but loads more.
If I run it under field extractor it doesn't show anything up.
My Splunk system is reading in logs as multi-line events, which is by design. So 1 event could have 300 lines or so. Here is an extract from that long log file of 3 HDDs, 1 of which is faulty.
15.5 : DRACKA z159_BHIFIJFOKFO xx01 5538.5GB 512B/sect (P78J4Dk)
15.6 : DRACKA z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (Failed)
15.7 : DRACKA z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (PJ5F4Dk)
I need a REX that will extract to a field ONLY the middle line. The REX will be used in field extractor. The extracted field could be called "failed_disk_error" and the result would be
15.6 : DRACKA z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (Failed)
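One way to check a single-line extraction like this outside Splunk, as an added example that is not from the thread: the pattern is written for Python's re module (Splunk's rex uses PCRE, where the named group is spelled (?<failed_disk_error>...)), and the event text is constructed from the three lines quoted above.

```python
import re
from typing import List, Optional

# Constructed sample event, reproducing the three lines quoted in the post.
# A real 300-line event behaves the same way: only lines containing
# "(Failed)" are captured.
SAMPLE_EVENT = (
    "15.5 : DRACKA z159_BHIFIJFOKFO xx01 5538.5GB 512B/sect (P78J4Dk)\n"
    "15.6 : DRACKA z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (Failed)\n"
    "15.7 : DRACKA z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (PJ5F4Dk)\n"
)

# (?m) makes ^ and $ anchor at line boundaries, and [^\r\n]* cannot cross a
# newline, which is what keeps the capture to the one line containing
# "(Failed)". In Splunk the same pattern is written with
# (?<failed_disk_error>...) instead of Python's (?P<...>) group syntax.
FAILED_LINE = re.compile(
    r"(?m)^(?P<failed_disk_error>[^\r\n]*\(Failed\)[^\r\n]*)$"
)


def extract_failed_disk_error(event: str) -> List[str]:
    """Return every line of a multi-line event that contains '(Failed)'."""
    return [m.group("failed_disk_error") for m in FAILED_LINE.finditer(event)]


def extract_up_to_failed(event: str) -> Optional[str]:
    """Contrast case (constructed, not the thread's exact pattern): a class
    such as [\\S\\s] that can cross newlines, with no line anchors, swallows
    everything from the start of the event up to '(Failed)'. This is the
    'all lines up to the match' symptom described in the post."""
    m = re.search(r"[\S\s]*\(Failed\)", event)
    return m.group(0) if m else None


if __name__ == "__main__":
    print(extract_failed_disk_error(SAMPLE_EVENT))
    print(repr(extract_up_to_failed(SAMPLE_EVENT)))
```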
Sorry, no, it doesn't return the right data. I simply need it so that when Splunk reads a multi-line event and finds (Failed), it extracts that single line as an extracted value.
I'm trying to use the rex in the field extraction. I just need to get the rex to work. I've done quite a few other extractions using this method, but this one I can't get my head around.
Thank you for the recommendation, but this doesn't return anything on my search.
Ah, I see what you've got there, but that's not what I'm after. So where the "event" has 3 lines I ONLY want line 2.
Are you actually running Check Point 4.0?
Sorry for the delay, I've been away. It still returns the full event, not just the line from the multi-line event.
Error in 'rex' command: Encountered the following error while compiling the regex '([\r\n])(?[\S\s](?=(Failed))': Regex: missing )
No, that has put all lines into 1 event. I only need the line the error is on.
afiojsdfiohsdfsdjsdfgiojsdfgoijsdfg
2. ohsdfouhsdfguohsdfg (Failed)
osdfhgiosdhfgohisdfgiohjasdfgi
So just the line in bold above.
It returns a tick on the extracted field, so I think it's picking up the (Failed) bit. But the value is still blank. Sorry.
It's a multi-line event from our logs, so it would be like this.
sdfiosdfjgiojsdf
dfosdogijsdfiojsdfg (Failed)
oisdjfgo[idjsfgoiiojsdfg
Extracted value = " 2. dfosdogijsdfiojsdfg (Failed)"
I'm using this in field extractor. It appears to select the full event, not just the line. Thanks for your effort.
So when I get an error with the message "(Failed)" I want the line to be added to an extracted field as a value.
9:0 : Item HAG123312 HH4A 400.0GB 512B/sect (Failed)
Any idea how to do the regular expression for this?
Where can I see the list of emails sent as a trigger action from an alert? Is this in the audit log or a log file on the CLI?
Scenario
We process emails looking for order numbers (ON). We need to be able to compare the order numbers we've seen in the emails to our database. We're looking for matching and not matching order numbers.
How the data looks:
ON_email: 123, 234, 345, 456
ON_database: 123, 098, 456
Order numbers that match (seen in both database and emails): 123, 456
Order numbers only seen in database: 098
Order numbers only seen in emails: 234, 345
index = a OR index = b | table ON_email ON_database << This works and shows all the data. But when I try to compare I can't see any data. Any ideas?
So I've got 2 different values I'm trying to use: letters & numbers. I want to be able to say: if letters = a, b or c & numbers = 1, 2 or 3
index = test letters = "a" OR letters = "b" OR letters = "c" AND numbers = "1" or numbers = "2" OR numbers = "3"
I don't think this is quite right. Any ideas?
From our data we end up with 2 different fields, v7serial & v8serial. I want to be able to feed this into a single serial, v78serial.
Example of data:
v7serial 987654321
v8serial 123456789
v78serial 123456789 987654321
I am trying
| eval v78serial= toString(v8serial) + ";" + toString(v7serial) | makemv delim=";" allserials | mvexpand v78serial | table v78serial
The problem is when I display this data or try to use this field I get "123456789;null". This is because the data has either a v7 or a v8 serial, never both. So where one field is Null, don't add it to the new field.
I had a problem with my email server