Thanks a lot, it worked. Adding to that, I'm passing two values from the lookup as below; if both hosts' event count is zero then I need the result to display the host names which are being passed from the lookup. Can you help me here?
This is still not working. Data count is not matching. Can you confirm the complete query again:
index=index host=server source="/UploadEmblinks/Uploadlinks.csv"
| rex "^\"(?<filenames>[^\"]*)\"\,\"(?<url>[^\"]*)\""
| eval filenames=split(_raw,"")
| mvexpand filenames
| rex field=filenames "\"(?<file>[^\"]+)\",\"(?<url>[^\"]+)\""
First, a table "row" in CSV is not defined by linefeed in the document. If some of your ingested CSV events do not contain CSV header, you need to focus on fixing the ingestion linebreaker problem. No amount of regex can save broken ingestion and corrupt raw events.
OK, it looks like all your data is in _raw?
| eval filenames=split(_raw,"
")
| mvexpand filenames
| rex field=filenames "\"(?<file>[^\"]+)\",\"(?<url>[^\"]+)\""
Thanks for the response @ITWhisperer. It helps to add the value of the schedule in the HTML header, but it also shows the result in the panel. Can we hide/remove the panel with the value of the field Schedule? Current code:
<row>
<panel>
<html>
<div style="display:inline-block;text-align:right;font-style:bold;color:white;font-size:100%">$schedule$</div>
</html>
</panel>
</row>
<row>
<panel>
<table>
<search>
<query>| inputlookup T2S-PPE-Calendar.csv | eval today = strftime(now(), "%d/%m/%Y") | where DATE = today | eval Schedule = Schedule." (".today.") in PPE" | fields Schedule</query>
<earliest>1722776400.000</earliest>
<latest>1722865326.000</latest>
<sampleRatio>1</sampleRatio>
<done>
<set token="schedule">$result.Schedule$</set>
</done>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
Okay, let me show the exact requirement. If you look at the events below (this data is coming from CSV data), the 1st event has multiple CSV lines, which is creating confusion when counting the data. These multiple rows are counted as one event, which is not the case. But if you look at the second event, it has one row with filename and link. I need to separate the 1st event (which has multiple lines) into separate events and then use the table command to list the data in the dashboard. When I am running the regex it shows 24000 records, but in the CSV the line count is more than 200000, which is not matching. Not sure why Splunk is reading multiple rows into 1 event. Hope this helps.
I am looking for a custom index in Splunk, not the audit index used in the choice.
I have extracted the idx/st using rex in the 3rd line of my query, so I need to select either index=aws or sourcetype=aws;cloud in the checkbox.
<form theme="light">
<label>Logical Test</label>
<fieldset submitButton="true" autoRun="false">
<input type="multiselect" token="index">
<label>Index</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>index_name</fieldForLabel>
<fieldForValue>index_name</fieldForValue>
<search>
<query>| REST /services/data/indexes |dedup title | rename title as index_name | table "index_name"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<delimiter>","</delimiter>
<initialValue>*</initialValue>
</input>
<input type="multiselect" token="sourcetype_name">
<label>Sourcetype</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>sourcetype_name</fieldForLabel>
<fieldForValue>sourcetype_name</fieldForValue>
<search>
<query>| tstats count WHERE index IN ("$index$") by sourcetype | rename sourcetype as sourcetype_name</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<delimiter>","</delimiter>
<initialValue>*</initialValue>
</input>
<input type="checkbox" token="field3">
<label>Logical</label>
<choice value="index_name=index AND sourcetype_name=sourcetype">Index AND Sourcetype</choice>
<choice value="index_name=index OR sourcetype_name=sourcetype">Index OR Sourcetype</choice>
<delimiter> </delimiter>
</input>
<input type="time" token="field1">
<label>Time</label>
<default>
<earliest>-4h@m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Search</title>
<table>
<search>
<progress>
<set token="adhoc"></set>
</progress>
<query>index=_audit sourcetype=audittrail info!=granted provenance="UI:Search"
| rex field=_raw "search=\'(?<search>.*)\',"
| rex field=search max_match=0 "[\w^]*index=\s*\"*(?<index_name>[^\s\"]+)"
| rex field=search max_match=0 "sourcetype=[\"]?(?<sourcetype_name>[\S]+)"
| where isnotnull(search)
| search $field3$
| rename info as Completion
| table _time index_name sourcetype_name search, user
| rename user as "accessed by"</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">5</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">none</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="number" field="time_ago(seconds)">
<option name="precision">0</option>
</format>
<format type="number" field="seconds_ago">
<option name="precision">0</option>
</format>
<format type="number" field="exec_time">
<option name="precision">0</option>
</format>
<format type="number" field="search_lt">
<option name="precision">0</option>
</format>
<format type="number" field="search_et">
<option name="precision">0</option>
<option name="useThousandSeparators">false</option>
</format>
</table>
</panel>
</row>
</form>
It depends on what your events look like, i.e. what the fields are called and what is in them. You should give more accurate information, as I don't have access to your data and only know what you have shared so far.
Try something like this
<row>
<panel>
<html>
<div style="text-align:center;font-style:bold;color:blue;font-size:150%">Report : <div style="display:inline-block;text-align:center;font-style:bold;colo...
@ITWhisperer,
As you are suggesting, I am using:
index=indexname host=server source="/SEM/Emblinksautomation/UploadEmblinks/Uploadlinks.csv"
| rex "^\"(?<filename>[^\"]*)\"\,\"(?<url>[^\"]*)\""
| eval filename=split(filename,"")
| mvexpand filename
| rex field=filename "\"(?<file>[^\"]+)\",\"(?<url>[^\"]+)\""
Assuming the filenames are in a field called filenames, you could try this
| eval filenames=split(filenames,"
")
| mvexpand filenames
| rex field=filenames "\"(?<file>[^\"]+)\",\"(?<url>[^\"]+)\""
@ITWhisperer, currently the CSV raw data is reflected in Splunk as shown below. If you notice, the event at 2:48:32.000 AM has multiple CSV lines, which is causing confusion. I am looking for Splunk output as in the 2:49:30.000 AM and 2:50:30.000 AM events. Hope this helps.
8/5/24 2:48:32.000 AM
"filename_Time15151515.html","http://testdata1.html"
"filename_Time15151515.html","http://testdata2.gif"
"filename_Time15151515.html",""http://testdata3.doc"
"filename_Time15151515.html",""http://testdata4.xls"
"filename_Time15151515.html",""http://testdata5.aspx"
2:49:30.000 AM
"filename_Time15151515.html",""http://testtest.aspx"
2:50:30.000 AM
"filename_Time46657555.html",""http://tessttestsest.aspx"
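Added example, not from the thread or from Splunk: a Python emulation of the split/mvexpand/rex pipeline suggested above, run over a constructed copy of the sample events pasted in this post. It shows one reason the row count comes out low: lines carrying the doubled quote (`""http://`) never match the rex pattern, so their file/url fields stay null, and it compares that with a tolerant pattern and with counting events versus rows.

```python
import re

# Constructed sample, copied from the raw data pasted in the thread: the first
# event holds five CSV rows ingested as one event, the other two hold one row each.
EVENTS = [
    '"filename_Time15151515.html","http://testdata1.html"\n'
    '"filename_Time15151515.html","http://testdata2.gif"\n'
    '"filename_Time15151515.html",""http://testdata3.doc"\n'
    '"filename_Time15151515.html",""http://testdata4.xls"\n'
    '"filename_Time15151515.html",""http://testdata5.aspx"',
    '"filename_Time15151515.html",""http://testtest.aspx"',
    '"filename_Time46657555.html",""http://tessttestsest.aspx"',
]

# Same pattern as the rex in the thread (Python named-group syntax).
ROW_RE = re.compile(r'"(?P<file>[^"]+)","(?P<url>[^"]+)"')
# Assumed tolerant variant: accepts one stray extra quote before the URL.
ROW_RE_LENIENT = re.compile(r'"(?P<file>[^"]+)",""?(?P<url>[^"]+)"')


def split_and_extract(events, pattern=ROW_RE):
    """Emulate `split(_raw, "<newline>") | mvexpand | rex field=...`.

    Returns (rows, unmatched): one dict per line the pattern matched, and the
    lines where rex would leave file/url null because the pattern did not match.
    """
    rows, unmatched = [], []
    for raw in events:
        for line in raw.split("\n"):      # mvexpand over the split values
            m = pattern.search(line)      # rex takes the first match in the line
            if m:
                rows.append(m.groupdict())
            else:
                unmatched.append(line)
    return rows, unmatched


def event_vs_row_counts(events):
    """(events as Splunk counts them, CSV rows actually present) to expose the gap."""
    rows = sum(len(raw.split("\n")) for raw in events)
    return len(events), rows


if __name__ == "__main__":
    good, bad = split_and_extract(EVENTS)
    print(f"strict pattern: {len(good)} rows extracted, {len(bad)} lines left null")
    for line in bad:
        print("  unmatched:", line)
    good, bad = split_and_extract(EVENTS, ROW_RE_LENIENT)
    print(f"lenient pattern: {len(good)} rows extracted, {len(bad)} lines left null")
    print("events vs rows:", event_vs_row_counts(EVENTS))
```

The strict pattern recovers only the two well-formed lines, so any later `stats count` or table built on `file`/`url` undercounts silently; check the unmatched lines before trusting the totals.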