Splunk apps --> Splunk App for Lookup Editing --> select import file: while uploading the file, it is not uploading, and there is no error message. The screen still shows the same import popup options. Please guide me how to fix this issue.
Example using the makeresults command for the JSON data:

| makeresults
| eval json_data="{\"pyOptions\":{\"HasTelephonyPriv\":\"true\",\"isSnapshotOnly\":\"\",\"pyAutoLogin\":\"\",\"pyClientHandle\":\"HEWR40W8VLO39ZP5OVIBJKMZKEF8YETH5A\",\"pyDeviceState\":\"\",\"pyNumberOfLines\":\"3\",\"pyPegaCTIError\":\"\",\"pyTelephonyMode\":\"1\",\"pyThisPageAsJSON\":\"\",\"pyUserIdentifier\":\"user1234\",\"pyUserName\":\"\",\"pyUserPassword\":\"\",\"pyWorkMode\":\"Busy\",\"queue\":[\"\"]},\"pyPageExists\":\"false\",\"pyPort\":\"7017\",\"pyPresenceAgent\":\"H-GET\",\"pySelectedLinkName\":\"CHANNELSERVICES-ADMIN-CTILINK-LOCAL-JTAPI AVAYAPBX1\",\"pySSLProtocolVersion\":\"TLSv1.2\",\"pyStatusMessage\":\"Couldn't connect to server\",\"pyStatusValue\":\"Fail\",\"pySwitchType\":\"Avaya EAS CM\",\"pyVendor\":\"Avaya\",\"pyWorkgroupPhoneBook\":\"true\",\"pzInsKey\":\"CHANNELSERVICES-ADMIN-CTILINK-LOCAL-JTAPI AVAYAPBX1\",\"pzLoadTime\":\"May 3, 2024 9:00:35 AM CDT\",\"pzOriginalInstanceKey\":\"CHANNELSERVICES-ADMIN-CTILINK-LOCAL-JTAPI AVAYA-1\",\"pzPageNameBase\":\"D_CTILinkInfo\",\"LogoutReasonCodes\":[],\"NotReadyReasonCodes\":[],\"pyThisDN\":\"24181\",\"pyWorkMode\":\"Busy\"}"
``` pyOptions is an object, not an array, so the path uses a plain dot rather than the {} array notation ```
| eval pyUserIdentifier=spath(json_data,"pyOptions.pyUserIdentifier")
| eval pyStatusMessage=spath(json_data,"pyStatusMessage")
| stats count BY pyUserIdentifier,pyStatusMessage

If using the spath command, the data must be well-formatted as per standards: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Spath

If you are using indexed_extractions=JSON or KV_MODE=JSON in the props.conf file, then you don't need to use the spath command, as it auto-extracts the fields/values for you, and you can then use the stats command based on your fields. This is the preferred option. If you don't know what this is, speak to your Splunk Admin to onboard the JSON data correctly.
Hi @jason_hotchkiss,
instead of using static values, you could use a search like the following:

| makeresults
| eval my_field="MyValue1"
| append [ | makeresults | eval my_field="MyValue2" ]
| append [ | makeresults | eval my_field="MyValue3" ]
| sort my_field
| table my_field

In this way, you can use the field "my_field" as the values in the token.
Ciao,
Giuseppe
Hi @DilipKMondal,
please try something like this:

<your_search>
| spath
| rename pyOptions.pyUserIdentifier AS pyUserIdentifier pyOptions.pyStatusMessage AS pyStatusMessage
| stats count AS "Count of occurrences" BY pyUserIdentifier pyStatusMessage
| eval counter=1
| accum counter as "#"
| table "#" pyUserIdentifier pyStatusMessage "Count of occurrences"

Ciao,
Giuseppe
I'm starting to think that if the Windows HOST has the NetBIOS name then this is what you end up with in the Deployment Server HOST column, unless during install it doesn't have the FQDN name (+DNS). I know your searches are coming up with FQDN, so I'm stumped as to the hosts column not showing FQDN!

This setting will change the Client Name in Deployment Server from the GUID setting to the FQDN name, and allow filtering on FQDN:

deploymentclient.conf
[deployment-client]
clientName = FQDN

This setting will change the instance name in Deployment Server:

server.conf
serverName = FQDN
Normally we can pass parameters to a saved search in the args.* form, but how do we pass a parameter not starting with args., such as $host$? In SPL, savedsearch can pass the parameter correctly, but if I invoke the saved search dispatch action via the REST API, a parameter not starting with args. can't be accepted; it will return an error.

Sample saved search query with host as one of the parameters that I want to substitute at runtime:

index=fooindex sourcetype=foosourcetype host=$args.host$

Sample JS code to dispatch with argument substitution:

mySavedSearch.dispatch({"args.host": "foohost"}, function(err, job) {
    // callback body not included in the original post
});
Hello, @gcusello, thanks for the additional information. I tested this case in my lab environment and it worked! I just want to clarify some small details. I have added the maxQueueSize in the /SplunkUniversalForwarder/etc/apps/SplunkUniversalForwarder/local outputs.conf, as I had configured that file in that path before in order to send logs to Splunk, but I also found this article, Howto configure SPLUNK Universal Forwarder (kura2gurun.blogspot.com), where it says that we should configure the outputs.conf file located at /opt/splunkforwarder/etc/system/local/. Is there any impact or difference from my not configuring outputs.conf in that specific path, but instead in the one that I mentioned above?
Cheers,
SplunkyDiamond
Now you see the importance of illustrating data accurately. My earlier answer could only give you Channel because the only data snippet I could see has Channel. Now you can see that accountNumber is a subnode in REQUEST.body.customer, serialNumber is a subnode in REQUEST.body.equipment, while redemptionEquipmentMemory and transactionReferenceNumber are those in RESPONSE.body.model. Your initial data snippet already established that Channel is a subnode in REQUEST.headers. All this is to say that to write the correct SPL, you need to understand the data. Before trying to render results, use SPL to help analyze the data.

Now that you know where in the JSON structure each of those fields lies, you can just extract each node. But doing so usually is too laborious and not good for maintenance and enhancement. So I will give more flexible code:

index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
| spath input=REQUEST path=headers
| spath input=REQUEST path=body output=REQUEST
| spath input=RESPONSE path=body output=RESPONSE
| foreach headers REQUEST RESPONSE [spath input=<<FIELD>>]
```| spath input=RESPONSE path=headers.set-cookie{} | mvexpand headers.set-cookie{}```
| foreach customer equipment model [rename <<FIELD>>.* AS *]
| table accountNumber serialNumber Channel redemptionEquipmentMemory transactionReferenceNumber

This is an emulation of your sample data:

| makeresults
| eval _raw = "2024-05-02 23:40:22.000, ID=\"5e2276d3-7f02-7984-ad4b-e11507580872\", ACCOUNTID=\"5\", ACCOUNTNAME=\"prd\", APPLICATIONID=\"6\", APPLICATIONNAME=\"ws\", 
REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC00089571590\",\"lineNumber\":\"8604338\"},\"equipment\":{\"serialNumber\":\"359938615394762\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"WVMSKaul\",\"storeNumber\":\"WD227907\",\"dealerNumber\":\"2279\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"6\",\"Locale\":\"en-US\",\"TransactionID\":\"65E5519B-F170-4367-AA03-54A33BA29B4E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\", RESPONSE=\"{\"body\":{\"model\":{\"isRedeemed\":true,\"transactionReferenceNumber\":\"6200753992\",\"redeemType\":\"Original\",\"redemptionFailureReasonType\":null,\"redemptionEquipmentMake\":\"Samsung\",\"redemptionEquipmentModel\":\"Galaxy S21 FE 128GB Graphite\",\"redemptionEquipmentMemory\":\"128 GB\",\"committedPrice\":1,\"additionalFees\":0},\"code\":200,\"messages\":null,\"isSuccess\":true},\"headers\":{\"connection\":\"close\",\"content-type\":\"application/json;charset=utf-8\",\"set-cookie\":[\"AWSELB=B3A9CDE108B7A1C9F0AFA19D2F1D801BC5EA2DB758E049CA400C049FE7C310DF0BB906899FF431BCEF2EF75D94E40E95B107D7A5B122F6844BA88CEC0D864FC12E75279814;PATH=/\",\"AWSELBCORS=B3A9CDE108B7A1C9F0AFA19D2F1D801BC5EA2DB758E049CA400C049FE7C310DF0BB906899FF431BCEF2EF75D94E40E95B107D7A5B122F6844BA88CEC0D864FC12E75279814;PATH=/;SECURE;SAMESITE=None\",\"visid_incap_968152=gpkNFRF6QtKeSmDdY/9FWWUkNGYAAAAAQUIPAAAAAABmisXXPd3Y2+ulqGUibHZU; expires=Fri, 02 May 2025 07:12:03 GMT; HttpOnly; path=/; Domain=.likewize.com\",\"nlbi_968152=FnwQGi3rMWk+u+PCILjsZwAAAACniSzzxzSlwTCqfbP87/10; path=/; Domain=.likewize.com\",\"incap_ses_677_968152=2ZElDA77lnjppwgU8y9lCWUkNGYAAAAArXuktDctGDMtVtCwqfe5bw==; path=/; Domain=.likewize.com\"],\"content-length\":\"349\",\"server\":\"Jetty(9.4.45.v20220203)\"}}\", RETRYNO=\"0\", ENDPOINT=\"https://apptium.freedommobile.ca/Activation.TradeUp\", 
OPERATION=\"/FPC/Redemption/Redeem\", METHOD=\"POST\", CONNECTORID=\"0748a993-4566-48ae-9885-2a4dce9de585\", CONNECTORNAME=\"Likewize\", CONNECTORTYPE=\"Application\", CONNECTORSUBTYPE=\"REST\", STARTTIME=\"1714693218282\", ENDTIME=\"1714693222213\", RESPONSETIME=\"3931\", SUCCESS=\"1\", CLIENT=\"eportal-services\", CREATEDDATE=\"2024-05-02 23:40:22\", USERNAME=\"WVMSKaul@wmbd.local\", SESSIONID=\"_027c735b-30ed-472c-99e8-6d0748e5a7d9\", ACTIONID=\"5c0a6f88-5a1e-4fdc-a454-01c53fdc0b9b\", TRACKID=\"674e1eed-ba9e-429f-87fc-3b4773b7dd06\""
``` the above emulates index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem" ```

The output from the emulated data is:

accountNumber   serialNumber     Channel   redemptionEquipmentMemory   transactionReferenceNumber
DBC00089571590  359938615394762  6         128 GB                      6200753992

Finally, I want to illustrate the most inflexible implementation, custom extraction of the needed fields directly:

index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
| spath input=REQUEST path=headers.Channel output=Channel
| spath input=REQUEST path=body.customer.accountNumber output=accountNumber
| spath input=REQUEST path=body.equipment.serialNumber output=serialNumber
| spath input=RESPONSE path=body.model.redemptionEquipmentMemory output=redemptionEquipmentMemory
| spath input=RESPONSE path=body.model.transactionReferenceNumber output=transactionReferenceNumber
| table accountNumber serialNumber Channel redemptionEquipmentMemory transactionReferenceNumber

Since 8.1, you can also implement these one-to-one extractions using json_extract:

index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
| eval Channel = json_extract(REQUEST, "headers.Channel")
| eval accountNumber = json_extract(REQUEST, "body.customer.accountNumber")
| eval serialNumber = json_extract(REQUEST, "body.equipment.serialNumber")
| eval redemptionEquipmentMemory = json_extract(RESPONSE, "body.model.redemptionEquipmentMemory")
| eval transactionReferenceNumber = json_extract(RESPONSE, "body.model.transactionReferenceNumber")
| table accountNumber serialNumber Channel redemptionEquipmentMemory transactionReferenceNumber
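The same REQUEST/RESPONSE split and dotted-path extraction, worked through as an added Python example that is not part of the thread and not Splunk code. The event line is constructed with placeholder values in the thread's key="value" layout, and because the real sample logs a Basic Authorization header, the request headers are redacted before they are returned for display.

```python
import json
import re

# Constructed sample event in the same key="value" layout as the
# transactionlog line quoted in the thread (all values are placeholders;
# the Authorization value is base64 of the word PLACEHOLDER).
SAMPLE_EVENT = (
    '2024-05-02 23:40:22.000, ID="00000000-0000-0000-0000-000000000001", '
    'ACCOUNTNAME="prd", '
    'REQUEST="{"body":{"customer":{"accountNumber":"DBC00000000001","lineNumber":"8600000"},'
    '"equipment":{"serialNumber":"350000000000001","grade":"A"}},'
    '"headers":{"Channel":"6","Authorization":"Basic UExBQ0VIT0xERVI="}}", '
    'RESPONSE="{"body":{"model":{"transactionReferenceNumber":"6200000001",'
    '"redemptionEquipmentMemory":"128 GB","committedPrice":1},"code":200,"isSuccess":true},'
    '"headers":{"content-type":"application/json"}}", '
    'RETRYNO="0", OPERATION="/FPC/Redemption/Redeem", METHOD="POST"'
)

# Same greedy anchors as the SPL rex in the thread: the embedded JSON is not
# quote-escaped, so only the literal ", RESPONSE=" and ", RETRYNO separators
# can delimit the two payloads.
_REQ_RESP = re.compile(r'REQUEST="(?P<REQUEST>.+)", RESPONSE="(?P<RESPONSE>.+)", RETRYNO')

# Header names whose values are secrets and must not be copied into a table,
# report or lookup.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie"}

# The five fields the thread's final table wants, and which payload they live in.
FIELD_PATHS = {
    "accountNumber": ("REQUEST", "body.customer.accountNumber"),
    "serialNumber": ("REQUEST", "body.equipment.serialNumber"),
    "Channel": ("REQUEST", "headers.Channel"),
    "redemptionEquipmentMemory": ("RESPONSE", "body.model.redemptionEquipmentMemory"),
    "transactionReferenceNumber": ("RESPONSE", "body.model.transactionReferenceNumber"),
}


def json_extract(obj, path):
    """Walk a dotted path ('body.customer.accountNumber') the way SPL
    json_extract does; return None when a segment is missing instead of raising."""
    cur = obj
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def split_event(raw):
    """Return (REQUEST, RESPONSE) as parsed JSON objects, or None when the line
    does not carry both payloads or either one is not valid JSON."""
    m = _REQ_RESP.search(raw)
    if not m:
        return None
    try:
        return json.loads(m.group("REQUEST")), json.loads(m.group("RESPONSE"))
    except json.JSONDecodeError:
        return None


def redact_headers(headers):
    """Replace secret-bearing header values before anything is displayed."""
    return {k: ("<redacted>" if k.lower() in SENSITIVE_HEADERS else v)
            for k, v in headers.items()}


def extract_row(raw):
    """Build the one-row table from a single event, or None if unparseable."""
    parsed = split_event(raw)
    if parsed is None:
        return None
    sides = {"REQUEST": parsed[0], "RESPONSE": parsed[1]}
    row = {name: json_extract(sides[side], path)
           for name, (side, path) in FIELD_PATHS.items()}
    row["request_headers"] = redact_headers(sides["REQUEST"].get("headers", {}))
    return row


if __name__ == "__main__":
    print(extract_row(SAMPLE_EVENT))
```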
@burwell wrote:
Thanks @hrawat. The logs are as expected then:

05-03-2024 17:46:52.999 +0000 WARN AutoLoadBalancedConnectionStrategy [24761 TcpOutEloop] - Current dest host connection 1.2.3.4:5678, oneTimeClient=0, _events.size()=993, _refCount=1, _waitingAckQ.size()=0, _supportsACK=0, _lastHBRecvTime=Fri May 3 17:46:48 2024 is using 475826 bytes. Total tcpout queue size is 512000. Warningcount=2001

Yes, this is expected. This is providing you an early warning that one connection is nearly using all of the queue. If that indexer stops, or during IDX RR, the fwd will not be able to move to the next indexer that is free. This log precisely finds a slow connection (indexer/receiver) or a low maxQueueSize (Total tcpout queue size). See https://community.splunk.com/t5/Knowledge-Management/Slow-indexer-receiver-detection-capability/m-p/683768#M9963
The actual steps are:
1. find the corrupted bucket location with the dbinspect query
2. enable maintenance-mode on the IDXCM
3. take the indexer offline (where you want to repair the bucket)
4. run the fsck repair command on the stopped indexer
5. start the indexer when finished
6. disable maintenance-mode on the IDXCM
7. let the IDXCluster heal
8. repeat the steps for the next bucket

Large buckets (10G) take about 25 min to repair.
Good luck
The other day a few alerts surfaced showing I had 6 large windows data buckets stuck in "Fixup Task - In Progress". I ran a query:

| dbinspect index=windows corruptonly=true
| search bucketId IN (windows~nnnn~guid,...)
| fields bucketId, path, splunk_server, corruptReason, state

and found all the primary db_<buckets> from the alerts were corrupt. You can also see it in the IDXCM bucket status. I tried a few fsck repair commands on the indexers where the primary buckets resided, but it failed due to error >>> failReason=No bloomfilter, then I tried >>>

./splunk fsck repair --one-bucket --bucket-path=/<path> --index-name=<indexName> --debug --v --backfill-never

After that it cleared and splunkd.log showed >>> Successfully released lock for bucket with path... I hope this information helps.
I am trying to create a table with:

#   pyUserIdentifier   pyStatusMessage              Count of occurrences
1   user1234           Couldn't connect to server   1

Our logs have the following JSON pattern. Any help is highly appreciated. Please see the sample log below.

JSON log:
"pyOptions":"{\"HasTelephonyPriv\":\"true\",\"isSnapshotOnly\":\"\",\"pyAutoLogin\":\"\",\"pyClientHandle\":\"HEWR40W8VLO39ZP5OVIBJKMZKEF8YETH5A\",\"pyDeviceState\":\"\",\"pyNumberOfLines\":\"3\",\"pyPegaCTIError\":\"\",\"pyTelephonyMode\":\"1\",\"pyThisPageAsJSON\":\"\",\"pyUserIdentifier\":\"user1234\",\"pyUserName\":\"\",\"pyUserPassword\":\"\",\"pyWorkMode\":\"Busy\",\"queue\":[ \"\"] }" ,"pyPageExists":"false" ,"pyPort":"7017" ,"pyPresenceAgent":"H-GET" ,"pySelectedLinkName":"CHANNELSERVICES-ADMIN-CTILINK-LOCAL-JTAPI AVAYAPBX1" ,\"pySSLProtocolVersion\":\"TLSv1.2\",\"pyStatusMessage\":\"Couldn't connect to server\",\"pyStatusValue\":\"Fail\",\"pySwitchType\":\"Avaya EAS CM\",\"pyVendor\":\"Avaya\",\"pyWorkgroupPhoneBook\":\"true\",\"pzInsKey\":\"CHANNELSERVICES-ADMIN-CTILINK-LOCAL-JTAPI AVAYAPBX1\",\"pzLoadTime\":\"May 3, 2024 9:00:35 AM CDT\",\"pzOriginalInstanceKey\":\"CHANNELSERVICES-ADMIN-CTILINK-LOCAL-JTAPI AVAYA-1\",\"pzPageNameBase\":\"D_CTILinkInfo\",\"LogoutReasonCodes\":[ ],\"NotReadyReasonCodes\":[ ], ,"pyThisDN":"24181" ,"pyWorkMode":"Busy"
Here is my complete data:

2024-05-02 23:40:22.000, ID="5e2276d3-7f02-7984-ad4b-e11507580872", ACCOUNTID="5", ACCOUNTNAME="prd", APPLICATIONID="6", APPLICATIONNAME="ws", REQUEST="{"body":{"customer":{"accountNumber":"DBC00089571590","lineNumber":"8604338"},"equipment":{"serialNumber":"359938615394762","grade":"A"},"redemptionDetails":{"redemptionDate":"20240502","user":"WVMSKaul","storeNumber":"WD227907","dealerNumber":"2279"}},"headers":{"content-type":"application/json;charset=UTF-8","Accept":"application/json;charset=UTF-8","Channel":"6","Locale":"en-US","TransactionID":"65E5519B-F170-4367-AA03-54A33BA29B4E","ApplicationID":"00000411","Authorization":"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg=="}}", RESPONSE="{"body":{"model":{"isRedeemed":true,"transactionReferenceNumber":"6200753992","redeemType":"Original","redemptionFailureReasonType":null,"redemptionEquipmentMake":"Samsung","redemptionEquipmentModel":"Galaxy S21 FE 128GB Graphite","redemptionEquipmentMemory":"128 GB","committedPrice":1,"additionalFees":0},"code":200,"messages":null,"isSuccess":true},"headers":{"connection":"close","content-type":"application/json;charset=utf-8","set-cookie":["AWSELB=B3A9CDE108B7A1C9F0AFA19D2F1D801BC5EA2DB758E049CA400C049FE7C310DF0BB906899FF431BCEF2EF75D94E40E95B107D7A5B122F6844BA88CEC0D864FC12E75279814;PATH=/","AWSELBCORS=B3A9CDE108B7A1C9F0AFA19D2F1D801BC5EA2DB758E049CA400C049FE7C310DF0BB906899FF431BCEF2EF75D94E40E95B107D7A5B122F6844BA88CEC0D864FC12E75279814;PATH=/;SECURE;SAMESITE=None","visid_incap_968152=gpkNFRF6QtKeSmDdY/9FWWUkNGYAAAAAQUIPAAAAAABmisXXPd3Y2+ulqGUibHZU; expires=Fri, 02 May 2025 07:12:03 GMT; HttpOnly; path=/; Domain=.likewize.com","nlbi_968152=FnwQGi3rMWk+u+PCILjsZwAAAACniSzzxzSlwTCqfbP87/10; path=/; Domain=.likewize.com","incap_ses_677_968152=2ZElDA77lnjppwgU8y9lCWUkNGYAAAAArXuktDctGDMtVtCwqfe5bw==; path=/; Domain=.likewize.com"],"content-length":"349","server":"Jetty(9.4.45.v20220203)"}}", RETRYNO="0", 
ENDPOINT="https://apptium.freedommobile.ca/Activation.TradeUp", OPERATION="/FPC/Redemption/Redeem", METHOD="POST", CONNECTORID="0748a993-4566-48ae-9885-2a4dce9de585", CONNECTORNAME="Likewize", CONNECTORTYPE="Application", CONNECTORSUBTYPE="REST", STARTTIME="1714693218282", ENDTIME="1714693222213", RESPONSETIME="3931", SUCCESS="1", CLIENT="eportal-services", CREATEDDATE="2024-05-02 23:40:22", USERNAME="WVMSKaul@wmbd.local", SESSIONID="_027c735b-30ed-472c-99e8-6d0748e5a7d9", ACTIONID="5c0a6f88-5a1e-4fdc-a454-01c53fdc0b9b", TRACKID="674e1eed-ba9e-429f-87fc-3b4773b7dd06"
Hi,

index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
| spath input=REQUEST
| rename headers.* AS *
| rename body.customer.* AS *
| rename body.equipment.serialNumber.* AS *
| rename body.model.redemptionEquipmentMemory.* AS *
| rename body.model.transactionReferenceNumber.* AS *
| table Channel accountNumber serialNumber redemptionEquipmentMemory transactionReferenceNumber

I have modified the query as you stated; I am getting only the account number and channel code in my results, not the other fields.
Yeah, it works now. Thanks for your response.
Try using the correct path:

| spath input=REQUEST output=Channel path=headers{}.Channel
Do you mean you have a field named REQUEST with JSON data as illustrated, and want to have data like this:

field name                               field value
body.customer.accountNumber              DBC50012225699
body.customer.lineNumber                 5000654224
body.equipment.grade                     A
body.equipment.serialNumber              351643935649535
body.redemptionDetails.dealerNumber      GW_STORE
body.redemptionDetails.redemptionDate    20240502
body.redemptionDetails.storeNumber       WCCA0105
body.redemptionDetails.user              BMashiana
headers.Accept                           application/json;charset=UTF-8
headers.ApplicationID                    00000411
headers.Authorization                    Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==
headers.Channel                          6
headers.Locale                           en-US
headers.TransactionID                    E86B7D59-B3CC-401D-977F-65218248367E
headers.content-type                     application/json;charset=UTF-8

where headers.Channel has value 6? REQUEST does not contain any array, so why the complicated path? All you need is:

| spath input=REQUEST
| rename headers.* AS *

Here is an emulation based on your sample data:

| makeresults
| eval REQUEST="{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"6\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}"
``` the above emulates index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem" | rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO" ```
| spath input=REQUEST
| rename headers.* AS *
| table accountNumber serialNumber Channel redemptionEquipmentMemory transactionReferenceNumber

The output is:

accountNumber   serialNumber   Channel   redemptionEquipmentMemory   transactionReferenceNumber
                               6

Obviously I do not have RESPONSE data. But play with it and compare with real REQUEST data.
There are multiple issues with this search. But first, let me clarify your use case. For events where bucketFolder has the exemplified value of "inbound/concur", you want to assign "ConcurFile_Upload" as the value of Interface; if bucketFolder is "<blah>inbound<bleh>epm<blih>", you want to assign "EPM" to Interface, and so on. Is this correct? In other words, given this dataset:

bucketFolder     correlationId
inbound/concur   1
inbound/epm      1
inbound/KPIs     2
inbound/epm      2

you want the output to be:

Status   InterfaceName              Timestamp   FileName   Bucket   BucketFolder                  correlationId
         ConcurFile_Upload, EPM                                     inbound/concur, inbound/epm   1
         APEX_File_Upload, EPM                                      inbound/KPIs, inbound/epm     2

(Take care to clarify such things carefully, in plain language and with data illustration, the next time you ask a question. Using SPL to represent a use case is often self-defeating, even more so when you already know the SPL doesn't give you the desired results. You are basically inviting volunteers to read your mind, and mind-reading is not only painful for volunteers, but most often leads to wrong conclusions.)

Assuming that the above is a faithful representation of your requirement, we can discuss SPL problems. But before that, I want to hammer on use case/requirement even further. Do you really mean to map "<blah>inbound<bleh>epm<blih>" instead of simply "inbound/epm"? In other words, are wildcard uses like "%inbound%epm%" truly essential to your dataset? Decisions like this bear a lot of weight on the optimal solution, and sometimes can change the suitable solution, too. In the following, I will assume that you really, really want wildcards as your original SPL implied. (But I hope that's not the case.)

Now, to SPL diagnosis. The first problem is, you cannot use a wildcard on the righthand side of the equal sign (=) outside of a search context. The case function is not a search context. Secondly, the percent sign (%) is not a wildcard on the righthand side of the equal sign.

As such, @tej57's suggestion of using LIKE is correct. You can also use searchmatch as @gcusello suggested, but use it directly as a boolean AND use the asterisk (*) instead of the percent sign as the wildcard.

| rename bucketFolder as BucketFolder
| eval InterfaceName=case(searchmatch("BucketFolder = *inbound*epm*"),"EPM", searchmatch("BucketFolder = *inbound*KPIs*"), "APEX_File_Upload", searchmatch("BucketFolder = *inbound*concur*"), "ConcurFile_Upload", true(),"Unknown")
| stats values(InterfaceName) as InterfaceName min(timestamp) as Timestamp values(BucketFolder) as BucketFolder values(Status) as Status by correlationId
| table Status InterfaceName Timestamp FileName Bucket BucketFolder correlationId

You can also use a regex match.

| rename bucketFolder as BucketFolder
| eval InterfaceName=case(match(BucketFolder, "inbound.*epm"),"EPM", match(BucketFolder, "inbound.*KPIs"), "APEX_File_Upload", match(BucketFolder, "inbound.*concur"), "ConcurFile_Upload", true(),"Unknown")
| stats values(InterfaceName) as InterfaceName min(timestamp) as Timestamp values(BucketFolder) as BucketFolder values(Status) as Status by correlationId
| table Status InterfaceName Timestamp FileName Bucket BucketFolder correlationId

Each of these three can give the results table illustrated above using the following emulation, which gives the mock data table illustrated above:

| makeresults format=csv data="bucketFolder,correlationId
inbound/concur,1
inbound/epm,1
inbound/KPIs,2
inbound/epm,2"
``` data emulation above ```

Play with it and compare with real data.
I am able to pull my AD users' account information successfully, except for their email addresses. What am I doing wrong? Apologies, since I am still learning.

| inputlookup AD_Obj_User WHERE domain="mydomain"
| fields domain, sAMAccountName, userAccountControl, uac_details,domain, distinguishedName, mail, whenChanged,whenCreated
| table domain, sAMAccountName, userAccountControl, uac_details,domain, distinguishedName, mail, whenChanged,whenCreated
| eval uac_details=replace(mvjoin(uac_details,":"),"([\r\n]+)",":")
| makemv delim=":" uac_details
| search [| makeresults | eval uac_details=replace("#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#","#empty#","") | makemv delim="," uac_details | eval mfilt_uac=mvfilter(match(uac_details,"^\w+")) | eval search=if(isnull(mfilt_uac),"","uac_details=\"".mvjoin(mfilt_uac,"\" AND uac_details=\"")."\"") | table search]
| sort 0 sAMAccountName
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
Thanks @isoutamo. Much appreciated. God bless.