All Posts
Try using the correct path:

| spath input=REQUEST output=Channel path=headers{}.Channel
Do you mean you have a field named REQUEST with JSON data as illustrated, and want to have data like this:

field name                               field value
body.customer.accountNumber              DBC50012225699
body.customer.lineNumber                 5000654224
body.equipment.grade                     A
body.equipment.serialNumber              351643935649535
body.redemptionDetails.dealerNumber      GW_STORE
body.redemptionDetails.redemptionDate    20240502
body.redemptionDetails.storeNumber       WCCA0105
body.redemptionDetails.user              BMashiana
headers.Accept                           application/json;charset=UTF-8
headers.ApplicationID                    00000411
headers.Authorization                    Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==
headers.Channel                          6
headers.Locale                           en-US
headers.TransactionID                    E86B7D59-B3CC-401D-977F-65218248367E
headers.content-type                     application/json;charset=UTF-8

where headers.Channel has value 6? REQUEST does not contain any array, so why the complicated path? All you need is

| spath input=REQUEST
| rename headers.* AS *

Here is an emulation based on your sample data.

| makeresults
| eval REQUEST="{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"6\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}"
``` the above emulates
index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO" ```
| spath input=REQUEST
| rename headers.* AS *
| table accountNumber serialNumber Channel redemptionEquipmentMemory transactionReferenceNumber

The output is

accountNumber  serialNumber  Channel  redemptionEquipmentMemory  transactionReferenceNumber
                             6

Obviously I do not have RESPONSE data. But play with it and compare with real REQUEST data.
There are multiple issues with this search. But first, let me clarify your use case. For events where bucketFolder has exemplified value of "inbound/concur", you want to assign "ConcurFile_Upload" as value of Interface; if bucketFolder is "<blah>inbound<bleh>epm<blih>", you want to assign "EPM" to Interface, and so on. Is this correct? In other words, given this dataset

bucketFolder    correlationId
inbound/concur  1
inbound/epm     1
inbound/KPIs    2
inbound/epm     2

you want the output to be

Status  InterfaceName      Timestamp  FileName  Bucket  BucketFolder    correlationId
        ConcurFile_Upload                               inbound/concur  1
        EPM                                             inbound/epm
        APEX_File_Upload                                inbound/KPIs    2
        EPM                                             inbound/epm

(Take care to clarify this carefully, in plain language and with data illustration, the next time you ask a question. Using SPL to represent use case is often self defeating, even more so when you already know the SPL doesn't give you desired results. You are basically inviting volunteers to read your mind, and mind-reading is not only painful for volunteers, but most often leads to wrong conclusions.)

Assuming that the above is a faithful representation of your requirement, we can discuss SPL problems. But before that, I want to hammer on use case/requirement even further. Do you really mean to map "<blah>inbound<bleh>epm<blih>" instead of simply "inbound/epm"? In other words, are wildcard uses like "%inbound%epm%" truly essential to your dataset? Decisions like this bear a lot of weight on optimal solution, and sometimes can change suitable solution, too. In the following, I will assume that you really, really want wildcards as your original SPL implied. (But I hope that's not the case.)

Now, to SPL diagnosis. The first problem is, you cannot use wildcard in the righthand side of equal sign (=) outside of search context. case function is not a search context. Secondly, percent sign (%) is not a wildcard in the righthand side of equal sign. As such, @tej57's suggestion of using LIKE is correct. You can also use searchmatch as @gcusello suggested, but use it directly as boolean AND use asterisk (*) instead of percent sign as wildcard.

| rename bucketFolder as BucketFolder
| eval InterfaceName=case(searchmatch("BucketFolder = *inbound*epm*"),"EPM", searchmatch("BucketFolder = *inbound*KPIs*"), "APEX_File_Upload", searchmatch("BucketFolder = *inbound*concur*"), "ConcurFile_Upload", true(),"Unknown")
| stats values(InterfaceName) as InterfaceName min(timestamp) as Timestamp values(BucketFolder) as BucketFolder values(Status) as Status by correlationId
| table Status InterfaceName Timestamp FileName Bucket BucketFolder correlationId

You can also use regex match.

| rename bucketFolder as BucketFolder
| eval InterfaceName=case(match(BucketFolder, "inbound.*epm"),"EPM", match(BucketFolder, "inbound.*KPIs"), "APEX_File_Upload", match(BucketFolder, "inbound.*concur"), "ConcurFile_Upload", true(),"Unknown")
| stats values(InterfaceName) as InterfaceName min(timestamp) as Timestamp values(BucketFolder) as BucketFolder values(Status) as Status by correlationId
| table Status InterfaceName Timestamp FileName Bucket BucketFolder correlationId

Each of these three can give the above illustrated results table using the following emulation that gives the mock data table illustrated above

| makeresults format=csv data="bucketFolder,correlationId
inbound/concur,1
inbound/epm,1
inbound/KPIs,2
inbound/epm,2"
``` data emulation above ```

Play with it and compare with real data.
I am able to pull my AD users' account information successfully except for their email addresses. What am I doing wrong? Apologies, as I am still learning.

| inputlookup AD_Obj_User WHERE domain="mydomain"
| fields domain, sAMAccountName, userAccountControl, uac_details,domain, distinguishedName, mail, whenChanged,whenCreated
| table domain, sAMAccountName, userAccountControl, uac_details,domain, distinguishedName, mail, whenChanged,whenCreated
| eval uac_details=replace(mvjoin(uac_details,":"),"([\r\n]+)",":")
| makemv delim=":" uac_details
| search [| makeresults | eval uac_details=replace("#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#","#empty#","") | makemv delim="," uac_details | eval mfilt_uac=mvfilter(match(uac_details,"^\w+")) | eval search=if(isnull(mfilt_uac),"","uac_details=\"".mvjoin(mfilt_uac,"\" AND uac_details=\"")."\"") | table search]
| sort 0 sAMAccountName
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
Thanks @isoutamo. Much appreciated. God bless.
I have used it in some cases. I need to check how I have configured it when back on my laptop.
Hi @LizAndy123,

Following @gcusello's understanding, I added a little more context to the results.

| rex field=_raw "User-(?<User>\w+)\s+assigned\s+Role-(?<Operation_Type>.+?)\s(?<Where>.+?)\sto\s(?<ToUser>.+?)$"

In this case, I'm supposing that you can tell the stakeholders the following:

User = The person who executed the operation
Operation_Type = What operation was done
Where = The asset that was changed in this operation
ToUser = The user who received the permission
Hi @splunk6,

The mvexpand should work, but if not, as you mentioned, maybe the rex command could fix that for you. To get all the matches of Channel:

| makeresults
| eval request="REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"6\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\",REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"7\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\","
| rex max_match=0 field=request "\,\"Channel\"\:\"(?<Channel>.+?)\""

To get only one result for the channel (the first one) by search:

| makeresults
| eval request="REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"6\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\",REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"7\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\","
| rex field=request "\,\"Channel\"\:\"(?<Channel>.+?)\""

Note: It's important to mention that I created the request field to add your REQUEST field value into the | makeresults, ok? In your code, you should use only the rex field=REQUEST with or without max_match=0. I hope it helps you. Happy splunking!
Thanks @hrawat. The logs are as expected then:

05-03-2024 17:46:52.999 +0000 WARN AutoLoadBalancedConnectionStrategy [24761 TcpOutEloop] - Current dest host connection 1.2.3.4:5678, oneTimeClient=0, _events.size()=993, _refCount=1, _waitingAckQ.size()=0, _supportsACK=0, _lastHBRecvTime=Fri May 3 17:46:48 2024 is using 475826 bytes. Total tcpout queue size is 512000. Warningcount=2001
I guess no one else is doing this? Thanks and God bless, Genesius
I tried the script below in my Windows test VM and restarted Splunk. Hostname still shows as the short name in the Splunk GUI. The search logs show the FQDN, though. On the deployment server, in the forwarder management client view, how is the hostname column populated? Or where is the hostname column populated from? I need the hostname in the forwarder management client view to show the FQDN of the Windows endpoints.
@Albert_Cyber, kind of. We are in the process of creating custom apps for these use cases and adaptive response actions. The only problem is it really is a pain to create a whole app to just make some very simple API calls and run basic commands like dig against a specified variable. We are following the guidance from these docs (Create an AR action | Documentation | Splunk Developer Program), as there isn't much out there on it, and I'm more of a bash scripter than a Python programmer, so it is a very slow process for us.
Hello @richgalloway, do you have any possible solution?
Sorry for the late response on this, but this is exactly what we did: created a user and role (exec_view) separate from the others, assigned that role read-only permissions, and assigned it to specific users. Thanks for the information!
This exact scenario just happened in our environment as well and it turned out a savedsearch with the same name was under a different user. Thank you for providing this old but still applicable post! 
I would like to display the Name of a drop down option in the label of a panel.  The token for the drop down filter is $value$.  How would I display the Name, such as MY VALUE 1, MY VALUE 2, etc. as a token?  I tried label.$value$ and that did not work for me.    
Hi @Mandar.Kadam, I see you also created a Support ticket. Can you share the solution from Support here as a reply? This will help others with the same problem in the future.
REQUEST="{"body":{"customer":{"accountNumber":"DBC50012225699","lineNumber":"5000654224"},"equipment":{"serialNumber":"351643935649535","grade":"A"},"redemptionDetails":{"redemptionDate":"20240502","user":"BMashiana","storeNumber":"WCCA0105","dealerNumber":"GW_STORE"}},"headers":{"content-type":"application/json;charset=UTF-8","Accept":"application/json;charset=UTF-8","Channel":"6","Locale":"en-US","TransactionID":"E86B7D59-B3CC-401D-977F-65218248367E","ApplicationID":"00000411","Authorization":"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg=="}}",

Below is my Splunk query:

index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
| spath input=REQUEST
| spath input=REQUEST output=accountNumber path=body.customer{}.accountNumber
| mvexpand accountNumber
| spath input=REQUEST output=serialNumber path=body.equipment{}.serialNumber
| mvexpand serialNumber
| spath input=REQUEST output=Channel path=body{}{}.headers{}{}.Channel
| mvexpand Channel
| spath input=RESPONSE
| spath input=RESPONSE output=redemptionEquipmentMemory path=body.model{}.redemptionEquipmentMemory
| mvexpand redemptionEquipmentMemory
| spath input=RESPONSE output=transactionReferenceNumber path=body.model{}.transactionReferenceNumber
| mvexpand transactionReferenceNumber
| table accountNumber serialNumber Channel redemptionEquipmentMemory transactionReferenceNumber

Can someone suggest how to retrieve the channel from this request? It's empty for me. Also, it's inside body->headers->channel. How do I retrieve the second element from the request input? Please, someone reply, as it is very urgent to complete my work.
Hi,

index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
| spath input=REQUEST
| spath input=REQUEST output=accountNumber path=body.customer{}.accountNumber
| mvexpand accountNumber
| spath input=REQUEST output=serialNumber path=body.equipment{}.serialNumber
| mvexpand serialNumber
| spath input=REQUEST output=Channel path=body{}.headers{}.Channel
| mvexpand Channel
| spath input=RESPONSE
| spath input=RESPONSE output=redemptionEquipmentMemory path=body.model{}.redemptionEquipmentMemory
| mvexpand redemptionEquipmentMemory
| spath input=RESPONSE output=transactionReferenceNumber path=body.model{}.transactionReferenceNumber
| mvexpand transactionReferenceNumber
| table accountNumber serialNumber Channel redemptionEquipmentMemory transactionReferenceNumber

With this query I was able to retrieve the following as you suggested, but the channel alone is missing. It's inside "body" -> "headers" -> "Channel". Could you please let me know how to retrieve the path for that alone, so that it would be helpful for me to complete my work? Thanks in advance.
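The REQUEST/RESPONSE extraction that the posts above keep returning to (rex to pull the two JSON documents out of the transaction log line, then spath-style flattening, with Channel living at headers.Channel as a sibling of body rather than underneath it) can be checked outside Splunk. The following is an added Python example, not code from any post in this thread: it emulates the rex capture and spath's dotted/`{}` field naming on a constructed log line, and additionally masks the Authorization header before the fields are returned, since the sample requests in this thread carry a Basic credential inside the logged request. The sample line, the RESPONSE model values, the placeholder credential and all function names are this example's own assumptions.

```python
import json
import re

# Constructed sample line that mimics the REQUEST="..."/RESPONSE="..." layout the
# thread describes. The Authorization value is a placeholder, not a credential,
# and the RESPONSE body is invented to exercise the array (model{}) path.
SAMPLE_LINE = (
    'OPERATION="/FPC/Redemption/Redeem", '
    'REQUEST="{"body":{"customer":{"accountNumber":"DBC50012225699","lineNumber":"5000654224"},'
    '"equipment":{"serialNumber":"351643935649535","grade":"A"}},'
    '"headers":{"content-type":"application/json;charset=UTF-8","Channel":"6",'
    '"TransactionID":"E86B7D59-B3CC-401D-977F-65218248367E",'
    '"Authorization":"Basic PLACEHOLDER-NOT-A-CREDENTIAL"}}", '
    'RESPONSE="{"body":{"model":[{"redemptionEquipmentMemory":"64GB","transactionReferenceNumber":"REF-1"},'
    '{"redemptionEquipmentMemory":"128GB","transactionReferenceNumber":"REF-2"}]}}", '
    'RETRYNO=0'
)

# Same capture as the thread's rex, written with Python named groups. The greedy
# .+ backtracks to the last '", RESPONSE="' / '", RETRYNO', so embedded quotes in
# the JSON do not cut the capture short.
LINE_RE = re.compile(r'REQUEST="(?P<REQUEST>.+)", RESPONSE="(?P<RESPONSE>.+)", RETRYNO')

# Header names whose values should never reach a dashboard or a shared result table.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}


def _walk(node, prefix, out):
    """Recursive helper: objects become 'parent.child', arrays become 'parent{}',
    and every leaf value is appended to the list kept for its path."""
    if isinstance(node, dict):
        for key, value in node.items():
            _walk(value, f"{prefix}.{key}" if prefix else key, out)
    elif isinstance(node, list):
        for item in node:
            _walk(item, f"{prefix}{{}}", out)
    else:
        out.setdefault(prefix, []).append(node)


def flatten(doc):
    """Flatten a parsed JSON document into spath-style field names.
    A path seen once maps to a scalar; a path seen several times (array
    elements) maps to a list, i.e. a multivalue field."""
    out = {}
    _walk(doc, "", out)
    return {k: v[0] if len(v) == 1 else v for k, v in out.items()}


def redact(fields):
    """Mask values of sensitive headers; the key is kept so an analyst can
    still see that the header was present in the logged request."""
    masked = {}
    for path, value in fields.items():
        leaf = path.rsplit(".", 1)[-1].lower()
        masked[path] = "<redacted>" if leaf in SENSITIVE_HEADERS else value
    return masked


def parse_transaction_line(line):
    """Return {'REQUEST': {...}, 'RESPONSE': {...}} of flattened, redacted
    fields, mirroring rex followed by spath input=REQUEST / spath input=RESPONSE."""
    match = LINE_RE.search(line)
    if match is None:
        raise ValueError("line does not contain the REQUEST/RESPONSE/RETRYNO layout")
    return {
        name: redact(flatten(json.loads(match.group(name))))
        for name in ("REQUEST", "RESPONSE")
    }


def result_row(parsed):
    """Equivalent of the thread's final table command. Channel is read from
    headers.Channel: headers is a sibling of body, not nested under it."""
    req, resp = parsed["REQUEST"], parsed["RESPONSE"]
    return {
        "accountNumber": req.get("body.customer.accountNumber"),
        "serialNumber": req.get("body.equipment.serialNumber"),
        "Channel": req.get("headers.Channel"),
        "redemptionEquipmentMemory": resp.get("body.model{}.redemptionEquipmentMemory"),
        "transactionReferenceNumber": resp.get("body.model{}.transactionReferenceNumber"),
    }


if __name__ == "__main__":
    parsed = parse_transaction_line(SAMPLE_LINE)
    for key, value in result_row(parsed).items():
        print(f"{key}: {value}")
    print("headers.Authorization:", parsed["REQUEST"]["headers.Authorization"])
```

Running it prints Channel as 6 from headers.Channel, the two RESPONSE model values as a list (what mvexpand would split into two rows), and headers.Authorization as "<redacted>". The redaction step is the defender's addition: a transaction log that stores full request headers is also storing every caller's credential, so anything that surfaces those fields to a wider audience should mask them first.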
1. Check your admin permissions etc.
2. Could it be AV blocking the action/command?