REQUEST="{"body":{"customer":{"accountNumber":"DBC50012225699","lineNumber":"5000654224"},"equipment":{"serialNumber":"351643935649535","grade":"A"},"redemptionDetails":{"redemptionDate":"20240502","user":"BMashiana","storeNumber":"WCCA0105","dealerNumber":"GW_STORE"}},"headers":{"content-type":"application/json;charset=UTF-8","Accept":"application/json;charset=UTF-8","Channel":"6","Locale":"en-US","TransactionID":"E86B7D59-B3CC-401D-977F-65218248367E","ApplicationID":"00000411","Authorization":"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg=="}}",

Below is my Splunk query:

index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem" | rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO" | spath input=REQUEST | spath input=REQUEST output=accountNumber path=body.customer{}.accountNumber | mvexpand accountNumber | spath input=REQUEST output=serialNumber path=body.equipment{}.serialNumber | mvexpand serialNumber | spath input=REQUEST output=Channel path=body{}{}.headers{}{}.Channel | mvexpand Channel | spath input=RESPONSE | spath input=RESPONSE output=redemptionEquipmentMemory path=body.model{}.redemptionEquipmentMemory | mvexpand redemptionEquipmentMemory | spath input=RESPONSE output=transactionReferenceNumber path=body.model{}.transactionReferenceNumber | mvexpand transactionReferenceNumber | table accountNumber serialNumber Channel redemptionEquipmentMemory transactionReferenceNumber

Can someone suggest how to retrieve the channel from this request? It's empty for me. Also, it's inside body -> headers -> Channel. How do I retrieve the second element from the request input? Please, someone reply, as it is very urgent for me to complete my work.
Hi,

index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem" | rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO" | spath input=REQUEST | spath input=REQUEST output=accountNumber path=body.customer{}.accountNumber | mvexpand accountNumber | spath input=REQUEST output=serialNumber path=body.equipment{}.serialNumber | mvexpand serialNumber | spath input=REQUEST output=Channel path=body{}.headers{}.Channel | mvexpand Channel | spath input=RESPONSE | spath input=RESPONSE output=redemptionEquipmentMemory path=body.model{}.redemptionEquipmentMemory | mvexpand redemptionEquipmentMemory | spath input=RESPONSE output=transactionReferenceNumber path=body.model{}.transactionReferenceNumber | mvexpand transactionReferenceNumber | table accountNumber serialNumber Channel redemptionEquipmentMemory transactionReferenceNumber

With this query I was able to retrieve the following as you suggested, but the channel alone is missing. It's inside "body" -> "headers" -> "Channel". Could you please let me know how to retrieve that path alone, so that I can complete my work? Thanks in advance.
1. Check your admin permissions, etc. 2. Could it be AV blocking the action/command?
The whitelist value must be a list of event IDs or one or more key=regex expressions. The current value is just a regular expression, which is not supported.
Sorry for the confusion. I tried your query, but I am able to retrieve only the accountNumber; the channel, serial number and memory (from the response) are not retrieved. Could you please check my updated query?

index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem" | rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO" | spath input=REQUEST | spath input=REQUEST output=accountNumber path=body.customer{}.accountNumber | mvexpand accountNumber | spath input=REQUEST output=serialNumber path=body.customer{}.serialNumber | mvexpand serialNumber | spath input=REQUEST output=Channel path=body.customer{}.Channel | mvexpand Channel | spath input=RESPONSE | spath input=RESPONSE output=redemptionEquipmentMemory path=body.customer{}.redemptionEquipmentMemory | mvexpand redemptionEquipmentMemory | table accountNumber serialNumber Channel redemptionEquipmentMemory
Hello @sajo.sam,

We see this error message when incorrect controller information is passed. You may check the access key by running the command below:

kubectl get secret cluster-agent-secret -n appdynamics -o jsonpath='{.data.controller-key}' | base64 --decode

Also, please check the network connection. Run the following command to check the connection:

curl -v -k -u singularity-agent@dtvnprod:<access_key> https://dtvnprod.saas.appdynamics.com:443/sim/v2/agent/clusterRegistration

Hope this helps.

Best Regards,
Rajesh Ganapavarapu
Hello, I set up a dashboard in ABSOLUTE mode but want to change it to GRID mode. Is that possible? I am asking because I created a bunch of tables (6) and only 3 of them are showing at the top. The ones at the bottom aren't. I think it has to do with a GRID line around the top 3, and the bottom 3 aren't in that grid line. I need to be able to show all 6 tables. Any help?
There could be several reasons for failure. Please verify whether your environment is utilizing a Docker runtime built on ContainerD or a similar platform. If your intended machine agent is v22.3.0, it only supports the Docker runtime exclusively. Additionally, ensure that the user has access to /run/docker.sock. You can check this by running:

cat /run/docker.sock

In past instances, this issue occurred due to either no running containers or permission problems. You can diagnose this with the following commands:

sudo curl -s -S -i --unix-socket /var/run/docker.sock http:/info
docker info

If you're utilizing the containerd runtime, consider upgrading to the latest version, such as 24.3.0 MA. I would recommend you open a Support ticket for any further help, as it involves a lot of debugging.

Best Regards,
Rajesh Ganapavarapu
Hi @ITWhisperer,

The first time it comes up, but when I try to refresh the same query I don't find any values.

Query which I am trying:

index="mulesoft" applicationName="scheduler" environment=DEV message="Upcoming Executions for Scheduler :*" [search index="mulesoft" applicationName=" scheduler" | stats latest(correlationId) as correlationId | table correlationId | format] | where content.currStatus!="Interface has no entry found in object Store" | stats count by content.currStatus

If I use the query in a separate search, it shows the latest correlation values:

message="Upcoming Executions for Scheduler :*" environment=DEV | stats latest(correlationId) as correlationId | table correlationId
Why have you just ignored my suggestion and not included the rex line I suggested?
index="wireless_retail" source="create_freedom.transactionlog" OPERATION="/FPC/Redemption/Redeem" | spath input=REQUEST output=accountNumber path=body.customer{}.accountNumber | mvexpand accountNumber | table accountNumber

This query is not displaying any results for me; if I run it, the results are blank.
OK but you already know how to extract these elements as you have shown this in your question
Please provide examples of what is working and what is not working otherwise just saying it is not working is not very helpful!
Thanks for the response. But I need to extract only the accountNumber, channel and serialNumber from REQUEST and transactionReferenceNumber from RESPONSE, and display them in table format.
Sorry, it's not working. Sometimes the values come, but sometimes it shows no values.
Assuming your events all follow the same pattern, i.e. REQUEST followed by RESPONSE followed by RETRYNO, you could extract them prior to using spath:

| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO" | spath input=REQUEST | spath input=RESPONSE
Hi @marco_massari11, identify the three regexes and collect them using .* Ciao. Giuseppe
Hello @gcusello, you're right, in Splunk I have the following error: "The regex '((EventCode=(4624|4634|4625)\X*Account Name:(\s+.*\.adm.*))|(EventCode=(4659|4663|5145)\X*Object Name:(\s+.*Test_share.*)))' does not extract anything. It should specify at least one named group. Format: (?<name>...)". I also tried to split the regex into two separate whitelists, but I think they are in AND, so it's not working. Do you have a solution? Regards, Marco
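The same two conditions written in the key=regex whitelist form that the earlier reply describes, added here as an illustration and not from either poster. It assumes the documented inputs.conf whitelist semantics (a %-delimited regex per key, EventCode and Message as the keys matched, key=regex pairs on one line ANDed, separate whitelist/whitelist1 entries ORed) and an assumed stanza name:

```ini
# Assumed stanza name; use the Windows event log input actually being filtered.
[WinEventLog://Security]
# Logon events 4624/4634/4625 whose Account Name contains ".adm" (both pairs must match).
whitelist = EventCode=%^(4624|4634|4625)$% Message=%Account Name:\s+\S*\.adm%
# Object-access events 4659/4663/5145 on the Test_share object; a separate
# whitelist1 entry so the two groups are ORed instead of ANDed.
whitelist1 = EventCode=%^(4659|4663|5145)$% Message=%Object Name:\s+.*Test_share%
```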
Is there any other way we can do it?
Have REQUEST and RESPONSE already been extracted successfully? Btw, your event isn't (completely) JSON; it does contain some JSON elements, but unless these have been extracted, you won't be able to use spath on them.
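A stand-alone illustration of the two-step approach the replies above describe (extract REQUEST and RESPONSE with the rex pattern first, then walk each JSON document), added here as example code that belongs to neither poster nor to Splunk. It assumes a constructed event whose shape copies the question's sample: note that in that sample "headers" is a top-level sibling of "body", so the Channel value lives at headers.Channel and a path under body never finds it.

```python
import json
import re

# Pattern from the reply above: REQUEST, RESPONSE and RETRYNO delimit the two JSON blobs.
EVENT_RE = re.compile(r'REQUEST="(?P<REQUEST>.+)", RESPONSE="(?P<RESPONSE>.+)", RETRYNO')

# Constructed sample event. Field layout mirrors the question; the Authorization value is a
# placeholder (the real log carries a Basic credential, which should never be tabled), and the
# RESPONSE body is assumed to contain body.model as the question's spath paths expect.
SAMPLE_EVENT = (
    'REQUEST="{"body":{"customer":{"accountNumber":"DBC50012225699","lineNumber":"5000654224"},'
    '"equipment":{"serialNumber":"351643935649535","grade":"A"}},'
    '"headers":{"Channel":"6","Locale":"en-US","Authorization":"Basic <placeholder>"}}", '
    'RESPONSE="{"body":{"model":{"redemptionEquipmentMemory":"128GB",'
    '"transactionReferenceNumber":"TRN-0001"}}}", RETRYNO=0'
)


def get_path(obj, path):
    """Walk a dotted spath-style path through nested objects; None if any step is missing.
    No {} segments are needed here because every level in the sample is an object, not an array."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def extract_fields(event):
    """Step 1: rex-style split of the event; step 2: spath-style lookups on each JSON document."""
    match = EVENT_RE.search(event)
    if not match:
        return None  # event does not follow the REQUEST / RESPONSE / RETRYNO pattern
    request = json.loads(match.group("REQUEST"))
    response = json.loads(match.group("RESPONSE"))
    return {
        "accountNumber": get_path(request, "body.customer.accountNumber"),
        "serialNumber": get_path(request, "body.equipment.serialNumber"),
        # headers sits beside body at the top level, hence headers.Channel ...
        "Channel": get_path(request, "headers.Channel"),
        # ... while the path the question tried, under body, resolves to nothing.
        "Channel_via_body": get_path(request, "body.headers.Channel"),
        "redemptionEquipmentMemory": get_path(response, "body.model.redemptionEquipmentMemory"),
        "transactionReferenceNumber": get_path(response, "body.model.transactionReferenceNumber"),
    }


if __name__ == "__main__":
    for name, value in extract_fields(SAMPLE_EVENT).items():
        print(f"{name}={value}")
```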