All Posts

Hi guys, I need to extract limited values from fields. Thanks in advance.

Query:

index="mulesoft" applicationName="s-concur-api" environment=PRD priority timestamp
| search NOT message IN ("API: START: /v1/expense/extract/ondemand/accrual*")
| spath content.payload{}
| mvexpand content.payload{}
| stats values(content.SourceFileName) as SourceFileName values(content.JobName) as JobName values(content.loggerPayload.archiveFileName) as ArchivedFileName values(message) as message min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time by correlationId
| rex field=message max_match=0 "Expense Extract Process started for (?<FileName>[^\n]+)"
| rex field=message max_match=0 "API: START: /v1/expense/extract/ondemand/(?<OtherRegion>[^\/]+)\/(?<OnDemandFileName>\S+)"
| eval OtherRegion=upper(OtherRegion)
| eval OnDemandFileName=rtrim(OnDemandFileName,"Job")
| eval "FileName/JobName"= coalesce(OnDemandFileName,JobName)
| eval JobType=case(like('message',"%Concur Ondemand Started%"),"OnDemand",like('message',"%API: START: /v1/expense/extract/ondemand%"),"OnDemand",like('message',"Expense Extract Process started%"),"Scheduled")
| eval Status=case(like('message' ,"%Concur AP/GL File/s Process Status%"),"SUCCESS", like('tracePoint',"%EXCEPTION%"),"ERROR")
| eval Region= coalesce(Region,OtherRegion)
| eval OracleRequestId=mvappend("RequestId:",RequestID,"ImpConReqid:",ImpConReqId)
| eval Response= coalesce(message,error,errorMessage)
| eval StartTime=round(strptime(Logon_Time, "%Y-%m-%dT%H:%M:%S.%QZ"))
| eval EndTime=round(strptime(Logoff_Time, "%Y-%m-%dT%H:%M:%S.%QZ"))
| eval ElapsedTimeInSecs=EndTime-StartTime
| eval "Total Elapsed Time"=strftime(ElapsedTimeInSecs,"%H:%M:%S")
| eval match=if(SourceFileDTLCount=TotalAPGLRecordsCountStaged,"Match","NotMatch")
| rename Logon_Time as Timestamp
| table Status JobType Response ArchivedFileName ElapsedTimeInSecs "Total Elapsed Time" correlationId
| fields - ElapsedTimeInSecs priority match
| where JobType!=" "
| search Status="*"
In the Response field I want to show only the following. I don't care about the rest:

PRD(SUCCESS): Concur AP/GL Extract V.3.02 - APAC ORACLE PAY AP Expense Report. Concur Batch ID: 376 Company Code: 200 Operating Unit: US_AB_OU
PRD(SUCCESS): Concur AP/GL Extract V.3.02 - APAC ORACLE PAY AP Expense Report. Concur Batch ID: 375 Company Code: 209 Operating Unit: US_AB_OU
PRD(SUCCESS): Concur AP/GL Extract V.3.02 - APAC ORACLE PAY AP Expense Report. Concur Batch ID: 374 Company Code: 210 Operating Unit: US_AB_OU

Status: Success
Response:
    API: START: /v1/expense/extract
    After calling flow archive-ConcurExpenseFile-SubFlow
    Before calling flow archive-ConcurExpenseFile-SubFlow
    Calling s-ebs-api for AP Import process
    Concur AP/GL File/s Process Status
    Concur Ondemand Started
    Expense Extract Processing Starts
    Extract has no GL Lines to Import into Oracle
    PRD(SUCCESS): Concur AP/GL Extract V.3.02 - APAC ORACLE PAY AP Expense Report. Concur Batch ID: 376 Company Code: 200 Operating Unit: US_AB_OU
    PRD(SUCCESS): Concur AP/GL Extract V.3.02 - APAC ORACLE PAY AP Expense Report. Concur Batch ID: 375 Company Code: 209 Operating Unit: US_AB_OU
    PRD(SUCCESS): Concur AP/GL Extract V.3.02 - APAC ORACLE PAY AP Expense Report. Concur Batch ID: 374 Company Code: 210 Operating Unit: US_AB_OU
    PRD(SUCCESS): Concur AP/GL File/s Process Status - APAC Records Count Validation Passed
ArchiveFileName: EMEA_concur_expenses_
correlationId: 49cde170-e057-11ee-8125-de5fb5
What do you currently have in your dropdown?
Hello all,
SynApp: 3.0.3
OS: RHEL8 FIPS
Splunk 9.0.x
I configured this app and changed the index IPs in the local inputs.conf but it isn't working. Obviously there are a lot of things that could be wrong, but I am really not seeing any app logging. Is there any way to configure that? Does this app have a FIPS incompatibility? The only things I am finding are these logs in splunkd.log:

ERROR ExecProcessor [1044046 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Synack/bin/assessment_data.py" obj, end = self.raw_decode(s, idx=_w(s, 0).end())
ERROR ExecProcessor [1044046 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Synack/bin/vuln_data.py" json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
Upgrade is not an option for now. Furthermore, everything goes OK with DB Connect; it will be upgraded with the whole system. I did ask this question precisely because I could not find the checkpoint value persistence files for our enabled DB input in the folder: /opt/splunk/var/lib/splunk/modinputs/server/splunk_app_db_connect
This is perfect, thanks @spavin!
Can you please give some sample? My requirement is that I have two different paths:

index=test (source="/test/log/path/test1.log")
index=test (source="/test/log/path/test2.log")

Based on the dropdown list value, the corresponding path above should be used in the search string.
@kamlesh_vaghela, when I add it for the second column the solution is not working. How is find("a") related?
Hi @CheongKing168, by installing the old version you know that the issue is in the environment and not in the new version. Windows 2016 is a certified OS, so this shouldn't be the issue. Disabling McAfee: this isn't the issue either. I suppose that you already checked the available disk space and the grants of the user used for the installation. As I said, the only hint is to open a case with Splunk Support: they can analyze the installation logs to understand where the issue is. Ciao. Giuseppe
This is my current otel config:

---
service:
  telemetry:
    logs:
      level: "debug"
    metrics:
      level: detailed
      address: ":8888"
  pipelines:
    metrics:
      receivers:
        - prometheus
      exporters:
        - splunk_hec
receivers:
  prometheus:
    config:
      scrape_configs:
        - job_name: jira_dev
          scrape_interval: 60s
          static_configs:
            - targets: [<hidden>:8060]
exporters:
  debug:
    verbosity: detailed
    sampling_initial: 5
    sampling_thereafter: 200
  splunk_hec:
    token: "<hidden>"
    endpoint: "https://<hidden>:8088/services/collector"
    source: "toolchainotel"
    sourcetype: "toolchain:test:metric"
    index: "onboarding_metric"
    tls:
      insecure_skip_verify: true
You might be able to use the change stanza for the input to set up multiple tokens based on the value selected. For example, your value in the dropdown could have 3 parts delimited by some character, e.g. a colon. The change stanza would then process the value and set 3 different tokens based on the 3 parts of the value.
Based on the dropdown list value, how do I change the search string in each panel? For example, for a panel to load, the search string will vary as below:

index=test (source="/test/log/path/test1.log" $param1$ c="$param2$" $dropdownlistvalue1$ $dropdownlistvalue1$)

As the log path is different, all my params vary. So how can I change the index based on the dropdown list value?
@ITWhisperer @scelikok I created the two regexes below and I think they are working fine from the UI.

| rex field=_raw mode=sed "s/Password\>([A-Za-z0-9]+)/Placeholder/g"
| rex field=_raw mode=sed "s/UserId\>([A-Za-z0-9]+)/UserID/g"

One question: shall I apply the same regex in transforms.conf?
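An added example, not part of the thread above and not Splunk's own code, that emulates the poster's two `rex mode=sed` expressions with Python's `re.sub` on constructed sample events. It shows what the posted rules actually replace, and it checks whether the value after `Password>` is completely gone from the masked event. The sample events, the `STRICT_RULES` variant (matching `\S+` instead of `[A-Za-z0-9]+`) and all function names are assumptions of this example.

```python
import re

# Constructed sample events (not from the thread) in the key>value layout
# the posted sed expressions target.
SAMPLE_EVENTS = [
    "2024-03-12T10:00:01Z login ok UserId>jsmith42 Password>Xk7bQ2wz src=10.0.0.5",
    "2024-03-12T10:00:02Z login ok UserId>jdoe Password>P@ssw0rd! src=10.0.0.6",
]

# The two rules exactly as posted.
SED_RULES = [
    r"s/Password\>([A-Za-z0-9]+)/Placeholder/g",
    r"s/UserId\>([A-Za-z0-9]+)/UserID/g",
]

# Assumed variant: mask every non-whitespace character of the value and keep
# the key name, so the field stays searchable while the secret is gone.
STRICT_RULES = [
    r"s/Password\>\S+/Password>REDACTED/g",
    r"s/UserId\>([A-Za-z0-9]+)/UserID/g",
]


def parse_sed_rule(rule):
    """Split 's/pattern/replacement/flags' into its parts.
    Assumes '/' is the delimiter and does not appear unescaped in the pattern
    (true for every rule above)."""
    if not rule.startswith("s/"):
        raise ValueError("only substitution rules are supported")
    _, pattern, replacement, flags = rule.split("/", 3)
    return pattern, replacement, flags


def apply_sed_rules(event, rules):
    """Emulate rex mode=sed: rules are applied in order; the 'g' flag means
    replace all matches, its absence means replace only the first."""
    for rule in rules:
        pattern, replacement, flags = parse_sed_rule(rule)
        count = 0 if "g" in flags else 1
        event = re.sub(pattern, replacement, event, count=count)
    return event


def secret_after(event, key="Password>"):
    """Return the raw value that follows key (up to whitespace), or None."""
    match = re.search(re.escape(key) + r"(\S+)", event)
    return match.group(1) if match else None


def fully_masked(original, masked, key="Password>"):
    """True only if no suffix (2+ chars) of the original secret survives in the
    masked event. Checking suffixes catches the partial-match case where the
    regex stops at the first non-alphanumeric character and leaves the tail of
    the value in the indexed event."""
    secret = secret_after(original, key)
    if secret is None:
        return True
    return not any(secret[i:] in masked for i in range(len(secret) - 1))


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        for label, rules in (("posted", SED_RULES), ("strict", STRICT_RULES)):
            masked = apply_sed_rules(event, rules)
            print(f"{label:6} fully_masked={fully_masked(event, masked)!s:5} {masked}")
```

Running it shows that the posted rule masks an alphanumeric password completely, but a password containing `@` or `!` is only partially replaced because `[A-Za-z0-9]+` stops at the first special character; the `\S+` variant masks the whole token in both cases.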
You are right, I missed filtering again for exceptions. Please try the search below; you should see only correlationId exceptions that have no SUCCESS.

index="mulesoft" applicationName="s-concur-api" environment=PRD
| eventstats values(tracePoint) as TracePoints values(message) as Messages by correlationId
| search TracePoints="EXCEPTION" Messages!="*(SUCCESS)*"
| fields - TracePoints - Messages
| search tracePoint="EXCEPTION"
| transaction correlationId
| rename timestamp as Timestamp correlationId as CorrelationId tracePoint as TracePoint content.ErrorType as Error content.errorType as errorType content.errorMsg as ErrorMsg content.ErrorMsg as errorMsg
| eval ErrorType=if(isnull(Error),"Unknown",Error)
| dedup CorrelationId
| eval errorType=coalesce(Error,errorType)
| eval Errormsg=coalesce(ErrorMsg,errorMsg)
| table CorrelationId,Timestamp, applicationName, locationInfo.fileName, locationInfo.lineInFile, errorType, message,Errormsg
| sort -Timestamp
@scelikok Yes, it's working, but it's showing all the timestamps and all the messages. I just want to show the error message, not all transaction messages for the correlationId.
Could you please share your current otel config with us?
Hi @karthi2809, can you please try the search below with eventstats?

index="mulesoft" applicationName="s-concur-api" environment=PRD
| eventstats values(tracePoint) as TracePoints values(message) as Messages by correlationId
| search TracePoints="EXCEPTION" Messages!="*(SUCCESS)*"
| fields - TracePoints - Messages
| transaction correlationId
| rename timestamp as Timestamp correlationId as CorrelationId tracePoint as TracePoint content.ErrorType as Error content.errorType as errorType content.errorMsg as ErrorMsg content.ErrorMsg as errorMsg
| eval ErrorType=if(isnull(Error),"Unknown",Error)
| dedup CorrelationId
| eval errorType=coalesce(Error,errorType)
| eval Errormsg=coalesce(ErrorMsg,errorMsg)
| table CorrelationId,Timestamp, applicationName, locationInfo.fileName, locationInfo.lineInFile, errorType, message,Errormsg
| sort -Timestamp
Thanks! I have tried your setting, and unfortunately it still doesn't work. I have also discovered that XML data from Sysmon has the exact same problem: it won't pick up the time from the expected field in the XML data. The Sysmon stanza looks like this, and it matches the text in the XML:

[source::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
TIME_PREFIX = <Data Name='UtcTime'>
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
TZ = UTC

I have used btool to look for any other stanzas that would cause this, for example for the common xmlwineventlog sourcetype, but haven't found anything. Tips for debugging this are welcome!
Check out: Route and filter data - Splunk Documentation. If you have more specific questions about your data, just ask.
How to keep specific events and discard the rest in props.conf and transforms.conf

We are receiving a large amount of data which is onboarded to Splunk via tar files. We don't require monitoring all the events; we would need only some events with some data to be monitored, and the rest of the files/sources need to be sent to the nullQueue. Please give me some insights on it. Thanks in advance.
@tscroggins thanks for the steer. I'm close to getting this working, but when I implement the transform it drops my event. The event line looks as follows:

SOMEDATA NO_CLIENT_SITE: MYSYSTEM 10.15.37.48

My props.conf is as follows:

[netlogon]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
pulldown_type = 1
TRANSFORMS-netlogon_send_to_nullqueue = netlogon_send_to_nullqueue

My transforms.conf:

[netlogon_send_to_nullqueue]
REGEX = ^(?!NO_CLIENT_SITE).
DEST_KEY = queue
FORMAT = nullQueue

Is it the regex at fault here? I have been playing with it at regex101: build, test, and debug regex but I cannot see the issue.
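An added example, not part of either post above and not Splunk's own code, that serves both the general "keep some events, nullQueue the rest" question and the netlogon transform in the last post. It emulates a `TRANSFORMS-*` chain with `DEST_KEY = queue` (each `REGEX` is an unanchored search over the raw event, and the last matching transform's `FORMAT` wins) and runs the posted regex against the posted event line plus constructed neighbours. The `ALTERNATIVE_TRANSFORM` regex and the two-transform `RESCUE_CHAIN` (drop everything, then route matching events back to `indexQueue`, the pattern the "Route and filter data" docs describe) are assumptions of this example, as are the sample events other than the posted one and all function names.

```python
import re

# Constructed sample events (only the first is from the post above).
SAMPLE_EVENTS = [
    "SOMEDATA NO_CLIENT_SITE: MYSYSTEM 10.15.37.48",   # should be kept
    "NO_CLIENT_SITE: OTHERHOST 10.15.37.49",           # should be kept
    "SOMEDATA DC_SITE: MYSYSTEM 10.15.37.50",          # should be dropped
]

# The transform exactly as posted: whatever REGEX matches goes to the nullQueue.
POSTED_TRANSFORM = {
    "REGEX": r"^(?!NO_CLIENT_SITE).",
    "DEST_KEY": "queue",
    "FORMAT": "nullQueue",
}

# Assumed alternative: let the negative lookahead scan the whole line, so a
# NO_CLIENT_SITE marker anywhere in the event keeps it out of the nullQueue.
ALTERNATIVE_TRANSFORM = {
    "REGEX": r"^(?!.*NO_CLIENT_SITE).",
    "DEST_KEY": "queue",
    "FORMAT": "nullQueue",
}

# Assumed two-step chain: first transform drops everything, second rescues
# the events of interest. Order matters, because the last match wins.
RESCUE_CHAIN = [
    {"REGEX": r".", "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    {"REGEX": r"NO_CLIENT_SITE", "DEST_KEY": "queue", "FORMAT": "indexQueue"},
]


def route_event(event, transforms, default_queue="indexQueue"):
    """Return the queue an event ends up in after applying the transforms in
    order. REGEX is an unanchored PCRE-style search over the raw event, so a
    leading '^' only matches at the very start of the event."""
    queue = default_queue
    for transform in transforms:
        if transform["DEST_KEY"] != "queue":
            continue
        if re.search(transform["REGEX"], event):
            queue = transform["FORMAT"]
    return queue


def kept_events(events, transforms):
    """Events that would reach the index under the given transform chain."""
    return [e for e in events if route_event(e, transforms) == "indexQueue"]


if __name__ == "__main__":
    for label, chain in (("posted", [POSTED_TRANSFORM]),
                         ("alternative", [ALTERNATIVE_TRANSFORM]),
                         ("rescue chain", RESCUE_CHAIN)):
        print(label)
        for event in SAMPLE_EVENTS:
            print(f"  {route_event(event, chain):10} {event}")
```

The output makes the posted behaviour visible: `^(?!NO_CLIENT_SITE).` only checks the first characters of the event, so `SOMEDATA NO_CLIENT_SITE: ...` does not start with the marker, the regex matches and the event is discarded; the event that begins with `NO_CLIENT_SITE` survives. Both the lookahead-over-the-whole-line variant and the drop-then-rescue chain keep the two marker-bearing events and discard the third.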