All Posts
Hello @MVK1, can you please share a sample event or an example along with the expected results so that we can understand the query better?
Hello, I have a Splunk query returning my search results:

    index="demo1" source="demo2"
    | rex field=_raw "id_num \{ data: (?P<id_num>\d+) \}"
    | rex field=_raw "test_field_name=(?P<test_field_name>.+)]:"
    | search test_field_name=test_field_name_1
    | table _raw id_num
    | reverse
    | filldown id_num

From the above table, _raw may have *fail_msg1* or *fail_msg2*. I have created a lookup file sample.csv with the following content:

    Product,Feature,FailureMsg
    ABC,DEF,fail_msg1
    ABC,DEF,fail_msg2

I want to search whether the FailureMsg field (fail_msg1 OR fail_msg2) is found in _raw of my Splunk query search results and return only those matching lines. If they (fail_msg1 OR fail_msg2) are not found, return nothing. Could you please share how to write lookup or inputlookup for fetching these results? If those
Hello @optsplunk, I would suggest making this available as an Idea under https://ideas.splunk.com/ for the Splunk Product team to look over.
Would you mind sharing the serverclass.conf file?
Yes, filtering by OS. Rebuilt the DS from scratch, set filters (using the OS filter). All Linux servers receive the Linux TA. All Windows servers receive the Linux TA, and confirmed the OS filter, again.
Hi, in Splunk you can get it like this:

    | makeresults
    | eval _raw = "Ex:- <abc>WoW</abc> <xyz>SURE</xyz>"
    ``` above prepare test event ```
    | rex "(?ms)<abc>(?<abc>[^<]+)<\\/abc>.*<xyz>(?<xyz>[^<]+)<\\/xyz>"

A nice place to test those is regex101.com. Here is a link to your case: https://regex101.com/r/iBvAPm/1

When you are converting those for Splunk, there is usually a need to add some additional escape characters, as Splunk preprocesses that regex and removes some \ characters.

r. Ismo
Hello @tlmayes, how are you whitelisting the hosts? Do you just want to use this nice feature of filtering everything by the OS type? Screenshot below -

With the above way, you can create 2 separate server classes for Windows and Linux and whitelist all the hosts. Please accept the solution and hit Karma, if this helps!
Oh, we will need to add max_match=0 in rex. Example below:

    | rex field=_raw "CmdSet=\[(?<CmdSet>[^\]]+)\]"
    | rex field=CmdSet max_match=0 "CmdArgAV=(?<CmdArgAV>[^\s]+)"

Can you please have a check and let me know how it goes?
Great! The 'search' function worked as intended, instead of 'join'.
Hi @meetmshah, thanks for your reply, but it is not working as expected.
Hello @doeboy, where are you firing the command (on which instance)? The command you mentioned, "./splunk show cluster-bundle-status", is meant for the Cluster Manager and not for Peers. Here is the Splunk Doc for your reference: https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/Updatepeerconfigurations#Use_the_CLI_to_view_the_status_of_the_bundle_push

It feels like you are trying to run the command on Indexer Peers. Can you please run it on the Cluster Manager and see if you are able to view the status as expected?

Please accept the solution and hit Karma, if this helps!
I have mixed data of ADFS logs; mixed in the sense that I have non-XML as well as XML-formatted data in the same event. Now my requirement is to extract the field from the XML format.

Ex:- <abc>WoW</abc> <xyz>SURE</xyz>

Now, both the lines are in the same event. I want to have two fields called "abc" and "xyz" with the corresponding values WoW and SURE.

Kindly help !!
Hello @sushraw, can you please try the below:

    | rex field=_raw "CmdSet=\[(?<CmdSet>[^\]]+)\]"
    | rex field=CmdSet "CmdArgAV=(?<CmdArgAV>[^\s]+)"

Please accept the solution and hit Karma, if this helps!
Please create a support case with Splunk Support to ask about this option.
Hi @satyaallaparthi, what's the result you're waiting for? Do you want to filter the first lookup using the second? In this case, try this:

    | inputlookup unix.csv
    | eval sys_name = lower(FQDN)
    | search [ | inputlookup inventory.csv | eval sys_name = lower("*".sys_name."*") | fields sys_name ]
    | table Status sys_name host-ip "DNS Name"

If instead you want to take values from both the lookups, you can use the lookup command (https://docs.splunk.com/Documentation/SCS/current/SearchReference/LookupCommandOverview) in this way:

    | inputlookup unix.csv
    | eval sys_name = lower(FQDN)
    | lookup inventory.csv sys_name
    | table Status sys_name host-ip "DNS Name"

My only doubt is that in the two lookups the sys_name has a different format. In this case, my hint is to elaborate the lookup to have another lookup with the correct sys_name.

Ciao. Giuseppe
Hello @meetmshah, I would like to thank you for your reply, but I am looking to extract the 'CmdSet' field. I am using

    rex field=CmdSet "CmdAV=(?<Command>[^\s]+)|\sCmdArgAV=(?<Command1>[^\s]+)"

but it is giving output only till the 1st CmdArgAV value.
Hi @asimsk84, sorry, but why do you want to use a script to clean old Splunk data files? You can set up a retention time (adding to each index the parameter frozenTimePeriodInSecs) and Splunk automatically removes the old buckets in the correct way.

Ciao. Giuseppe
I have two lookups, one with 460K rows and another with 10K rows. I used join to get the 10K results from the 460K rows; however, join is not working and not returning any results. I used table and stats in both lookups, though no results.

Below is the query I used:

    | inputlookup unix.csv
    | eval sys_name = lower(FQDN)
    | join sys_name [| inputlookup inventory.csv | eval sys_name = lower("*".sys_name."*") | table Status sys_name host-ip "DNS Name" ]

and

    | inputlookup unix.csv
    | eval sys_name = lower(FQDN)
    | stats values(*) as * by sys_name
    | join sys_name [| inputlookup inventory.csv | eval sys_name = lower("*".sys_name."*") | table Status sys_name host-ip "DNS Name" ]

Any help would be greatly appreciated.
Ideally it should be managed locally in system/local; however, have you tried managing it through peer-apps? Peer-apps' precedence will be as follows:

1. Peer-app local directories -- highest priority
2. System local directory
3. App local directories
4. Peer-app default directories
5. App default directories
6. System default directory -- lowest priority

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles#Precedence_within_global_context.2C_indexer_cluster_peers_only

Please accept the solution and hit Karma, if this helps!
Hi @karthi2809, what do you mean by "pass parameters"? Do you have logs from this website, or something else?

Ciao. Giuseppe