All Posts

Yes, if you get an app containing the field extractions, like the Apache Web Server app, then set the sourcetype to the ones to which the field extractions apply (usually listed in the app documentation or config files), and you will have field extractions. The other way is to put the logs in JSON format, but that may not work so great with these logs.
Yes, it is active in Cloud Monitoring Console and receives events in _internal.
It turns out the cause of my issue was another rex statement down the line that hadn't been updated to match the renamed string. It used (?<Foo>\D\d*)-0, which matched the string before the replacement; the statement is now (?<Foo>\D*\d)-0. Apologies for my confusion. I've marked your efforts as the solution, as the backslash was indeed not needed. Thank you and have some Karma for your efforts.
Try something like this:
| foreach * [| eval "<<FIELD>>"=round('<<FIELD>>',2)."%"]
Is there a way to change the permissions of all lookups in an app?
Please help with the following:
1) Instead of values like 2.8685303234545950 I want to restrict to 2 decimal places, like 2.87
2) I want to append "%" at the end of 2.87, like 2.87%

index=MyPCF
| fields server_instance cpu_percentage
| timechart max(cpu_percentage) as CPU_Percentage by server_instance usenull=true limit=0

Below is the current output I get:

_time                server1             sevrer3             server4             server5
2024-03-21 13:45:00  3.1049753795247880  2.6818978525900086  3.0970366478143334  2.6279363289367494
2024-03-21 13:46:00  2.9336478352933097  2.4579778020150926  2.9602531790679110  2.9074405642281490
2024-03-21 13:47:00  2.9608714340953393  2.5579155086951600  2.7920194409649772  3.2610313588043978
2024-03-21 13:48:00  3.5946875229937634  2.5006464331193965  3.1106486461269176  3.7073668015974173
2024-03-21 13:49:00  2.8303159134216944  3.5756938476048900  3.4757319466032990  2.9783098006952250
2024-03-21 13:50:00  3.0067950036354420  2.2524125280871740  3.0493445107055930  2.2877333705021860
2024-03-21 13:51:00  2.7526861431818790  2.5427731042748785  3.0946836167596232  2.7477304760698664
2024-03-21 13:52:00  3.4172636751835066  2.730991461075761   2.7698859629286040  2.6296901815909903
2024-03-21 13:53:00  2.5957496530754254  2.1086391909665694  2.6025759149116060  2.4142703772570730
2024-03-21 13:54:00  2.7321368209680920  2.5317849096196980  2.8368213301356677  3.0664957483386470
The search works as shown which probably means there is something different in your environment which hasn't been made clear to us. Please can you provide more details and examples of where this substitution is not working as expected?
Hi, I need help with my Windows security logs: how can we create the lateral movement use case?
You could try using an HTML panel with some text using the HTML codes for arrows, &larr; &rarr; etc.
Yeah I tried that first, but other related issues on the boards led me to try it with the backslash. It returns the same results.
You don't need the backslash - here is a runanywhere example showing it working:
| makeresults
| fields - _time
| eval ThisField=split("01-g01-0 01-g02-0 01-g03-0"," ")
| mvexpand ThisField
| rex field=ThisField mode=sed "s/g0/GRN/g"
Hi, you should remove the \ before G. r. Ismo
Stats combined the unique correlation ID.
Hello world, I'm trying to use rex to rename the part of the strings below where it says "g0" to "GRN", so the output would read 01-GRN1-0, 01-GRN2-0, etc. I have been unable to get it to work and any guidance to point me in the right direction would be much appreciated.

The rex statement in question:
| rex field=ThisField mode=sed "s/g0/\GRN/g"

Example strings:
01-g01-0
01-g02-0
01-g03-0
Based on your SPL and screenshot it seems to be an MV field. Some of your stats have combined it from several correlationId values, or whatever you have after by in stats.
Hi. Probably you missed the :port part from your input? Without : it doesn't parse that input correctly. You could see e.g. https://community.splunk.com/t5/Getting-Data-In/udp-portnumber-Event-Blacklist-How-do-I-prevent-unwanted-data/m-p/613039 You have a typo in the transforms.conf name in your examples, but probably it's correct on your HF? And have you restarted it after modifying those configurations? r. Ismo
Darn. Nope. All those conditions check out OK in my environment. New indexes are where they should be, it's a stand-alone deployment manager, etc.
No, I haven't, thanks! Missed this in the release notes... Will let you know how it works out.
The condition is not working for me:
like('message' ,"%End of GL-import flow%") AND like('tracePoint',"EXCEPTION") ,"SUCCESS",
If the message value = End of GL-import flow and the tracePoint value = EXCEPTION then it should be SUCCESS. Screenshot attached below.

index="mulesoft" applicationName="p-oracle-finance-ext" environment=DEV (*End of GL-import flow*) OR (tracePoint="EXCEPTION") OR (priority="WARN" AND message="GLImport Job Already Running, Please wait for the job to complete*") OR ( message="End of GL Import process - No files found for import to ISG")
| rename content.File.fstatus as Status
| eval Status=case(
    like('Status' ,"SUCCESS") ,"SUCCESS",
    like('message' ,"%End of GL-import flow%") AND like('tracePoint',"EXCEPTION") ,"SUCCESS",
    like('tracePoint',"EXCEPTION") AND like('priority' ,"%ERROR%"),"ERROR",
    like('Status',"ERROR"),"ERROR",
    like('priority',"WARN"),"WARN",
    like('priority',"GLImport Job Already Running, Please wait for the job to complete%"),"WARN",
    like('message',"%End of GL Import process - No files found for import to ISG%"), "ERROR",
    1==1, "")
| stats values(content.File.fid) as "TransferBatch/OnDemand" values(content.File.fname) as "BatchName/FileName" values(content.File.fprocess_message) as ProcessMsg values(Status) as Status values(content.File.isg_file_batch_id) as OracleBatchID values(content.File.total_rec_count) as "Total Record Count" values(message) as message values(timestamp) as timestamp values(content.errorType) as errorType by correlationId
| eval ProcessMsg= coalesce(ProcessMsg,errorType,message)
| eventstats min(timestamp) AS Start_Time, max(timestamp) AS End_Time by correlationId
| eval StartTime=round(strptime(Start_Time, "%Y-%m-%dT%H:%M:%S.%QZ"))
| eval EndTime=round(strptime(End_Time, "%Y-%m-%dT%H:%M:%S.%QZ"))
| eval ElapsedTimeInSecs=EndTime-StartTime
| eval "Total Elapsed Time"=strftime(ElapsedTimeInSecs,"%H:%M:%S")
| table Status Start_Time "TransferBatch/OnDemand" "BatchName/FileName" ProcessMsg OracleBatchID "Total Record Count" ElapsedTimeInSecs "Total Elapsed Time" correlationId
| join correlationId type=left
    [ search index="mulesoft" applicationName="p-oracle-finance-ext" environment=DEV (message="API: START: /v1/revpro-to-oracle/onDemand*") OR (message="API: START: /v1/fin_Zuora_GL_Revpro_JournalImport") OR (message="API: START: /v1/revproGLImport/onDemand*")
    | eval JobType=case(
        like('message',"API: START: /v1/revproGLImport/onDemand%"),"OnDemand",
        like('message',"API: START: /v1/revpro-to-oracle/onDemand%"),"OnDemand",
        like('message',"API: START: /v1/fin_Zuora_GL_Revpro_JournalImport"),"Scheduled")
    | table JobType correlationId ]
| table Status JobType Start_Time "TransferBatch/OnDemand" "BatchName/FileName" ProcessMsg OracleBatchID "Total Record Count" ElapsedTimeInSecs "Total Elapsed Time" correlationId
| fields - ElapsedTimeInSecs
| where JobType!=" "
Hi. Have you read this https://docs.splunk.com/Documentation/Splunk/9.2.0/Updating/Upgradepre-9.2deploymentservers ? r. Ismo