All Posts

Hi @karthi2809, if the first field is called app and the second is called OnDemandFileName, you can use this regex:

|rex field=message max_match=0 "API: START: \/v1\/expense\/extract\/demand\/(?<app>[^\/]+)\/(?<OnDemandFileName>.*)"

that you can test at https://regex101.com/r/uifAqM/1

Ciao.
Giuseppe
How do I extract the two fields from the message? In this case I need to extract, after API: START: /v1/expense/extract/demand/, nagl as one field and demand_con.csv as another field. I am extracting with:

|rex field=message max_match=0 "API: START: /v1/expense/extract/odemand/ (?<OnDemandFileName>[^\n]\w+\S+)"

Sample message:

API: START: /v1/expense/extract/demand/nagl/demand_con.csv
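As an added example (not the poster's code and not part of the thread), here is the regex from Giuseppe's answer above applied with Python's re module to the sample message from the question, so the two captures can be checked outside Splunk. Splunk's rex uses PCRE-style (?<name>...) groups; Python needs (?P<name>...), and the pattern is otherwise unchanged. The asker's original pattern is included only to show that it does not match the sample line (note the "odemand/ " with the extra letter and literal space). The extra log lines and the summarize helper are constructed for this example.

```python
import re
from collections import defaultdict

# Sample message copied from the question.
SAMPLE = "API: START: /v1/expense/extract/demand/nagl/demand_con.csv"

# Giuseppe's regex, with group syntax rewritten for Python's re.
ANSWER_PATTERN = re.compile(
    r"API: START: /v1/expense/extract/demand/(?P<app>[^/]+)/(?P<OnDemandFileName>.*)"
)

# The asker's original attempt, kept only to show it does not match SAMPLE.
ORIGINAL_PATTERN = re.compile(
    r"API: START: /v1/expense/extract/odemand/ (?P<OnDemandFileName>[^\n]\w+\S+)"
)


def extract_fields(message, pattern=ANSWER_PATTERN):
    """Return the named-group captures for one message, or {} when it does not match."""
    m = pattern.search(message)
    return m.groupdict() if m else {}


def summarize(messages):
    """Group extracted file names by app over many messages (like max_match=0 over
    several events); lines that do not match the pattern are skipped."""
    by_app = defaultdict(list)
    for line in messages:
        fields = extract_fields(line)
        if fields:
            by_app[fields["app"]].append(fields["OnDemandFileName"])
    return dict(by_app)


# Constructed log lines for the example (not real data).
CONSTRUCTED_LOG = [
    SAMPLE,
    "API: START: /v1/expense/extract/demand/nagl/demand_expense.csv",
    "API: START: /v1/expense/extract/demand/euro/demand_con.csv",
    "API: END: /v1/expense/extract/demand/nagl/demand_con.csv",  # not a START line
]

if __name__ == "__main__":
    print(extract_fields(SAMPLE))                    # {'app': 'nagl', 'OnDemandFileName': 'demand_con.csv'}
    print(extract_fields(SAMPLE, ORIGINAL_PATTERN))  # {}
    print(summarize(CONSTRUCTED_LOG))
```

The pattern is anchored on the literal path prefix, so any message with a different prefix (such as the API: END line above) is ignored rather than producing a partial capture.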
We have had a second instance of this happening overnight. Last night's update is 4.18.24020.7. The previous update that caused this issue was 4.18.23110.3. Both are showing up in Event Viewer as event ID 2014.
I know this question is old and probably not relevant for you anymore; however, I stumbled over the same issue and wanted to share a possible solution. I could not find any documentation on why mvindex is not working with negative values in the dashboards, however there is a workaround.

<eval token="mvIndexValue">mvcount(<mvfield>)-1</eval>
<eval token="lastValue">mvindex(<mvfield>, $mvIndexValue$)</eval>

I think it's pretty ugly, but so far I have not found a better solution.
Hi @spkriyaz, could you please share the detailed step-by-step procedure to apply this solution?
When adding a Time Range Picker in Dashboard Studio, the formatting for the date and time range is month day year. How do I change this formatting to day month year?

How it shows: [screenshot]
How I want it to show: [screenshot]
The delete command "deletes" the events which are in the pipeline; tstats does not return the events, so this is unlikely to work. Having said that, I am not sure what happens if you do manage to delete the events from the index, i.e. whether the stats returned by tstats change.
@HemanthCR7 Hi Hemanth, it depends on your organization; sometimes you encounter this problem when attempting to register using your corporate email, because external emails may be blocked by certain businesses. Should that be the case, open a support ticket and examine your spam folder.
| rex "\"address\":\"(?<api>[\w\/:]+?)(?=([a-z0-9]+\-[a-z0-9-]+)|$)"

https://regex101.com/r/vFdbh7/1
@smitbelani Please have a look Notification when a new update is released - Splunk Community 
Hi @tamir, my solution is to save the extraction in a field extraction; if you want to use the regex in a search, you have to add it to a search:

index=your_index | rex field=source "Snowflake\/(?<folder>[^\/]+)"

Ciao.
Giuseppe
Hi @Deprasad, please try this regex:

| rex "\"address\":\"(?<uri>https*:\/\/[^\/]+\/[^\/]+\/[^\/]+)"

that you can test at https://regex101.com/r/Umz02I/1

If you already extracted the full APP value (and it's called "api_url"), you can use a different regex:

| rex field=api_url "(?<uri>https*:\/\/[^\/]+\/[^\/]+\/[^\/]+)"

Ciao.
Giuseppe
Is there a feature which notifies you of a new release of a Splunk version? Maybe via email, or by subscribing to a newsletter or something?
Try something like this:

index=mmuh_helpdesk sourcetype=mmuh_helpdesk_json
| dedup id
| fillnull value=NULL
| search "problemtype.detailDisplayName"!=*AGRESSO*
| eval problem_detail='problemtype.detailDisplayName'
| eval problem_detail=replace(problem_detail, "&#8226","")
| eval problem_detail=replace(problem_detail, ";","|")
| eval techGroupLevel = 'techGroupLevel.levelName'
| eval techGroupLevel = replace(techGroupLevel, "&nbsp;"," ")
| eval techGroupLevel = replace(techGroupLevel, " ","")
| eval techGroupLevel = replace(techGroupLevel, "Level"," Level")
| eval location_Name = 'location.locationName'
| eval status = 'statustype.statusTypeName'
| eval priority = 'prioritytype.priorityTypeName'
| eval techGroupId = 'techGroupLevel.id'
| eval tech_Name = 'clientTech.displayName'
| eval problem_classification=if(match(problem_detail,".*email.*"), "email problem", problem_detail)
| stats count by problem_classification
I have the 3 different types of API logs below, where I have to treat all 3 as the same and get the count of the API. There are multiple versions of the same API, with or without the user guid, which is a unique value.

"address":"http://test/services/user/v1/deleteUser/342ad-123m4-r43rm-144dgdg
"address":"http://test/services/user/v2/deleteUser/delete/342ad-123m4-r43rm-144dgdg
"address":"http://test/services/user/v2/deleteUser

Looking for a regex which reads the API until the alphanumeric string starts. In short, if I do stats count by API it should give the count as 3.
Hi guys, thank you in advance. Is it possible to use a value of the search result as a parameter in |sendmail from=" ? " In | sendmail to=" we can use results.mail_to", but in the case of | sendmail from="results.mail_from" it doesn't work. We already disabled the security options for this. For example:

index="main" | eval mail_from = "username@mail.com" | eval mail_to = "username@mail.com" | eval subject = "subject" | table username age country city | sendemail to=$result.mail_to$ from= $result_mail_from$ subject=$results.subject$ message="This is an example message" sendresults=true inline=true format=table sendcsv=true
Fair enough. I wish there was a Splunk way to push these changes to system/local that didn't include a third party application.   Would you recommend show config vs btool in this case?
Hi @kiran_panchavat, could you please help me with this?
I have the same issue. So, you are saying that from the certifi library I can extract the path to the SSL certificate bundle and pass it to the post request as an argument, right? Now, I want to clarify something: the add-on application I have developed needs to be distributed to the clients, so, according to this link: https://community.splunk.com/t5/Splunk-Cloud-Platform/How-do-I-go-about-publishing-a-Splunk-Technical-Add-On/m-p/633127#M2081 does the client need to put their bundled certificate themselves into the app directory, and use your code to retrieve the path of the cert and pass it as an argument to the post request?
Good morning. I have a field that I've called problem_detail in our Helpdesk index. It contains all the types of problems that are logged to us. I would like to only merge those that are associated with email queries together; there are about 15 different ones.

index=mmuh_helpdesk sourcetype=mmuh_helpdesk_json
| dedup id
| fillnull value=NULL
| search "problemtype.detailDisplayName"!=*AGRESSO*
| eval problem_detail='problemtype.detailDisplayName'
| eval problem_detail=replace(problem_detail, "&#8226","")
| eval problem_detail=replace(problem_detail, ";","|")
| eval techGroupLevel = 'techGroupLevel.levelName'
| eval techGroupLevel = replace(techGroupLevel, "&nbsp;"," ")
| eval techGroupLevel = replace(techGroupLevel, " ","")
| eval techGroupLevel = replace(techGroupLevel, "Level"," Level")
| eval location_Name = 'location.locationName'
| eval status = 'statustype.statusTypeName'
| eval priority = 'prioritytype.priorityTypeName'
| eval techGroupId = 'techGroupLevel.id'
| eval tech_Name = 'clientTech.displayName'
| stats count by problem_detail

This SPL is giving me the full list of 158 problem details, and from there I can see around 15 of these relate to email. Is there a way I can combine the totals from all the problem_details that contain 'email' together? I tried eval and then coalesce but it didn't work :( Thank you