All Posts
Hello, how do I obtain an NFR license (or the like)? We have integrations with Splunk but no way to test/evaluate them. The previous parties that handled this are no longer with the company and we don't have much information.
Regex is a pattern matching algorithm. The problem with dummy data as you have provided is that if it doesn't accurately enough match the actual data, the regex used will not work. Please share an accurate representation of your events in a code block </> so that formatting is preserved as this is important for pattern recognition.
Hi @thaghost99, for a new question it is always better to open a new case, so more people can help you. In this case, the only way is to modify the CSS, but I cannot help you with this. Ciao. Giuseppe
Hello, have you found how to make the refresh token work?
It's still not working. Below is my full event:
c.l.s.d.a.NotificationResourceController : API EXECUTION TIME|field1|field2|field3|field4|field5|field6|field7
field1 - time in ms
field2/field3 - mode of comms in caps letter
field4 - brand in caps letter
field5 - templateName( e.g. XX_YYYYYYY_ZZZ_XXX )
field6 - hashID
field7 - responsecode (2xx,3xx,4xx or 5xx)
Try something like this:
index=myindex source="/var/log/nginx/access.log" | bin _time span=30m | stats count as total count(eval(status!=200)) as fail by _time | eval percent= round(fail*100/total,2)
| rex field=line "(?<ID>\w+)_ETC_RFG:.*/(?<NUM>\d+)" | eval ETC="ETC", RFG="RFG"
Your regex does not match your sample events. For example, the logger1 regex could look like this (assuming your example event is accurate):
| rex "\<LoggerName\d\>\|(?<time>\w+)\|(?<Service>\w+)\|(?<Type>\w+)\|(?<brand>\w+)\|(?<template>\w+)\|(?<hashId>[\w-]+)\|(?<Code>\w+)"
Thank you @gcusello, solution accepted.

Side question, or an easy one: I was googling how to increase the width of an input field, but I see mostly HTML, and I only have <form> on mine. How can I change the width of the below input?
<input type="multiselect" token="field1" searchWhenChanged="true">
  <label>Select Hostname</label>
  <fieldForLabel>Hostname</fieldForLabel>
  <fieldForValue>Hostname</fieldForValue>
  <search>
    <query>index = 1234 </query>
    <earliest>-7d@h</earliest>
    <latest>now</latest>
  </search>
  <delimiter> OR </delimiter>
</input>
Forgive me, I'm new to this. I've updated the config file and restarted the service. Is there anything else I should be doing to be able to search logs on my instance, or do I need to do some sort of registration over on the Splunk instance? We're using cloud. Many thanks!
Exactly what have you tried?
Hi @thaghost99, good for you, see you next time! Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated
Sorry if I confused you. Yes, ETC and RFG are fixed and need to be added in the table.
Log line:
05:02:05.213 Txt 46000 008a456b37de5982_ETC_RFG: (Q056) play this message id:announcement/4637825, duration:58
I tried to get the result with the below query, but it is not working properly:
index=dg_hdgf_yrgt "(Q056) play this message" | rex field=_raw "Txt\s+46000\s+(?<IDvalue>\w+)" | rex field=_raw "announcement/(?<messagefile>\d+)" | where NOT isnull(messagefile) | mvexpand IDvalue | makemv IDvalue delim="_" | eval IDvalue=mvindex(IDvalue,0) | eval ENV=mvindex(IDvalue,1) | eval LOB=mvindex(IDvalue,2) | search LOB=RFG | table IDvalue,ENV,LOB,messagefile
Oh man, you are super fast @gcusello, and it works just how I want it to. You are amazing. Thank you very very much.
Logger 1 events:
2024-02-08 16:46:00.353 INFO 54208 ---[XX_XX:XXX-XX-XXX][cutor-thread-22] XXXXXXXXX : <LoggerName1>|17327025|field|field|field|field|field|200

Logger 2 events:
2024-02-13 13:58:24.174 INFO 54208 ---[XX_XX:xx-xxx-xxx][utor-thread-XXX] c.l.s.d.a.XXXXXXX : XXX-XXX-20000: XXX: true, XXX: XXXXXXXXXXX0305a8a3f369f518, XXXX: 6shfsgj7601f909<LoggerName2> {notificationDetails={key=XXX, key=hXXXXXn@XX.com , key=XXXXX, key=XXX, key=donotreply@XXX.co.uk, key=XXX63801, key=XXX_20240213, key=XXX_BATCH}, templateVariables={key=XXXX7757, key=9NE, key=Mr, key=Mau}} , 583d6bc3-5e7d-4af8-a626-22db8bb50cb9
Hi @thaghost99, please try this regex: (?<my_field>.*ethernet[^\n]+(\n.*){5}) that you can test at https://regex101.com/r/6MlmNV/1 Ciao. Giuseppe
Hi, I would like some help on how to extract the next 5 lines after a keyword, where it also extracts the full line the keyword is part of. Example below, where the keyword is 'ethernet':
**********************************************
Redundant-ethernet Information:
Name Status Redundancy-group
reth0 Down Not configured
reth1 Up 1
reth2 Up 1
reth3 Up 1
reth4 Down Not configured
reth5 Down Not configured
reth6 Down Not configured
reth7 Down Not configured
reth8 Down Not configured
reth9 Up 2
Redundant-pseudo-interface Information:
Name Status Redundancy-group
lo0 Up 0
*****************************************

An example value of the field would now be:
Redundant-ethernet Information:
Name Status Redundancy-group
reth0 Down Not configured
reth1 Up 1
reth2 Up 1
reth3 Up 1

Thanks, if it can be generic enough so that I can use it for other rex searches of similar data.
I tried in many ways but I am not getting expected output 
Hi @MorgenHepton, did you configure your UF to send logs to the Indexer? For more info see https://docs.splunk.com/Documentation/Forwarder/9.2.0/Forwarder/Configuretheuniversalforwarder Ciao. Giuseppe