All Posts

Hi @ITWhisperer @PickleRick, yes, the sample event I gave you earlier was the output of that event only. The whole command works as the main search, but if I put the same thing in as a subsearch, it doesn't work.
Rule of thumb in Splunk with rex: add \-characters until it works.
This blows my mind and I'm kinda lost. But this really works!! Thank you!
Hi @syk19567, it's a bug that I requested to solve for one of our biggest customers: if you tested a regex containing a backslash in regex101 and it runs, to use this regex in a search you have to add two more backslashes to each backslash. If instead you want to use this regex in a field extraction, you have to use the regex from regex101 (the one with one backslash). So the regex to use in a search is: | rex "\\\\\"submission_id\\\\\":(?<submission_id>\d+) whereas the regex to use in the extracted field (and regex101) is \\\"submission_id\\\":(?P<submission_id>\d+) In addition, if you try to use the IFX on the same sourcetype, you get an error and you cannot use IFX. As I said, I asked to solve this bug but they didn't give me a date. Ciao. Giuseppe
You need to double up on some of your backslashes | rex "\\\"submission_id\\\\\":(?<subID>\d+)" Essentially, the rex command goes through an extra step of string parsing, so backslashes have to be escaped an extra time.
You need to start breaking it down to find where the problem is - start with just sourcetype="my_source" "failed request, request id=" | rex "failed request, request id=(?<request_id>[\w-]+)" Do you get any results/values in request_id?
Hi community, I'm using rex to get some strings. The log is like \"submission_id\":337901 The regex I'm using is: \"submission_id\\\":(?<subID>\d+) It works well on regex101: https://regex101.com/r/Usr7Ki/1 However, in Splunk, it doesn't find anything. The command is (just added double quotes to wrap the regex) rex "\"submission_id\\\":(?<subID>\d+)"  Any ideas and suggestions are appreciated!
Sorry for my typo, it happened while editing the actual content. I did it exactly with one `=` but still no result.
I have to work with what I have so it's going from the hf to the indexers. Thanks for the response @gcusello !!
Hi @jmrubio, usually Heavy Forwarders are used to ingest syslogs. Then your HF should forward data to both the Indexers. Then you should also have a Search Head to search data on the two indexers. Then usually, to avoid a Single Point of Failure, it's better to have two HFs with a Load Balancer in front of them that manages load distribution and failover. Ciao. Giuseppe
Hello @ITWhisperer, I shared the screenshot and step by step in the reply to @gcusello
/splunk/app/test_app/classicdashboard?form.student_token=$student_token$
Hello @gcusello, here's the screenshot and steps. Thank you in advance.
On Dashboard Studio:
1) Put an icon and go to configuration
2) On configuration, I set a link to a second dashboard (classicdashboard)
/splunk/app/test_app/classicdashboard?form.student_token=$student_token$
3) Go to View mode and click the Icon
It opened 2 tabs, instead of only 1
Hello! I am trying to send syslogs to Splunk from network devices using UDP. I have one heavy forwarder and two indexers; does it matter which indexer I set up to listen for the data?
What are the plans for updating the automation?
Hi @pm11, please follow the steps below to reset the password.
Go to <SPlunk installation directory>/splunk/etc/ - under this location there is a file called passwd; rename it to passwd.backup.
Go to the following location <SPlunk installation directory>/splunk/etc/system/local and create a new file user-seed.conf. Inside the user-seed file add the following contents:
[user_info]
USERNAME = admin
PASSWORD = <newpassword>
and restart Splunk from cmd: <SPlunk installation directory>/splunk/bin/ splunk restart
---- Regards, Sanjay Reddy ---- If this reply helps you, Karma would be appreciated
Try index=foo | iplocation foo_src_ip | search NOT Country IN ("France", "United States")
So the data is duplicated in the raw event?
What is the most elegant way of searching for events where a field is not in a list of values? For example: index=foo | iplocation foo_src_ip | search Country IN ("France", "United States") works great. But what if I want all events where the IP was not from those countries (the inverse answer), like "Canada", "Mexico". Thanks for any assistance. Bob
@ITWhisperer, in Events only 1 event is returned, but when you look in Statistics the same 2 values are shown under destination in the table.
How can we integrate Atlassian tools like Jira with Splunk? What are the technical details that we need to have in order to connect Jira with Splunk?