Hi @ITWhisperer @PickleRick, yes, the sample event I gave you earlier was the output of that event only. The whole command works as the main search, but if I put the same thing as a subsearch, it doesn't work.
Hi @syk19567, it's a bug that I requested to solve for one of our biggest customers: if you tested a regex containing a backslash in regex101 and it runs, to use this regex in a search you have to add two more backslashes to each backslash. If instead you want to use this regex in a field extraction, you have to use the regex from regex101 (the one with one backslash). So the regex to use in a search is:

| rex "\\\\\"submission_id\\\\\":(?<submission_id>\d+)"

Instead, the regex to use in the extracted field (and in regex101) is:

\\\"submission_id\\\":(?P<submission_id>\d+)

In addition, if you try to use the IFX on the same sourcetype, you get an error and you cannot use IFX. As I said, I asked to solve this bug but they didn't give me a date. Ciao. Giuseppe
You need to double up on some of your backslashes:

| rex "\\\"submission_id\\\\\":(?<subID>\d+)"

Essentially, the rex command goes through an extra step of string parsing, so backslashes have to be escaped an extra time.
You need to start breaking it down to find where the problem is - start with just:

sourcetype="my_source" "failed request, request id=" | rex "failed request, request id=(?<request_id>[\w-]+)"

Do you get any results/values in request_id?
Hi community, I'm using rex to get some strings. The log is like:

\"submission_id\":337901

The regex I'm using is:

\"submission_id\\\":(?<subID>\d+)

It works well on regex101: https://regex101.com/r/Usr7Ki/1

However, in Splunk, it doesn't find anything. The command is (I just added double quotes to wrap the regex):

rex "\"submission_id\\\":(?<subID>\d+)"

Any ideas and suggestions are appreciated!
Hi @jmrubio, usually Heavy Forwarders are used to ingest syslogs. Then your HF should forward data to both the Indexers. Then you should also have a Search Head to search data on the two indexers. Then usually, to avoid a Single Point of Failure, it's better to have two HFs with a Load Balancer in front of them that manages load distribution and failover. Ciao. Giuseppe
Hello @ITWhisperer, I shared the screenshot and the step-by-step in the reply to @gcusello: /splunk/app/test_app/classicdashboard?form.student_token=$student_token$
Hello @gcusello, here's the screenshot and the steps. Thank you in advance.

On Dashboard Studio:
1) Put an icon and go to configuration
2) On configuration, I set a link to a second dashboard (classicdashboard): /splunk/app/test_app/classicdashboard?form.student_token=$student_token$
3) Go to View mode and click the icon

It opened 2 tabs, instead of only 1.
Hello! I am trying to send syslogs to Splunk from network devices using UDP. I have one heavy forwarder and two indexers; does it matter which indexer I set up to listen for the data?
Hi @pm11
please follow the steps below to reset the password:
go to <Splunk installation directory>/splunk/etc/ ; under this location there is a file called passwd, rename it to passwd.backup
go to the following location <Splunk installation directory>/splunk/etc/system/local and create a new file user-seed.conf; inside the user-seed file add the following contents:
[user_info]
USERNAME = admin
PASSWORD = <newpassword>
and restart Splunk from cmd:
<Splunk installation directory>/splunk/bin/
splunk restart
---- Regards, Sanjay Reddy
---- If this reply helps you, Karma would be appreciated
What is the most elegant way of searching for events where a field is not in a list of values? For example:
index=foo | iplocation foo_src_ip | search Country IN ("France", "United States")
works great.
But what if I want all events where the IP was not from those countries (the inverse answer), e.g. "Canada", "Mexico"?
Thanks for any assistance.
Bob