All Posts

Rule of thumb in Splunk with rex: add \-characters until it works.
This blows my mind and I'm kinda lost. But this really works!! Thank you!
Hi @syk19567, it's a bug that I requested to solve for one of our biggest customers: if you tested a regex containing a backslash in regex101 and it runs, to use this regex in a search you have to add two more backslashes to each backslash. If instead you want to use this regex in a field extraction, you have to use the regex from regex101 (the one with one backslash).

So the regex to use in a search is:

| rex "\\\\\"submission_id\\\\\":(?<submission_id>\d+)"

Instead, the regex to use in the extracted field (and in regex101) is:

\\\"submission_id\\\":(?P<submission_id>\d+)

In addition, if you try to use the IFX on the same sourcetype, you get an error and you cannot use IFX. As I said, I asked to solve this bug but they didn't give me a date.

Ciao.
Giuseppe
You need to double up on some of your backslashes:

| rex "\\\"submission_id\\\\\":(?<subID>\d+)"

Essentially, the rex command goes through an extra step of string parsing, so backslashes have to be escaped an extra time.
You need to start breaking it down to find where the problem is. Start with just:

sourcetype="my_source" "failed request, request id=" | rex "failed request, request id=(?<request_id>[\w-]+)"

Do you get any results/values in request_id?
Hi community, I'm using rex to get some strings. The log is like:

\"submission_id\":337901

The regex I'm using is:

\"submission_id\\\":(?<subID>\d+)

It works well on regex101: https://regex101.com/r/Usr7Ki/1

However, in Splunk, it doesn't find anything. The command is (I just added double quotes to wrap the regex):

rex "\"submission_id\\\":(?<subID>\d+)"

Any ideas and suggestions are appreciated!
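The answers above all come down to the same mechanism: the text between the double quotes of `| rex "..."` is first read as an SPL string (which consumes one layer of backslashes) and only then handed to the regex engine. The script below, an added example rather than code from the thread, emulates those two layers so you can see what the regex engine actually receives for each of the three patterns posted above, and why the original one finds nothing. The SPL string rule it implements (`\\` becomes `\`, `\"` becomes `"`, every other backslash sequence such as `\d` passes through untouched) is an assumption that reproduces the behaviour reported in the thread, not an official specification. The sample event is constructed from the question, and the PCRE `(?<name>...)` group syntax is rewritten to Python's `(?P<name>...)` because Python's `re` only accepts the latter.

```python
import re

# Constructed sample event, taken from the question: the raw text contains literal
# backslashes before both double quotes.
EVENT = r'\"submission_id\":337901'

# The three patterns as they appear between the double quotes of the rex command.
# Python raw strings, so each backslash below is exactly one character.
PATTERN_ORIGINAL = r'\"submission_id\\\":(?<subID>\d+)'               # from the question
PATTERN_GIUSEPPE = r'\\\\\"submission_id\\\\\":(?<submission_id>\d+)'  # five backslashes
PATTERN_ITWHISPERER = r'\\\"submission_id\\\\\":(?<subID>\d+)'        # three, then five


def spl_unescape(literal):
    """Layer 1: what the SPL double-quoted string parser leaves behind (assumed rule).

    \\\\ -> \\ and \\" -> " ; any other backslash sequence is kept as-is so that
    regex escapes such as \\d survive into the pattern.
    """
    out = []
    i = 0
    while i < len(literal):
        if literal[i] == '\\' and i + 1 < len(literal) and literal[i + 1] in '\\"':
            out.append(literal[i + 1])   # consume the escaping backslash
            i += 2
        else:
            out.append(literal[i])       # unknown escape (e.g. \d): pass through
            i += 1
    return ''.join(out)


def to_python_regex(pcre):
    """Layer 2 is PCRE. Python's re needs (?P<name>...), so translate the PCRE
    named-group opener; the lookahead for a letter leaves (?<= and (?<! alone."""
    return re.sub(r'\(\?<(?=[A-Za-z])', '(?P<', pcre)


def rex(event, spl_literal, field):
    """Emulate `| rex "<spl_literal>"` on one event: return the captured field or None."""
    pattern = to_python_regex(spl_unescape(spl_literal))
    match = re.search(pattern, event)
    return match.group(field) if match else None


if __name__ == '__main__':
    for label, pat, field in (('question', PATTERN_ORIGINAL, 'subID'),
                              ('gcusello', PATTERN_GIUSEPPE, 'submission_id'),
                              ('ITWhisperer', PATTERN_ITWHISPERER, 'subID')):
        print(f'{label:12} regex engine sees: {spl_unescape(pat)!r:50} -> {rex(EVENT, pat, field)!r}')
```

Run it and the first line shows the engine receiving `"submission_id\":...`, i.e. a pattern for a quote that is not preceded by a backslash, which the event does not contain; the other two arrive as `\\"...\\"` or `\"...\\"`, both of which match the literal `\"` in the event. For a props.conf field extraction or regex101 there is no SPL string layer in front, which is why, as Giuseppe notes, the single-backslash form is the one to use there.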
Sorry for my typo, it happened while editing the actual content. I did it exactly with one `=` but still got no result.
I have to work with what I have so it's going from the hf to the indexers. Thanks for the response @gcusello !!
Hi @jmrubio, usually Heavy Forwarders are used to ingest syslogs. Then your HF should forward data to both the Indexers. Then you should also have a Search Head to search data on the two indexers. Then usually, to avoid a Single Point of Failure, it's better to have two HFs with a Load Balancer in front of them that manages load distribution and failover.

Ciao.
Giuseppe
Hello @ITWhisperer, I shared the screenshot and step by step in the reply to @gcusello.

/splunk/app/test_app/classicdashboard?form.student_token=$student_token$
Hello @gcusello, here are the screenshot and steps. Thank you in advance.

On Dashboard Studio:
1) Put an icon and go to configuration.
2) On configuration, I set a link to a second dashboard (classicdashboard):

/splunk/app/test_app/classicdashboard?form.student_token=$student_token$

3) Go to View mode and click the icon.

It opened 2 tabs, instead of only 1.
Hello!  I am trying to send syslogs to splunk from network devices using udp. I have one heavy forwarder and two indexers, does it matter which indexer i set up to listen for the data?
What are the plans for updating the automation?
Hi @pm11, please follow the steps below to reset the password.

1. Go to <Splunk installation directory>/splunk/etc/. Under this location there is a file called passwd; rename it to passwd.backup.
2. Go to the following location: <Splunk installation directory>/splunk/etc/system/local and create a new file user-seed.conf.
3. Inside the user-seed file add the following contents:

[user_info]
USERNAME = admin
PASSWORD = <newpassword>

4. Restart Splunk from cmd:

<Splunk installation directory>/splunk/bin/ splunk restart

----
Regards,
Sanjay Reddy
----
If this reply helps you, Karma would be appreciated
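The steps above as a script, added here as an example and not part of the reply. It assumes the first argument is the Splunk installation directory (the thread's "<Splunk installation directory>/splunk") and the second is the new password; the restart is left to the operator. The one thing it adds to the procedure is the handling a practitioner would want: the old passwd file is moved aside rather than deleted, the seed file is created with mode 600 because it holds the new password in clear text, and the password is read from an environment variable instead of being typed on the command line, so it stays out of shell history and `ps` output.

```sh
#!/bin/sh
# Added example (not from the thread). Stages the admin password reset:
#   stage_admin_reset <splunk_home> <new_password>
# then the operator runs "<splunk_home>/bin/splunk restart" to apply it.

stage_admin_reset() {
    home="$1"
    password="$2"
    seed="$home/etc/system/local/user-seed.conf"

    [ -d "$home/etc" ] || { echo "no Splunk installation at $home" >&2; return 1; }
    [ -n "$password" ] || { echo "refusing to seed an empty password" >&2; return 1; }

    # Step 1: move the existing passwd file aside instead of deleting it,
    # so the old credentials can be restored if something goes wrong.
    if [ -f "$home/etc/passwd" ]; then
        mv "$home/etc/passwd" "$home/etc/passwd.backup" || return 1
    fi

    # Step 2/3: write user-seed.conf. It contains the password in clear text,
    # so create it under a restrictive umask (subshell keeps the umask local)
    # and enforce mode 600 in case the file already existed.
    mkdir -p "$home/etc/system/local" || return 1
    ( umask 077 && printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$password" > "$seed" ) || return 1
    chmod 600 "$seed" || return 1

    # Step 4 (restart) is the operator's step; it is not run here so the
    # function can be exercised against a scratch directory.
    echo "seed written; now run: $home/bin/splunk restart"
    return 0
}

# Only runs when both variables are set, e.g.
#   SPLUNK_HOME=/opt/splunk NEW_ADMIN_PASSWORD='...' sh reset_admin.sh
if [ -n "$SPLUNK_HOME" ] && [ -n "$NEW_ADMIN_PASSWORD" ]; then
    stage_admin_reset "$SPLUNK_HOME" "$NEW_ADMIN_PASSWORD"
fi
```

After the restart, check that user-seed.conf has been consumed and is no longer present under etc/system/local; if it is still there, delete it, since it holds the admin password in clear text.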
Try index=foo | iplocation foo_src_ip | search NOT Country IN ("France", "United States")
So the data is duplicated in the raw event?
What is the most elegant way of searching for events where a field is not in a list of values?

For example:

index=foo | iplocation foo_src_ip | search Country IN ("France", "United States")

works great. But what if I want all events where the IP was not from those countries (the inverse answer), like "Canada", "Mexico"?

Thanks for any assistance.
Bob
@ITWhisperer, in the events view only 1 event is returned, but when you look at statistics you get the same 2 values under destination in the table.
How can we integrate Atlassian tools like Jira with Splunk? What technical details do we need to have in order to connect Jira with Splunk?
Yuanliu, thank you very much for taking your time to write and help. Below is my response.

1. Let's forget about outputlookup.
2. The original main (outer) search of the network index is fast by itself, given the code that includes bucket, eval and output in stats. So the delay is not here.
3. Dashboard input is account_Name and source_network_address (but I can use tokens to pass network_address).
4. Since we are no longer doing a lookup table, it's a moot point to answer the subsequent bullet items. I'm sorry.

Someone pointed out that it's possible to reduce network output by passing a parameter to the outer main search using "format". While that code drastically reduces the returned set of data from the network query, I now need to rethink how to move forward from the produced output. I think it's a step in the right direction. Let me show what was proposed.

Let me explain the data structure a bit: snat and client are in the form IP:PORT. So we need to match IP:PORT from the network and ad indexes, as well as the timestamps that those events match on. The output is just client_ip. I don't need to make any evaluations of count; I just want to know how many client_IP we have of each.

The newly proposed code is below. If you look at Splunk logging, it's interesting to see how format appends to the network search in the form of (snat=ip1 OR snat=ip2 OR ....)

index=_network sourcetype=f5 irule=*
    [| search index=_ad (EventCode=4625 OR (EventCode=4771 Failure_Code=0x18)) Account_Name=USER Source_Network_Address IN (IP1,IP2..)
     | eval Source_Network_Address1 = case(EventCode==4771, trim(Client_Address, "::ffff:"))
     | eval SourceIP = Source_Network_Address
     | eval snat = SourceIP+":"+Source_Port
     | fields snat
     | format ]
```passes formatted string to main search for _network to find only those snats```
| table client snat _time
```| join type=inner snat _time
    [ search index=_ad (EventCode=4625 OR (EventCode=4771 Failure_Code=0x18)) Account_Name=USER Source_Network_Address IN (IP1,IP2..)
    | eval Source_Network_Address1 = case(EventCode==4771, trim(Client_Address, "::ffff:"))
    | eval SourceIP = Source_Network_Address
    | eval client = SourceIP+":"+Source_Port
    | table snat_time]
| rex field=client "^(?<client_ip>.*?)\:(?<client_port>.*)"
| stats values(client_ip)```