Hi @vihshah , I don't know how the field is named, maybe "OrderDetails.user_name"; see its correct name in Interesting Fields. If instead the issue is the extraction of the field, it seems to be a JSON log, so you could use spath to extract fields. If instead you want to use a regex, please share a sample of your logs. Ciao. Giuseppe
The issue was resolved by manually creating the index, which we thought was created automatically by the command in the documentation. So you need to create the index manually and then run the rebuild command again if you face this same error message.
I'm appreciative of your response. I tried the one below, but the field contains more information than just the credit card number. I'm wondering how I can mask a field value that contains the credit card number and expiration date along with other information in the same field.

Fieldname: abcd
Field value: n required YES Accommodation [Bucharest] 5 Nights – Novotel Bucharest HDFC Master card number 1234 4567 0002 4786 Expiry Date of HDFC card 02/28 Any other relevant info Thanks and Regards, santhosh. From

SEDCMD-accmasking = s/abcd=(.)(\d{4}-){3}(\d{4})/cc=xxxx-xxxx-xxxx-\2/

But to be honest, I am not very confident with this part of Splunk. Could you please help me?
Would you kindly assist us in hiding the credit card number and expiration date in the following field?

Field value: some ab n required YES Accommodation [Bucharest] 5 Nights – Novotel Bucharest HDFC Master card number 1234 4567 0009 2321 Expiry Date of HDFC card 01/26 Any other relevant info Thanks and Regards, Murali. From
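Both of the masking requests above (santhosh's and Murali's) have the same shape: a free-text field in which a card number and an expiry date sit among other words, so a pattern anchored on "abcd=" and hyphen-separated groups never fires. The following is an added example, not code from either post or from Splunk: it masks the number and the expiry inside a free-text value with two regular expressions, keeps only the last four digits of the card number, and provides a check that no 16-digit card-like sequence survives. The sample value is constructed from the one in the post; the pattern names and the masking style are this example's own assumptions. The same PAN pattern, placed in a SEDCMD in props.conf, would do the masking at index time, but test it against real samples first because anything SEDCMD does not match is indexed as-is.

```python
import re

# Constructed sample field value, modelled on the one in the post above.
SAMPLE = (
    "n required YES Accommodation [Bucharest] 5 Nights - Novotel Bucharest "
    "HDFC Master card number 1234 4567 0002 4786 Expiry Date of HDFC card 02/28 "
    "Any other relevant info Thanks and Regards, santhosh."
)

# A 16-digit card number written as four groups separated by spaces, hyphens or
# nothing. Only the last group is captured, so only the last four digits survive.
# No Luhn check is applied on purpose: test numbers and typos get masked too.
PAN_RE = re.compile(r"\b(?:\d{4}[ -]?){3}(\d{4})\b")

# An MM/YY expiry that follows an "Expiry Date" label in the same field.
EXPIRY_RE = re.compile(r"(?i)(expiry\s+date[^0-9]*)(0[1-9]|1[0-2])/(\d{2})")


def mask_card_data(text: str) -> str:
    """Return text with the card number truncated to its last four digits
    and the expiry date replaced by xx/xx."""
    text = PAN_RE.sub(r"xxxx-xxxx-xxxx-\1", text)
    text = EXPIRY_RE.sub(r"\1xx/xx", text)
    return text


def contains_pan(text: str) -> bool:
    """Post-masking check: True if any 16-digit card-like sequence is still present."""
    return PAN_RE.search(text) is not None


if __name__ == "__main__":
    masked = mask_card_data(SAMPLE)
    print(masked)
    print("card number still present:", contains_pan(masked))
```

Run the check over a sample of already-indexed events before trusting the masking in production; the check is cheap and catches the case where the number appears in a separator style the pattern does not cover.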
Hi @isoutamo , Yes, I can see the Entry data in a separate event, but no fields are parsed from it. I need the fields and values to be parsed like the table below.

Field Name          Field Value
Sender Component    XYZ
Receiver Component  ABC
Interface           Mobile
System Error        -
Waiting             3
<?xml version="1.0" encoding="UTF-8" ?>
<Results xmlns:xsi="http://www.w3.org">
<Result>
<Code>OK</Code>
<Details>LoadMessageOverviewData</Details>
<Text>Successfull</Text>
</Result>
<Data>
<ColumnNames>
<Column>Sender Component</Column>
<Column>Receiver Component</Column>
<Column>Interface</Column>
<Column>System Error</Column>
<Column>Waiting</Column>
</ColumnNames>
<DataRows>
<Row>
<Entry>XYZ</Entry>
<Entry>ABC</Entry>
<Entry>Mobile</Entry>
<Entry>-</Entry>
<Entry>3</Entry>
</Row>
</DataRows>
</Data>
</MessageStatisticsQueryResults>

Hi @PickleRick , above is my XML data; my expected parsed data is below.

Field Name          Field Value
Sender Component    XYZ
Receiver Component  ABC
Interface           Mobile
System Error        -
Waiting             3
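The pairing being asked for above is positional: the n-th <Entry> of each <Row> belongs to the n-th <Column> of <ColumnNames>. As an added example that is not part of the post, here is that pairing done in Python with the standard library, producing one Field Name / Field Value table per row. The sample document is constructed from the posted one; its root element name is an assumption chosen so that the opening and closing tags match, because a parser rejects the pasted snippet where <Results> is closed by </MessageStatisticsQueryResults>. A row whose entry count differs from the column count is rejected rather than silently misaligned.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the posted document. The root element name is an
# assumption made so that the open and close tags match.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<Results>
  <Result>
    <Code>OK</Code>
    <Details>LoadMessageOverviewData</Details>
    <Text>Successfull</Text>
  </Result>
  <Data>
    <ColumnNames>
      <Column>Sender Component</Column>
      <Column>Receiver Component</Column>
      <Column>Interface</Column>
      <Column>System Error</Column>
      <Column>Waiting</Column>
    </ColumnNames>
    <DataRows>
      <Row>
        <Entry>XYZ</Entry>
        <Entry>ABC</Entry>
        <Entry>Mobile</Entry>
        <Entry>-</Entry>
        <Entry>3</Entry>
      </Row>
    </DataRows>
  </Data>
</Results>
"""


def parse_rows(xml_text: str) -> list[dict[str, str]]:
    """Pair each <Row>'s <Entry> values with the <Column> names, one dict per row.

    Raises ValueError when a row's entry count does not match the column count,
    so a short or long row cannot shift values under the wrong field names.
    """
    root = ET.fromstring(xml_text)
    columns = [c.text or "" for c in root.iterfind("./Data/ColumnNames/Column")]
    rows = []
    for row in root.iterfind("./Data/DataRows/Row"):
        entries = [e.text or "" for e in row.iterfind("Entry")]
        if len(entries) != len(columns):
            raise ValueError(
                f"row has {len(entries)} entries but there are {len(columns)} columns"
            )
        rows.append(dict(zip(columns, entries)))
    return rows


def as_field_table(row: dict[str, str]) -> list[tuple[str, str]]:
    """Field Name / Field Value pairs in column order, as the post asked for."""
    return list(row.items())


if __name__ == "__main__":
    for row in parse_rows(SAMPLE_XML):
        print(f"{'Field Name':<20}Field Value")
        for name, value in as_field_table(row):
            print(f"{name:<20}{value}")
```

If the XML comes from a source you do not control, parse it with the defusedxml package instead of xml.etree directly; the pairing logic stays the same.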
Hi, I want to create a search query that looks for users who have received phishing emails, clicked the link, or downloaded a file from the email. Thanks
Joins (with the join command) are generally best avoided as they are slow and have limitations. However, if you want to continue down this route, you should also note that field names are case sensitive, so if you were expecting Host from one set of events to be "joined" with host in the other set of events, they would have to share exactly the same field name. Without you sharing some sample events, it is not easy to determine whether this is your issue.
@gcusello okay, I think I know my issue: my user_name is part of an object string like below
OrderDetails{userId:"1", user_name:"A"}
if this is the case, how can I search it?
Hi @man03359, probably your search doesn't run because you renamed a field and then used the previous field name. Anyway, in general, avoid using join because it's a very slow search; try using stats:

(index="idx-enterprise-tools" sourcetype="spectrum:alarm:json") OR
(index=idx-sec-cloud sourcetype=rubrik:json NOT (summary="*on demand backup*" OR custom_details.clusterName="ART1RBRK100P" OR custom_details.clusterName="ONT1RBRK100P" OR custom_details.clusterName="GRO1RBRK100P")
((custom_details.eventName="Snapshot.BackupFailed" NOT (custom_details.errorId="Oracle.RmanStatusDetailsEmpty" OR custom_details.errorId="Vmware.VmwareCBTCorruption"))
OR (custom_details.eventName="Mssql.LogBackupFailed")
OR (custom_details.eventName="Snapshot.BackupFromLocationFailed" NOT (custom_details.errorId="Fileset.FailedDataThresholdNas" OR custom_details.errorId="Fileset.FailedFileThresholdNas" OR custom_details.errorId="Fileset.FailedToFindFilesNas"))
OR (custom_details.eventName="Vmware.VcenterRefreshFailed")
OR (custom_details.eventName="Hawkeye.IndexOperationOnLocationFailed")
OR (custom_details.eventName="Hawkeye.IndexRetryFailed")
OR (custom_details.eventName="Storage.SystemStorageThreshold")
OR (custom_details.eventName="ClusterOperation.DiskLost")
OR (custom_details.eventName="ClusterOperation.DiskUnhealthy")
OR (custom_details.eventName="Hardware.DimmError")
OR (custom_details.eventName="Hardware.PowerSupplyNeedsReplacement")
OR (custom_details.location="*/MSSQLSERVER")))
| stats count(eval(like('custom_details.location', "%/MSSQLSERVER"))) AS MsSqlServer BY host

Two details in the search above: the eventName conditions are wrapped in their own parentheses so the cluster exclusion applies to all of them (AND binds tighter than OR in a search), and inside eval a field name containing a dot must be single-quoted, and a wildcard match is done with like() rather than with "=".

Ciao. Giuseppe
Hi guys, Great discussion, it is both interesting and insightful to get to see and "listen in on" experts having both problems and being willing to do so publicly. Thank you. Cheers,
I am a noob with Splunk. I am trying to join two indexes in one search.

First index:
index="idx-enterprise-tools" sourcetype="spectrum:alarm:json"
| eval Host=substr(host,1,9)

Second index:
index=idx-sec-cloud sourcetype=rubrik:json NOT (summary="*on demand backup*" OR custom_details.clusterName="ART1RBRK100P" OR custom_details.clusterName="ONT1RBRK100P" OR custom_details.clusterName="GRO1RBRK100P")
(custom_details.eventName="Snapshot.BackupFailed" NOT (custom_details.errorId="Oracle.RmanStatusDetailsEmpty" OR custom_details.errorId="Vmware.VmwareCBTCorruption"))
OR (custom_details.eventName="Mssql.LogBackupFailed")
OR (custom_details.eventName="Snapshot.BackupFromLocationFailed" NOT (custom_details.errorId="Fileset.FailedDataThresholdNas" OR custom_details.errorId="Fileset.FailedFileThresholdNas" OR custom_details.errorId="Fileset.FailedToFindFilesNas"))
OR (custom_details.eventName="Vmware.VcenterRefreshFailed")
OR (custom_details.eventName="Hawkeye.IndexOperationOnLocationFailed")
OR (custom_details.eventName="Hawkeye.IndexRetryFailed")
OR (custom_details.eventName="Storage.SystemStorageThreshold")
OR (custom_details.eventName="ClusterOperation.DiskLost")
OR (custom_details.eventName="ClusterOperation.DiskUnhealthy")
OR (custom_details.eventName="Hardware.DimmError")
OR (custom_details.eventName="Hardware.PowerSupplyNeedsReplacement")
OR (custom_details.location="*/MSSQLSERVER")
| rename custom_details.eventName as EventName custom_details.errorId as ErrorCode custom_details.clusterName as ClusterName custom_details.location as LocationName
| eventstats count(eval(custom_details.location="*/MSSQLSERVER")) as MsSqlServer by summary

I am trying it like this, but I do not see any events, whereas both indexes are giving events for the same time frame:

index="idx-enterprise-tools" sourcetype="spectrum:alarm:json"
| eval Host=substr(host,1,9)
| join host
[ search index=idx-sec-cloud sourcetype=rubrik:json NOT (summary="*on demand backup*" OR custom_details.clusterName="ART1RBRK100P" OR custom_details.clusterName="ONT1RBRK100P" OR custom_details.clusterName="GRO1RBRK100P")
(custom_details.eventName="Snapshot.BackupFailed" NOT (custom_details.errorId="Oracle.RmanStatusDetailsEmpty" OR custom_details.errorId="Vmware.VmwareCBTCorruption"))
OR (custom_details.eventName="Mssql.LogBackupFailed")
OR (custom_details.eventName="Snapshot.BackupFromLocationFailed" NOT (custom_details.errorId="Fileset.FailedDataThresholdNas" OR custom_details.errorId="Fileset.FailedFileThresholdNas" OR custom_details.errorId="Fileset.FailedToFindFilesNas"))
OR (custom_details.eventName="Vmware.VcenterRefreshFailed")
OR (custom_details.eventName="Hawkeye.IndexOperationOnLocationFailed")
OR (custom_details.eventName="Hawkeye.IndexRetryFailed")
OR (custom_details.eventName="Storage.SystemStorageThreshold")
OR (custom_details.eventName="ClusterOperation.DiskLost")
OR (custom_details.eventName="ClusterOperation.DiskUnhealthy")
OR (custom_details.eventName="Hardware.DimmError")
OR (custom_details.eventName="Hardware.PowerSupplyNeedsReplacement")
OR (custom_details.location="*/MSSQLSERVER")
]
| rename custom_details.eventName as EventName custom_details.errorId as ErrorCode custom_details.clusterName as ClusterName custom_details.location as LocationName
| eventstats count(eval(custom_details.location="*/MSSQLSERVER")) as MsSqlServer by summary
Hi @vihshah , check what the conditions for user_name are with:

sourcetype="mykube.source" "failed request"
| rex "failed request:(?<request_id>[\w-]+)"
| search user_name=*
| table _time request_id user_name

or

sourcetype="mykube.source" "failed request"
| rex "failed request:(?<request_id>[\w-]+)"
| search user_name=* request_id=*
| table _time request_id user_name

Ciao. Giuseppe