I always recommend not to treat structured data such as XML as text. Regex is usually the last route you want to go because it is not as robust as QA-tested Splunk built-in functions such as spath.

I suspect the posted data is just a snippet and not the complete event. But the snippet itself looks compliant. If the raw event is compliant XML, Splunk should have given you fields like Event.System.Computer. If you don't have that, try setting KV_MODE=xml. If there are other elements in the raw event that are not part of the XML, e.g., timestamp, log level, etc., you should use rex to extract the compliant XML into a field, say data, then use spath on it.

Here is an emulation based on your mock snippet, assuming you have the XML in data. (Replace with _raw if the entire event is XML.)

| makeresults
| eval data="<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/><EventID>8194</EventID><Version>1</Version><Level>5</Level><Task>1</Task><Opcode>16</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2024-01-25T22:00:11.2420989Z'/><EventRecordID>5161615</EventRecordID><Correlation ActivityID='{157f6670-a34e-4258-8c5a-695a5d47a600}'/><Execution ProcessID='6056' ThreadID='5928'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>server.domain</Computer><Security UserID='S-1-5-21-3521695231-3467208260-910013933-395133'/></System><EventData><Data Name='InstanceId'>157f6670-a34e-4258-8c5a-695a5d47a600</Data><Data Name='MaxRunspaces'>1</Data><Data Name='MinRunspaces'>1</Data></EventData>"
``` data emulation above ```
| spath input=data
| fields - data _*
| transpose column_name=fieldname
| rename "row 1" as fieldvalue

This gives

fieldname                              fieldvalue
Event.EventData.Data                   157f6670-a34e-4258-8c5a-695a5d47a600
                                       1
                                       1
Event.EventData.Data{@Name}            InstanceId
                                       MaxRunspaces
                                       MinRunspaces
Event.System.Channel                   Microsoft-Windows-PowerShell/Operational
Event.System.Computer                  server.domain
Event.System.Correlation{@ActivityID}  {157f6670-a34e-4258-8c5a-695a5d47a600}
Event.System.EventID                   8194
Event.System.EventRecordID             5161615
Event.System.Execution{@ProcessID}     6056
Event.System.Execution{@ThreadID}      5928
Event.System.Keywords                  0x0
Event.System.Level                     5
Event.System.Opcode                    16
Event.System.Provider{@Guid}           {a0c1853b-5c40-4b15-8766-3cf1c58f985a}
Event.System.Provider{@Name}           Microsoft-Windows-PowerShell
Event.System.Security{@UserID}         S-1-5-21-3521695231-3467208260-910013933-395133
Event.System.Task                      1
Event.System.TimeCreated{@SystemTime}  2024-01-25T22:00:11.2420989Z
Event.System.Version                   1
Event{@xmlns}                          http://schemas.microsoft.com/win/2004/08/events/event

Hope this helps.
Hi all, I am new to Splunk. When I start Splunk, it does not show information regarding the web interface being available to access. Normally at the end there is a message saying that the web interface is available at 127.0.0.0:8000. It just disappeared; I was able to see it earlier. I don't know if I misconfigured something. Appreciate the help.
The nature of Splunk is for data aggregation and standardization from digests. Could it be possible to utilize it to preprocess data for a large language model?
Hi @Geoff.Wild, I found some info; it's a few years old, but perhaps it'll point you in the right direction. The error could be due to the JDBC driver not being compatible with the MySQL connector. The JDBC driver jar mysql-X.jar file needs to be renamed with a compatible driver file under the <DBAgent_install_dir>/lib/ folder. We will need to stop the DB agent java process, replace the current JDBC driver for MySQL in the agent lib folder with a compatible JDBC driver and start the agent again; see if that information helps. Refer to the forum link below: https://stackoverflow.com/questions/37348572/new-mysql-driver-causes-java-sql-sqlnontransientconnectionexception-client-plug
When I put in my search like this

| rex field=_raw "duser=(?<User>.*?) dvc"

I get a new field called UserNameLabel with the value of User.
Assuming dvc is the ip address you mentioned and duration is reset to 1 after determining a range, how can the max be anything other than 1?
Hi, I’m not sure what you are virtualizing and what you want to monitor, or are you asking something else? Are you talking about virtualization of the Splunk infrastructure, or are you monitoring your virtualization environment like VMware? r. Ismo
Hi there, I have configured the Dynatrace add-on with proxy setup enabled (because of a firewall issue). If I run the Dynatrace URL using the API token through Postman I am getting data for all the endpoints. But in Splunk we are getting connectionpool.py and modinput.py errors for the Dynatrace API Version 2 input.

DEBUG pid=xxxxx tid=MainThread file=connectionpool.py:_new_conn:1018
DEBUG pid=xxxxx tid=MainThread file=base_modinput.py:log_debug:298

Please guide me to fix this issue, thank you.
I assume by break into single lines you mean expand to multiple events?

| rex max_match=0 "\<Computer\>(?<computer>[^\<]*)\</Computer\>"
| mvexpand computer
Try something like this

| eval duration_range=mvrange(0, duration + duration%3600, 3600)
| eval duration = 1
| mvexpand duration_range
| eval _time=_time-duration_range
| timechart span=1h max(duration) by dvc
We need to extract the value behind "<Computer>". I have underlined it to make it easier. It would also be beneficial to have these broken out into single lines. Any help is greatly appreciated!

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/><EventID>8194</EventID><Version>1</Version><Level>5</Level><Task>1</Task><Opcode>16</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2024-01-25T22:00:11.2420989Z'/><EventRecordID>5161615</EventRecordID><Correlation ActivityID='{157f6670-a34e-4258-8c5a-695a5d47a600}'/><Execution ProcessID='6056' ThreadID='5928'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>server.domain</Computer><Security UserID='S-1-5-21-3521695231-3467208260-910013933-395133'/></System><EventData><Data Name='InstanceId'>157f6670-a34e-4258-8c5a-695a5d47a600</Data><Data Name='MaxRunspaces'>1</Data><Data Name='MinRunspaces'>1</Data></EventData><RenderingInfo Culture='en-US'><Message>Creating RunspacePool object
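As an added illustration in Python (not code from any post in this thread), here is the two-step approach the spath reply above describes, applied to the question's XML: carve the XML payload out of an event that carries non-XML prefix text (the rex step), then parse it and emit spath-style field names such as Event.System.Computer and Event.System.Provider{@Name} (the spath step), with the three Data elements collapsed into one multivalue field the way Splunk shows them. It also returns one Computer value per event, which is what the rex max_match/mvexpand reply extracts. The event text is constructed from the snippet in the question (closed properly, the truncated RenderingInfo element omitted) and the syslog-style prefix is assumed. ElementTree folds the xmlns declaration into the tag name rather than exposing it as an attribute, so Event{@xmlns} is the one field from the reply's table that this does not reproduce.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Union

# Constructed sample: an assumed syslog-style prefix followed by the XML from
# the question (closed properly; the truncated RenderingInfo element omitted).
SAMPLE_EVENT = (
    "Jan 25 22:00:11 collector01 wineventlog: "
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System>"
    "<Provider Name='Microsoft-Windows-PowerShell' "
    "Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/>"
    "<EventID>8194</EventID><Version>1</Version><Level>5</Level>"
    "<TimeCreated SystemTime='2024-01-25T22:00:11.2420989Z'/>"
    "<Channel>Microsoft-Windows-PowerShell/Operational</Channel>"
    "<Computer>server.domain</Computer>"
    "<Security UserID='S-1-5-21-3521695231-3467208260-910013933-395133'/>"
    "</System>"
    "<EventData>"
    "<Data Name='InstanceId'>157f6670-a34e-4258-8c5a-695a5d47a600</Data>"
    "<Data Name='MaxRunspaces'>1</Data>"
    "<Data Name='MinRunspaces'>1</Data>"
    "</EventData>"
    "</Event>"
)

# The 'rex' step: carve the outermost <Event>...</Event> out of the raw text.
XML_SPAN = re.compile(r"<Event\b.*</Event>", re.DOTALL)


def extract_xml(raw: str) -> str:
    m = XML_SPAN.search(raw)
    if m is None:
        raise ValueError("event carries no <Event>...</Event> payload")
    return m.group(0)


def _local(tag: str) -> str:
    # ElementTree renders namespaced names as '{uri}Name'; spath reports 'Name'.
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


FieldValue = Union[str, List[str]]


def flatten(xml_text: str) -> Dict[str, FieldValue]:
    """The 'spath' step: parse and emit spath-style names such as
    Event.System.Computer and Event.System.Provider{@Name}. Repeated elements
    (the three Data elements) become one multivalue field, as in Splunk."""
    root = ET.fromstring(xml_text)
    fields: Dict[str, List[str]] = defaultdict(list)

    def walk(elem: ET.Element, path: str) -> None:
        for name, value in elem.attrib.items():
            fields[f"{path}{{@{_local(name)}}}"].append(value)
        children = list(elem)
        for child in children:
            walk(child, f"{path}.{_local(child.tag)}")
        if not children and elem.text and elem.text.strip():
            fields[path].append(elem.text.strip())

    walk(root, _local(root.tag))
    # Single-valued fields become plain strings, repeated ones stay lists.
    return {k: (v[0] if len(v) == 1 else v) for k, v in fields.items()}


def event_data(fields: Dict[str, FieldValue]) -> Dict[str, str]:
    """Re-pair EventData Data{@Name} with Data text; spath leaves them as two
    parallel multivalue fields, as the reply's table shows."""
    names = fields.get("Event.EventData.Data{@Name}", [])
    values = fields.get("Event.EventData.Data", [])
    if isinstance(names, str):
        names, values = [names], [values]
    return dict(zip(names, values))


def computers(raw_events: List[str]) -> List[str]:
    """One Computer value per event: the field the question asks for."""
    return [flatten(extract_xml(e))["Event.System.Computer"] for e in raw_events]


if __name__ == "__main__":
    parsed = flatten(extract_xml(SAMPLE_EVENT))
    for k, v in sorted(parsed.items()):
        print(f"{k:40} {v}")
    print(event_data(parsed))
```

The regex is only used to find the boundaries of the XML document; everything inside those boundaries goes through a real parser, which is the point the spath reply makes. If the prefix format differs, only XML_SPAN and the constructed SAMPLE_EVENT need to change.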
Set your anchors on either side of the field extraction

| rex "duser=(?<User>.*?) dvc"
Here is my sample data:

start=Dec 30 2023 06:07:47 duser=NT AUTHORITY\SYSTEM dvc=10.163.142.37

I need to extract the full duser information. Splunk only grabs NT and not the remainder of the string. I have the following regex via regex101 that works. I am grabbing whatever is between 'duser=' and ' dvc':

(?<=duser=)(.*?)(?= dvc)

I just don't quite understand how the field extraction part is supposed to work... I have tried...

| rex field=_raw "'(?<User>(?<=duser=)(.*?)(?= dvc))'"

and

| rex field=_raw "duser=\s+(?<User>[^\\]*)"

No errors, just not getting any data in a User field. Thanks in advance.
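An added Python illustration, not from any post in this thread, of what the patterns discussed above actually match. It runs the reply's pattern (lazy match with ' dvc' as the right anchor), the question's second attempt, and a generalised form whose right anchor is "the next ' key='" against the sample line from the question plus two further constructed lines where dvc is not the key that follows duser, and finishes with a tokenizer for every key=value pair in this layout. Python's re needs (?P<name>...) where Splunk's PCRE accepts (?<name>...); the lookahead and lazy-quantifier semantics are the same. Quoted values are not handled.

```python
import re
from typing import Dict, Optional, Pattern

# Constructed sample lines. The first is the one from the question; the other
# two are added to show what happens when 'dvc' is not the key after 'duser'.
SAMPLE_LINES = [
    r"start=Dec 30 2023 06:07:47 duser=NT AUTHORITY\SYSTEM dvc=10.163.142.37",
    r"start=Dec 30 2023 06:08:01 duser=CORP\jdoe suser=svc_backup dvc=10.163.142.38",
    r"start=Dec 30 2023 06:09:15 dvc=10.163.142.39 duser=Local Service",
]

# The reply's pattern: lazy match, right anchor is the literal ' dvc'.
DUSER_BEFORE_DVC: Pattern[str] = re.compile(r"duser=(?P<User>.*?) dvc")

# Generalised right anchor: the value ends at the next ' key=' or at end of
# line, so it works whatever key follows and when duser is the last pair.
DUSER_NEXT_KEY: Pattern[str] = re.compile(r"duser=(?P<User>.*?)(?=\s+\w+=|$)")

# The question's second attempt: \s+ demands at least one whitespace character
# between 'duser=' and the value, and the sample line has none.
DUSER_ATTEMPT: Pattern[str] = re.compile(r"duser=\s+(?P<User>[^\\]*)")


def extract_duser(line: str, pattern: Pattern[str] = DUSER_NEXT_KEY) -> Optional[str]:
    """Return the duser value the given pattern captures, or None if no match."""
    m = pattern.search(line)
    return m.group("User") if m else None


# Same right anchor, applied to every pair: a value runs until ' key=' or EOL.
KV_PAIR = re.compile(r"(?P<k>\w+)=(?P<v>.*?)(?=\s+\w+=|$)")


def parse_kv(line: str) -> Dict[str, str]:
    """Tokenise every key=value pair; values may contain spaces and backslashes
    (NT AUTHORITY\\SYSTEM, CORP\\jdoe) and end where the next ' key=' begins."""
    return {m.group("k"): m.group("v") for m in KV_PAIR.finditer(line)}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(repr(extract_duser(line, DUSER_BEFORE_DVC)),
              repr(extract_duser(line)), parse_kv(line))
```

On the third line the ' dvc' anchor finds nothing at all, and on the second it swallows the suser pair, which is why anchoring on the next key rather than on one specific key is the safer habit for this kind of data.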
We are in the midst of a virtualization project, and we are looking for a way to sanity check all the different components. I know that the MC does some of it, but I’m not sure if it covers all aspects. I’m thinking about scripted input, and a dedicated dashboard to monitor and verify all the settings. Do you have any other suggestions, by any chance?
Hello, I put Table 1 into a CSV file called "StudentRank.csv" and tried to use a subsearch; it didn't seem to work. See below:

index=student [search | inputlookup StudentRank.csv | head 2 | table StudentID]

I also tried to use appendpipe or append; it worked but it showed all students in the CSV table (4 students):

| append [ | inputlookup StudentRank.csv | head 2 | table StudentID]

My goal is similar to

| search StudentID=101 .. repeat until StudentID=102 (N out of Total, in this example, 2 out of 4)

The second search is a lot of details. Is it possible to pass a token in a scheduled search, like when passing a token from a dropdown selection box in a Splunk dashboard? Thank you!!
Hi, it is possible to generate these types of custom command line metrics using the "smartagent/exec" receiver. https://docs.splunk.com/observability/en/gdi/monitors-databases/exec-input.html

It can be tricky to get the format and approach just right, so here are some tips:

1) Put your command in an external script so it's easier to format the output in an acceptable format and it's also easier to format the call from your receiver. The default format is "influx", so an example of the output you want to generate would look like this:

printerqueue,printer=myprinter length=5

That output would generate a metric named "printerqueue.length" with a value of 5 and a tagname of "printer" and a tagvalue of "myprinter". Your external script might look like this:

#!/bin/sh
echo printerqueue,printer=myprinter length=$(lpstat -o | wc -l)

2) You'll need to define a receiver in your OTel config (e.g. agent_config.yaml):

receivers:
  smartagent/exec:
    type: telegraf/exec
    command: "/PATH/TO/printerqueue_script.sh"
    telegrafParser:
      dataFormat: "influx"

3) Don't forget to place your new receiver in your metrics pipeline and restart your OTel collector:

service:
  pipelines:
    metrics:
      receivers: [hostmetrics, otlp, signalfx, smartagent/signalfx-forwarder, smartagent/exec]
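An added Python illustration, not the script from the reply above: it builds the same influx line-protocol output that the telegraf/exec "influx" parser expects, but one printerqueue line per printer (parsed out of constructed lpstat -o text, where each line begins with printer-jobid) instead of one grand total, and applies the protocol's escaping rules: commas, spaces and equals signs in tag keys, tag values and field keys; commas and spaces in the measurement name; double quotes and backslashes in string field values. The lpstat output and the odd printer name in the usage note are constructed; CUPS itself does not permit such names, but any tag value taken from another command's output needs the same treatment, or the parser reads the extra commas and spaces as additional tags and fields.

```python
from typing import Dict, List, Optional, Union

# Constructed 'lpstat -o' output: each line begins with '<printer>-<jobid>'.
LPSTAT_O_SAMPLE = (
    "myprinter-12            alice    4096   Thu 25 Jan 2024 22:00:11 UTC\n"
    "myprinter-13            bob      1024   Thu 25 Jan 2024 22:00:12 UTC\n"
    "lobby-1                 carol    2048   Thu 25 Jan 2024 22:00:13 UTC\n"
)

FieldValue = Union[int, float, bool, str]


def _esc_tag(s: str) -> str:
    # Tag keys, tag values and field keys: escape comma, equals sign and space.
    return s.replace(",", r"\,").replace("=", r"\=").replace(" ", r"\ ")


def _esc_measurement(s: str) -> str:
    # Measurement names: escape comma and space.
    return s.replace(",", r"\,").replace(" ", r"\ ")


def _fmt_field(v: FieldValue) -> str:
    if isinstance(v, bool):
        return "true" if v else "false"
    if isinstance(v, (int, float)):
        return str(v)  # bare number, as in the reply's 'length=5'
    # String field values are double-quoted; quotes and backslashes escaped.
    return '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"'


def influx_line(measurement: str, tags: Dict[str, str],
                fields: Dict[str, FieldValue], ts_ns: Optional[int] = None) -> str:
    """Render one line of InfluxDB line protocol:
    measurement[,tag=value...] field=value[,field=value...] [timestamp_ns]"""
    if not fields:
        raise ValueError("line protocol requires at least one field")
    tag_part = "".join(f",{_esc_tag(k)}={_esc_tag(v)}" for k, v in sorted(tags.items()))
    field_part = ",".join(f"{_esc_tag(k)}={_fmt_field(v)}" for k, v in fields.items())
    line = f"{_esc_measurement(measurement)}{tag_part} {field_part}"
    return line if ts_ns is None else f"{line} {ts_ns}"


def per_printer_lengths(lpstat_output: str) -> Dict[str, int]:
    """Queue length per printer from 'lpstat -o' text."""
    counts: Dict[str, int] = {}
    for line in lpstat_output.splitlines():
        if not line.strip():
            continue
        printer = line.split()[0].rsplit("-", 1)[0]
        counts[printer] = counts.get(printer, 0) + 1
    return counts


def render_metrics(lpstat_output: str) -> List[str]:
    """What the exec script should print: one 'printerqueue' line per printer."""
    return [influx_line("printerqueue", {"printer": p}, {"length": n})
            for p, n in sorted(per_printer_lengths(lpstat_output).items())]


if __name__ == "__main__":
    print("\n".join(render_metrics(LPSTAT_O_SAMPLE)))
```

With the constructed sample this prints printerqueue,printer=lobby length=1 and printerqueue,printer=myprinter length=2; a tag value such as the constructed name front desk,color is emitted as printer=front\ desk\,color, so it arrives as one tag rather than as a second tag plus a stray field.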
Add the operating system to the list of values returned by stats rather than as one of the group-by options.

| stats sparkline(sum(event_count)) AS event_count_sparkline sum(event_count) AS total_events, values(operatingSystem) AS operatingSystems BY host