@PickleRick: admin@gmail.com will be mentioned in action.email.Cc="admin@gmail.com".

action.email.to=$result.owner$
action.email.Cc=admin@gmail.com

So, you mean the sendemail.py script does not have the capability to send one email to different users with all of them in the To field? We cannot do that? Regards, PNV
Let's say I would like to query for messages that have a URL field with values other than X, Y, Z added as query parameters. How do I go about this? TIA
Hi, you should check if you have disabled the web server. See https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents r. Ismo
When I put in my search like this | rex field=_raw "duser=(?<User>.*?) dvc" I get a new field called UserNameLabel with the value of 'User', not the user field data.
I will look into that. Question on it: will that affect other MySQL/MariaDBs that are newer? I.e., will they still work with an older driver?
I always recommend not to treat structured data such as XML as text. Regex is usually the last route you want to go because it is not as robust as QA-tested Splunk built-in functions such as spath. I suspect the posted data is just a snippet and not the complete event, but the snippet itself looks compliant. If the raw event is compliant XML, Splunk should have given you fields like Event.System.Computer. If you don't have that, try setting KV_MODE=xml. If there are other elements in the raw event that are not part of the XML, e.g., timestamp, log level, etc., you should use rex to extract the compliant XML into a field, say data, then use spath on it.

Here is an emulation based on your mock snippet, assuming you have the XML in data. (Replace with _raw if the entire event is XML.)

| makeresults
| eval data ="<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/><EventID>8194</EventID><Version>1</Version><Level>5</Level><Task>1</Task><Opcode>16</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2024-01-25T22:00:11.2420989Z'/><EventRecordID>5161615</EventRecordID><Correlation ActivityID='{157f6670-a34e-4258-8c5a-695a5d47a600}'/><Execution ProcessID='6056' ThreadID='5928'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>server.domain</Computer><Security UserID='S-1-5-21-3521695231-3467208260-910013933-395133'/></System><EventData><Data Name='InstanceId'>157f6670-a34e-4258-8c5a-695a5d47a600</Data><Data Name='MaxRunspaces'>1</Data><Data Name='MinRunspaces'>1</Data></EventData>"
``` data emulation above ```
| spath input=data
| fields - data _*
| transpose column_name=fieldname
| rename "row 1" as fieldvalue

This gives

fieldname                               fieldvalue
Event.EventData.Data                    157f6670-a34e-4258-8c5a-695a5d47a600
                                        1
                                        1
Event.EventData.Data{@Name}             InstanceId
                                        MaxRunspaces
                                        MinRunspaces
Event.System.Channel                    Microsoft-Windows-PowerShell/Operational
Event.System.Computer                   server.domain
Event.System.Correlation{@ActivityID}   {157f6670-a34e-4258-8c5a-695a5d47a600}
Event.System.EventID                    8194
Event.System.EventRecordID              5161615
Event.System.Execution{@ProcessID}      6056
Event.System.Execution{@ThreadID}       5928
Event.System.Keywords                   0x0
Event.System.Level                      5
Event.System.Opcode                     16
Event.System.Provider{@Guid}            {a0c1853b-5c40-4b15-8766-3cf1c58f985a}
Event.System.Provider{@Name}            Microsoft-Windows-PowerShell
Event.System.Security{@UserID}          S-1-5-21-3521695231-3467208260-910013933-395133
Event.System.Task                       1
Event.System.TimeCreated{@SystemTime}   2024-01-25T22:00:11.2420989Z
Event.System.Version                    1
Event{@xmlns}                           http://schemas.microsoft.com/win/2004/08/events/event

Hope this helps.
Hi all, I am new to Splunk. When I start Splunk, it does not show information regarding the web interface being available to access. Normally at the end there is a message saying that the web interface is available at 127.0.0.0:8000. It just disappeared, because I was able to see it earlier. I don't know if I misconfigured something. Appreciate the help.
The nature of Splunk is for data aggregation and standardization from digests. Could it be possible to utilize it to preprocess data for a large language model?
Hi @Geoff.Wild, I found some info; it's a few years old, but perhaps it'll point you in the right direction. The error could be due to the JDBC driver not being compatible with the MySQL connector. The JDBC driver jar mysql-X.jar file needs to be replaced with a compatible driver file under the <DBAgent_install_dir>/lib/ folder. We will need to stop the DB agent Java process, replace the current JDBC driver for MySQL in the agent lib folder with a compatible JDBC driver, and start the agent again; see if that information helps. Refer to the forum link below: https://stackoverflow.com/questions/37348572/new-mysql-driver-causes-java-sql-sqlnontransientconnectionexception-client-plug
When I put in my search like this | rex field=_raw "duser=(?<User>.*?) dvc" I get a new field called UserNameLabel with the value of User.
Assuming dvc is the ip address you mentioned and duration is reset to 1 after determining a range, how can the max be anything other than 1?
Hi, I'm not sure what you are virtualizing and what you want to monitor, or are you asking something else? Are you talking about virtualization of the Splunk infrastructure, or are you monitoring your virtualization environment like VMware? r. Ismo
Hi there, I have configured the Dynatrace add-on with proxy setup enabled (because of a firewall issue). If I run the Dynatrace URL using the API token through Postman I am getting data for all the endpoints. But in Splunk we are getting connectionpool.py and modinput.py errors for the Dynatrace API Version 2 input.

DEBUG pid=xxxxx tid=MainThread file=connectionpool.py:_new_conn:1018
DEBUG pid=xxxxx tid=MainThread file=base_modinput.py:log_debug:298

Please guide me to fix this issue, thank you.
I assume by break into single lines you mean expand to multiple events? | rex max_match=0 "\<Computer\>(?<computer>[^\<]*)\</Computer\>" | mvexpand computer
Try something like this:

| eval duration_range=mvrange(0, duration + duration%3600, 3600)
| eval duration = 1
| mvexpand duration_range
| eval _time=_time-duration_range
| timechart span=1h max(duration) by dvc
We need to extract the value behind "<Computer>". I have underlined it to make it easier. It would also be beneficial to have these broken out into single lines. Any help is greatly appreciated!

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/><EventID>8194</EventID><Version>1</Version><Level>5</Level><Task>1</Task><Opcode>16</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2024-01-25T22:00:11.2420989Z'/><EventRecordID>5161615</EventRecordID><Correlation ActivityID='{157f6670-a34e-4258-8c5a-695a5d47a600}'/><Execution ProcessID='6056' ThreadID='5928'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>server.domain</Computer><Security UserID='S-1-5-21-3521695231-3467208260-910013933-395133'/></System><EventData><Data Name='InstanceId'>157f6670-a34e-4258-8c5a-695a5d47a600</Data><Data Name='MaxRunspaces'>1</Data><Data Name='MinRunspaces'>1</Data></EventData><RenderingInfo Culture='en-US'><Message>Creating RunspacePool object 
Set your anchors either side of the field extraction: | rex "duser=(?<User>.*?) dvc"
Here is my sample data:

start=Dec 30 2023 06:07:47 duser=NT AUTHORITY\SYSTEM dvc=10.163.142.37

I need to extract the full duser information. Splunk only grabs NT and not the remainder of the string. I have the following regex via regex101 that works....I am grabbing whatever is between 'duser=' and ' dvc':

(?<=duser=)(.*?)(?= dvc)

I just don't quite understand how the field extraction part is supposed to work... I have tried...

| rex field=_raw "'(?<User>(?<=duser=)(.*?)(?= dvc))'"

and

| rex field=_raw "duser=\s+(?<User>[^\\]*)"

No errors, just not getting any data in a User field. Thanks in advance.