All Posts

[Solution] @patelmc You can achieve the desired result by modifying the content below slightly.

1. /opt/splunk/etc/apps/myapp/local/transforms.conf

[Active_Events]
INGEST_EVAL = application=replace(_raw, ".*application=(\w+).*", "\1"), APP=json_extract(lookup("APP_COMP.csv", json_object("application", application), json_array("APP")), "APP"), COMP=json_extract(lookup("APP_COMP.csv", json_object("application", application), json_array("COMP")), "COMP")

2. Result
The easiest way to see _raw is to open the event and select "Show source" from "Event actions". Then you can see if there are e.g. some escape characters like \u0022 => "
So this example shows that the LIKE works with the [

| makeresults
| eval _raw="bla bla [\"foobar\"] bla bla"
| eval hasFoobar = case(_raw LIKE "%[\"foobar%", "Y")
| eval hasFoobar = if(hasFoobar = "Y", "YES", "NO")
| table _raw, hasFoobar

so there may be something odd with your data. Your example shows table message, not _raw. Can you provide an example of _raw?
Hi @bowesmana, can you help me check it? Thanks!
Hello, below is the solution for your question.

1. /opt/log/syslog-ng-sample.log

May 13 15:09:09 1.2.3.4 sim: logging for test

2. /opt/splunk/etc/apps/myapp/lookups/lookup.csv

host,host_value
1.2.3.4,myhostname

3. /opt/splunk/etc/apps/myapp/local/props.conf

[mysourcetype]
TRANSFORMS-host_override = host_override

4. /opt/splunk/etc/apps/myapp/local/transforms.conf

[host_override]
INGEST_EVAL = host=replace(_raw, "^\w+\s+\d+\s+\d+:\d+:\d+\s+([^ ]+)\s+.*", "\1"), hostname=host, host=json_extract(lookup("lookup.csv", json_object("host", host), json_array("host_value")), "host_value")

5. Result
@Skins, @moja Hello, below is the solution for your question.

1. /opt/log/syslog-ng-sample.log

May 13 15:09:09 1.2.3.4 sim: logging for test

2. /opt/splunk/etc/apps/myapp/lookups/lookup.csv

host,host_value
1.2.3.4,myhostname

3. /opt/splunk/etc/apps/myapp/local/props.conf

[mysourcetype]
TRANSFORMS-host_override = host_override

4. /opt/splunk/etc/apps/myapp/local/transforms.conf

[host_override]
INGEST_EVAL = host=replace(_raw, "^\w+\s+\d+\s+\d+:\d+:\d+\s+([^ ]+)\s+.*", "\1"), hostname=host, host=json_extract(lookup("lookup.csv", json_object("host", host), json_array("host_value")), "host_value")

5. Result
Hi @livehybrid

I have tested and it seems to be working fine, although I got a few issues like getting "Invalid array length" (I had to refresh the browser to fix this), and the table displaying all rows instead of the number of rows I specified (rows displayed = 10). The invalid array length is intermittent.

I have some follow-up questions just to make sure I understand. Thank you for your help.

1.
a. Is there a limitation on the number of data sources?
b. In my case, I need to change it like the following, correct?
   "ds_index1" : "ds_index1"    (not "search1" : "ds_index1")
   Can you explain what this means: "ds_index1" : "ds_index1"?
c. ds_xxxx is a random string created by Splunk; do you usually change it to a readable format, or do you just leave it? (which one is best practice)
d. I also need to change $mysearch$ to $datasource_token$, correct?

"viz_gE0iilm3": {
    "dataSources": {
        "primary": "ds_index1",
        "ds_index1": "ds_index1",
        "ds_index2": "ds_index2"
    },
    "options": {
        "table": "> $datasource_token$"
    },
    "type": "splunk.table"
}

I was trying to choose the token when clicking a single value. Please let me know if this is correct.

{
    "type": "splunk.singlevalue",
    "dataSources": {
        "primary": "ds_singlevalue1"
    },
    "title": "Single Value 1",
    "eventHandlers": [
        {
            "type": "drilldown.setToken",
            "options": {
                "tokens": [
                    {
                        "token": "datasource_token",
                        "value": "ds_index1"
                    }
                ]
            }
        }
    ]
}
{
    "type": "splunk.singlevalue",
    "dataSources": {
        "primary": "ds_singlevalue2"
    },
    "title": "Single Value 2",
    "eventHandlers": [
        {
            "type": "drilldown.setToken",
            "options": {
                "tokens": [
                    {
                        "token": "datasource_token",
                        "value": "ds_index2"
                    }
                ]
            }
        }
    ]
}

Also, it doesn't load at the beginning, so I need to put the default token. Is this correct?

"defaults": {
    "dataSources": {
        "ds.search": {
            "options": {
                "queryParameters": {
                    "earliest": "-24h@h",
                    "latest": "now"
                }
            }
        }
    },
    "tokens": {
        "default": {
            "datasource_token": {
                "value": "ds_index1"
            }
        }
    }
}
I need to find whether the string ["foobar"] exists in a log message. I have a search query like

some stuff
| eval hasFoobar = case(_raw LIKE "%\"foobar%", "Y")
| eval hasFoobar = if(hasFoobar = "Y", "YES", "NO")
| table message, hasFoobar

which gives YESes as expected. If I add a square bracket, whether escaped or not, I only get NOes. E.g.,

some stuff
| eval hasFoobar = case(_raw LIKE "%[\"foobar%", "Y")
| eval hasFoobar = if(hasFoobar = "Y", "YES", "NO")
| table message, hasFoobar

some stuff
| eval hasFoobar = case(_raw LIKE "%\[\"foobar%", "Y")
| eval hasFoobar = if(hasFoobar = "Y", "YES", "NO")
| table message, hasFoobar

Any advice?
When a UF sends data via HTTP it uses the Splunk-to-Splunk protocol, which logstash doesn't support.
Can you fully expand an example of the search? I assume Channel is a visible field in the event list? Have you explicitly specified Channel as a field in the SPL?
Hello Experts,

I am trying to send Windows security logs to a logstash (http) receiver. Below is what I have, based on my understanding of this Splunk document: https://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/Configureforwardingwithoutputs.conf

On the UF I have

inputs.conf

[WinEventLog://Security]
disabled = 0

outputs.conf

[httpout]
httpEventCollectorToken = <token>
uri = http://127.0.0.1:8002
compressed = false
sendCookedData = false
compression = none

my logstash.conf (I want to write the data into a file)

input {
  http {
    port => 8002
    codec => plain
  }
}
output {
  file {
    path => "C:\logstash_output\uf_debug_raw.txt"
  }
}

The file is being created but it holds encoded data, like encrypted data and symbols. Can someone suggest if this is even possible?

data in the file

{"url":{"domain":"127.0.0.1","port":8002,"path":"/services/collector/s2s"},"@version":"1","event":{"original":"�x��V�n\u001CE\u0010�`@���@\u001C�����%
You could try something like this

| rex max_match=0 "(?m)(?<namevalue>(?<=(\]|,)\s).+?(?=\s\-\s)\s-\s[^,]+?(?=,|$))(,|$)"
| mvexpand namevalue
| rex field=namevalue "(?<name>.+?(?=\s\-\s))\s-\s(?<value>[^,]+?(?=,|$))"
| eval {name}=value
| stats values(*) as * by _raw
Hi @LearningGuy

It isn't possible to set the token within the dataSources section, *however* you can do the following...

...
"viz_gE0iilm3": {
    "dataSources": {
        "primary": "search1",
        "search1": "search1",
        "search2": "search2"
    },
    "options": {
        "table": "> $mysearch$"
    },
    "type": "splunk.table"
}
},
"dataSources": {
    "search1": {
        "name": "search1",
        "options": {
            "query": "| makeresults \n| eval msg=\"Search 1\""
        },
        "type": "ds.search"
    },
    "search2": {
        "name": "search2",
        "options": {
            "query": "| makeresults \n| eval msg=\"Search2\""
        },
        "type": "ds.search"
    }
},
...

What we're doing here is defining the references to the searches under the dataSources section of the viz, so mapping "search1" to the relevant ID of search1 (not the name!), so in your case "ds_index1".

Important Note: you *must* have a primary, otherwise the viz doesn't seem to load; this could be a basic makeresults empty search, or just search1.

Then within the table options we set:

"table": "> $mysearch$"

This defaults to "> primary" but we are overriding it with the dataSource we want it to pull from (as defined in the dataSources section of the viz).

Full example:

{
    "title": "testing",
    "description": "",
    "inputs": {
        "input_Ldh6KqEz": {
            "options": {
                "items": [
                    {
                        "label": "Data 1",
                        "value": "search1"
                    },
                    {
                        "label": "Data 2",
                        "value": "search2"
                    }
                ],
                "token": "mysearch"
            },
            "title": "Dropdown Input Title",
            "type": "input.dropdown"
        }
    },
    "defaults": {
        "dataSources": {
            "ds.search": {
                "options": {
                    "queryParameters": {
                        "earliest": "-24h@h",
                        "latest": "now"
                    }
                }
            }
        }
    },
    "visualizations": {
        "viz_gE0iilm3": {
            "dataSources": {
                "primary": "search1",
                "search1": "search1",
                "search2": "search2"
            },
            "options": {
                "table": "> $mysearch$"
            },
            "type": "splunk.table"
        }
    },
    "dataSources": {
        "search1": {
            "name": "search1",
            "options": {
                "query": "| makeresults \n| eval msg=\"Search 1\""
            },
            "type": "ds.search"
        },
        "search2": {
            "name": "search2",
            "options": {
                "query": "| makeresults \n| eval msg=\"Search2\""
            },
            "type": "ds.search"
        }
    },
    "layout": {
        "globalInputs": [
            "input_Ldh6KqEz"
        ],
        "layoutDefinitions": {
            "layout_1": {
                "options": {
                    "display": "auto",
                    "height": 960,
                    "width": 1440
                },
                "structure": [
                    {
                        "item": "viz_gE0iilm3",
                        "position": {
                            "h": 300,
                            "w": 830,
                            "x": 10,
                            "y": 30
                        },
                        "type": "block"
                    }
                ],
                "type": "absolute"
            }
        },
        "tabs": {
            "items": [
                {
                    "label": "New tab",
                    "layoutId": "layout_1"
                }
            ]
        }
    }
}

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.
Yes! The tokens are made like this. Here are some examples. These tokens are working correctly.

<input type="dropdown" token="case_token" searchWhenChanged="true">
  <label>Case Selector</label>
  <fieldForLabel>case</fieldForLabel>
  <fieldForValue>case</fieldForValue>
  <search>
    <query>| tstats count where index=string* by index | table index </query>
  </search>
</input>
<input type="multiselect" token="host_token" searchWhenChanged="true">
  <label>Host</label>
  <fieldForLabel>Host</fieldForLabel>
  <fieldForValue>host</fieldForValue>
  <search>
    <query>| tstats count where $case_token$ by host |table host</query>
  </search>
</input>

What isn't working is the creation of the $channel_token$ made with the drilldown. I think it might be because I'm using an event pane and not a table pane.
Hello,

How do I change the dataSource in a table dynamically based on a token in Splunk Dashboard Studio? I tried to assign a token on the "primary" field, so it can change dynamically to "Data 1" or "Data 2" based on the selection. However, this solution does not seem to work. I've seen a suggestion to use a "saved search", but I don't want to use that solution. Please suggest. Thanks

"viz_dynamictable": {
    "type": "splunk.table",
    "dataSources": {
        "primary": "$datasource_token$"
    },
    "title": "$title_token$"
}

"dataSources": {
    "ds_index1": {
        "type": "ds.search",
        "options": {
            "query": "index=index1"
        },
        "name": "Data 1"
    },
    "ds_index2": {
        "type": "ds.search",
        "options": {
            "query": "index=index2"
        },
        "name": "Data 2"
    }
}
Can you post these tokens? $case_token$ $host_token$ $level_token$ $rule_token$
@ljvc I appreciate the information, this is helpful. Would you be able to share your transforms.conf files against the mc_incidents and mc_notes collections? I'd like to better understand how that correlation with incident_id is happening between the collections and dumping it into something readable in a lookup.
Thanks for your feedback. Based on what I know, this seems to be normal behavior for AD, not an issue with the add-on. If you are having trouble, please consider working with Splunk support or ODS, who have expertise on the AD integration.
Hi! Thank you for the resources! I have been reviewing them, as well as doing other search. I still am unsure, so any specific help you can offer is appreciated.
You can start with this app https://classic.splunkbase.splunk.com/app/1603/ With it you can see some examples of how you should play with tokens, and then try those with your own dashboard. Here is one UG presentation on how to use tokens etc.: https://data-findings.com/wp-content/uploads/2024/09/HSUG-20240903-Tiia-Ojares.pdf