Name perc date
xxx 90 28-Dec-23
yyy 91 28-Dec-23
zzz 92 28-Dec-23
xxx 96 29-Dec-23
yyy 97 29-Dec-23
zzz 98 29-Dec-23

I want to calculate the difference between perc column values based on date. For example, xxx has 90 in the perc column for 28 Dec 2023 and 96 for 29 Dec 2023; 96-90=6 will be the output. Can you please help me with a solution for my query? An additional query: I want to get the difference between the current date's perc and yesterday's perc value. Please assist me on this.
So the approach I took here is to use an EXTRACT in props.conf to target the entire value between pipe 19 and pipe 20, and then use EVALs in props to parse out that extracted value depending on its format.

Edit:

Noticed that there is no need to add an additional EXTRACT to props to get the full value because there is a field already extracted named 'id2' doing the same thing. So an even simpler way of doing this would be:

props.conf entry for forcing an empty string if the values are null:

[user_activity]
...
EVAL-oldType = if(NOT (match('id2', "^\s*$") OR isnull(id2)), mvindex(split(id2, "~"), 0), "")
EVAL-newType = if(NOT (match('id2', "^\s*$") OR isnull(id2)), mvindex(split(id2, "~"), 1), "")

Evidence of the null values being forced to empty strings:

props.conf entries for forcing a single whitespace if the values are null in _raw:

[user_activity]
...
EVAL-oldType = if(NOT (match(id2, "^\s*$") OR isnull(id2)), if(mvindex(split(id2, "~"), 0)=="", " ", mvindex(split(id2, "~"), 0)), " ")
EVAL-newType = if(NOT (match(id2, "^\s*$") OR isnull(id2)), if(mvindex(split(id2, "~"), 1)=="", " ", mvindex(split(id2, "~"), 1)), " ")

Evidence that the desired values are single whitespaces:

I believe this works against the example you provided, and you can see in the screenshot below that I have evaluated some boolean values inline in the search to show whether the values are actually null or not.
If we assume that the Windows Event logs including EventCode 4740 are indeed being indexed into index=winevenlog and sourcetype wineventlog:security (double-check those names!) and that maxwell was indeed locked out within the past 1 hour, then try doing a keyword search for maxwell to see if you can get the raw log, e.g.:

index=wineventlog sourcetype=wineventlog:security maxwell 4740

(Hopefully the logs that match the literal words maxwell and 4740 will be the EventCode=4740 for Maxwell, or at least small enough to comb through.) After that, progressively re-add those search filters until one of them removes the entry for maxwell; then you can troubleshoot why that search filter is not working (e.g. field extraction error?).
Managed to fix the old and new in props.conf:

| rex "^([^\|]*\|){19}(?<OldType>[^\~|\|]*)\~|\|"
| rex "^([^\|]*\|){19}.+~(?<NewType>[^\|]*)\|"

Still having trouble with the || (null values).
Hi all,
One of my users, let's say maxwell, is getting locked frequently. I want to check logs for the last 7 days. I am using the below query but I am not getting any output. I have 4 domain controllers (dctr01, dctr02, dctr03, dctr04).

index=winevenlog sourcetype=wineventlog:security Account_Name=maxwell EventCode=4740 earliest=-h (host="dctr01*" OR host="dctr02*" OR host="dctr03*" OR host="dctr04*") | table _time Caller_Computer_Name Account_Name EventCode Source_Network_Address Workstation_Name
Try something like this:

| rex "([^\|]*\|){19}(?<oldType>[^~\|]*)~?(?<newType>[^\|]*)"
Something is missing. The 'NewType' field may or may not start with the ~; if there is no data then it will start with the |. In the attached picture the field 'NewType' is missing for the event that has only pipes.
Hi @michael_vi, using this search, you have two evals (that you can save as calculated fields) that do the same job:

| union [| makeresults | eval _raw = "Dec-28-2023|12:05:46,836|10.150.6.118|148:|some branch|uswer_name|d168a8b9-5647-421b-97ba-f2aa3bceb69a|1:Creation page stack|Success|action_portfolio_forms_c_save.action|8970:PORTFOLIO ONBOARDING - FORMS CAPTURE||3065254228||||||| ~newType|||"]
    [| makeresults | eval _raw = "Dec-28-2023|12:05:46,836|10.150.6.118|148:|some branch|uswer_name|d168a8b9-5647-421b-97ba-f2aa3bceb69a|1:Creation page stack|Success|action_portfolio_forms_c_save.action|8970:PORTFOLIO ONBOARDING - FORMS CAPTURE||3065254228|||||||oldType~newType|||"]
    [| makeresults | eval _raw = "Dec-28-2023|12:05:46,836|10.150.6.118|148:|some branch|uswer_name|d168a8b9-5647-421b-97ba-f2aa3bceb69a|1:Creation page stack|Success|action_portfolio_forms_c_save.action|8970:PORTFOLIO ONBOARDING - FORMS CAPTURE||3065254228||||||||||"]
| rex "^([^\|]*\|){19}(?<OldType>[^\~]*)\~(?<NewType>[^\|]*)"
| eval OldType=if(isnull(OldType)," ",OldType), NewType=if(isnull(NewType)," ",NewType)
| table OldType NewType

So you can have them in interesting fields.
Ciao.
Giuseppe
@gcusello The problem is that, once props can't extract the field, it won't be shown in extracted fields. So | fillnull value=NULL will not work.
Hi @michael_vi, using my search, you replace the NULLs with a space in SPL. I'm not sure that it's possible to do it in props.conf, but you could create a calculated field that automatically transforms null into a space.
Ciao.
Giuseppe
Good idea to combine... Is it possible to replace the NULL with a space w/o using SPL, within props.conf?
Hi @michael_vi, please try this:

| union [| makeresults | eval _raw = "Dec-28-2023|12:05:46,836|10.150.6.118|148:|some branch|uswer_name|d168a8b9-5647-421b-97ba-f2aa3bceb69a|1:Creation page stack|Success|action_portfolio_forms_c_save.action|8970:PORTFOLIO ONBOARDING - FORMS CAPTURE||3065254228||||||| ~newType|||"]
    [| makeresults | eval _raw = "Dec-28-2023|12:05:46,836|10.150.6.118|148:|some branch|uswer_name|d168a8b9-5647-421b-97ba-f2aa3bceb69a|1:Creation page stack|Success|action_portfolio_forms_c_save.action|8970:PORTFOLIO ONBOARDING - FORMS CAPTURE||3065254228|||||||oldType~newType|||"]
    [| makeresults | eval _raw = "Dec-28-2023|12:05:46,836|10.150.6.118|148:|some branch|uswer_name|d168a8b9-5647-421b-97ba-f2aa3bceb69a|1:Creation page stack|Success|action_portfolio_forms_c_save.action|8970:PORTFOLIO ONBOARDING - FORMS CAPTURE||3065254228||||||||||"]
| rex "^([^\|]*\|){19}(?<OldType>[^\~]*)\~(?<NewType>[^\|]*)"
| fillnull value=" " OldType
| fillnull value=" " NewType
| table OldType NewType

You can test the regex at https://regex101.com/r/gETm2b/1
Ciao.
Giuseppe
Hi all,
I have a very specific regex extraction (search-time extraction).
_raw data example:

| union [| makeresults | eval _raw = "Dec-28-2023|12:05:46,836|10.150.6.118|148:|some branch|uswer_name|d168a8b9-5647-421b-97ba-f2aa3bceb69a|1:Creation page stack|Success|action_portfolio_forms_c_save.action|8970:PORTFOLIO ONBOARDING - FORMS CAPTURE||3065254228||||||| ~newType|||"]
    [| makeresults | eval _raw = "Dec-28-2023|12:05:46,836|10.150.6.118|148:|some branch|uswer_name|d168a8b9-5647-421b-97ba-f2aa3bceb69a|1:Creation page stack|Success|action_portfolio_forms_c_save.action|8970:PORTFOLIO ONBOARDING - FORMS CAPTURE||3065254228|||||||oldType~newType|||"]
    [| makeresults | eval _raw = "Dec-28-2023|12:05:46,836|10.150.6.118|148:|some branch|uswer_name|d168a8b9-5647-421b-97ba-f2aa3bceb69a|1:Creation page stack|Success|action_portfolio_forms_c_save.action|8970:PORTFOLIO ONBOARDING - FORMS CAPTURE||3065254228||||||||||"]

I want to extract 2 fields from position 19 of the pipe until the 20th position, which includes (or may not include) 2 fields that need to be extracted:
new: comes right after the 19th | and before ~
old: comes after ~ and before the 20th |

There are 3 options for how the data may appear:
|<space>~newType|
|oldType~newType|
|<null><null>|

The problem I have is when no data is present (3rd option): then props.conf doesn't parse it.
In the end I need to have 2 fields, based on the example above:

old new
<space> newType
oldType newType
<space> <space>

props.conf

[user_activity]
REPORT-bb_extract = REPORT-bb_extract
EXTRACT-oldAccountType = ^(?:[^|]*\|){19}(?<old>[^\~|\|]*)
EXTRACT-newAccountType = (?:[^~]*\~){1}(?<new>[^|]*)

transforms.conf

[REPORT-bb_extract]
KEEP_EMPTY_VALS = true
DELIMS = "|"
FIELDS = "DATE","TIME","ip","branch","appName","userName","actionID","actionType","actionStatus","actionName","action","srcPortfolioId","refID","currency","TotalAmount","secondPortfolioId","multiTransfer","field18","field19","id2","field21","new","old"

1. How can I extract the field that may or may not include some value?
2. How can I fix the second regex to start with ~ after the 19th |?

Thanks
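A worked parse of the three field-20 shapes from this question, added here as an example that is not part of the thread. It runs both approaches discussed in the replies: the rex with an optional `~` (in Python's `(?P<name>)` group syntax) and the split-on-`~` logic of the EVAL-oldType/EVAL-newType answer, and maps an empty match to a single space, which is the step Splunk's dropped empty-string extraction plus fillnull could not do. The sample events are constructed from the question's `makeresults` data.

```python
import re

# Constructed sample events modelled on the three cases in the question:
# "<space>~newType", "oldType~newType", and an empty 20th field.
PREFIX = ("Dec-28-2023|12:05:46,836|10.150.6.118|148:|some branch|uswer_name|"
          "d168a8b9-5647-421b-97ba-f2aa3bceb69a|1:Creation page stack|Success|"
          "action_portfolio_forms_c_save.action|"
          "8970:PORTFOLIO ONBOARDING - FORMS CAPTURE||3065254228|||||||")
SAMPLES = [PREFIX + " ~newType|||", PREFIX + "oldType~newType|||", PREFIX + "|||"]

# The rex from the thread in Python's (?P<name>) syntax. The optional "~?"
# lets the empty-field case still match (with empty groups) instead of
# failing entirely, as the variant that requires "\~" does.
FIELD20 = re.compile(r"^(?:[^|]*\|){19}(?P<oldType>[^~|]*)~?(?P<newType>[^|]*)")


def extract_via_rex(raw, blank=" "):
    """Return (oldType, newType) for one raw event.

    As the thread observes, an empty capture yields no extracted field in
    Splunk, so a later fillnull has nothing to fill; here the empty match
    is mapped to `blank` explicitly so every event yields both fields.
    """
    m = FIELD20.match(raw)
    if m is None:
        return blank, blank
    return m.group("oldType") or blank, m.group("newType") or blank


def extract_via_split(raw, blank=" "):
    """Mirror of the EVAL-based answer: take the already delimited 20th
    field (id2 in the REPORT extraction) and split it on "~"."""
    id2 = raw.split("|")[19]          # field 20 sits between pipe 19 and 20
    if re.fullmatch(r"\s*", id2):     # isnull(id2) OR match(id2, "^\s*$")
        return blank, blank
    parts = id2.split("~")            # mvindex(split(id2, "~"), 0 / 1)
    old = parts[0] if len(parts) > 0 else ""
    new = parts[1] if len(parts) > 1 else ""
    return old or blank, new or blank


def parse_all(events=SAMPLES):
    """Both methods give the same (old, new) rows for the three shapes."""
    rows = [extract_via_rex(e) for e in events]
    assert rows == [extract_via_split(e) for e in events]
    return rows
```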
Hi @syaseensplunk, let me better understand your architecture; correct me if I'm wrong: do you have a Universal Forwarder in your Kubernetes, or do you take logs using an API from a Heavy Forwarder? Does this Universal or Heavy Forwarder send logs to an intermediate Heavy Forwarder or directly to the Indexers? Please describe the flow of your data from Kubernetes to the Indexers in terms of machines.
Ciao.
Giuseppe
Hi @munang, as I said, the best approach is to manage all Forwarders (Universal and Heavy) using the Deployment Server. It's a best practice to manage with the DS all the inputs (in apps), but also other configurations such as outputs.conf (addressing the Indexers) or deploymentclient.conf (addressing the Deployment Server). The problem is that the DS can manage only conf files in the $SPLUNK_HOME/etc/apps folder, so it cannot manage conf files in $SPLUNK_HOME/etc/system/local. It's important to manage all Forwarders and all configurations using the DS, especially when you have very many of them: e.g. if you have to add an Indexer or change the DS, if you have these conf files in a custom app you can easily change them via the DS, whereas if they are in $SPLUNK_HOME/etc/system/local you have to manually update them. I usually create a custom app (called e.g. TA_Forwarders) containing three conf files:
app.conf: describing the name and the purpose of the app,
outputs.conf: addressing the Indexers,
deploymentclient.conf: addressing the Deployment Server.
Ciao.
Giuseppe
The same stanzas are what I had been trying, but no luck.
Hi,
I don't know why those inputs and outputs conf files are placed in different places by the same splunk CLI command. Maybe someone from Splunk dev can tell that. It's a best practice to use/create your own apps to collect the configurations of one app/issue in one place. Then you could/should put it into git and get version control in place. You could also utilize the deployment server/manager node/deployer to distribute it to the correct places. You cannot use those tools with files under etc/system/local.
r. Ismo
@gcusello Hello. Thank you very much for your kind reply. May I ask one more question? I understood what you were saying to mean that it is more appropriate to directly update the .conf file under $SPLUNK_HOME/etc/apps/<your_app>/local and manage it with a distribution server rather than using the add command. Is there a reason why you don't recommend writing to the $SPLUNK_HOME/etc/system/local folder?
Looks like the installer on Windows is hitting the MAX_PATH limitation in Windows itself; I just had a look at the splunkd.log output. Untarring into etc/apps seems to work fine.

2-30-2023 14:29:56.212 +0400 WARN Pathname [3268 TcpChannelThread] - Pathname 'C:\Program Files\Splunk\var\run\splunk\bundle_tmp\e1dd8fe8ca2eeba4\Splunk_SA_Scientific_Python_windows_x86_64\bin\windows_x86_64\Lib\site-packages\caffe2\python\serialized_test\data\operator_test\collect_and_distribute_fpn_rpn_proposals_op_test.test_collect_and_dist.zip' larger than MAX_PATH, callers: call_sites=[0x100f9b8, 0xdf3670, 0xdf1884, 0x8e9215, 0x8f0141, 0x8ef770, 0x8cc811, 0x8b2c61, 0xffcd08, 0x1083908, 0xfa45c3]
12-30-2023 14:29:56.212 +0400 WARN LocalAppsAdminHandler [3268 TcpChannelThread] - File length is greater than 260, File creation may fail for C:\Program Files\Splunk\var\run\splunk\bundle_tmp\e1dd8fe8ca2eeba4\Splunk_SA_Scientific_Python_windows_x86_64\bin\windows_x86_64\Lib\site-packages\caffe2\python\serialized_test\data\operator_test\collect_and_distribute_fpn_rpn_proposals_op_test.test_collect_and_dist.zip
12-30-2023 14:29:56.212 +0400 WARN LocalAppsAdminHandler [3268 TcpChannelThread] - Failed to create file C:\Program Files\Splunk\var\run\splunk\bundle_tmp\e1dd8fe8ca2eeba4\Splunk_SA_Scientific_Python_windows_x86_64\bin\windows_x86_64\Lib\site-packages\caffe2\python\serialized_test\data\operator_test\collect_and_distribute_fpn_rpn_proposals_op_test.test_collect_and_dist.zip while untarring C:\WINDOWS\TEMP\tmpfgko5w2i: The system cannot find the path specified.
Hi @munang, the command is always the same (splunk) but the action is a different action, recorded in a different conf file: ./splunk add monitor /var/log adds a new input, and inputs are recorded in the inputs.conf file; ./splunk add forward-server a.a.a.a:9997 adds a new destination, and it's recorded in outputs.conf. In other words, the "splunk add" command updates a conf file, but which conf file is updated depends on the object being updated (inputs, outputs and so on). I hope to be sufficiently clear. Anyway, instead of using CLI commands, which write updates into the $SPLUNK_HOME/etc/system/local folder, make your updates directly in the conf files of dedicated apps in $SPLUNK_HOME/etc/apps/<your_app>/local, so you can manage them using the Deployment Server (the DS cannot manage conf files in $SPLUNK_HOME/etc/system/local).
Ciao.
Giuseppe