I am getting this error: Error in 'rex' command: Failed to initialize sed. Failed to parse the replacement string. When I removed the double quotes I am getting this output: . type . failed on num
I am working with Linux auditd events based on the auditd message and field dictionaries, which we call type and field. (You can access the github site for the .csv files that define messages and fields.) For example, the macro name AUDIT_ADD_GROUP would be type=add_group and the macro name AUDIT_EXECVE would be type=execve. Now we have fields by type. SGID is the set group ID, so we could have fields called execve.sgid or add_group.sgid depending on the type value of the event. These are just 2 of more than 40 types we are tracking. Each type will have its own set of applicable fields. For example, there would also be add_group.tty and add_group.proctitle. Is there a way to automatically lop off the prefix of a dot-notation field on ingest? We need to standardize these fields to make them CIM compliant for our data model. The only alternative I see for now would be to use COALESCE to solve this problem (e.g.: eval sgid = coalesce('group_add.sgid', 'execve.sgid')). Doing it this way would mean COALESCE expressions with numerous parameters.
Hi @Beshoy.Shaher, Thanks for following up and sharing the solution! We love to see it. 
Hi All, we have a server that's reaching EOL and is currently a deployment server for 4k clients, and we need to migrate to a new machine. Can anyone help with the steps to test the connectivity with the new DS and then ultimately migrate to the new DS server?
Hi, I am not sure if this is possible at all or not, but I figured it best to ask the experts before I keep spinning in circles. I have created a classic dashboard, and would like to add the ability to toggle the visibility of the column chart data by having the user click on any of the desired legend labels of the data series, so that the visibility of the columns belonging to that data series gets toggled Off or On. So in the below example, the column chart is displaying 2 labels in the legend, "Used" and "Discount", at the start, and I would like to have the user toggle that view. I do not have access to the backend server and would like to do everything from the GUI. I would like the user to be able to click on the "Used" legend entry, and the column chart would remove the "Used" columns and only display the "Discount" columns, preferably expanded to the width of the column chart. I have seen it occur in one of the other column charts within the same dashboard, and I have not added or modified anything to create that. The Drilldown option is set to None for this panel, and all other panels, yet by some magic the other panels sometimes behave so as to toggle Off/On the data being displayed by clicking on the legend labels.
The section for this panel XML is below, and any help would be greatly appreciated:

<panel>
  <chart id="chart1">
    <title>Title of the Dashboard</title>
    <search base="base_search">
      <query>| search merchant IN ($merchant$) | chart sum(used) as Used sum(Discount) as Discount over _time by merchant | addcoltotals row=f col=t label="Totals" labelfield=merchant fieldname="Totals" Used Discount</query>
    </search>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.chart">column</option>
    <option name="charting.chart.showDataLabels">none</option>
    <option name="charting.drilldown">none</option>
    <option name="charting.legend.placement">right</option>
    <option name="refresh.display">progressbar</option>
    <option name="trellis.enabled">0</option>
  </chart>
</panel>
It seems like you may be able to accomplish what you want with an eval:

index=cs
| rex "Type=(?<type>[a-z]+)"
| eval AResponse.BResponse.Message = replace('AResponse.BResponse.Message', "Ref number \w+ failed on num: ", type." failed on num: ")
Try using the concatenation operator to include the field from the first regex in the second.

index=cs
| rex "Type=(?<type>[a-z]+)"
| rex field=AResponse.BResponse.Message mode=sed "s/Ref number+\w+\sfailed on num:*+/" . type . " failed on num: /g"
Was this issue ever resolved? Because I am running into the same issue currently
index=cs
| rex "Type=(?<type>[a-z]+)"
| rex field=AResponse.BResponse.Message mode=sed "s/Ref number+\w+\sfailed on num:*+/NetworkA failed on num: /g"

Here I hardcoded NetworkA in the second rex, but actually it's a dynamic value and it should change according to the value present in the field type. How do I use the type value in the second rex?
@PickleRick Thank you so much for your quick response. However, no changes. I was trying to use props and transforms conf files, but that is not working as well. My props and transforms:

[myprops]
REPORT-mytrans_fields=mytrans_fields

[mytrans_fields]
REGEX=\<(\w+[^\n\/\>]+)\/?\>([^\<\n][^\<]*)
FORMAT=$1::$2
DEST_KEY=_raw

Any recommendations?
Thank you for suggesting, it worked
I've tried both of those. I forgot to put EventCode= in a couple of examples.
From UF installed:

[splunktcp]
_rcvbuf = 1572864
acceptFrom = *
connection_host = ip
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = prdpl2bcl1101
index = default
logRetireOldS2S = true
logRetireOldS2SMaxCache = 10000
logRetireOldS2SRepeatFrequency = 1d
route = has_key:tautology:parsingQueue;absent_key:tautology:parsingQueue

Splunkcloud inputs machine:

[root@servername bin]# ./splunk btool inputs list splunktcp
[splunktcp]
_rcvbuf = 1572864
acceptFrom = *
connection_host = ip
host = servername.aligntech.com
index = default
logRetireOldS2S = true
logRetireOldS2SMaxCache = 10000
logRetireOldS2SRepeatFrequency = 1d
route = has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:rulesetQueue;absent_key:_linebreaker:parsingQueue
[splunktcp://9997]
_rcvbuf = 1572864
connection_host = ip
host = servername.aligntech.com
index = default
IIRC it is when you use "last hour" (for example), as the latest becomes the string "now", which confuses relative_time, although it might also be when you use advanced, as you can get an epoch time.
Can't we update this query in some way to get both the results in one pie? When using trellis it gives two pie charts, which is not helpful.
This is exactly what I'm looking for. Many thanks for your help!
Hi @yuanliu, a few results were wrong, I don't know why! When I'm checking in search, it has macro1 as the value, but when I'm checking with that macro, we have that host there. Thanks in advance!
I have already done that in the main question. Here's the sample, just that there will be more fields:

Event data - {"firstName":"John","lastName":"Doe"}
When does it not work? For my intents and purposes it is sufficient! Thank you a lot!
Try this - although this doesn't work with all options from time pickers - I haven't found an easy way to deal with all options.

<change>
  <eval token="starttime">relative_time(relative_time(now(),$timepicker.earliest$),"-1h")</eval>
  <eval token="finishtime">relative_time(relative_time(now(),$timepicker.latest$),"-1h")</eval>
</change>