| rex field=Body "(?ms).*Access Mask.*\sAccesses:\s(?<Accesses2>.+?)Access\sCheck Results\:.*"
@ITWhisperer group_name is the raw.location and in the visualisation they are using. I want the same visualisation as mentioned earlier.
Hello all, Can someone help me with where I can download the Splunk Tools 6.3 package for Linux?
Try something like this:
| rex mode=sed field=errorMessage "s/transactionId=[^:]+:/transactionId=txid:/g"
The visualisation you said you wanted doesn't have raw.location in. Please clarify what you want in your visualisation, what fields you have and how you want to use them.
So when an upstream error is logged in our Splunk it has two fields that contain all the information about the error. So I created a nice little query to show a simple table of the two fields:

stats values(errorMessage) by errorCode

However, for one of the error messages the errorMessage field can contain an id for the current transaction with the server. So when we scale up and release, this table will contain hundreds of values for a single error type. Examples of the types of errors (obviously sanitized without actual data):

errorCode: Not Required, errorMessage: [Error: Not Required] 400: Downgrade for transactionId=00000000000: type=01 country=GB
errorCode: Not Required, errorMessage: [Error: Not Required] 400: Downgrade for transactionId=00000000001: type=01 country=GB
errorCode: Invalid Request Parameters, errorMessage: [Error: Invalid Request Parameters] 400: Value of 30 for field not valid
errorCode: undefined, errorMessage: [Error: undefined] 400: undefined
errorCode: undefined, errorMessage: [Error: undefined] 500: undefined

So I would like the values(errorMessage) to group the first two items as a single entry. If I could create a new variable without the transactionId, or with it replaced by the same value, the information would be much easier to read and present for error triage in our dashboard, because the transaction id is not important for seeing an error trend. Not super great with Regex, but I feel there is something that would work to just find a field of numbers with a specific length and remove them or replace them. Is that possible? Thanks
@ITWhisperer No results, I think strcat is working together with location and group_name
| timechart span=1d count by location
@ITWhisperer Below is the visualization I am getting after changing from stats to chart.
Hi @phanTom how can I map the output datapaths in the app's JSON file? Is there any document link or video that can be of assistance for that matter?
Introspection endpoint descriptions - Splunk Documentation normalized_load_avg_1min Normalized load average of runnable_process_count across all cores (cumulative_load_avg / number_of_cores). This value is not reliable for a VM guest.
We have used this app as a solution to add the forwarder name: https://github.com/aholzel/TA-add_forwarder_name
Thank you so much! This is UUID actually but I have added a pattern and it works perfectly!
Hello, The rex command to catch and group the Accesses multi values is not working even though the results in regex101 are fine. Could you guys tell me what I am missing?

Test Log:

12/12/2012 04:25:13 PM LogName=Security EventCode=5145 EventType=0 ComputerName=test.corp SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=2049592111 Keywords=Audit Success TaskCategory=Detailed File Share OpCode=Info Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: User\Test Account Name: Test Account Domain: Test Logon ID: 0x117974CE Network Information: Object Type: File Source Address: ::1 Source Port: 51234 Share Information: Share Name: \\*\C$ Share Path: \??\C:\ Relative Target Name: Users\Test\Desktop Access Request Information: Access Mask: 0x100081 Accesses: SYNCHRONIZE ReadData (or ListDirectory) ReadAttributes Access Check Results: -

Splunk Rex Query:

... | rex field=Body ".*Access Mask.*\sAccesses:\s(?<Accesses2>.+?)Access\sCheck Results\:.*"

Thanks, Regards,
We have recently switched over from one proxy to another in our organisation. When trying to put the new proxy details in the relevant add-ons like ServiceNow, Cisco Umbrella etc., the data feeds stop; the Network team inform me that we need to use the CA file that they supply. Does anyone know where this needs to be installed in Splunk? I thought in /etc/auth/ but not sure how we point the config to it.
Assuming only 1 + and user id is in quotes:
| rex "(?<userid>[^\"]+\+[^\"]+@[^\"]+)"
Subsearches execute before main searches (although there are exceptions), therefore trid from the main search is not available in the subsearch. However, you could try something like this:

stage=it sourcetype=some_type NOT trid="<null>" reqest="POST /as/*/auth *" [ search stage=it sourcetype=another_type | rex field=message "ID=PASSLOG_(?<trid>\d+)" | stats count by trid | fields trid ]

Here I have assumed trid is numeric - if not, you should define a pattern that will allow rex to extract the trid from the message field.
Try changing | stats count BY location group_name to | chart count BY location group_name then use a stacked column chart
Hello, I would like to ask if there is a way to restore the splunk user password. During the deployment of UF on the client, a splunk user has been created to deploy UF. Unfortunately this pass is not working anymore. How to restore the password for this user? What would happen if a new version of UF 9.1.2 is deployed? Does it help create a new user? Thanks in advance
Hi There! I would like to find the values of host that were in macro 1 but not in macro 2.

search 1: `macro 1` | fields host
search 2: `macro 2` | fields host

macro 1, field host: a, b, c, d
macro 2, field host: a, b, e, f

Result Count - 2, because host c and d were not in macro 2. Thanks in Advance!