All Posts

The null queue is for whole events, not individual fields. One can remove fields using SEDCMD in props.conf:

SEDCMD-rm_XYZData = s/XYZData\>.*\<\/XYZData\>//
Hi @smithy001, the number of volumes isn't so relevant: make a complete Capacity Plan. Ciao. Giuseppe
Hi @MrJohn230, at first, if possible, try to avoid using the join command! I understand that all of us arrive from SQL, but Splunk isn't a database, so the join command should be avoided whenever possible and replaced e.g. with the stats command, because it's a very slow and resource-hungry command.

e.g. try something like this (obviously I cannot check it):

index=customer ((name IN (gate-green, gate-blue) msg="*First time: *") OR name IN (cust-blue, cust-green) msg="*COMPLETED *")
| rex field=msg "First time: (?<UserId>\d+)"
| rex field=msg "Message\|[^\t\{]*(?<json>{[^\t]+})"
| spath input=json path=infoId output=UserId
| eval status=if(name IN (gate-green, gate-blue) AND msg="*First time: *","FirstRequest","Completed")
| stats dc(status) AS status_count values(status) AS status BY UserId
| eval status=if(status_count=2,"both",status)
| table UserId status
| search UserId IN (125,999,418,208)

Then you can decide whether to keep all the UserIds or only the ones with both statuses.

About your search, try to use quotes in the IN values.

Ciao.
Giuseppe
This was solved with the help of PS. On the Application API in AzureAD, add the User.Read.All permission of type Application to the configured permissions. Remember to add all the users that need to access Splunk to the Enterprise Application.
Hi @ITWhisperer, based on the raw events below, I need to filter based on the attributes "suppliedMaterial" and "version", get the resulting row, and then add the columns sqsSentCount and dataNotFoundIdsCount, similar to the table below:

objectType        version  dataNotFoundIdsCount  sqsSentCount
suppliedMaterial  all      1                     8
suppliedMaterial  latest   3                     9
Material          all      3                     11
Material          latest   6                     10

supplied material

1st event:
{"name":"","awsRequestId":"1","hostname":","pid":8,"level":30,"event":{"resource":"/v1/reprocess/id","path":"/support/v1/reprocess/id","httpMethod":"POST","pathParameters":null,"queryStringParameters":null,"body":"{\n \"objectType\": \"suppliedMaterial\",\n \"objectIds\": [\n \"569683\",\n \"564373er\",\n \"569129\"\n ],\n \"version\": \"all\"\n}","requestContext":{"requestId":"","authorizer":{"principalId":"","integrationLatency":0},"domainName":""}},"msg":"reprocess event","time":"2023-11-15T05:47:59.318Z","v":0}

2nd event:
{"name":"","awsRequestId":"1","hostname":","pid":8,"level":30,"supportType":"reprocess","entity":"suppliedMaterial","dataNotFoundIds":["564373er"],"dataNotFoundIdsCount":1,"msg":"data not found for Ids","time":"2023-11-15T05:47:59.329Z","v":0}

3rd event:
{"name":"","awsRequestId":"1","hostname":","pid":8,"level":30,"supportType":"reprocess","entity":"suppliedMaterial","sqsSentCount":8,"msg":"sqs sent count","time":"2023-11-15T05:47:59.364Z","v":0}

4th event:
{"name":"","awsRequestId":"1","hostname":","pid":8,"level":30,"eventBody":{"objectType":"suppliedMaterial","objectIds":["569683","564373er","669179"],"version":"all"},"msg":"request body","time":"2023-11-15T05:47:59.318Z","v":0}

5th event:
{"name":"","awsRequestId":"1","hostname":","pid":8,"level":30,"event":{"resource":"/v1/reprocess/id","path":"/support/v1/reprocess/id","httpMethod":"POST","pathParameters":null,"queryStringParameters":null,"body":"{\n \"objectType\": \"suppliedMaterial\",\n \"objectIds\": [\n \"569683\",\n \"564373er\",\n \"669179\"\n ],\n \"version\": \"latest\"\n}","requestContext":{"requestId":"","authorizer":{"principalId":"","integrationLatency":0},"domainName":""}},"msg":"reprocess event","time":"2023-11-15T05:47:59.318Z","v":0}

6th event:
{"name":"","awsRequestId":"1","hostname":","pid":8,"level":30,"supportType":"reprocess","entity":"suppliedMaterial","dataNotFoundIds":["564373er"],"dataNotFoundIdsCount":3,"msg":"data not found for Ids","time":"2023-11-15T05:47:59.329Z","v":0}

7th event:
{"name":"","awsRequestId":"1","hostname":","pid":8,"level":30,"supportType":"reprocess","entity":"suppliedMaterial","sqsSentCount":9,"msg":"sqs sent count","time":"2023-11-15T05:47:59.364Z","v":0}

8th event:
{"name":"","awsRequestId":"1","hostname":","pid":8,"level":30,"eventBody":{"objectType":"suppliedMaterial","objectIds":["569683","564373er","569129"],"version":"latest"},"msg":"request body","time":"2023-11-15T05:47:59.318Z","v":0}

material

1st event:
{"name":"","awsRequestId":"1","hostname":","pid":8,"level":30,"event":{"resource":"/v1/reprocess/id","path":"/support/v1/reprocess/id","httpMethod":"POST","pathParameters":null,"queryStringParameters":null,"body":"{\n \"objectType\": \"material\",\n \"objectIds\": [\n \"569683\",\n \"564373er\",\n \"469196\"\n ],\n \"version\": \"all\"\n}","requestContext":{"requestId":"","authorizer":{"principalId":"","integrationLatency":0},"domainName":""}},"msg":"reprocess event","time":"2023-11-15T05:47:59.318Z","v":0}

2nd event:
{"name":"","awsRequestId":"1","hostname":","pid":8,"level":30,"supportType":"reprocess","entity":"material","dataNotFoundIds":["564373er"],"dataNotFoundIdsCount":3,"msg":"data not found for Ids","time":"2023-11-15T05:47:59.329Z","v":0}

3rd event:
{"name":"","awsRequestId":"1","hostname":","pid":8,"level":30,"supportType":"reprocess","entity":"material","sqsSentCount":11,"msg":"sqs sent count","time":"2023-11-15T05:47:59.364Z","v":0}

4th event:
{"name":"","awsRequestId":"1","hostname":","pid":8,"level":30,"eventBody":{"objectType":"material","objectIds":["569683","564373er","569129"],"version":"all"},"msg":"request body","time":"2023-11-15T05:47:59.318Z","v":0}

5th event:
{"name":"","awsRequestId":"1","hostname":","pid":8,"level":30,"event":{"resource":"/v1/reprocess/id","path":"/support/v1/reprocess/id","httpMethod":"POST","pathParameters":null,"queryStringParameters":null,"body":"{\n \"objectType\": \"suppliedMaterial\",\n \"objectIds\": [\n \"569683\",\n \"564373er\",\n \"569129\"\n ],\n \"version\": \"latest\"\n}","requestContext":{"requestId":"","authorizer":{"principalId":"","integrationLatency":0},"domainName":""}},"msg":"reprocess event","time":"2023-11-15T05:47:59.318Z","v":0}

6th event:
{"name":"","awsRequestId":"1","hostname":","pid":8,"level":30,"supportType":"reprocess","entity":"suppliedMaterial","dataNotFoundIds":["564373er"],"dataNotFoundIdsCount":6,"msg":"data not found for Ids","time":"2023-11-15T05:47:59.329Z","v":0}

7th event:
{"name":"","awsRequestId":"1","hostname":","pid":8,"level":30,"supportType":"reprocess","entity":"suppliedMaterial","sqsSentCount":10,"msg":"sqs sent count","time":"2023-11-15T05:47:59.364Z","v":0}

8th event:
{"name":"","awsRequestId":"1","hostname":","pid":8,"level":30,"eventBody":{"objectType":"suppliedMaterial","objectIds":["569683","564373er","569129"],"version":"latest"},"msg":"request body","time":"2023-11-15T05:47:59.318Z","v":0}
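The events in the question carry the objectType and version in one event ("request body") and the two counters in two other events of the same request, so the table has to be built by first folding events per request and then summing per (objectType, version). As an added example, not the poster's data and not SPL, here is that two-pass correlation in Python on a constructed set of events. The sample uses a distinct awsRequestId per request; the question's sample reuses "1" for every request, which would merge them into one. RAW_EVENTS, by_request and summary_table are names I chose; the SPL in the docstrings is the analogue of each pass, written by me.

```python
import json
from collections import defaultdict

# Constructed sample events modelled on the question's JSON (not the poster's data):
# valid JSON, trimmed to the fields that matter, one awsRequestId per request.
RAW_EVENTS = [
    '{"awsRequestId":"r1","eventBody":{"objectType":"suppliedMaterial","version":"all"},"msg":"request body"}',
    '{"awsRequestId":"r1","entity":"suppliedMaterial","dataNotFoundIdsCount":1,"msg":"data not found for Ids"}',
    '{"awsRequestId":"r1","entity":"suppliedMaterial","sqsSentCount":8,"msg":"sqs sent count"}',
    '{"awsRequestId":"r2","eventBody":{"objectType":"suppliedMaterial","version":"latest"},"msg":"request body"}',
    '{"awsRequestId":"r2","entity":"suppliedMaterial","dataNotFoundIdsCount":3,"msg":"data not found for Ids"}',
    '{"awsRequestId":"r2","entity":"suppliedMaterial","sqsSentCount":9,"msg":"sqs sent count"}',
    '{"awsRequestId":"r3","eventBody":{"objectType":"material","version":"all"},"msg":"request body"}',
    '{"awsRequestId":"r3","entity":"material","dataNotFoundIdsCount":3,"msg":"data not found for Ids"}',
    '{"awsRequestId":"r3","entity":"material","sqsSentCount":11,"msg":"sqs sent count"}',
    # A request that never logged a body: it cannot be attributed to any objectType/version.
    '{"awsRequestId":"r4","entity":"material","sqsSentCount":4,"msg":"sqs sent count"}',
]


def by_request(raw_events):
    """Pass 1: fold the events of each request into one record.

    SPL analogue (mine): ... | stats values(eventBody.objectType) AS objectType
                                 values(eventBody.version) AS version
                                 sum(dataNotFoundIdsCount) AS dataNotFoundIdsCount
                                 sum(sqsSentCount) AS sqsSentCount BY awsRequestId
    """
    requests = defaultdict(lambda: {"objectType": None, "version": None,
                                    "dataNotFoundIdsCount": 0, "sqsSentCount": 0})
    for line in raw_events:
        event = json.loads(line)
        record = requests[event["awsRequestId"]]
        body = event.get("eventBody")
        if body:
            record["objectType"] = body.get("objectType")
            record["version"] = body.get("version")
        record["dataNotFoundIdsCount"] += event.get("dataNotFoundIdsCount", 0)
        record["sqsSentCount"] += event.get("sqsSentCount", 0)
    return dict(requests)


def summary_table(raw_events, object_type=None, version=None):
    """Pass 2: one row per (objectType, version), optionally filtered to one of each.

    SPL analogue (mine): ... | search objectType=... version=...
                             | stats sum(dataNotFoundIdsCount) sum(sqsSentCount) BY objectType version
    """
    rows = defaultdict(lambda: {"dataNotFoundIdsCount": 0, "sqsSentCount": 0})
    for record in by_request(raw_events).values():
        if record["objectType"] is None:
            continue  # no "request body" event for this request: nothing to group it under
        if object_type is not None and record["objectType"] != object_type:
            continue
        if version is not None and record["version"] != version:
            continue
        key = (record["objectType"], record["version"])
        rows[key]["dataNotFoundIdsCount"] += record["dataNotFoundIdsCount"]
        rows[key]["sqsSentCount"] += record["sqsSentCount"]
    return [{"objectType": k[0], "version": k[1], **v} for k, v in sorted(rows.items())]


if __name__ == "__main__":
    for row in summary_table(RAW_EVENTS, object_type="suppliedMaterial"):
        print(row)
```

Request r4 shows the failure mode worth checking for in the real data: a request with counters but no body event contributes to nothing, so a quick `stats count by awsRequestId` with a check for missing objectType is the first thing to run when the totals look low.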
I have the code below. I know that values exist under the subsearch which are not returned when I run the query below. However, when I uncomment the "where clause" in the subsearch the values appear. I don't know what I have done incorrectly for my results to not show. I've also commented out the |search and it still doesn't show that these values exist in the subsearch. Any help would be appreciated.

index=customer name IN (gate-green, gate-blue) msg="*First time: *"
| rex field=msg "First time: (?<UserId>\d+)"
| eval FirstRequest = 1
| join type=left UserId
    [search index=customer name IN (cust-blue, cust-green) msg="*COMPLETED *"
    | rex field=msg "Message\|[^\t\{]*(?<json>{[^\t]+})"
    | spath input=json path=infoId output=UserId
    | eval Completed = 1
    ```| where UserId IN (125,999,418,208)```]
| table UserId, Completed
| search UserId IN (125,999,418,208)
It looks like spath has a character limit (spath - Splunk Documentation). Try using rex to extract key/value pairs:

| rex max_match=0 "(?<keyvalue>\"[^\"]+\":\"[^\"]+\")"
| mvexpand keyvalue
| rex field=keyvalue "\"(?<key>[^\"]+)\":\"(?<value>[^\"]+)\""
| eval {key}=value
| fields - keyvalue key value _raw
| eval date=strftime(_time,"%F")
| untable date name state
```| stats count by name | where count > 1```
| xyseries name date state

Btw, you do have a duplicate, assetPortfolio_VerifyAPMPropertyDropdown: uncomment the commented lines and comment out the last line to show it.
@bowesmana will give it a try. Thank you.
Hi Cansel,

Thanks for your response. Yes, we are uploading the dSYM files as part of the build. I have referred to the documents which you shared.

For iOS:

curl -v -H Content-Type:application/octet-stream --upload-file UISampleApp.app.dSYM.zip --user "Example account:Example-License-Key-4e8ec2ae6cfe" https://fra-api.eum-appdynamics.com/v2/account/Example+account/ios-dsym

This looks like HTTP basic authentication to me. It requires only the account name and license key to authenticate? Does it not need any user credentials? Then there is no need for generating and using API tokens. Am I right?

Thanks,
Viji
Due to the character limitation in the blog I removed the assetPortfolio_Verify prefix in the name. Example: "AssetDetailsPage":"passed" should be "assetPortfolio_VerifyAssetDetailsPage":"passed".

{ "AssetDetailsPage":"passed", "AddAsset_OTHERDistributor":"passed", "AddAssetForOthers":"passed", "AddAssetValidationDetailsOboUser":"passed", "AddLocationDetailsFields_SUMAUser":"passed", "AddLocationUIChangesOboUser":"passed", "AddLocationDetailsFields":"passed", "AddAssetValidationDetailsSumaUser":"passed", "AddLocationUIChangesSumaUser":"passed", "AddPropertyValidationDetails":"passed", "NoResultsMessage":"passed", "AssetFilters":"passed", "EditFunctionality":"passed", "APMManageAssetTab":"passed", "AddAssetValidationDetails":"passed", "AddAssetLabels":"passed", "AddLocationUIChanges":"passed", "InvalidFormatOnPurchaseDateFiled":"passed", "APMPropertyDropdown":"passed", "SearchOnManageAsset":"broken", "AddPropertyValidationDetailsForOboUser":"passed", "AddPropertyValidationDetailsForSumaUser":"passed", "AssetDetailsDateFieldsInvalidErrors":"passed", "AssetDetailsDateFieldsInvalidErrors_SUMAUser":"passed", "AssetDetailsToolTipOnAddEditCopyLocation":"broken", "ChangeLocationDetailsFields":"broken", "ChangeLocationDetailsFieldsOboUser":"passed", "ChangeLocationDetailsFieldsSumaUser":"failed", "ChangeLocationUIChangesDetailsFields":"passed", "ChangeLocationUIChangesDetailsFieldsOboUser":"passed", "ChangeLocationUIChangesDetailsFieldsSumaUser":"passed", "CopyLocationAllDetailsFields":"passed", "CopyLocationAllDetailsFieldsOboUser":"passed", "CopyLocationAllDetailsFieldsSumaUser":"passed", "CopyLocationUIChanges":"passed", "CopyLocationUIChangesOboUser":"passed", "CopyLocationUIChangesSumaUser":"passed", "EditAssetValidationDetails":"passed", "EditAssetValidationDetailsOboUser":"passed", "EditAssetValidationDetailsSumaUser":"passed", "EditLocationAllDetailsFields":"passed", "EditLocationAllDetailsFieldsOboUser":"passed", "EditLocationAllDetailsFieldsSumaUser":"passed", 
"EditLocationUIChanges":"passed", "EditLocationUIChangesOboUser":"passed", "EditLocationUIChangesSumaUser":"passed", "EditPropertyValidationDetails":"passed", "EditPropertyValidationDetailsOboUser":"passed", "EditPropertyValidationDetailsSumaUser":"passed", "FieldSonAddAsset_OTHERDistributor":"passed", "LabelsUnderLocationsWithValues":"broken", "ListOfPropertiesInPropertyTypeDropdown_AddProperty":"passed", "ListOfPropertiesInPropertyTypeDropdown_EditProperty":"passed", "ManufacturerComponentOnManageAssets":"passed", "PerformanceDataFieldsInvalidErrors":"passed", "PerformanceDataFieldsInvalidErrors_SUMAUser":"passed", "PropertiesListInSortedOrder":"passed", "PurchaseDateFiled_AddLocationModal":"passed", "PurchaseDateFiled_CopyLocationModal":"passed", "PurchaseDateFiled_EditLocationModal":"passed", "RemoveLocationUIChanges":"passed", "RemoveLocationUIChangesOboUser":"passed", "RemoveLocationUIChangesSumaUser":"passed", "BulkUploadNarrativeOnAddAssetModal":"passed", "BulkUploadOnManageAssetPage":"passed", "BulkUploadPageDetails":"passed", "BulkUploadPageNameFromManageAssetsPage":"passed", "BulkUploadPageNameFromManageAssetsPage_OBO":"passed", "BulkUploadPageNameFromManageAssetsPage_SUMA":"passed", "BulkUploadTab":"passed", "PageNamesOnBulkUploadPages":"passed", "PageNamesOnBulkUploadPages_OBO":"passed", "PageNamesOnBulkUploadPages_SUMA":"passed", "TabsOnBulkUploadPage":"passed", "AssetCountOnDashboard":"passed", "BETAOnMyAssetManager":"passed", "BETATextOnMyAssetManager_NonAPMUser":"passed", "DashboardAssetLifeStatusNewTable":"passed", "DashboardAssetLifeStatusNewTableOboUser":"broken", "DashboardAssetLifeStatusNewTableSorting":"passed", "DashboardAssetLifeStatusNewTableSortingOboUser":"passed", "DashboardAssetLifeStatusNewTableSortingSumaUser":"broken", "DashboardAssetLifeStatusNewTableSumaUser":"passed", "DashboardAssetLifeStatusReplaceNowTable":"broken", "DashboardAssetLifeStatusReplaceNowTableOboUser":"passed", 
"DashboardAssetLifeStatusReplaceNowTableSumaUser":"passed", "DashboardAssetLifeStatusReplaceSoonTable":"passed", "DashboardAssetLifeStatusReplaceSoonTableOboUser":"passed", "DashboardAssetLifeStatusReplaceSoonTableSumaUser":"passed", "DashboardAssetLifeStatusStyleCardLayout":"broken", "DashboardAssetLifeStatusStyleCardLayoutOboUser":"broken", "DashboardAssetLifeStatusStyleCardLayoutSumaUser":"broken", "DashboardCategoryFilterFunctionalities":"passed", "DashboardCategoryFilterFunctionalities_OBOUser":"passed", "DashboardCategoryFilterWhenZeroAssets":"passed", "DashboardCategoryFilterWhenZeroAssets_OBOUser":"passed", "DashboardNewTableFunctionality":"passed", "DashboardNewTableFunctionalityOBOUser":"passed", "DashboardNewTableFunctionalitySumaUser":"passed", "DashboardPropertyFilterFunctionalities":"passed", "DashboardPropertyFilterFunctionalities_OBOUser":"passed", "DashboardPropertyFilterWhenZeroAssets":"passed", "DashboardPropertyFilterWhenZeroAssets_OBOUser":"passed", "DashboardReplaceNowTableFunctionality":"broken", "DashboardReplaceNowTableFunctionalityOboUser":"passed", "DashboardReplaceNowTableFunctionalitySumaUser":"passed", "DashboardReplaceNowTableSorting":"passed", "DashboardReplaceNowTableSortingOboUser":"passed", "DashboardReplaceNowTableSortingSumaUser":"passed", "DashboardReplaceSoonTableFunctionality":"passed", "DashboardReplaceSoonTableFunctionalityOboUser":"broken", "DashboardReplaceSoonTableFunctionalitySumaUser":"passed", "DashboardReplaceSoonTableSorting":"passed", "DashboardReplaceSoonTableSortingOboUser":"passed", "DashboardReplaceSoonTableSortingSumaUser":"passed", "AssetNameLinkInWarrantyExpiration":"passed", "DashboardPageRecentlyInstalledTab":"passed", "DashboardPageTabs":"passed", "DashboardWelcomeMessageWhenUserReturns":"passed", "DataDisplayedInRecentlyAdded":"passed", "EmptyStateAssetLifeStatusMessage":"passed", "EmptyStateMessagesOnDashboardPageTabs":"passed", "EmptyStateRecentlyAddedTabAndLinkToAddAssetModal":"passed", 
"HyperLinkAssetNameInRecentlyAdded":"passed", "ManagePropertyAsset":"passed", "ManufacturerWarrantyTypeInWarrantyExpiration":"passed", "RecentlyAddedTab":"passed", "RecentlyAddedTableColumns":"passed", "RecentlyInstalledTabData":"passed", "RecentlyInstalledTableColumnsData":"passed", "ServiceWarrantyTypeInWarrantyExpiration":"passed", "TopManufacturerSection":"passed", "WarrantyExpirationTabColumnsData":"passed", "SortingOnManageAssetsComponents":"passed", "UserAuthenticationToVideoResourcesPage":"passed", "VideoResourcesTabEspotAndVideoPlayWindow":"passed", "VideoResourcesTabOnMyAssetManager":"passed", "FilterSearchBasedOnCategory":"passed", "FilterSearchBasedOnDistributor":"broken", "IfLocationListEnabledInManageAssets":"passed", "AddLocationFields":"passed", "AddPropertyFields":"passed", "AssetPropertyValidation":"passed", "DisabledFieldsForNoAssets":"passed", "DisabledFieldsForNoLocation":"passed", "FloorPlanForAsset":"passed", "IfFieldUpdated":"passed", "NoResultMessage":"passed", "PLaceHolderText":"passed", "PropertyListTable":"passed", "PropertySorting":"failed", "SearchField":"passed", "TableRecords":"passed", "UpdateAsset":"passed", "APMPropertyDropdown":"passed", "AddLocationForHVAC":"passed", "AddNewLocationList":"passed", "AddNewProperty":"passed", "AscendingOrderInAssetTableColumn":"passed", "CancelBtnOnAddProperty":"passed", "CancelBtnOnEditProperty":"passed", "CloseModelOnAddAsset":"passed", "ComponentsOnManageAssets":"passed", "CopyComponentUnderLocation":"broken", "CreateAssetViewComponent":"broken", "CreatePageNameForManageProperties":"passed", "FloorPlanOnManageAssets":"passed", "LeftNavLink":"passed", "ManageProperties":"passed", "ManagePropertyLeftNavigationLinks":"passed", "MessageForNoLocationAvailable":"passed", "MousePointerAndNoHighlight":"passed", "NewFieldsLocation":"passed", "NewFieldsLocationOnHvac":"passed", "NoAssetAvailable":"passed", "NoPropertyAvailable":"passed", "RemoveLocation":"passed", "SearchOnManageAssetPage":"passed", 
"SearchWithInvalidCharacter":"passed", "PlaceholderTextSearchBox":"passed" }
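The reply earlier in this thread gives the rex-based extraction and notes that the document contains a duplicated key. As an added example (Python, not the thread's SPL and not the poster's data), here is the same key/value extraction run offline on a constructed excerpt with the prefix restored, plus the duplicate check and a comparison with what a JSON parser keeps. SAMPLE_RAW, extract_pairs, duplicate_keys, parsed_key_count and status_counts are names I chose.

```python
import json
import re
from collections import Counter

# Constructed sample modelled on the test-result document in this thread: a few of
# its ~170 keys with the prefix restored, and one key deliberately repeated, as the
# reply says the real document has.
SAMPLE_RAW = (
    '{ "assetPortfolio_VerifyAssetDetailsPage":"passed", '
    '"assetPortfolio_VerifySearchOnManageAsset":"broken", '
    '"assetPortfolio_VerifyAPMPropertyDropdown":"passed", '
    '"assetPortfolio_VerifyPropertySorting":"failed", '
    '"assetPortfolio_VerifyAPMPropertyDropdown":"passed" }'
)

# Same shape as the reply's rex: a quoted key, a colon, a quoted value.
KV_RE = re.compile(r'"([^"]+)":"([^"]+)"')


def extract_pairs(raw):
    """All key/value pairs in document order, duplicates kept.

    This is what `rex max_match=0 ... | mvexpand keyvalue` yields; it is bounded only
    by the event size, which is the point of using it instead of spath here.
    """
    return KV_RE.findall(raw)


def duplicate_keys(raw):
    """Keys seen more than once: the reply's commented-out
    `stats count by name | where count > 1` check."""
    counts = Counter(key for key, _ in extract_pairs(raw))
    return sorted(key for key, n in counts.items() if n > 1)


def parsed_key_count(raw):
    """How many keys a JSON parser keeps. json.loads silently keeps only the last
    value of a repeated key, so a duplicate disappears with no error at all; the
    regex route is the one that lets you notice it."""
    return len(json.loads(raw))


def status_counts(raw):
    """Per-status totals (passed/failed/broken) over every pair, duplicates included."""
    return dict(Counter(value for _, value in extract_pairs(raw)))


if __name__ == "__main__":
    print(len(extract_pairs(SAMPLE_RAW)), "pairs by regex,",
          parsed_key_count(SAMPLE_RAW), "keys after json.loads")
    print("duplicates:", duplicate_keys(SAMPLE_RAW))
    print(status_counts(SAMPLE_RAW))
```

The gap between the regex pair count and the parsed key count is the quickest way to spot collapsed duplicates in a large flat document of this kind; on the real data the `xyseries` step has the same last-wins behaviour, so the duplicate check belongs before it.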
Hello, I'm building a query which matches entries in an inputlookup table against a set of log data. The original working query (thanks to @ITWhisperer) is:

dataFeedTypeId=AS [ | inputlookup approvedsenders | fields Value | rename Value as sender]
| stats count as cnt_sender by sender
| append [inputlookup approvedsenders | fields Value | rename Value as sender]
| fillnull cnt_sender
| stats sum(cnt_sender) as count BY sender

This is correctly providing a list of all of the email address entries in the lookup file with the number of times they occur in the email address field (sender) of the dataset. However, the "Value" field from the lookup file may contain an email address, an IP address, or a domain name:

Value,description,spoof,spam,heuristic,newsletter
training.cloud@bob,Email Tests,Y,Y,Y,Y
mk.mimecast.com,mimecast emails,Y,Y,Y,Y
blah@yahoo.com,more belgrat,Y,Y,Y,Y
bbc.co.uk,BBC sends me lots of useful information,N,Y,Y,Y
81.96.24.195,test IP,Y,Y,Y,Y
yahoo.com, Yahoo domain,Y,Y,Y,Y

What I need to do next is to widen the search: at the moment it is doing an exact match on the sender field, and I need the entries in the lookup file to be used against a number of fields in the log data. Examples:

This query seems to provide the correct results but it does not show the null values as above (n.b. the return 1000 isn't optimal code, I'd prefer it to simply return all of the results):

dataFeedTypeId=AS [| inputlookup approvedsenders | fields Value | return 1000 $Value]
| stats count as cnt_sender by sender

This query also provides the correct results but again does not show the null values (there is no domain field in the log data, I am using an app to extract it from the sender field):

dataFeedTypeId=AS
| rex field=sender "\@(?<domain_detected>.*)"
| eval list="mozilla"
| `ut_parse_extended(domain_detected, list)`
| lookup approvedsenders Value AS domain_detected OUTPUTNEW description Value
| lookup approvedsenders Value AS sender OUTPUTNEW description Value
| lookup approvedsenders Value AS senderIp OUTPUTNEW description Value
| search description="*"
| table subject sender domain_detected senderIP description Value
| lookup approvedsenders description OUTPUTNEW Value as Matched
| stats count by Matched

My apologies for the long question, thank you for taking the time to read this far.
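The question's lookup mixes three kinds of value (email address, domain, IP), each of which belongs against a different log field, and it wants the entries with zero hits kept in the result. As an added example, not the poster's code and not SPL, here is that matching in Python on constructed lookup rows and log records: each Value is classified, compared against the field that suits it, and every lookup entry gets a count, zero included. The domain is taken from the part after the last "@", which is an assumed stand-in for the question's ut_parse_extended macro; APPROVED, EVENTS, classify, matches, count_matches and unlisted_senders are names I chose.

```python
import ipaddress

# Constructed lookup rows, copied in shape from the approvedsenders CSV in the question.
APPROVED = [
    {"Value": "training.cloud@bob", "description": "Email Tests"},
    {"Value": "mk.mimecast.com", "description": "mimecast emails"},
    {"Value": "blah@yahoo.com", "description": "more belgrat"},
    {"Value": "bbc.co.uk", "description": "BBC sends me lots of useful information"},
    {"Value": "81.96.24.195", "description": "test IP"},
    {"Value": "yahoo.com", "description": "Yahoo domain"},
]

# Constructed log records standing in for the dataFeedTypeId=AS events (not real data).
EVENTS = [
    {"sender": "blah@yahoo.com", "senderIp": "10.0.0.5"},
    {"sender": "Other@Yahoo.com", "senderIp": "10.0.0.6"},
    {"sender": "news@bbc.co.uk", "senderIp": "10.0.0.7"},
    {"sender": "alerts@mk.mimecast.com", "senderIp": "81.96.24.195"},
    {"sender": "someone@example.org", "senderIp": "203.0.113.9"},
]


def classify(value):
    """Which kind of lookup entry is this: ip, email or domain?"""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "email" if "@" in value else "domain"


def sender_domain(event):
    """Assumed stand-in for ut_parse_extended: the part of sender after the last @."""
    return event.get("sender", "").rpartition("@")[2].lower()


def matches(value, event):
    """Compare one lookup Value against the log field that suits its kind."""
    kind = classify(value)
    if kind == "ip":
        return event.get("senderIp") == value
    if kind == "email":
        return event.get("sender", "").lower() == value.lower()
    # Exact domain match; extend with endswith("." + value) if subdomains should count.
    return sender_domain(event) == value.lower()


def count_matches(approved, events):
    """One count per lookup entry, keeping the zero rows the question wants to see.
    In SPL terms this is the `append [inputlookup ...] | fillnull` trick, done once
    per kind of value rather than only for exact sender matches."""
    return {row["Value"]: sum(matches(row["Value"], e) for e in events) for row in approved}


def unlisted_senders(approved, events):
    """Senders that match no approved entry at all: the rows worth a second look."""
    return [e["sender"] for e in events
            if not any(matches(row["Value"], e) for row in approved)]


if __name__ == "__main__":
    for value, n in count_matches(APPROVED, EVENTS).items():
        print(f"{n:3d}  {value}")
    print("unlisted:", unlisted_senders(APPROVED, EVENTS))
```

One event can legitimately hit several entries (alerts@mk.mimecast.com matches both the mimecast domain and the test IP), so the per-entry counts do not sum to the event count; if a single "Matched" value per event is needed, decide the precedence (email, then IP, then domain, say) before counting.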
In a custom app, is there a means of concealing the Actions dropdown button in a Dashboard Studio dashboard if I do not want users to be able to Download PDF, Download PNG, Clone Dashboard? Thanks
Hi, I have a log file which contains UTF-8 characters "[1;33mWARN  [-dispatcher-6] " and so on. The regex below works perfectly, but how do I automate this solution?

| rex mode=sed "s/\x1B\[[0-9;]*[mK]//g"

Thanks for your help.
Is there a suggested maximum size of lookup that should be used for an automatic lookup? Such as, if your lookup exceeds more than x rows, it would be best not to use it with an automatic lookup?
I need MS Exchange O365 trace logs in Splunk. Which add-on can provide these logs? Is it possible with Azure Monitor logs? I tried the Graph API add-on but it can only send activity logs, not trace message logs. Kindly help. Thanks.
@ITWhisperer Thank you so much, that has returned the results I was expecting. 
Hello everyone, I need your help! We have a data source which is sending huge logs and thus we want to drop useless field values before indexing. We have installed an add-on which extracts a field from the raw logs (example: ProductName) and assigns the value of this field as source to the raw logs, and similarly uses the same props and transforms to extract the rest of the fields/values. Up to this part everything works smoothly. Now the issue is that among those extracted fields there is a field which I want to drop before indexing. I understand that there is a way to send a particular field/value to a nullqueue using props and transforms; below is a sample configuration I tried but it didn't work. Your support in this is highly appreciated.

Props:

[test:syslog]
SHOULD_LINEMERGE = false
EVENT_BREAKER_ENABLE = true
TRANSFORMS-test_source = test_source, test_format_source
TRANSFORMS-nullQ = nullFilter
REPORT-regex_field_extraction = test_regex_field_extraction, test_file_name_file_path
REPORT-dvc = test_dvc

Transforms:

[test_source]
REGEX = ProductName="([^"]+)"
DEST_KEY = MetaData:Source
FORMAT = source::$1

[test_format_source]
INGEST_EVAL = source=replace(lower(source), "\s", "_")

[test_dvc]
REGEX = ^<\d+>\d\s[^\s]+\s([^\s]+)
FORMAT = dvc::"$1"

[nullFilter]
REGEX = (?mi)XYZData\>(.*)?=\<*?\/XYZData\>
FORMAT = remove_field::$1
DEST_KEY = queue
FORMAT = nullQueue

[test_regex_field_extraction]
REGEX = <([\w-]+)>([^<]+?)<\/\1>
FORMAT = $1::$2
CLEAN_KEYS = false

[test_file_name_file_path]
REGEX = ^(.+)[\\/]([^\\/]+)$
FORMAT = source_process_name::$2 source_process_path::$1
SOURCE_KEY = SourceProcessName

[test_severity_lookup]
filename = test_severity.csv

[test_action_lookup]
filename = test_action_v110.csv
case_sensitive_match = false

[drop_useless_fields]
INGEST_EVAL = random:=null()

## Below is the sample raw log; I want to drop the field <XYZData>

Sample raw data:

<29>1 2023-11-09T18:34:02.0Y something testEvents - EventFwd [agentInfo@ioud tenantId="1" bpsId="1"
tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="x\y"] <?xml version="x.0"?> <test_hjgd><MachineInfo><AgentGUID>{iolkiu-5d9b-89iu-3e19-jjkiuhygtf}</AgentGUID><MachineName>something</MachineName><RawMACAddress>xyxyxyxyxz</RawMACAddress><IPAddress>xx.xx.xx.xx</IPAddress><AgentVersion>x.x.x.xx</AgentVersion><OSName>GGG</OSName><TimeZoneBias>-333</TimeZoneBias><UserName>xxx</UserName></MachineInfo><EventList ProductName="something" ProductVersion="xx.x" ProductFamily="Secure"><Event><Time>2023-11-09T18:34:38</Time><Severity/><EventID>jkiuj</EventID><XYZData>T1BHoQUAAAAAAAADQg0AAO0dXVNbu1E/JZP3xNyElJsZ13cA24kbwB7bhPaJMdiAG8DUNjehnf737of26ONIOrID0zycyWCfo13trlar1WolOU31h/qh7tSteqX+VDO1VCs1Vwt1r/6qXqvf1Fu1A9+vAHKvLqF8CtB7dU3QUzVWXfUGsP5COCu1VhOATuHzlmjMCO8enhH+h2qppjoA6AogbfhG/AHwXMDTDOivNe+hegQKM9Uhme6h/BX8PakHeOsBfZbtI/ztwhNSNZhjjfeKZF3B8y1weVIn8HmnJeqor+qcPjtQPobnsfoHSNKBpwFwtyH78L2vjgA+At4jKOnCew9KOtAG5P4bydJUjYAUrmyfSC8XpJ8e1G6p/6grtad+h3/voHwXIKjPD0DvPTztgvax/A2Uf4RSLHsPpXtQ6wpoTqHeDpTvge7+60lQ5tWEti3gbQ7YT6RH5L/j/XuT+eT/Y/5lDi7XIUj3J/UL93QLavr1yjguDenJVqmmDdkHK2VNfHXsmvvrLfztwOcuyY504vjcg3NoDY+CGfT9Ar4nhb2iDc+gR+YwllpFP2xSA8fSIfzNtfw4pj7qPn8Hnx+gp5Guj9eEN6R3X4wf5ItjZUSja10xEg5VH95PQF6k2oO292gsnEP9MehkTGOiDzbfhTb0CPN10WvVvKUnrqm917oU6z2SrrGlov04TqgH5uRvECbPHfIZdwmP8Tvo0fYYNsXN/AaOKPQQh6Qf4z2wdGz5B8Qewr8+/DF0BHVe6x4OWYrvOWxYC/r/HuS5oJZiCxfw+UD2egXPS5D0FfA6BG7ojy/JH4e4IHWbU8N7C+s0ZtumL3DsPpAkaz1TsH+fQl9eUq/EtYt+d0CaGpOlfdLeuA96OyX79L0z6nGXZKriy3b4QHznpBWU/DNgoOT3hd84AV5H1JfHuhc/qTMYgWyj1fVDXHpAD/t7D+i8hT/2Pm9p9voQocx1mmAtOAqWVMYt+kGedaD7Ig1vQ+lKa8T1PT6dXMwOze+o6TlZhKEQg5gZaUg8cGaPz+fv9OiUCGAFlNnL3VLcgF75iry9kVJwOiDpJdmBD0HOEyu+KHN/T/PBa92DBjPHK6DNYpzAHhT96Tn89T1fGaKK3E4o+im3SrQto31aUPJLUzSee35PSdsmS7TLdrRt+eVN0NMKRhha+yNFKIJbLq/i+jfAXAWhEmE9rwaq+GHbcAyLh1xv1JMj8uk4D3aBwi3ZyI4e6WWI62+RL3uvQ239C4dCHi73QrgFl1D3yRpfXwD+9AI6TvFKSeJGhnl4bdDLsRe3voTdxPjgPDyB+epluNq0zXxwAt9r9Z1s4RtY1g1gLbU+TimqaeloU54PCS72MKexuXoBeWN87DkqJX2oz/N9OEd0Q4rmjC830V0XYAPLp6e42bPYy
/StSx37iD3TAlr1mWa8qV7JNAr4HdWZ6Gh9VtAY0ep+aXmLXGzxLPb8yp5spjMKvCao1v5IR3bDYg2CUWAXYK8tL+hS5bXhkviasl2IIz7C50eIsffo+YNeK/qYqBWJuW61H7ZnavSEGFn7ccHzxgPVcrCGV5W8DylfgauSo2IF4kqC8fM+6JHf+uAR7fVcrgytDHxbd8YPjWj0NrRGH8leU9GdX+eYYJcw6pGfWOQZ9egNtOce3p8AC+vO9Zwp7duurhnHomn0OQvwQLzSwHamIpTGT9YPeZmuHm8La3z7s7bd2pXuhQWtzG89GHrU74DxRq/Gq/CatA6dq39Bu2YlPjt67ohjxOpjjLPUWmklqPh4aJnskaY6fjS9bFqVxgrFPWW5D2n+Rs9oVhe2zbfJUicUocm8lYYPaX29IK82tWYzod6IrKCkrrynxpCxOzOOcuvG6thR+jb1c8a+Xbcd9HkSGcRg///obkDtuSmylebNHdfY+xI7NAqfuaSs5Jpm3BuylEnS/2Puaag+URbqnHJNn3Uu4zxg3ZhxM94/xs/NaoRW3mGoyCVYZzRip+T5xuRfzYojDpOoLy1BGsuXRLBTElXjdEg7OJLZs8yB81zrdhWcrXJqGBxembG3wJbuw/Oa/P5NkZEz/nbzejavEYzGC/VPxZncvGyL1D2gPNvThrVCUm3HN9cTlSm4UfJmdUckM9cNZbP21HslGaU2xeTcH2Jdbon9fkr7Y8sApg3Zzh82Ii2Ity2nto1jMDCKCNm5GY0+zbwatqUfbsghr4ZtY5vzyK1jamy6eym56dgeJu4z4C7lKeCMnfVqnKNk5WwfdQy97O7P2tmrXGyf7gg+r9V9gpaL4dcvz5thKiE8n9YA5spBNsU4NsfWBtMetX6sKavxy43wD+B9sxp27OzODo+65xckBVMux9t5dewatkz5fHJrpTRcrdMcLTYCfOIztcstjufzjGO61mbLNoae5VXBDcWY0yLncpOw180ocMuPI9gmSkzhsFaqaKRxRGNVVKqwwhmvatk2qRPm0SPvxRmyvLb8LBW77+z5tLoX09h2f+bQzcV2+ziHcj5+qt/z2rBd7c1sYVtJtqNn535k/2jlnLEwdpHCsunIOoN9GM7Z/4bnLyBVmVoKt5lYoTQSMCOhT6+RgNk75rxHLZllv9ysE208t4xPJi0tDZp3zoEvdb7axMipMwbhGk0rL+TG4+FyzrNg33NWyc1BpKADnVdbkwQSG8r85EL9c1gxGPK7olKzqimXcZaMV3GnAD9ysmd+Oa7VsL9MziSdFT9SfajdLk6UjIsTT/4ezwGU/N3JifucXP68cr7SI820sArDzhWlcEX37q5XTqtPKAt0RidqvmS0vEc7B32wSj59Y3QQ5u1mL2UfO0eyIdl+H9Yu+6DvI9XJkK5cx8gXlyIsI66Pl8o+cfo80rbhaeiV9enM3gF9n+gTozGpy3KZ7BpS7Og9/Ee1tnIT6Xxgr9DegCTZ93alxnrnbezsTaU5Sqx6SlHzI2Gz10N/ckjzz0KPfxOX5mAzXfHep9SmBeVobEphOHrJbxRXnwHsInnC2Hj9/BrxfFk5N+JD21D6UMjt+9Uh1PsehUo5nm/iGVTOptrnmzhGQI2ylwxnIF1YF57yzz126fRzdZbBpiqzxoLmVcyt2buCPsT0cgjCufSljgFSddNYHKctCxzRrzufVeP0aca7Vnxm7jZCJwera/l7d66OQb6qmc5Ky3zjl5TPPzYCZeHstpzolHUujk60bcQ8ohpGSzHYKfCS81vm+bOaUFzKo8k9Wyo5Kv/EaY1X470EXsOxxtA8Z86cNSrg7shyx489Ml1I2c8Z3yjrjNp71t6z9p413q+G9yt4z2ofKf6Cs0joSy5ICvukUhondnYtfg48dsdtkxooOXrPWaLWGKA/it7YDD+O1bdOmdnzwiY1/Hsrtk+OQUxf2tih0vK6Wc7GT+j0SltrUzgs9VzBmalV5O7Ju
2K3/vnukmIe5SvdHu05K/9t7ok+73ml+p6oua8Vv/f5q90KlZOV9R1Q+96hyYG85M3DWLbjuW4emrzbtjcMwxTqm4T1TcL6JmF9k7C+SVjfJPwZrvVNwvomYX2TsL5JWN8kRHnrm4T1TcL6JmF9k7C+SbjpTULTS5+g3+Yvkl0M8bA5pywgB2uk4wa02BMawxfKnPxLQQ8ossqPI9uKf22Mf2fsALxY3hkcl4+/j8IWxZjl8qaTQbdxy+VNkujA0prx2n55kyKHvpNV2VQDPSrrW1H1KKGFMj/WhHhezCFOqHckPxCH2ZB4D++UqKSswdanrMVHoIUVjeK7re2kq3r6nOKIfrdyTCM3x25yJZIZ7A7e2MteOCuIRhLao75YWzlKqRWDhCIXzilKTlhGXy4m5t6vyUdNiavcrfRP3bneIVS66TkMW8e8Er0kCzHytkp9EccbkKVdR/YKYlCOmx6SdVMYEgX9zD4c96ucmTzWWuK6vSKSqsLgs4+8nuAdg6mSnZVvRe/K6gjjhhuiG9mnfoY5BmwW9WGYyDhdN5cto9pwkDz3TcSbrG237iHoCVxa41kBKuEY38Z1ND7lfq7kew0u6FXapvZPcSy37sE1r5fCRe52on0fFtxa24VxFx925ex4tclzW1bbo91k5aktHmfnYbX2z1twLqaach824HTqnhfrImW2kDv6mqb/mj9GzJYvpD1fKFxriRhnuiTg/+ojFJOzLjQ3IGjBUblPoV8QkeA/goJhd3Vm3T7EIZjq/UJbmDD7DM2u/WNHltDuGE74ZImfXF7RCvc2IHWL3RPq0M3yUFTekZShLOSYveU9y8T7C5nKO4XufIkDZu91c0rIcHJ8MvP3+aumwzrnOOo6sGyGxyNTnwDHmLUnDdoy/TS35Rhci8dAE5FkVmVV/PygMx9UL7vhhyguikjio7lTKj0xrFHt/wl1m9lDi5X/w5cGCK3OXjt/zKShnj4nH0PHYO5EP90i7sOq8Z0NdZWchZjp6QzA3Pr5N2s26e12Cllg91zUCPKDw8pc5AzMkO8Q9nIseIzwddqpvd4zKiqxizbl7FsvgUks4RAYr/uIr8kbvCFvl9S/fsvjQjvll7Nb/N/JrTU/wA=</XYZData><UserInfo>T1BHoQUAAAAAAAADJwEAAIWSTW+CYBCE56eQ3lv10vRANQ1Yw6EfSfXSm1HbmgAlgE35933ehYooxgvszszusLv4muhXiWJ5+tFGuQpt9a1U97rSSDca8vZgUq3A17CpPo1daK5HXaO6NU2hUkvYNc/YemxMlxI7fqKxfE3xWaB1XhHcBhjhytguUMLKK6dr7DeUTkamZURAotHnSykO8pqIzxrPTMM6FLrTvPPTCLm2aHf3lUdZ6r+5XNBnaWfcGte30v6d4OJmrjGVtx3hk1A0Pm1JfM8N+9m0/ptwSJG7abB/RK6OWuUjWKUyykl8tz+iZ26XI/ST/zZNVLpnNXrLWnWLDfYt5x72KBzdPybfZOnDV4G79w/XozETtyriuyoakOEV+veGztv93aFPHRnS7xfX/qWH8=</UserInfo><DestinationUserInfo>T1BHoQUAAAAAAAADJwEAAIWSTW+CYBCE56eQ3lv10vRANQ1Yw6EfSfXSm1HbmgAlgE35933ehYooxgvszszusLv4muhXiWJ5+tFGuQpt9a1U97rSSDca8vZgUq3A17CpPo1daK5HXaO6NU2hUkvYNc/YemxMlxI7fqKxfE3xWaB1XhHcB6xHhhjhuyfgfr7DeUTkamZURAotHnSykO8pqIzxrPTMM6FLrTvPPTCLm2aHf3lUdZ6r+hjhhyujte30v6d4OJmrjGVtx3hk1A0Pm1JfM8N+9m0/ptwSJG7abB/RK6OWuUjWKUyykl8tz+iZ26XI/ST/zZNVLpnNXrLWnWLDfYt5x72KBzdPybfZOnDV4G79w/XozETtyriuyoakOEV+veGztv93aFPHRnS7
xfX/qWH8=</DestinationUserInfo><ThreatName/><PolicyName/><TimeSZone>+00</TimeSZone></Event></EventList></XYYPREV_1100>
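Two threads on this page meet here: the answer near the top (nullQueue drops whole events, SEDCMD strips content from an event), the ANSI-escape question (a sed substitution that works at search time and needs automating), and the configuration above that tries to remove the XYZData element with a nullQueue transform. As an added example, not the posters' code and not Splunk configuration, here are the three behaviours side by side in Python on constructed inputs: stripping one XML element, stripping ANSI colour codes, and routing a matching event to nowhere. The props.conf lines in the comments are my index-time counterparts of the two substitutions (the stanza name is assumed, and I assume the index-time sed engine accepts \x1B as the search-time one does); XML_EVENT, ANSI_LINE, element_re, strip_element, strip_ansi, route_event and lines_with_escapes are names I chose.

```python
import re
from typing import Optional

# Constructed sample modelled on the syslog+XML event above; the base64 payloads are
# short placeholders, not the real ones.
XML_EVENT = (
    '<29>1 2023-11-09T18:34:02.0Y something testEvents - EventFwd '
    '[agentInfo@ioud tenantId="1" bpsId="1"] <?xml version="1.0"?>'
    '<test_hjgd><MachineInfo><MachineName>something</MachineName></MachineInfo>'
    '<EventList ProductName="something"><Event><EventID>jkiuj</EventID>'
    '<XYZData>T1BHoQUAAAAAAAADQg0AAO0dXVNb=</XYZData>'
    '<UserInfo>T1BHoQUAAAAAAAADJwEAAIWSTW=</UserInfo>'
    '</Event></EventList></test_hjgd>'
)

# Constructed sample modelled on the coloured log line in the ANSI-escape question.
ANSI_LINE = "\x1b[1;33mWARN  [-dispatcher-6] \x1b[0mretrying request"

# ESC [ parameters m|K : SGR colour codes and erase-in-line, the same expression the
# question already uses with rex mode=sed.
ANSI_RE = re.compile(r"\x1B\[[0-9;]*[mK]")


def element_re(tag):
    """One element whose body holds no nested tags. [^<]* rather than .* keeps the
    match inside the element; a greedy .* would run on to the last </tag> in the
    event and take every element in between with it."""
    return re.compile(rf"<{re.escape(tag)}>[^<]*</{re.escape(tag)}>")


def strip_element(raw: str, tag: str) -> str:
    """SEDCMD behaviour: the event is kept, only the unwanted element is deleted.
    Index-time counterpart in props.conf (sourcetype stanza assumed):
        [test:syslog]
        SEDCMD-rm_xyzdata = s/<XYZData>[^<]*<\\/XYZData>//g
    """
    return element_re(tag).sub("", raw)


def strip_ansi(raw: str) -> str:
    """Same mechanism for terminal colour codes. Index-time counterpart (assumed):
        SEDCMD-strip_ansi = s/\\x1B\\[[0-9;]*[mK]//g
    which makes the per-search `rex mode=sed` unnecessary.
    """
    return ANSI_RE.sub("", raw)


def route_event(raw: str, tag: str) -> Optional[str]:
    """nullQueue behaviour: an event matching the regex is discarded whole (None) and
    an event that does not match passes through untouched. A transform with
    DEST_KEY = queue / FORMAT = nullQueue has no middle ground, which is why the
    [nullFilter] stanza above cannot remove just the XYZData field."""
    return None if element_re(tag).search(raw) else raw


def lines_with_escapes(lines):
    """Check to run over indexed _raw after deploying the SEDCMD: any line returned
    here still carries escape sequences, i.e. the substitution did not apply."""
    return [line for line in lines if ANSI_RE.search(line)]


if __name__ == "__main__":
    print(strip_element(XML_EVENT, "XYZData"))
    print(strip_ansi(ANSI_LINE))
    print(route_event(XML_EVENT, "XYZData"))
```

Note that the SEDCMD leaves every other field extraction in the stanza intact, so the REPORT-based extractions above keep working on the trimmed event; the removed element simply never reaches the index.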
If sender is the field in the dataset, then it should be something like this:

dataFeedTypeId=AS [ | inputlookup approvedsenders | fields Value | rename Value as sender]
| stats count as cnt_sender by sender
| append [ inputlookup approvedsenders | fields Value | rename Value as sender]
| fillnull cnt_sender
| stats sum(cnt_sender) as count BY sender
@ITWhisperer at the moment it is just a simple lookup; there are values in the table which match the log data exactly. The first example does return the correct results (without the null values).

Value is the information from the lookup file.
sender is the information from the main dataset.
cnt_sender is a variable used within the code.

Is that how it should be?
This is a simple search, which gives me this result. The result contains fields which contain "mobilePhoneNumber" OR "countryCode" OR "mobilePhoneNumber AND countryCode". I want to return the count (in one line) of all fields which contain both mobilePhoneNumber and countryCode ("mobilePhoneNumber AND countryCode").