All Posts


Thanks Robert.  I would like to clarify the search as I need the events less than the p95 duration. Shouldn't the eval section be:  | eval search = "dur<"+p95Dur
Try this - I'm not the best at regex and someone else may come along and provide a more efficient one.   Registrar: (?<registrar>.+[^\s]).+Registrar ID     
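As an added check (not code from anyone in this thread), the Python below runs the regex from the reply above, the poster's own first attempt, and one assumed tighter alternative over the three sample events quoted in the original question further down the page. Python's re spells a named group (?P<name>...) where Splunk's rex (PCRE) uses (?<name>...); the patterns are otherwise identical to what goes into rex. The helper names extract, extract_all and compare, and the TIGHT and ALL_FIELDS patterns, are assumptions for this example, not anything posted in the thread.

```python
import re

# Sample events copied from the question on this page (not constructed): three
# spaces precede "Registrar:" and "Registrar ID:", two precede "Server Name:".
EVENTS = [
    "Registry Date: 2025-10-08T15:18:58Z   Registrar: ABC Holdings, Inc.   Registrar ID: 291  Server Name: AD12",
    "Registry Date: 2025-11-08T15:11:58Z   Registrar: OneTeam, Inc.   Registrar ID: 235  Server Name: AD17",
    "Registry Date: 2025-12-08T15:10:58Z   Registrar: appit.com, LLC   Registrar ID: 257  Server Name: AD14",
]

# 1. The poster's original attempt. \w+\s\w+ cannot cross "," or ".", so it
#    either truncates ("ABC Holdings") or does not match at all ("OneTeam, Inc.").
ORIGINAL = re.compile(r"\sRegistrar:\s(?P<registrar>\w+\s\w+)")

# 2. The regex from the reply above: a greedy .+ that must end on a non-space
#    character, followed by at least one more character and then "Registrar ID".
REPLY = re.compile(r"Registrar: (?P<registrar>.+[^\s]).+Registrar ID")

# 3. Assumed tighter alternative (not from the thread): a lazy .+? that stops at
#    the first run of two or more whitespace characters, i.e. the field separator
#    the question describes. It does not rely on "Registrar ID" following.
TIGHT = re.compile(r"Registrar:\s+(?P<registrar>.+?)\s{2,}")

# 4. Assumed single pattern for all three fields mentioned in the thread.
ALL_FIELDS = re.compile(
    r"Registrar:\s+(?P<registrar>.+?)\s{2,}"
    r"Registrar ID:\s*(?P<registrar_id>\d+)\s+"
    r"Server Name:\s*(?P<server_name>\S+)"
)


def extract(pattern, event):
    """Return the 'registrar' capture for one event, or None when the pattern does not match."""
    m = pattern.search(event)
    return m.group("registrar") if m else None


def extract_all(event):
    """Return a dict with registrar, registrar_id and server_name, or None on no match."""
    m = ALL_FIELDS.search(event)
    return m.groupdict() if m else None


def compare(events=EVENTS):
    """Run each pattern over every event; the 'original' row shows why the first attempt fails."""
    return {
        name: [extract(p, e) for e in events]
        for name, p in (("original", ORIGINAL), ("reply", REPLY), ("tight", TIGHT))
    }


if __name__ == "__main__":
    for name, values in compare().items():
        print(f"{name:9} {values}")
    for e in EVENTS:
        print(extract_all(e))
```

The equivalent rex line for the tighter pattern would be | rex "Registrar:\s+(?<registrar>.+?)\s{2,}" ; it only assumes that the registrar value itself never contains two consecutive spaces, which is what the question says separates the fields.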
Thanks for your response Rich.  Using eventstats took too long to complete to the point it wasn't usable.
I am looking for the field registrar to be extracted. There are three spaces after the registrar string, but I can't seem to write my regex to capture the full registrar name up to the three spaces. I am using this but not getting the full string extracted:  \sRegistrar:\s(?<registrar>\w+\s\w+)
Try adding this to your search:  | rex field=_raw "Registrar ID: (?<registrar_id>\S+)"  Update: I misread your post, stand by for an updated search to include all three field extractions, unless someone else beats me to it. You can also use the "Extract New Fields" or "Event Actions" option when you run your search.
I masked the IP address in this reply.
I am trying to write a regex to extract a field called "registrar" from some data like I have below. Can you please help with how I could write this regex to be used in a rex command to extract the field? Below are three example events:
Registry Date: 2025-10-08T15:18:58Z   Registrar: ABC Holdings, Inc.   Registrar ID: 291  Server Name: AD12
Registry Date: 2025-11-08T15:11:58Z   Registrar: OneTeam, Inc.   Registrar ID: 235  Server Name: AD17
Registry Date: 2025-12-08T15:10:58Z   Registrar: appit.com, LLC   Registrar ID: 257  Server Name: AD14
I need the regex to extract the field called "registrar", which in the above example would have the following three value matches:
ABC Holdings, Inc.
OneTeam, Inc
appit.com, LLC
Hello,  Currently, I am using the append command to combine two queries and tabulate the results, but I see only 4999 transactions. Is there any way I can get full results?  Thanks in advance!
To test parsing you can use regex101.com or use the rex command in a search window.
| rex mode=sed "<<sed string to test>>"
Creating a User and/or Group field would be a challenge since the cs2 field could contain either a user or a group name and Splunk has no way to know which.
Jobs should be removed from the dispatch directory automatically once they expire. Some workarounds to consider:
- Increase the size of the dispatch directory
- Reduce how frequently datamodel accelerations run
- Disable unused DMAs
It does not look like any standard Splunk Windows-related sourcetype so it's hard to say from experience. You need to find the source of the file yourself. It might be either an indexed field or search-time extraction (for which you can just brute-force grep all your .conf files if all else fails).
As long as you tell us what data you have that should contain this information and say how you would detect it from said data. Oh, and first please define what you mean by "half duplex connection from source to destination".
Does anyone know a pattern for detecting half-duplex connections from server/laptop sources to server destinations? Not switches, not routers. I am on Splunk Cloud Version: 9.0.2305.101
Thanks all. I ended up using a modified version of @FelixLeh ....it works well!
Hi - can you post name of the sourcetype to the event where EventID=4647 comes up? You can then search for the sourcetype name in Splunk_TA_windows/default/props.conf to see how signature_id field is created.
No, let's not let this one fade out.
- the question is relevant
- the context is relevant, as is the history
- the goal is as trivial now, as then, to achieve
- the continued "any day now" feeling is important
Bump this one. Maybe it's okay for still-relevant issues to be still-relevant, even if it's hard for a small number of us to value something more than a fortnight old. Thanks for your suggestion.
Try something like this
index=A (sourcetype=signlogs outcome=failure) OR (sourcetype=accesslogs)
| eval processId=coalesce(processId, SignatureProcessId)
| eventstats values(userId) as userId by processId
Hi,
My main goal is to find the user id.
Index=A sourcetype=signlogs outcome=failure
The above search has a field named processId but it doesn't have the userId which I need.
Index=A sourcetype=accesslogs --> This search has a SignatureProcessId (which is the same as processId in search 1) and also has userId.
So I need to join these 2 queries on the common field processId/SignatureProcessId. I tried the below query but it returns 0 events:
Index=A sourcetype=signlogs outcome=failure
| dedup processId
| rename processId as SignatureProcessId
| join type=inner SignatureProcessId [Index=A sourcetype=accesslogs | dedup SignatureProcessId ]
| Table _time, SignatureProcessId, userId
Someone please help with fixing this query.
Are you still having this issue with the latest SSE app v3.7.1?