I have this multivalue field where I am trying to rex and get a particular field value like "value":"ESC1000", but instead I get multiple values. Tried this, but it shows all the field values:

| rex max_match=0 "value\":\"(?<ESC>[^\"]+)"

The data:

"productChanges":[
  {
    "Products":[
      {
        "productSpecContainmentID":"1",
        "changedCharacteristics":[
          { "characteristicID":"2", "value":"SERVICE" },
          { "characteristicID":"3", "value":"99" },
          { "characteristicID":"4", "value":"monthly" },
          { "characteristicID":"5", "value":"ESC1000" },
          { "characteristicID":"6", "value":"Discount" },
          { "characteristicID":"7", "value":"Escalation" },
          { "characteristicID":"8", "value":"AMOUNT" },
          { "characteristicID":"9", "value":"9" },
          { "characteristicID":"10", "value":"Y" },
          { "characteristicID":"11", "value":"N" }
        ],
        "temporaryID":"xxxaaaacccc"
      }
    ]
  }
]

Is there a way to get the required field value only, like above?
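One way to pull only the value that belongs to characteristicID 5, as an added example that is not part of the original post or any reply: capture the ID and the value in the same rex match, so the two multivalue fields stay aligned by position, then read the value at the position where the ID is 5. The sample event is constructed from the JSON in the question (trimmed to three characteristics and wrapped in braces so it is a complete object); the field names cid, val and ESC are my own.

```spl
``` Constructed sample event with the same structure as the one in the question. Delete IRL ```
| makeresults
| eval _raw="{\"productChanges\":[{\"Products\":[{\"productSpecContainmentID\":\"1\",\"changedCharacteristics\":[{\"characteristicID\":\"4\",\"value\":\"monthly\"},{\"characteristicID\":\"5\",\"value\":\"ESC1000\"},{\"characteristicID\":\"6\",\"value\":\"Discount\"}],\"temporaryID\":\"xxxaaaacccc\"}]}]}"
``` Capture ID and value from the same match so cid and val are parallel multivalue fields ```
| rex max_match=0 "\"characteristicID\":\"(?<cid>[^\"]+)\",\s*\"value\":\"(?<val>[^\"]+)\""
``` mvfind returns the position of the first cid equal to 5; mvindex reads val at that position ```
| eval ESC=mvindex(val, mvfind(cid, "^5$"))
| table ESC
```

For the sample event this returns ESC1000; if no characteristic with ID 5 is present, mvfind returns null and ESC stays empty rather than falling back to another value. If your events are complete, valid JSON, the same selection can be done without a regex: `| spath path=productChanges{}.Products{}.changedCharacteristics{} output=chars | mvexpand chars | spath input=chars | where characteristicID="5"`.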
Try this query. The transpose command "rotates" the results table into the desired format.

| makeresults
| eval data="1997-10-10 15:35:13.046, CREATE_DATE=\"1997-10-10 13:36:22.742479\", LAST_UPDATE_DATE=\"1997-10-10 13:36:22.74\", ACTION=\"externalFactor\", STATUS=\"info\", DATA_STRING=\"<?xml version=\"1.0\" encoding=\"UTF-8\"?><externalFactor><current>parker</current><keywordp><encrypted>true</encrypted><keywordp>******</keywordp></keywordp><boriskhan>boriskhan1-CMX_PRTY</boriskhan></externalFactor>\" 1997-10-10 15:35:13.046, CREATE_DATE=\"1997-10-10 13:03:58.388887\", LAST_UPDATE_DATE=\"1997-10-10 13:03:58.388\", ACTION=\"externalFactor.RESPONSE\", STATUS=\"info\", DATA_STRING=\"<?xml version=\"1.0\" encoding=\"UTF-8\"?><externalFactorReturn><roleName>ROLE.CustomerManager</roleName><roleName>ROLE.DataSteward</roleName><pepres>false</pepres><externalFactor>false</externalFactor><parkeristrator>true</parkeristrator><current>parker</current></externalFactorReturn>"
| eval data=split(data," ")
| mvexpand data
| eval _raw=data
| fields - data
``` Everything above sets up demo data. Delete IRL ```
``` Extract keys and values ```
| rex max_match=0 "<(?<key>[^>]+)>(?<value>[^<]+)<\/\1>"
``` Match keys and values so they stay paired during mvexpand ```
| eval pairs=mvzip(key,value)
| mvexpand pairs
``` Separate key from value ```
| eval pairs=split(pairs,",")
``` Define key=value result ```
| eval key=mvindex(pairs,0), value=mvindex(pairs,1)
| fields key,value
| fields - _*
| transpose 0 header_field=key
Give this a try:

Your base search to get all workstation names, e.g.
| tstats count WHERE index=windows by host
| search NOT ([| inputlookup code_countries.csv | table alpha-2 | eval host='alpha-2'."*" | table host])
| where match(host,"^\w{3}\d+")
How do they appear in Splunk right now?
@richgalloway Thanks for your support, it really means a lot.
@gcusello
No Recent Logs Found for Source: abc:conf
No Splunk ingestion for Glo_Pa Alxt
Ingestion found in the last 24 hours for: Index: glo_pa_logs SourceType: abc:conf

How to find this in SSH or in the UI?
Did you resolve this? I am trying 6.1.1 on RHEL 7.9, using the RHEL 7 install, and getting the same issue.
Did you get this resolved in the end? Having the same issue.
Hi. I want to create a search that checks for the last user login date in AWS. I can see them in AWS IAM, and there are a bunch of them that last logged in more than 300 days ago, but it would be nice to see them in SPL. I would appreciate it if anyone can share their search or could tell me how to build one. Thank you.
I am trying to use my Windows event data to update user IDs on Panorama; however, running the query below in my ES environment returns the error:

External search command 'panuserupdate' returned error code 2. Script output = "ERROR Unable to get apikey from firewall: local variable 'username' referenced before assignment "

The query:

index=wineventlog host=xxxxxx
| mvexpand Security_ID
| mvexpand Source_Network_Address
| dedup Security_ID Source_Network_Address
| search Security_ID!="NULL SID"
| rename Security_ID as user
| rename Source_Network_Address as src_ip
| panuserupdate panorama=x.x.x.x serial=000000000000
| fields user src_ip

Brief overview of my data ingestion: Panorama syslog is ingested into Splunk Cloud through a heavy forwarder. The Palo Alto Add-on for Splunk is installed on both the HF and Splunk Cloud, but no data is showing in the app; every value is 0. Also, I do have a user account in Panorama with API permissions.
It's great: I have all keys in field_header and all values in field_value assigned to a field called paris. So here all keys and values are extracted into one field called paris. But I'm trying to extract field headers and field values from the raw data, so as to search with the SPL query "index=index_name sourcetype=sourcetype | table current, encrypted, keywordp, boriskhan, rolename, prepres, externalFactor, parkeristrator".

What I got is field_header as paris and field_values as current=parker, encrypted=true, ...:

paris
current=parker
encrypted=true
keywordp=******
boriskhan=1-CMX_PRTY
roleName=ROLE.CustomerManager
pepres=false
externalFactor=false
parkeristrator=true
current=parker

The goal is: field_header_1 is current, field_header_2 is encrypted, field_header_3 is keywordp, as below, so that the field headers show up in Splunk's interesting fields with their values:

current | encrypted | keywordp | boriskhan | roleName | pepres | externalFactor
parker | true | ****** | 1-CMX_PRTY | ROLE.CustomerManager | false | false
Hi @AL3Z, if the above search doesn't work for you but you want to filter for src_ip and dest_ip, you could try:

index=your_index sourcetype=your_sourcetype src_ip="xx.xx.xx.xx" dest_ip="yy.yy.yy.yy"
| stats values(dest_url) AS dest_url values(logs) AS logs sum(bytes_in) AS bytes_in sum(bytes_out) AS bytes_out
| eval traffic_MB_size=(bytes_in+bytes_out)/1024/1024

Ciao.
Giuseppe
What is the problem you are having with that query (other than the spelling errors)? FWIW, the value of the startswith argument must be a valid SPL search or eval expression.  The current value is neither.
Hi @karimoss, in this case you have to create a regex to search for ComputerName, something like this:

| regex ComputerName!="^[A-Z]{2}\d{6}$"

Ciao.
Giuseppe
Hi @gcusello, e.g. from a specific src_ip=xx.xx.xx.xx to dest_ip=xx.xx.xx.xx
Hi @gcusello, it does; we are doing indexer-level props & transforms for other sourcetypes as well and it is working fine. The documentation also says the same (Manage private apps on your Splunk Cloud Platform deployment - Splunk Documentation): "When you install an app using self-service app installation on Classic Experience, the app is automatically installed on all regular search heads and search head cluster members across your deployment. The app is also installed on indexers"
Hello @gcusello
No, I want to find computer names that do not conform to a naming convention. The computer name should start with the country code (e.g., Italy: IT, France: FR, USA: US), followed by 6 digits.

Computer Name: US111220 => Good
Computer Name: DESKTOP-121 => BAD
Computer Name: FR000121 => Good
Computer Name: Kali => BAD

Best Regards,
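An added example of the naming-convention check run over sample names, not part of the original post or any reply: it tests the shape (two upper-case letters plus six digits) and, separately, whether the two-letter prefix is a country code actually in use, so a name like ZZ123456 is flagged even though its shape is right. The sample names are constructed (the four from the post plus two edge cases), and the allowed-code list IT/FR/US is an assumption standing in for a lookup such as the code_countries.csv mentioned in the other answer.

```spl
``` Constructed sample names; replace this makeresults block with your own search over ComputerName ```
| makeresults
| eval ComputerName=split("US111220,DESKTOP-121,FR000121,Kali,ZZ123456,us111220", ",")
| mvexpand ComputerName
``` Shape check: exactly two upper-case letters followed by six digits, anchored at both ends ```
| eval shape_ok=if(match(ComputerName, "^[A-Z]{2}[0-9]{6}$"), 1, 0)
``` Country-code check: the prefix must be a code you actually use (assumed list; swap in an inputlookup join) ```
| eval cc=substr(ComputerName, 1, 2)
| eval cc_ok=if(match(cc, "^(IT|FR|US)$"), 1, 0)
| eval verdict=case(shape_ok==1 AND cc_ok==1, "Good",
                    shape_ok==1 AND cc_ok==0, "BAD (unknown country code)",
                    true(), "BAD (wrong format)")
| table ComputerName verdict
```

Append `| where verdict!="Good"` to keep only the non-conforming names. The `$` anchor matters: without it, US1112201 (seven digits) would pass the shape check, and the lower-case us111220 is rejected because the convention as stated uses upper-case codes.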
12:49:28 PM WriteRequest Remotexxxxxxxxxx+=0
12:49:28 PM WriteRequest Remotexxxxxxxxxxxxxx-=0
12:49:28 PM WriteRequest xxxxxxxx=ABEMA150

into one event, and

12:50:22 PM ChangeItem StatusDevices.xxxxxxxx=1
12:50:22 PM ChangeItem CurrentTest.DateEnd=25.06.2023 12:50:22
12:50:22 PM ChangeItem CurrentTesxxxxxxx=2

into another event.

LINE_BREAKER = ?

Please help me.
Please tell us more about the automated method you are using.  Which method is it?  Does it specify the maxout parameter? You may find some help at https://hurricanelabs.com/splunk-tutorials/the-best-guide-for-exporting-massive-amounts-of-data-from-splunk
Hi @AL3Z, your request isn't so clear: you want all the events from a src_ip to a dest_ip, then the list of dest_urls and the outbound traffic size, is that correct? You should try something like this:

index=your_index sourcetype=your_sourcetype
| stats values(dest_url) AS dest_url values(logs) AS logs sum(bytes_in) AS bytes_in sum(bytes_out) AS bytes_out BY src_ip dest_ip
| eval traffic_MB_size=(bytes_in+bytes_out)/1024/1024

Ciao.
Giuseppe