All Posts
Hi, thank you for your help and suggestion. Sadly _time without the fieldformat does not come out in the format. This solution works, thank you very much.
Per my response from October 2020, we found the issue to lie with /tmp being flagged as "noexec". When we removed this and remounted /tmp, the web service started up as expected. My recollection is that it had something to do with "libffi".
@yeahnah Even deleting and recreating the lookup definition didn't help. I am still seeing the issue. I tried it in the GUI.
Likely message is not an extracted field then. Try this to extract from the _raw event:
| rex field=_raw "transactionTraceIdentification-(?<transactionTraceIdentification>[^\"]+)"
Hi @Sekhar, your one-line reply will not help us to help you.. pls write your full search query.. provide some more sample log lines..
I tried getting empty 
Hi @Roy_9  Assuming the lookup file is called test.csv, does this command work?
| inputlookup test.csv
If so, it would indicate a problem with the lookup definition. Maybe try deleting and recreating it. Hope that helps
Hi @Sekhar ... pls provide some more log lines.. pls check this rex..
source="rex.txt" host="laptop" sourcetype="rextest" | rex field=_raw "transactionTraceIdentification\-(?<transactionTraceIdentification>.*)" | table _raw transactionTraceIdentification
Splunk newbie learning videos, for absolute beginners: https://www.youtube.com/@SiemNewbies101/playlists i have added 24 small videos of rex... completely for splunk newbies and beginners.
Hi @Sekhar  try this..
| rex field=message "transactionTraceIdentification-(?<transactionTraceIdentification>[^\"]+)"
hope that helps
Log like:
message: [22/09/23 10:31:47:935 GMT] [ThreadPoolExecutor-thread-15759] INFO failed.", suspenseAccountNumber="941548131", suspenseAccountBSB="083021", timeCreate as OTHER BUSINESS REASON returned by CBIS.", debtor RoutingType="BBAN", debtor Routing Id="013013", creditor RoutingType="BBA 6899-422f-8162-6911da94e619", transactionTraceIdentification-1311b8a21-6d6c-422b-8 22T10:31:42.8152_00306", instrId="null", interactionId="null", interactionOriginators tx_uid-ANZBAU3L_A_TST01_ClrSttlmve01_2023-09-22T10:31:42.8152 00306, txId-ANZBAU3L priority-NORM, addressingType=noAlias, flow-N5XSuspense.receive]
How do I extract the transactionTraceIdentification field? I already tried
rex field= message "transactionTraceIdentification=\"(?<transactionTraceIdentification>.*?)\","
but it did not extract the value.
Hi @SplunkDash  I can see a few things...
1. This is a search-time extraction, so it needs to be specified on the search head (maybe you have) - this can be done via the SH UI too.
2. You've specified the REGEX like an inline field extraction (see props.conf EXTRACT), so you would not have to use a transforms configuration for this (though I believe it does work in transforms).
3. The regex is not quite right. Try this instead (inline or transforms):
{"UserID":"(?P<UserID>\w+)","UserType":"(?P<UserType>\w+)","System":"(?P<System>\w+)","UAT":"(?P<UAT>.+?)","EventType":"(?P<EventType>.+?)","EventID":"(?P<EventID>.+?)","Subject":"(?P<Subject>.+?)\","EventStatus":"(?P<EventStatus>.+?)","TimeStamp":"(?P<TimeStamp>.+?)","Device":"(?P<Device>.+?)","Msg":"(?P<Message>.+?)"}
Having said that, the example events are a good example of using the power of transforms to match recurring patterns and extract them as key-value pairs. In that case the transforms.conf settings would be something like this:
[fieldEtraction]
REGEX = "([^"]+?)":"([^"]+?)"
FORMAT = $1::$2
The REGEX specifies two capture groups and the FORMAT extracts each group as field = value, repeatedly (up to 10000 times, by default).
Some doc links as reference:
https://docs.splunk.com/Documentation/Splunk/8.2.7/Admin/Transformsconf#transforms.conf.example
https://docs.splunk.com/Documentation/Splunk/8.2.7/Admin/Propsconf#Field_extraction_configuration
Hope that helps
Hi @SplunkDash ... on the indexer, pls try to do "Add data" (Settings---->Add Data)... upload the sample log file, and at the 2nd or 3rd step, there is a field extraction task.. in which Splunk will help/guide you on the rex command for the field extraction. pls try that idea. (don't follow all the steps in that "Add Data" and upload the data.. if you do, you will get duplicate logs.) once you are good with the field extraction, you can copy that rex command and use it inside transforms.conf. Splunk newbie learning videos, for absolute beginners: https://www.youtube.com/@SiemNewbies101/playlists i have added 24 small videos of rex... completely for splunk newbies and beginners. thanks.
Hello, so I have the below dashboard panel which is populated from a lookup.
Name     Organization    Count
Bob      splunk          2
Matt     google          15
smith    facebook        9
What I'm looking for is:
1. If I click Bob, it has to open a new search tab with the query "| inputlookup mydetails.csv | search Name=Bob"
2. If I click splunk, it has to open a new URL with "www.splunk.com"
For all the values respectively. How do I achieve this within one panel?
Anyone have an idea on the below issue?
| inputlookup test
The lookup table file and definition are both available, and both of the permissions are set to read (everyone) at app level, but when I try to inputlookup I am seeing the error. Initially the lookup definition was set to read everyone and the lookup file was set to read admin, so I changed it to everyone this afternoon and tried the below search, but I am still getting the below error:
| inputlookup test
The lookup table 'test' requires a .csv or KV store lookup definition. The lookup table 'test' is invalid.
Btw this is on a production search head in a clustered environment.
@inventsekar  Do you have any idea on the below issue?
| inputlookup test
The lookup table file and definition are both available, and both of the permissions are set to read (everyone) at app level, but when I try to inputlookup I am seeing the error. Initially the lookup definition was set to read everyone and the lookup file was set to read admin, so I changed it to everyone and tried the below search, but I am getting the below error:
| inputlookup test
The lookup table 'test' requires a .csv or KV store lookup definition. The lookup table 'test' is invalid.
Thanks
@inventsekar I will schedule a restart and will keep you posted on the errors.   Thank you
i am not sure whether this requires a restart or not.. just give it some more time... also, these internal errors are not a big issue.. it can wait. it won't impact splunk indexing and searching/performance.. so no need to worry much. if you are having a service restart within two/three weeks or within a month, you can wait until that service restart and then verify this one. hope you understood .. thanks.
Yes, I have updated the dashboards this afternoon but I am still seeing the errors till now; the errors are showing up at exactly 30 min intervals. Does this change need a rolling restart on the SHC? Yes, this is a production search head.
Ok thank you, I have a problem with another lookup:
| inputlookup test
The lookup table file and definition are both available, and both of the permissions are set to read (everyone) at app level, but when I try to inputlookup I am seeing the error:
The lookup table 'test' requires a .csv or KV store lookup definition. The lookup table 'test' is invalid.
Thank you! Search is returning some results, but hangs indefinitely.