Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
10-03-2023
11:49 PM
Thank @yuanliu . I had missed "%FT%" & ":z" when i tried. @ITWhisperer Here are few things i have tried till now : 1. | inputlookup 7days_Trail.csv
| eval time=strptime(_time, "%FT%H:%M:%S.%Q:%...
See more...
Thank @yuanliu . I had missed "%FT%" & ":z" when i tried. @ITWhisperer Here are few things i have tried till now : 1. | inputlookup 7days_Trail.csv
| eval time=strptime(_time, "%FT%H:%M:%S.%Q:%z")
| table time 2xx 4xx 5xx After using the above query, the data looks like below: and the graph looks like where time was not getting updated/populated. 2. Since _time was not getting populated even after formatting, i used table command directly. Looks like its working. Can you please confirm if I can use this approach ?
10-03-2023
11:46 PM
Hi @sarit_s , as I said, I don't know if the solution is acceptable for you, this is a workaround because it isn't possible to group from more than one field. Ciao. Giuseppe
10-03-2023
11:19 PM
Hi, I'm trying to plot graph for previous 2 weekday average. Below is the query used index="xyz" sourcetype="abc" app_name="123" or "456" earliest=-15d@d latest=now | rex field=msg "\"[^\"]*\"\s(?<...
See more...
Hi, I'm trying to plot graph for previous 2 weekday average. Below is the query used index="xyz" sourcetype="abc" app_name="123" or "456" earliest=-15d@d latest=now | rex field=msg "\"[^\"]*\"\s(?<status>\d+)"
| eval HTTP_STATUS_CODE=case(like(status, "2__"),"2xx")
| eval current_day = strftime(now(), "%A")
| eval log_day = strftime(_time, "%A")
| where current_day == log_day
| eval hour=strftime(_time, "%H")
| eval day=strftime(_time, "%d")
| stats count by hour day HTTP_STATUS_CODE
| chart avg(count) as average by hour HTTP_STATUS_CODE This plots grpah for complete 24hrs. I wanted to know if I can limit the graph to current timestamp. Say now system time is 11AM. I want graph to be plotted only upto 11AM and not entire 24hrs. Can it be done ? Please advice
10-03-2023
10:52 PM
Very good this is what I was looking for. Thank you. Do you know how I can now color each cell depending on the status code? Usually I use the following configuration in the dashboard <format type...
See more...
Very good this is what I was looking for. Thank you. Do you know how I can now color each cell depending on the status code? Usually I use the following configuration in the dashboard <format type="color" field="status">
<colorPalette type="expression">case(value like "5%","#D6563C",value like "4%","#F2B827",value like "3%","#A2CC3E",value like "2%","#65A637",true(),null)</colorPalette>
</format> but it is not working now (I suppose because of the transpose command).
10-03-2023
10:17 PM
Hi, Thank you for your help and suggestion. Sadly _time without the fieldformat does not come out it in the format. This solution works thank you very much.
10-03-2023
09:45 PM
Per my response from October 2020, we found the issue to lie with /tmp being flagged as being "noexec". When we removed this and remount /tmp, the web service started up as expected. My recollectio...
See more...
Per my response from October 2020, we found the issue to lie with /tmp being flagged as being "noexec". When we removed this and remount /tmp, the web service started up as expected. My recollection is that it had something to do with "libffi".
10-03-2023
09:39 PM
@yeahnah even after deleting and recreating the lookup definition wouldn't help. i am still seeing the issue. i tired in GUI.
10-03-2023
09:33 PM
Likely message is not an extracted field then. Try this to extract from the _raw event | rex field=_raw "transactionTraceIdentification-(?<transactionTraceIdentification>[^\"]+)
10-03-2023
09:33 PM
Hi @Sekhar your one line reply will not help us to help you.. pls write your full search query.. provide some more sample log lines..
10-03-2023
09:30 PM
I tried getting empty
10-03-2023
09:30 PM
Hi @Roy_9 Assuming the lookup file is called test.csv, does this command work? | inputlookup test.csv If so, it would indicate a problem with the lookup definition. Maybe try deleting and recr...
See more...
Hi @Roy_9 Assuming the lookup file is called test.csv, does this command work? | inputlookup test.csv If so, it would indicate a problem with the lookup definition. Maybe try deleting and recreating it. Hope that helps
10-03-2023
09:29 PM
1 Karma
Hi @Sekhar ... pls provide some more log lines.. pls check this rex.. Splunk newbie learning videos, for absolute beginners: https://www.youtube.com/@SiemNewbies101/playlists i have added 24 sm...
See more...
Hi @Sekhar ... pls provide some more log lines.. pls check this rex.. Splunk newbie learning videos, for absolute beginners: https://www.youtube.com/@SiemNewbies101/playlists i have added 24 small videos of rex... completely for splunk newbies and beginners. source="rex.txt" host="laptop" sourcetype="rextest" | rex field=_raw "transactionTraceIdentification\-(?<transactionTraceIdentification>.*)" | table _raw transactionTraceIdentification
10-03-2023
09:23 PM
1 Karma
Hi @Sekhar try this.. | rex field=message "transactionTraceIdentification-(?<transactionTraceIdentification>[^\"]+)" hope that helps
10-03-2023
09:14 PM
Log like. message: [22/09/23 10:31:47:935 GMT] [ThreadPoolExecutor-thread-15759] INFO failed.", suspenseAccountNumber="941548131", suspenseAccountBSB="083021", timeCreate as OTHER BUSINESS REASON r...
See more...
Log like. message: [22/09/23 10:31:47:935 GMT] [ThreadPoolExecutor-thread-15759] INFO failed.", suspenseAccountNumber="941548131", suspenseAccountBSB="083021", timeCreate as OTHER BUSINESS REASON returned by CBIS.", debtor RoutingType="BBAN", debtor Routing Id="013013", creditor RoutingType="BBA 6899-422f-8162-6911da94e619", transactionTraceIdentification-1311b8a21-6d6c-422b-8 22T10:31:42.8152_00306", instrId="null", interactionId="null", interactionOriginators tx_uid-ANZBAU3L_A_TST01_ClrSttlmve01_2023-09-22T10:31:42.8152 00306, txId-ANZBAU3L priority-NORM, addressingType=noAlias, flow-N5XSuspense.receive] How extract the transactionTraceIdentification filed I tried already rex field= message "transactionTraceIdentification=\"(?<transactionTraceIdentification>.*?)\"," Not extraxted the vaule
Labels
- Labels:
-
rex
Hi @SplunkDash I can see a few things... 1. This is a search time extraction so need to be specified it on the search head (maybe you have) - this can be done via the SH UI too 2. You'...
See more...
Hi @SplunkDash I can see a few things... 1. This is a search time extraction so need to be specified it on the search head (maybe you have) - this can be done via the SH UI too 2. You've specified the REGEX like an inline field extraction (see props.conf.EXTRACT) so you would not have to use transforms configuration for this (though I believe it does work in transforms). 3. The regex is not quite right Try this instead (inline or transforms) {"UserID":"(?P<UserID>\w+)","UserType":"(?P<UserType>\w+)","System":"(?P<System>\w+)","UAT":"(?P<UAT>.+?)","EventType":"(?P<EventType>.+?)","EventID":"(?P<EventID>.+?)","Subject":"(?P<Subject>.+?)\","EventStatus":"(?P<EventStatus>.+?)","TimeStamp":"(?P<TimeStamp>.+?)","Device":"(?P<Device>.+?)","Msg":"(?P<Message>.+?)"} Having said that, the example events are a good example of using the power of transforms to match reoccurring patterns and extract them as key value pairs. In that case the transforms.conf settings would be something like this. [fieldEtraction]
REGEX = "([^"]+?)":"([^"]+?)"
FORMAT = $1::$2 The REGEX specifies two capture groups and the FORMAT extracts each group as field = value, repeatedly (up to 10000 times, by default). Some doc links as reference https://docs.splunk.com/Documentation/Splunk/8.2.7/Admin/Transformsconf#transforms.conf.example https://docs.splunk.com/Documentation/Splunk/8.2.7/Admin/Propsconf#Field_extraction_configuration Hope that helps
10-03-2023
09:08 PM
Hi @SplunkDash ... on the indexer, pls try to do "Add data" (Settings---->Add Data)... upload the sample log file, and at the 2nd or 3rd step, there is a field extraction task.. in which, Splunk wi...
See more...
Hi @SplunkDash ... on the indexer, pls try to do "Add data" (Settings---->Add Data)... upload the sample log file, and at the 2nd or 3rd step, there is a field extraction task.. in which, Splunk will help/guide you on the rex command for the field extraction. pls try that idea. (dont follow all steps in that "Add Data" and upload the data.. if you do, you will get duplicate logs then.) once you are good with the field extraction, you can copy that rex command use it inside transforms.conf. Splunk newbie learning videos, for absolute beginners: https://www.youtube.com/@SiemNewbies101/playlists i have added 24 small videos of rex... completely for splunk newbies and beginners. thanks.
10-03-2023
09:07 PM
Hello, So I have a below dashboard panel which is populated with lookup. Name Organization Count Bob splunk 2 Matt google 15 smith ...
See more...
Hello, So I have a below dashboard panel which is populated with lookup. Name Organization Count Bob splunk 2 Matt google 15 smith facebook 9 What I'm looking for is. 1. If I click the Bob, it has to open a new search tab with the query "| inputlookup mydetails.csv | search Name=Bob " 2. If I click the Splunk, it has to open a new url with "www.splunk.com" For all the values respectively. How do I achieve this within one ?
10-03-2023
09:00 PM
Anyone have an idea on the below issue? | inputlookup test the lookup table file and definition both are available, both of the permissions are set to read(everyone)- set to app level, but when i a...
See more...
Anyone have an idea on the below issue? | inputlookup test the lookup table file and definition both are available, both of the permissions are set to read(everyone)- set to app level, but when i am trying to inputlookup i am seeing the error. Initially the lookup definition is set to read everyone and lookup file is set to read admin, so i changed it to everyone this afternoon and tried the below search but i am still getting below error | inputlookup test The lookup table 'test' requires a .csv or KV store lookup definition. The lookup table 'test' is invalid. Btw this is on Production Search head in a clustered environment
10-03-2023
08:58 PM
@inventsekar Do you have any idea on the below issue? | inputlookup test the lookup table file and definition both are available, both of the permissions are set to read(everyone)- set to app leve...
See more...
@inventsekar Do you have any idea on the below issue? | inputlookup test the lookup table file and definition both are available, both of the permissions are set to read(everyone)- set to app level, but when i am trying to inputlookup i am seeing the error. Initially the lookup definition is set to read everyone and lookup file is set to read admin, so i changed it to everyone and tried the below search but getting below error | inputlookup test The lookup table 'test' requires a .csv or KV store lookup definition. The lookup table 'test' is invalid. Thanks
10-03-2023
08:55 PM
@inventsekar I will schedule a restart and will keep you posted on the errors. Thank you
