All Posts
Is there a way to embed the same into this query?

rex field=logLine "(Error Occurred During Script|UnhandledException ->)(\s|\S)(?<errorMessage>.*)"

This didn't work, but something like this?

rex field=logLine "(Error Occurred During Script|for job id \'\w*\d*\' :|UnhandledException ->)(\s|\S)(?<errorMessage>.*)"
Looks like there is a syntax error with the "search" keyword. I removed it and tried the query below; however, the output has all the data from the index. We are only interested in outputting data from the index that is not present in the lookup.

index=index country_name
| table country_name
| join type=left country_name [ | inputlookup | stats count as Exist by country_name]
| fillnull Exist value=0
| where Exist=0
Hello, my name is Richie Martinez. I'm in my last year of undergrad school studying computer science. I currently work as a CSOC cyber analyst intern at Pacific Northwest National Labs and I'm working on a project to create discrete alerts for EC2 VMs, IAM identity findings and S3 storage buckets. AWS organizes Findings into three categories:

EC2 - VMs
IAM - identity findings
S3 - storage buckets

Eventually, the PNNL CSOC may create additional discrete alerts for each of those categories, but for now, a single "catch-all" alert is utilized to fold the Findings into the CSOC's workflow. Any help with this project would be greatly appreciated.

Thank you,
Richie Martinez
richie.martinez@pnnl.gov
I wasn't able to test this, but it should work. Please let me know if it doesn't.

index=index country_name
| table country_name
| join type=left country_name [search | inputlookup | stats count as Exist by country_name]
| fillnull Exist value=0
| where Exist=0
There is a potentially rather expensive way to do it. Supposing your raw events are all single lines, you can do something like:

| eval beginning_of_transaction = mvindex(split(_raw, " "), 0) ``` use index -1 for end of transaction ```
| rex field=beginning_of_transaction "<your regex>"

If the events are not all single line, but there is a distinct string (including newline) to split them on without interfering with your regex, this formula can still work.

Update: Your title says to exclude. If exclusion is the goal, I assume that you meant to exclude start AND end, not start or end. This can be achieved with:

| eval middle_of_transaction = mvindex(split(_raw, " "), 1, -2)
| rex field=middle_of_transaction "<your regex>"
Hi,

Try something like this, hope it works. You can hide the table and use the token in your panel title.

<row>
  <panel>
    <table depends="$hide$">
      <title>$Time_Period_Start$ $Time_Period_End$</title>
      <search>
        <query>| makeresults | addinfo | eval SearchStart = strftime(info_min_time, "%Y-%m-%d %H:%M:%S"), SearchEnd = strftime(info_max_time, "%Y-%m-%d %H:%M:%S") | table SearchStart, SearchEnd</query>
        <earliest>-7d@d</earliest>
        <latest>@d</latest>
        <done>
          <set token="Time_Period_Start">$result.SearchStart$</set>
          <set token="Time_Period_End">$result.SearchEnd$</set>
        </done>
      </search>
    </table>
  </panel>
</row>
Query to output missing data in lookup file. I have a lookup file with the below data:

country_name
--------------------
Brazil
Norway

My index search returns the below data for the field country_name:

Brazil
Norway
Spain

How do I write a query (using join or append) to output only "Spain" in the results? Thanks!
Thanks for your reply. We do have that one (https://splunkbase.splunk.com/app/1724); we just need your help to create a dashboard.
Can anyone help with this?
Hi, here is a try-anywhere query for your requirement:

| makeresults
| eval _raw="Script exception for job id 'ABc12345' : Too many rows: 500."
| rex field=_raw ": (?<Extracted>.*)"
Hi @Splunk235, please try this regex:

| rex "Script exception for job id \'\w*\d*\' : (?<message>[^\.]*)"

You can test it at https://regex101.com/r/tJwzeA/1

Ciao. Giuseppe
Hi @Praz_123, did you try the Lookup Editor App (https://splunkbase.splunk.com/app/1724)? Otherwise it's really difficult to create a dashboard to modify a CSV like Excel does! Ciao. Giuseppe
I have error logs like the ones below. How can I write a rex query to match both logs and only extract the message after the first colon (:)? Thanks.

Sample log lines:

Script exception for job id 'ABc12345' : Too many rows: 500.
Script exception for job id 'XyZ78943' : Too many DMLs: 20.

Results should be:

Too many rows: 500.
Too many DMLs: 20.
Karma would be appreciated if someone could help us at the earliest.
Need to create a dashboard which will update the data or field values in a CSV or lookup file, as we have many field names with dynamic values and also empty values. So what we need: if we make any changes in the dashboard, they should be reflected in the lookup table, the fields will be dynamic here, and in the dashboard we could have a text box to update the fields.
I tried installing the Add-on on the HF and mapped the right source type, still no luck. A few events are truncated at the beginning.
Yes, you should update a local config file and (almost) never a default file.
Hi @Mohammed Saad.Shaikh, I wanted to share this AppD Docs page that has some info on exporting and importing Health Rules via API. Let me know if it helps.
Hi @Sujal Kumar.Mitra, Have you seen our AppD Docs pages on Enterprise Console? 
Yes, that's correct. Talking about Enterprise Console only.