All Posts

Hi @anooshac, I suppose that you have this path in a field, so you could use something like this:

| rex field=your_field "^(?<path>\w:\\\w+\\\w+\\\w+\\\w+)"

that you can test at https://regex101.com/r/kpyTLl/1. It could be possible that there's an issue due to a difference between regex101.com and Splunk, so, if the above regex doesn't run, please try this:

| rex field=your_field "^(?<path>\w:\\\\w+\\\\w+\\\\w+\\\\w+)"

Ciao. Giuseppe
Hi Everyone, I have to extract a file path from a path. The path will be in the format C:\a\b\c\abc\xyz\abc.h. I want to skip the first 4 folders. That is, in this example I want to extract \abc\xyz\abc.h. How can I do it using regex?
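As an added example (not from the thread), the following Python does two things the question and the answer above touch on: it extracts the part of a Windows path that follows the drive letter and the first N folders (the question's example keeps \abc, which is the remainder after three folders, so both 3 and 4 are shown), and it demonstrates why a literal backslash needs four characters when the regex is written inside a double-quoted string, which is the doubling Giuseppe's second rex applies. Function names are mine; Python uses (?P<name>...) where rex uses (?<name>...).

```python
import re

# Added example, not code from the thread. Names below are assumptions for illustration.


def path_after_folders(path, skip):
    """Return everything after the drive and the first `skip` folders, keeping the
    leading backslash, or None when the path has fewer components than that."""
    # Raw string: each "\\" is the two-character sequence the regex engine sees,
    # i.e. one escaped literal backslash; "[^\\]+" is one folder name.
    pattern = re.compile(r"^\w:" + r"\\[^\\]+" * skip + r"(?P<rest>\\.+)$")
    m = pattern.match(path)
    return m.group("rest") if m else None


def backslash_regex_from_plain_string():
    """The one-folder version of the regex above, written as an ordinary (non-raw)
    string, which is the situation inside a double-quoted rex argument: the string
    literal consumes one level of escaping and the regex engine the next, so one
    literal backslash in the match costs four backslashes in source."""
    source = "^\\w:\\\\(?P<folder>[^\\\\]+)"   # string value: ^\w:\\(?P<folder>[^\\]+)
    # len("\\\\") == 2: four in source, two in the string, one backslash matched
    m = re.match(source, "C:\\a\\b")            # constructed input: C:\a\b
    return m.group("folder") if m else None   # "a"


if __name__ == "__main__":
    sample = "C:\\a\\b\\c\\abc\\xyz\\abc.h"   # the path from the question
    print(path_after_folders(sample, 3))      # \abc\xyz\abc.h
    print(path_after_folders(sample, 4))      # \xyz\abc.h
    print(backslash_regex_from_plain_string())
```

Building the pattern from `skip` rather than hard-coding four repetitions also makes the regex fail cleanly (None) on paths that are too short, instead of matching a partial prefix.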
To add to the above details, the "thaweddb" folder is blank and doesn't contain any buckets. For now, I have increased the "frozenTimePeriodInSecs" by a few more months, but I'm not sure if it will work. Any other advice would be very helpful.
Single field extraction still wondering why it didn't work. 
Hi @harryhcg , let us know if we can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
@yuanliu - It's not working for this requirement. I see it's returning the entire output field value multiple times (equal to the number of lines in the field).
Hi Megha, I am getting the same error in the agent logs. Can you please let me know where to pass this argument?
Regarding regex suggestion, still have issue.  Error - Regex: missing terminating ] for character class.   Analysing raw data to use spath. Thank you @gcusello @yuanliu 
I have it solved - no idea what it was, but after I rebooted all of the machines it started to work... Thanks! BTW - when my 60 days of test period are done and I go back to the free license, will the forwarders work or do I need a prof. license? I am pretty sure my 3 workstations will not exceed the 500MB / day limit!
Hi @Ricco19 , there isn't any difference in the search performances: the IN operator is a simplification in the search writing when there are many values. Ciao. Giuseppe
Is there any performance impact when used, index IN ("windows_server") OR  index="windows_server"  ?
Hi @smanojkumar, if you have the pair fieldname=fieldvalue, you should already have the extraction. Anyway, you could use two regexes like the following:

| rex "OS\=\"(?<OS>[^\"]*)"
| rex "OSRelease\=\"(?<OSRelease>[^\"]*)"

Ciao. Giuseppe
Hi Splunkers! I need to extract specific fields from logs that don't have a sourcetype. Fields to extract - OS, OSRelease. Thanks in advance, Manoj Kumar S
Based on your illustrated data, the id field seems to have a certain format that can help you extract only location. For example,

| rex field=id "^[A-Z]{2}_(?<location>\D[^_]*)"

will give you

id                    location
EF_jblo_fdsfew42_sla  jblo
EF_space_332312_sla   space
EF_97324_pewpew_sla

If you can find the correct format and a regex that populates location only when the format is correct, you can use the OUTPUTNEW feature in lookup. (Automatic lookup also has the OUTPUTNEW feature; I believe it is the default.) This way, you do not have to perform the field name acrobatics.
The command is called multikv.

| rename _raw as temp, output AS _raw
| rex mode=sed "s/\|/,/g"
| multikv
| rename temp as _raw
First, about data illustration.
- Always use text illustration; when illustrating structured data such as JSON, always use raw text. Screenshots are extremely difficult for volunteers to comprehend; they oftentimes also distort characteristics.
- Always anonymize illustrated data. (One of your screenshots seems to contain information you do not want to divulge.)
- Illustrate how you envision the output; use a mockup.
- Explain the logic between illustrated data and desired output if it is not obvious. (It may be obvious to you but not to volunteers who are not intimately familiar with your data and use case.)

This said, your later code suggests that:
1. the key information "sync/c2v" is contained in the non-JSON part of "message". You need to extract that first (I'll put it in leadtext), then evaluate Description based on whether that information is present.
2. there is a field properties.correlationId that links the ERROR event and INFO events, therefore the transaction ID that is also contained in the non-JSON part of message is not needed.

Is this correct? If these guesses are correct, you are looking for something like

index=us_whcrm source=MuleUSAppLogs sourcetype= "bmw-crm-wh-xl-retail-amer-prd-api" ((severity=ERROR "Transatcion") OR (severity=INFO "Received Payload"))
| rex field=message "(?<leadtext>[^{]+):\s*(?<payload>{.+})"
| eval Description = if(match(leadtext, "flow ended put:\\sync\\c2v"), "COO", "RDR")
| spath input=payload
| rename properties.correlationId as correlationId processRetailDeliveryReporting.processRetailDeliveryReportingDataArea.retailDeliveryReporting.retailDeliveryReportingVehicleLineItem.vehicle.vehicleID as VinId
| eval BMWUnit=replace(BMWUnit,"(\\w{3})(\\w{2})", "\\1-\\2")
| table _time correlationId BMWUnit dealerId Description VinId
| stats earliest(_time) as _time values(*) as * by correlationId
| where Description == "COO"

Hope this helps
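The pipeline in that answer (split the free text from the JSON with rex, classify on the lead text, spath the payload, then collapse ERROR and INFO events by correlationId) is shown below in Python as an added example that is not part of the thread, so each step can be checked on sample data. The field names (properties.correlationId, the vehicleID path, BMWUnit, dealerId) come from the answer; the three messages are constructed and the VIN is a placeholder, not a real identifier. The final filter keeps groups whose Description values include "COO"; whether that matches the SPL's multivalue comparison exactly is not something the thread states.

```python
import json
import re
from collections import defaultdict

# Added example, not code from the thread. Sample messages are constructed.

LEAD_RE = re.compile(r"(?P<leadtext>[^{]+):\s*(?P<payload>\{.+\})", re.S)
VIN_PATH = ("processRetailDeliveryReporting.processRetailDeliveryReportingDataArea."
            "retailDeliveryReporting.retailDeliveryReportingVehicleLineItem.vehicle.vehicleID")

# (_time as epoch seconds, severity, message) -- constructed, not real log data
SAMPLE_EVENTS = [
    (1700000010, "INFO",
     'Received Payload: {"properties": {"correlationId": "c-1"}, "dealerId": "D42", '
     '"BMWUnit": "AB123", "processRetailDeliveryReporting": {'
     '"processRetailDeliveryReportingDataArea": {"retailDeliveryReporting": {'
     '"retailDeliveryReportingVehicleLineItem": {"vehicle": {"vehicleID": "VIN-CONSTRUCTED-001"}}}}}}'),
    (1700000020, "ERROR",
     'Transatcion failed, flow ended put:\\sync\\c2v: {"properties": {"correlationId": "c-1"}}'),
    (1700000030, "INFO",
     'Received Payload: {"properties": {"correlationId": "c-2"}, "dealerId": "D43"}'),
]


def split_message(message):
    """rex step: split 'free text: {json}' into the lead text and the parsed payload."""
    m = LEAD_RE.match(message)
    if not m:
        return None, None
    return m.group("leadtext"), json.loads(m.group("payload"))


def spath(obj, dotted):
    """Minimal spath: walk a dotted path through nested dicts; None if a segment is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def describe(leadtext):
    """eval step: COO when the lead text names the sync\\c2v flow, RDR otherwise."""
    return "COO" if re.search(r"flow ended put:\\sync\\c2v", leadtext) else "RDR"


def format_unit(unit):
    """replace(BMWUnit, "(\\w{3})(\\w{2})", "\\1-\\2"): dash after the first three characters."""
    return re.sub(r"(\w{3})(\w{2})", r"\1-\2", unit)


def correlate(events):
    """stats earliest(_time) as _time values(*) as * by correlationId, then keep COO groups."""
    groups = defaultdict(lambda: {"_time": None, "values": defaultdict(set)})
    for ts, _severity, message in events:
        leadtext, payload = split_message(message)
        if payload is None:
            continue                      # no JSON part: spath would yield nothing either
        cid = spath(payload, "properties.correlationId")
        row = {
            "Description": describe(leadtext),
            "VinId": spath(payload, VIN_PATH),
            "BMWUnit": format_unit(payload["BMWUnit"]) if "BMWUnit" in payload else None,
            "dealerId": payload.get("dealerId"),
        }
        g = groups[cid]
        g["_time"] = ts if g["_time"] is None else min(g["_time"], ts)   # earliest(_time)
        for k, v in row.items():
            if v is not None:
                g["values"][k].add(v)                                   # values(*)
    out = []
    for cid, g in groups.items():
        rec = {"correlationId": cid, "_time": g["_time"]}
        rec.update({k: sorted(v) for k, v in g["values"].items()})
        out.append(rec)
    # keep correlation groups where at least one event was classified COO
    return [r for r in out if "COO" in r.get("Description", [])]


if __name__ == "__main__":
    for rec in correlate(SAMPLE_EVENTS):
        print(rec)
```

Running it prints one record for c-1 with both Description values, the INFO event's VIN, dealer and unit, and the earlier timestamp; c-2 never had a COO event and is dropped, which is the same outcome the final `where` clause produces.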
I have a field in the event which has multi-line data (between double quotes) and I need to split it into individual lines and finally extract them into a table format for each of the headers. Basically, the requirement is to report this data in table format to users.

output = "DbName|CurrentSizeGB|UsedSpaceGB|FreeSpaceGB|ExtractedDate
abc|60.738|39.844|20.894|Sep 5 2023 10:00AM
def|0.098|0.017|0.081|Sep 5 2023 10:00AM
pqr|15.859|0.534|15.325|Sep 5 2023 10:00AM
xyz|32.733|0.675|32.058|Sep 5 2023 10:00AM"
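As an added example (not from the thread), here is the same transformation the multikv answer performs on this question's output field, written as a small Python parser: the first line becomes the header, each following line is split on "|", numeric columns are converted, and a row with the wrong number of columns is rejected instead of being silently misaligned. The sample is built from the values quoted in the question; function names are mine.

```python
import csv

# Added example, not code from the thread. Sample constructed from the question's values.

SAMPLE_OUTPUT = (
    "DbName|CurrentSizeGB|UsedSpaceGB|FreeSpaceGB|ExtractedDate\n"
    "abc|60.738|39.844|20.894|Sep 5 2023 10:00AM\n"
    "def|0.098|0.017|0.081|Sep 5 2023 10:00AM\n"
    "pqr|15.859|0.534|15.325|Sep 5 2023 10:00AM\n"
    "xyz|32.733|0.675|32.058|Sep 5 2023 10:00AM\n"
)

NUMERIC_COLUMNS = {"CurrentSizeGB", "UsedSpaceGB", "FreeSpaceGB"}


def parse_table_field(text, delimiter="|"):
    """Split a delimited multi-line field into a list of dicts keyed by the header row.

    Blank lines are skipped. A row whose column count differs from the header raises
    ValueError: that is the usual failure mode when a value itself contains the
    delimiter, and a misaligned table is worse than an error."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        return []
    reader = csv.reader(lines, delimiter=delimiter)
    header = next(reader)
    rows = []
    for lineno, fields in enumerate(reader, start=2):
        if len(fields) != len(header):
            raise ValueError(f"line {lineno}: expected {len(header)} columns, got {len(fields)}")
        row = dict(zip(header, fields))
        for col in NUMERIC_COLUMNS.intersection(row):
            row[col] = float(row[col])
        rows.append(row)
    return rows


def low_free_space(rows, threshold_gb=1.0):
    """One use of the parsed table: names of databases under the free-space threshold."""
    return sorted(r["DbName"] for r in rows if r["FreeSpaceGB"] < threshold_gb)


if __name__ == "__main__":
    table = parse_table_field(SAMPLE_OUTPUT)
    for r in table:
        print(r)
    print("low free space:", low_free_space(table))
```

The header row is taken from the data rather than hard-coded, so the same function works when the export adds or reorders columns; only the numeric conversion list needs to know column names.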
Can you share your props.conf file? I think you are forcing Splunk to take _time as processedtime in the logs.
Hi all! Recently there has been a need to implement a centralized Splunk setup on Linux machines. I managed to do this without using ansible, starting from the script by lguinn2: https://community.splunk.com/t5/Getting-Data-In/Simple-installation-script-for-Universal-Forwarder/m-p/21517. Today I want to share it with everyone; of course, if you have any comments or improvements, please write! I ended up with two slightly different scripts, 1 for CentOS and SuSe, 2 for Ubuntu and Debian. Why? Because different installation packages were used. Yes, yes, some things could have been done differently, I just had to make it as quickly as possible, and my knowledge of Linux is also limited) Well, this post is for people like me))

Note. The script has been tested on an Ubuntu distribution, so it is recommended that you work on an Ubuntu machine. Successful completion requires SSH access to the target devices and the ability to execute the ssh and sshpass commands. All target machines must have an identical account with the same password, and this account must be a superuser (with the ability to run commands via sudo). MyForwarders and MyForwarders_U are simple text files storing the IP addresses of the target machines. I think the rest is clear from the description; even if questions come up along the way, you will figure everything out!

1.

#!/bin/bash
# Credentials of the user who will connect to the target host and run Splunk.
# Note: "sshpass -p $password" and "echo $password | sudo -S" place the password on
# command lines that other local users can read in the process list (ps); an SSH key
# plus passwordless sudo for this account avoids that exposure.
read -p "Enter SSH user name: " username
echo -n "Enter SSH user password: "
stty -echo
read password
stty echo
echo
INSTALLED=False
# Logging file for Splunk status
STATUS_LOG="/home/zhanali/splunk_status.txt"
# File with machine's IPs
HOSTS_FILE="/home/zhanali/MyForwarders"
# Installation file location
INSTALL_FILE="/home/zhanali/splunkforwarder-9.1.0.1-77f73c9edb85.x86_64.rpm"
# Commands run on the remote host before the package is copied over.
PREPARE_COMMANDS="
echo $password | sudo -S -k mkdir /opt/splunkforwarder 2>/dev/null
echo $password | sudo -S -k chown -R splunk:splunk /opt/splunkforwarder 2>/dev/null
"
# Commands run on the remote host to install, configure boot-start and point the
# forwarder at the indexer (9997) and the deployment server (8089).
INSTALL_COMMANDS="
echo $password | sudo -S -k chmod 644 /opt/splunkforwarder/splunkforwarder-9.1.0.1-77f73c9edb85.x86_64.rpm 2>/dev/null
echo $password | sudo -S -k rpm -i /opt/splunkforwarder/splunkforwarder-9.1.0.1-77f73c9edb85.x86_64.rpm 2>/dev/null
echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd '!@#qweasdZXC' 2>/dev/null
echo 'Please wait 10 second....'
sleep 10
echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk stop 2>/dev/null
echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk disable boot-start 2>/dev/null
echo $password | sudo -S -k chown -R splunk:splunk /opt/splunkforwarder 2>/dev/null
echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk enable boot-start -user $username 2>/dev/null
echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk start 2>/dev/null
echo $password | sudo -S -k mkdir /home/$username/.splunk 2>/dev/null
echo $password | sudo -S -k chmod 777 -R /home/$username/.splunk 2>/dev/null
echo $password | sudo -S -k sudo -u $username /opt/splunkforwarder/bin/splunk add forward-server 172.16.30.104:9997 -auth 'admin':'!@#qweasdZXC' 2>/dev/null
echo $password | sudo -S -k sudo -u $username /opt/splunkforwarder/bin/splunk set deploy-poll 172.16.30.104:8089 -auth 'admin':'!@#qweasdZXC' 2>/dev/null
"
echo "In 5 seconds, will run the following script on each remote host:"
echo
sleep 5
echo "Reading host IPs from $HOSTS_FILE"
echo
echo "Starting."
for DST in `cat "$HOSTS_FILE"`; do
  if [ -z "$DST" ]; then continue; fi
  echo "---------------------------------" | tee -a $STATUS_LOG
  echo "Starting work with $DST" | tee -a $STATUS_LOG
  # The test runs on the remote host; its exit status decides INSTALLED.
  sshpass -p $password ssh -q $username@$DST [[ -f /opt/splunkforwarder/bin/splunk ]] && INSTALLED=True || INSTALLED=False
  if [ "$INSTALLED" = "True" ]; then
    echo "Splunk UF is already installed" | tee -a $STATUS_LOG
    version=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk version | grep 'Splunk Universal Forwarder'" 2>/dev/null)
    echo "Splunk UF version: $version" | tee -a $STATUS_LOG
    status=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk status | grep 'splunkd is '" 2>/dev/null)
    echo "Splunk UF status: $status" | tee -a $STATUS_LOG
    dep=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k cat /opt/splunkforwarder/etc/system/local/deploymentclient.conf | grep '172.16.30.104:8089'" 2>/dev/null)
    fwd=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k cat /opt/splunkforwarder/etc/system/local/outputs.conf | grep '172.16.30.104:9997'" 2>/dev/null)
    if [ -z "$dep" ]; then
      echo "Deployment server is not configured" | tee -a $STATUS_LOG
    else
      echo "Deployment server is configured" | tee -a $STATUS_LOG
    fi
    if [ -z "$fwd" ]; then
      echo "Forward server is not configured" | tee -a $STATUS_LOG
    else
      echo "Forward server is configured" | tee -a $STATUS_LOG
    fi
    INSTALLED=False
  else
    echo "Splunk UF is not installed to host $DST" | tee -a $STATUS_LOG
    echo "Installing..." | tee -a $STATUS_LOG
    sshpass -p $password ssh $username@$DST "$PREPARE_COMMANDS"
    sshpass -p $password scp $INSTALL_FILE $username@$DST:/opt/splunkforwarder
    sshpass -p $password ssh $username@$DST "$INSTALL_COMMANDS"
    echo "Installation is done" | tee -a $STATUS_LOG
    echo "Checking..." | tee -a $STATUS_LOG
    status=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk status | grep 'splunkd is '" 2>/dev/null)
    echo "Splunk UF status: $status" | tee -a $STATUS_LOG
    dep=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k cat /opt/splunkforwarder/etc/system/local/deploymentclient.conf | grep '172.16.30.104:8089'" 2>/dev/null)
    fwd=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k cat /opt/splunkforwarder/etc/system/local/outputs.conf | grep '172.16.30.104:9997'" 2>/dev/null)
    if [ -z "$dep" ]; then
      echo "Deployment server is not configured" | tee -a $STATUS_LOG
    else
      echo "Deployment server is configured" | tee -a $STATUS_LOG
    fi
    if [ -z "$fwd" ]; then
      echo "Forward server is not configured" | tee -a $STATUS_LOG
    else
      echo "Forward server is configured" | tee -a $STATUS_LOG
    fi
  fi
  echo "---------------------------------" | tee -a $STATUS_LOG
done
echo "Done"

And 2.

#!/bin/bash
# Credentials of the user who will connect to the target host and run Splunk.
# Same note as in script 1 about the password being visible in the process list.
read -p "Enter SSH user name: " username
echo -n "Enter SSH user password: "
stty -echo
read password
stty echo
echo
INSTALLED=False
# Logging file for Splunk status
STATUS_LOG="/home/zhanali/splunk_status.txt"
# File with machine's IPs
HOSTS_FILE="/home/zhanali/MyForwarders_U"
# Installation file location
INSTALL_FILE="/home/zhanali/splunkforwarder-9.1.0.1-77f73c9edb85-linux-2.6-amd64.deb"
PREPARE_COMMANDS="
echo $password | sudo -S -k mkdir /opt/splunkforwarder 2>/dev/null
echo $password | sudo -S -k chown -R splunk:splunk /opt/splunkforwarder 2>/dev/null
"
# Debian/Ubuntu variant: dpkg instead of rpm, otherwise the same sequence.
INSTALL_COMMANDS="
echo $password | sudo -S -k dpkg -i /opt/splunkforwarder/splunkforwarder-9.1.0.1-77f73c9edb85-linux-2.6-amd64.deb 2>/dev/null
echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd '!@#qweasdZXC' 2>/dev/null
echo 'Please wait 10 second....'
sleep 10
echo $password | sudo -S -k chown -R splunk:splunk /opt/splunkforwarder 2>/dev/null
echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk stop 2>/dev/null
echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk enable boot-start -user $username 2>/dev/null
echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk start 2>/dev/null
echo 'Please wait 5 second....'
sleep 5
echo $password | sudo -S -k sudo -u $username /opt/splunkforwarder/bin/splunk add forward-server 172.16.30.104:9997 -auth 'admin':'!@#qweasdZXC' 2>/dev/null
echo $password | sudo -S -k sudo -u $username /opt/splunkforwarder/bin/splunk set deploy-poll 172.16.30.104:8089 -auth 'admin':'!@#qweasdZXC' 2>/dev/null
"
echo "In 5 seconds, will run the following script on each remote host:"
echo
sleep 5
echo "Reading host IPs from $HOSTS_FILE"
echo
echo "Starting."
for DST in `cat "$HOSTS_FILE"`; do
  if [ -z "$DST" ]; then continue; fi
  echo "---------------------------------" | tee -a $STATUS_LOG
  echo "Starting work with $DST" | tee -a $STATUS_LOG
  sshpass -p $password ssh -q $username@$DST [[ -f /opt/splunkforwarder/bin/splunk ]] && INSTALLED=True || INSTALLED=False
  if [ "$INSTALLED" = "True" ]; then
    echo "Splunk UF is already installed" | tee -a $STATUS_LOG
    version=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk version | grep 'Splunk Universal Forwarder'" 2>/dev/null)
    echo "Splunk UF version: $version" | tee -a $STATUS_LOG
    status=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk status | grep 'splunkd is '" 2>/dev/null)
    echo "Splunk UF status: $status" | tee -a $STATUS_LOG
    dep=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k cat /opt/splunkforwarder/etc/system/local/deploymentclient.conf | grep '172.16.30.104:8089'" 2>/dev/null)
    fwd=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k cat /opt/splunkforwarder/etc/system/local/outputs.conf | grep '172.16.30.104:9997'" 2>/dev/null)
    if [ -z "$dep" ]; then
      echo "Deployment server is not configured" | tee -a $STATUS_LOG
    else
      echo "Deployment server is configured" | tee -a $STATUS_LOG
    fi
    if [ -z "$fwd" ]; then
      echo "Forward server is not configured" | tee -a $STATUS_LOG
    else
      echo "Forward server is configured" | tee -a $STATUS_LOG
    fi
    INSTALLED=False
  else
    echo "Splunk UF is not installed to host $DST" | tee -a $STATUS_LOG
    echo "Installing..." | tee -a $STATUS_LOG
    sshpass -p $password ssh $username@$DST "$PREPARE_COMMANDS"
    sshpass -p $password scp $INSTALL_FILE $username@$DST:/opt/splunkforwarder
    sshpass -p $password ssh $username@$DST "$INSTALL_COMMANDS"
    echo "Installation is done" | tee -a $STATUS_LOG
    echo "Checking..." | tee -a $STATUS_LOG
    status=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk status | grep 'splunkd is '" 2>/dev/null)
    echo "Splunk UF status: $status" | tee -a $STATUS_LOG
    dep=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k cat /opt/splunkforwarder/etc/system/local/deploymentclient.conf | grep '172.16.30.104:8089'" 2>/dev/null)
    fwd=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k cat /opt/splunkforwarder/etc/system/local/outputs.conf | grep '172.16.30.104:9997'" 2>/dev/null)
    if [ -z "$dep" ]; then
      echo "Deployment server is not configured" | tee -a $STATUS_LOG
    else
      echo "Deployment server is configured" | tee -a $STATUS_LOG
    fi
    if [ -z "$fwd" ]; then
      echo "Forward server is not configured" | tee -a $STATUS_LOG
    else
      echo "Forward server is configured" | tee -a $STATUS_LOG
    fi
  fi
  echo "---------------------------------" | tee -a $STATUS_LOG
done
echo "Done"
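As an added example that is not part of the post, the per-host checks from the two scripts (read the host list, decide whether deploymentclient.conf and outputs.conf point at the expected servers) are written below as testable Python functions that work on conf files on disk, together with a command builder that runs remote commands over key-based SSH with non-interactive sudo, so no password appears on a command line or in the process list as it does with `sshpass -p` and `echo $password | sudo -S`. The 172.16.30.104 targets, /opt/splunkforwarder and the one-IP-per-line hosts file come from the post; the conf stanza names (target-broker:deploymentServer/targetUri, tcpout:<group>/server) are the standard Splunk ones, and the fixture files are constructed.

```python
import configparser
import shlex
import tempfile
from pathlib import Path

# Added example, not the post's scripts. Targets and paths are from the post; the rest
# (function names, fixture contents, the 10.0.0.x addresses) is constructed here.

DEPLOY_TARGET = "172.16.30.104:8089"
FORWARD_TARGET = "172.16.30.104:9997"
UF_HOME = "/opt/splunkforwarder"


def read_hosts(hosts_file):
    """One host per line; blank lines and '#' comments skipped, whitespace trimmed."""
    hosts = []
    for line in Path(hosts_file).read_text().splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            hosts.append(line)
    return hosts


def _read_conf(path):
    """Splunk .conf files are INI-style; keep key case (targetUri) and allow duplicates."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read(path)          # a missing file simply yields no sections
    return cp


def deployment_server_configured(local_dir, target=DEPLOY_TARGET):
    """True when deploymentclient.conf sets targetUri to the expected deployment server.
    Checking the actual key is stricter than grepping for the address anywhere in the file."""
    cp = _read_conf(Path(local_dir) / "deploymentclient.conf")
    section = "target-broker:deploymentServer"
    return cp.has_section(section) and cp.get(section, "targetUri", fallback="").strip() == target


def forward_server_configured(local_dir, target=FORWARD_TARGET):
    """True when any tcpout group in outputs.conf lists the expected indexer."""
    cp = _read_conf(Path(local_dir) / "outputs.conf")
    for section in cp.sections():
        if section.startswith("tcpout:"):
            servers = [s.strip() for s in cp.get(section, "server", fallback="").split(",")]
            if target in servers:
                return True
    return False


def config_summary(local_dir):
    """The two log lines the post's scripts write, derived from a local etc/system/local copy."""
    dep = "configured" if deployment_server_configured(local_dir) else "not configured"
    fwd = "configured" if forward_server_configured(local_dir) else "not configured"
    return [f"Deployment server is {dep}", f"Forward server is {fwd}"]


def remote_sudo_command(user, host, *argv):
    """argv for running a command on a host with key-based ssh and non-interactive sudo.
    BatchMode=yes makes ssh fail instead of prompting, and sudo -n fails instead of asking
    for a password, so nothing secret is passed on a command line. Requires an ssh key and
    a passwordless sudo rule for `user` on the target (assumed, not something the post sets up)."""
    return ["ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=10",
            f"{user}@{host}", "sudo", "-n", *map(shlex.quote, argv)]


def write_sample_fixture():
    """Create a temp directory with constructed hosts and conf files for a local dry run."""
    d = Path(tempfile.mkdtemp(prefix="uf-check-"))
    (d / "MyForwarders").write_text("10.0.0.1\n\n# lab box, currently offline\n  10.0.0.2  \n")
    (d / "deploymentclient.conf").write_text(
        "[target-broker:deploymentServer]\ntargetUri = 172.16.30.104:8089\n")
    (d / "outputs.conf").write_text(
        "[tcpout]\ndefaultGroup = idx\n\n[tcpout:idx]\nserver = 10.0.0.9:9997\n")
    return d


if __name__ == "__main__":
    d = write_sample_fixture()
    print("hosts:", read_hosts(d / "MyForwarders"))
    print(*config_summary(d), sep="\n")
    print(" ".join(remote_sudo_command("ops", "10.0.0.1", f"{UF_HOME}/bin/splunk", "status")))
```

On a real host the same checks would read the files under `/opt/splunkforwarder/etc/system/local`, fetched or run through `remote_sudo_command`; keeping the parsing separate from the transport is what makes the logic testable without SSH access.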
Hi @harryhcg, this seems to be a JSON format, so, as @yuanliu hinted, try to use the "spath" command (https://community.splunk.com/t5/Splunk-Enterprise/spath-command/m-p/518343). About your regex, try to add another backslash to your regex:

| rex "RETURN\\\\"\:\\\\"(?<Field2>[^\\]+)"

Ciao. Giuseppe