Thanks for your response, but I'm sorry I wasn't quite precise. In fact, I extract data from syslog from Windows events, and the structure of the data is more complex than the sample I gave. The command field is contained in an XML field like the one below.

The search:

index=app_bisql host=TRUC
| rex ".*action_id:(?<action>\S+)*"
| where action = "CR"
| rex ".*command:(?<command>\w+(\s\w+)?)"
| fields command

command = sp_addlinkedsrvlogin additional_information

I was expecting: command = sp_addlinkedsrvlogin

The field concerned is in an XML event:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='TRUC$AUDIT'/><EventID Qualifiers='16384'>33205</EventID><Level>0</Level><Task>3</Task><Keywords>0x80a0000000000000</Keywords><TimeCreated SystemTime='2023-08-31T04:30:01.964529800Z'/><EventRecordID>134063208</EventRecordID><Channel>Security</Channel><Computer>truc.net</Computer><Security UserID='secret'/></System><EventData><Data> audit_schema_version:1 event_time:2023-08-31 04:30:00.9332742 sequence_number:1 action_id:CR succeeded:true is_column_permission:false session_id:53 server_principal_id:272 database_principal_id:1 target_server_principal_id:0 target_database_principal_id:0 object_id:0 user_defined_event_id:0 transaction_id:5417128 class_type:SL duration_milliseconds:0 response_rows:0 affected_rows:0 client_ip:100.255.120.234 permission_bitmask:00000000000000000000000000000000 sequence_group_id:93E8C63F-640E-4EC4-B401-76F0ED6947A9 session_server_principal_name:truc server_principal_name:truc server_principal_sid:truc database_principal_name:dbo target_server_principal_name: target_server_principal_sid: target_database_principal_name: server_instance_name:truc database_name:master schema_name: object_name:LSuser command:sp_addlinkedsrvlogin additional_information:<action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data"><server_name><![CDATA[SWPDFRSQLADM1\MWPADM01]]></server_name></action_info> 
user_defined_information: application_name:SQLAgent - TSQL JobStep (Job 0x451A71BE3BB91D4DBF2A1A6C12446006 : Step 1) </Data></EventData></Event>

Regards
The lookup table has a single field "DNS" with all the blocklisted DNS requests, e.g. bliss.com, sugar.plux.net, etc. The corresponding field in the events could be dns_queries.
Now this has been fixed (read: removed) in 9.1.1.

2023-08-30 SPL-242093, SPL-242240 Should not create default "splunkfwd" account by Linux RPM/DEB installer during upgrade when Splunk has been managed by another account
Remove these lines (they were only required when you had the extra row that you originally asked for):

| eval inserts=if(isnull(_time),null(),inserts)
| eval updates=if(isnull(_time),null(),updates)
| eval errors=if(isnull(_time),null(),errors)
Hi @aditsss, is the Processor word always present? If yes, please try:

| rex "Processor - (?<field>[^ ]*)"

In other words, you have to find a rule to apply to the regex to identify the part to extract. Ciao. Giuseppe
Hi @Hema_Nithya, this check highly depends on the format of the version, so if the format is always the one you shared (git-2.31.1-3.el8_7 and git-2.39.3-1.el8_8), you could use a regex to extract the numeric version:

| rex field=installed ".*(?<version_installed>\d+_\d+)"
| rex field=shouldbe ".*(?<version_shouldbe>\d+_\d+)"

so you can compare them. Ciao. Giuseppe
@gcusello It will not always be "Triumph.*Processor":

CarsUnbilledProcessor - CARS.UNBILLED event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]
CarsDeltaHierarchyProcessor - CARS_HIERARCHY event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]
2023-08-30 04:30:48.058 [INFO ] [Thread-43] TriumphProductProcessor - TRIM.PRD event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]

It's both CARS and Triumph. @gcusello can you provide me the regex now?
I have another issue in comparing and want to compare should_be with server_installed_package. Sometimes the installed package is higher after patching. Example given below for the git version: if should_be == server_installed_package, the status should be updated as Completed. Another case: if server_installed_package is greater than shouldbe, mark as complete (2 < 3). Also it should check if the first number is the same; if so, it should check the second digits, and it should mark as completed; else it should check the next digit if it is 2, and it should check another number.

CI       Installed            shouldbe             server_installed_package   Status
server1  git-2.31.1-3.el8_7   git-2.39.3-1.el8_8   git-3.40.3-1.el8_8         Not complete
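An added example, not from this thread or from Splunk, showing the comparison rule described above in Python rather than SPL: the package string is split into its numeric version and release parts and compared position by position, so 3 beats 2 in the first position, and 2.10 beats 2.9 in the second (a plain string comparison would get that one wrong). The function names, the NAME-VERSION-RELEASE.DIST parsing rule, and the "Completed" / "Not complete" labels are assumptions modelled on the question's wording and examples.

```python
import re

# Package strings of the form NAME-VERSION-RELEASE.DIST, as in the question's
# examples (git-2.31.1-3.el8_7, git-2.39.3-1.el8_8).  NAME may itself contain
# hyphens, VERSION is dotted digits, RELEASE is the number before the dist tag.
# (Assumed format; adjust PKG_RE if your package strings differ.)
PKG_RE = re.compile(
    r"^(?P<name>.+?)-(?P<version>\d+(?:\.\d+)*)-(?P<release>\d+)\.(?P<dist>.+)$"
)


def version_key(pkg):
    """Return ((major, minor, ...), release) as integers so tuples compare numerically."""
    m = PKG_RE.match(pkg)
    if not m:
        raise ValueError(f"unrecognised package string: {pkg!r}")
    version = tuple(int(part) for part in m["version"].split("."))
    return version, int(m["release"])


def patch_status(should_be, installed):
    """'Completed' when the installed package is equal to or newer than the required one.

    The comparison is numeric and positional: the first number decides, then the
    second, and so on, which is the rule the question describes (2 < 3 counts as
    complete, and equal leading numbers fall through to the next number).
    """
    return "Completed" if version_key(installed) >= version_key(should_be) else "Not complete"


if __name__ == "__main__":
    rows = [  # constructed from the question's example row
        ("server1", "git-2.39.3-1.el8_8", "git-2.31.1-3.el8_7"),
        ("server1", "git-2.39.3-1.el8_8", "git-3.40.3-1.el8_8"),
        ("server2", "git-2.9.0-1.el8", "git-2.10.0-1.el8"),  # string compare would get this wrong
    ]
    for ci, should_be, installed in rows:
        print(ci, should_be, installed, patch_status(should_be, installed))
```

The same positional rule can be expressed in SPL with split() and tonumber() on each component, but the tuple comparison above is the easiest place to confirm what the expected status for each row should be before building the search.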
Thank you so much! I will install TA_nix addon tomorrow. One more question. I have a problem like this. https://community.splunk.com/t5/Getting-Data-In/How-to-make-a-search-for-some-analytics-with-SPL/td-p/656201 Can you help me?
Hi @10061987, in the Splunk_TA_nix there's an input stanza for /etc/passwd that's usually disabled. If you enable it, you'll have the content of the above file with sourcetype=Unix:UserAccounts, so you can run a search like the following:

index=os sourcetype=Unix:UserAccounts
| eval timestamp=strftime(_time,"%Y-%m-%d %H:%M:%S")
| stats dc(_raw) AS raw_count list(timestamp) AS timestamp
| where raw_count>1

Obviously, check if you stored Unix logs in the os index. Ciao. Giuseppe
Hi @aditsss, please try the following regex:

| rex "Triumph.*Processor - (?<field>[^ ]*)"

that you can test at https://regex101.com/r/XNehPc/1 Ciao. Giuseppe
Hi Team,

2023-08-27 10:34:18.285 [INFO ] [Thread-30] TriumphUnbilledProcessor - TRIM.UNBILLED event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]
2023-08-27 07:38:31.688 [INFO ] [Thread-31] TriumphCancelTransferProcessor - TRIM.CNX event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]

I want to fetch the file names, TRIM.UNBILLED and TRIM.CNX, from the raw logs. My current query:

index="abc" sourcetype=600000304_gg_abs_ipc1 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "event published to ebnc:" NOT "Utils -"
| rex " event published to ebnc: \[\{\"status\":\"(?<status>.*)\",\"description\":\"(?<description>.*)\"\}\]"
| eval message="event published to ebnc"
| table message status description
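An added example, not from this thread, that applies the extraction the question asks for, the "Processor - " rule from the earlier reply, and the CARS/Triumph follow-up to constructed log lines in Python (Python's re uses (?P<name>...) where Splunk's rex uses (?<name>...); the patterns are otherwise the same). The logger name is matched as anything ending in "Processor" so both Triumph* and Cars* loggers are covered, the event name is the run of non-space characters after " - ", and the JSON array after "event published to ebnc:" is parsed for status and description instead of being captured with a greedy .* as in the current query. The sample lines are constructed from the lines quoted in the thread; the final "Utils -" line is constructed to show that non-Processor loggers are simply not matched, which is what the NOT "Utils -" clause in the search does.

```python
import json
import re

# Constructed sample lines, modelled on the lines quoted in the question (TRIM)
# and in the follow-up (CARS).  The last line is constructed to show that a
# non-Processor logger does not match the pattern.
SAMPLE_LOG = """\
2023-08-27 10:34:18.285 [INFO ] [Thread-30] TriumphUnbilledProcessor - TRIM.UNBILLED event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]
2023-08-27 07:38:31.688 [INFO ] [Thread-31] TriumphCancelTransferProcessor - TRIM.CNX event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]
2023-08-30 04:30:47.101 [INFO ] [Thread-42] CarsUnbilledProcessor - CARS.UNBILLED event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]
2023-08-30 04:30:48.058 [INFO ] [Thread-43] TriumphProductProcessor - TRIM.PRD event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]
2023-08-30 04:30:49.000 [INFO ] [Thread-44] Utils - event published to ebnc: [{"status":"FAILED","description":"constructed non-matching line"}]
"""

# The logger name ends in 'Processor' whatever its prefix (Triumph..., Cars...);
# the event name is the run of non-space characters after ' - '; the payload is
# the JSON array that follows 'event published to ebnc:'.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<level>[^\]]*)\] \[(?P<thread>[^\]]*)\] "
    r"(?P<processor>\w+Processor) - (?P<event>\S+) event published to ebnc: "
    r"(?P<payload>\[.*\])$"
)


def extract_events(log_text):
    """Return one dict per matching line: time, processor, event name, and the JSON status."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. 'Utils -' lines, which the search excludes with NOT "Utils -"
        payload = json.loads(m["payload"])
        first = payload[0] if payload else {}
        results.append({
            "time": m["ts"],
            "processor": m["processor"],
            "event": m["event"],
            "status": first.get("status"),
            "description": first.get("description"),
        })
    return results


if __name__ == "__main__":
    for row in extract_events(SAMPLE_LOG):
        print(row["time"], row["processor"], row["event"], row["status"])
```

Parsing the payload as JSON rather than with a greedy regex also keeps status and description correct when the array ever carries more than one element or a description containing a quote.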
But we have some events of a job in indexA and some events of the same job in indexB. Suppose we want to create a table of all events of the same job; how can we do that?
Try it in Splunk, not regex101.com:

| makeresults
| fields - _time
| eval _raw="command:RESTORE LABELONLY FROM DISK=@P1
command:RESTORE VERIFYONLY FROM DISK = 'i:\toto.sql'
command:RESTORE VERIFYONLY FROM DISK = 'i:\tata.sql'
command:RESTORE LABELONLY FROM DISK=@P1
command:sp_addlinkedsrvlogin
command:RESTORE LABELONLY FROM DISK=@P1"
| multikv noheader=t
| fields _raw
| rex "command:(?<firstwords>\w+(\s\w+)?)"
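An added example, not from this thread or from Splunk, serving both the makeresults test above and the SQL Server audit question earlier in the thread (the one that got command = sp_addlinkedsrvlogin additional_information). It parses the space-separated key:value payload of the audit event's <Data> element into a dict in Python, so each value is bounded by the next key rather than by a word count, and it also applies the "command:(?<firstwords>\w+(\s\w+)?)" regex from the test above to show why that pattern runs into the following key on the real event. Python's re uses (?P<name>...) for named groups; the sample payload is constructed from the event quoted in the question and trimmed to the fields that matter here.

```python
import re

# Constructed sample: the <Data> payload of the SQL Server audit event quoted in
# the question earlier in this thread, trimmed to the fields that matter here
# (values are the page's own example values).
SAMPLE_DATA = (
    " audit_schema_version:1 event_time:2023-08-31 04:30:00.9332742 sequence_number:1"
    " action_id:CR succeeded:true is_column_permission:false session_id:53"
    " client_ip:100.255.120.234 server_principal_name:truc database_name:master"
    " schema_name: object_name:LSuser command:sp_addlinkedsrvlogin"
    ' additional_information:<action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data">'
    "<server_name><![CDATA[SWPDFRSQLADM1\\MWPADM01]]></server_name></action_info> \n"
    "user_defined_information: application_name:SQLAgent - TSQL JobStep"
    " (Job 0x451A71BE3BB91D4DBF2A1A6C12446006 : Step 1) "
)

# A key is a run of lowercase letters/underscores directly followed by ':'; a value
# runs up to the next whitespace+key token or the end of the payload.  Stopping at
# the *next key* is what keeps 'command' from swallowing 'additional_information';
# requiring letters before ':' keeps a time such as '04:30:00' from looking like a key.
FIELD_RE = re.compile(r"(?P<key>[a-z_]+):(?P<value>.*?)(?=\s[a-z_]+:|\s*\Z)", re.DOTALL)

# The regex from the makeresults test above, in Python's (?P<name>...) group syntax.
FIRST_WORDS_RE = re.compile(r"command:(?P<firstwords>\w+(?:\s\w+)?)")


def parse_sqlaudit_data(payload):
    """Return the key/value pairs of a SQL Server audit <Data> payload as a dict."""
    return {m["key"]: m["value"].strip() for m in FIELD_RE.finditer(payload)}


def first_words(text):
    """First one or two words after 'command:' (the rex from the test above), or None."""
    m = FIRST_WORDS_RE.search(text)
    return m["firstwords"] if m else None


if __name__ == "__main__":
    fields = parse_sqlaudit_data(SAMPLE_DATA)
    for key in ("action_id", "client_ip", "object_name", "command", "application_name"):
        print(f"{key} = {fields[key]}")
    # Against the whole payload the word-count regex runs into the next key,
    # which is exactly the result reported in the question:
    print("firstwords =", first_words(SAMPLE_DATA))
    # Against a lone command value it behaves as the makeresults test shows:
    print("firstwords =", first_words("command:RESTORE LABELONLY FROM DISK=@P1"))
```

The same idea carries back to SPL: a rex that stops the command capture at the next key token, for instance "command:(?<command>.*?)\s[a-z_]+:", returns the full command text, whereas counting words only works when the command happens to be one or two words long.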