The lookup table has a single field "DNS" with all the blocklisted DNS requests, e.g. bliss.com, sugar.plux.net, etc. The corresponding field in the events could be dns_queries.
Now this has been fixed (read: removed) in 9.1.1:
2023-08-30 SPL-242093, SPL-242240: Should not create default "splunkfwd" account by Linux RPM/DEB installer during upgrade when Splunk has been managed by another account
Remove these lines (they were only required when you had the extra row that you originally asked for):
| eval inserts=if(isnull(_time),null(),inserts)
| eval updates=if(isnull(_time),null(),updates)
| eval errors=if(isnull(_time),null(),errors)
Hi @aditsss, is the "Processor" word always present? If yes, please try:
| rex "Processor - (?<field>[^ ]*)"
In other words, you have to find a rule to apply to the regex to identify the part to extract. Ciao. Giuseppe
Hi @Hema_Nithya, this check highly depends on the format of the version, so if the format is always the one you shared (git-2.31.1-3.el8_7 and git-2.39.3-1.el8_8), you could use a regex to extract the numeric version:
| rex field=installed ".*(?<version_installed>\d+_\d+)"
| rex field=shouldbe ".*(?<version_shouldbe>\d+_\d+)"
so you can compare them. Ciao. Giuseppe
@gcusello It will not always be "Triumph.*Processor":
CarsUnbilledProcessor - CARS.UNBILLED event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]
CarsDeltaHierarchyProcessor - CARS_HIERARCHY event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]
2023-08-30 04:30:48.058 [INFO ] [Thread-43] TriumphProductProcessor - TRIM.PRD event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]
It's both CARS and Triumph. @gcusello, can you provide me the regex now?
I have another issue in comparing: I want to compare should_be with server_installed_package. Sometimes the installed package is higher after patching. Example given below for the git version: if should_be == server_installed_package, the status should be updated as Completed. Another case: if server_installed_package is greater than shouldbe, mark it as complete (2 < 3); also, if the first number is the same, it should check the second digits and mark it as completed, else it should check the next digit if it is 2, and then check another number.
CI       Installed            shouldbe             server_installed_package   Status
server1  git-2.31.1-3.el8_7   git-2.39.3-1.el8_8   git-3.40.3-1.el8_8         Not complete
Thank you so much! I will install the TA_nix add-on tomorrow. One more question: I have a problem like this: https://community.splunk.com/t5/Getting-Data-In/How-to-make-a-search-for-some-analytics-with-SPL/td-p/656201 Can you help me?
Hi @10061987, in the Splunk_TA_nix there's an input stanza for /etc/passwd that's usually disabled. If you enable it, you'll have the content of the above file with sourcetype=Unix:UserAccounts, so you can run a search like the following:
index=os sourcetype=Unix:UserAccounts
| eval timestamp=strftime(_time,"%Y-%m-%d %H:%M:%S")
| stats dc(_raw) AS raw_count list(timestamp) AS timestamp
| where raw_count>1
Obviously, check whether you stored the Unix logs in the os index. Ciao. Giuseppe
Hi @aditsss, please try the following regex:
| rex "Triumph.*Processor - (?<field>[^ ]*)"
You can test it at https://regex101.com/r/XNehPc/1. Ciao. Giuseppe
Hi Team,
2023-08-27 10:34:18.285 [INFO ] [Thread-30] TriumphUnbilledProcessor - TRIM.UNBILLED event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]
2023-08-27 07:38:31.688 [INFO ] [Thread-31] TriumphCancelTransferProcessor - TRIM.CNX event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]
I want to fetch the filenames (bold) from the raw logs: TRIM.UNBILLED and TRIM.CNX. My current query:
index="abc" sourcetype=600000304_gg_abs_ipc1 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "event published to ebnc:" NOT "Utils -"
| rex " event published to ebnc: \[\{\"status\":\"(?<status>.*)\",\"description\":\"(?<description>.*)\"\}\]"
| eval message="event published to ebnc"
| table message status description
But we have some events of a job in indexA and some events of the same job in indexB. Suppose we want to create a table of all events of the same job; how can we do that?
Try it in Splunk, not regex101.com:
| makeresults
| fields - _time
| eval _raw="command:RESTORE LABELONLY FROM DISK=@P1
command:RESTORE VERIFYONLY FROM DISK = 'i:\toto.sql'
command:RESTORE VERIFYONLY FROM DISK = 'i:\tata.sql'
command:RESTORE LABELONLY FROM DISK=@P1
command:sp_addlinkedsrvlogin
command:RESTORE LABELONLY FROM DISK=@P1"
| multikv noheader=t
| fields _raw
| rex "command:(?<firstwords>\w+(\s\w+)?)"