Hi splunk team, I have a question about how to extract the key-value pairs from JSON data. Let's say for example I have two raw events like this:

# raw data 1:
```
{
  "key1": {
    "key2": {
      "key3": [
        {"data_value": {"aaa": "12345", "bbb": "23456"}}
      ]
    }
  }
}
```

# raw data 2:
```
{
  "key1": {
    "key2": {
      "key3": [
        {"data_value": {"ccc": "34567"}}
      ]
    }
  }
}
```

How can I extract the key-value results from all the data_value objects into a table like this?

```
node  value
aaa   12345
bbb   23456
ccc   34567
```

I currently have a splunk query that does part of it:

```
some search...
| spath output=pairs path=key1.key2.key3{}.data_value
| rex field=pairs "\"(?<node>[^\"]+)\":\"(?<value>[^\"]+)\""
| table node value pairs
```

but this only gives me the first pair from each event; the result looks like the table below, which ignores "bbb":"23456". Please give me some advice on how to grab all the results, thanks!

```
node  value  pairs
aaa   12345  {"aaa": "12345", "bbb": "23456"}
ccc   34567  {"ccc": "34567"}
```
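An added example, not part of the post above and not Splunk's own code: the same extraction done in Python, which separates the two things going on. `walk` implements the spath-style path `key1.key2.key3{}.data_value` (a segment ending in `{}` fans out over every element of that array), and `regex_pairs` reproduces why the posted rex keeps only `aaa`: Splunk's rex returns a single match per field unless `max_match=0` (or a higher count) is given, exactly like `re.search` versus `re.findall`. The two event strings are the raw events from the post with whitespace collapsed; the function names are mine.

```python
import json
import re
from typing import Any, Iterator, List, Tuple

# The two raw events from the post, whitespace collapsed onto one line each.
RAW_EVENTS = [
    '{"key1": {"key2": {"key3": [{"data_value": {"aaa": "12345", "bbb": "23456"}}]}}}',
    '{"key1": {"key2": {"key3": [{"data_value": {"ccc": "34567"}}]}}}',
]


def walk(obj: Any, segments: List[str]) -> Iterator[Any]:
    """Yield every value reachable by an spath-style dotted path.

    A segment written as 'name{}' means "every element of the array under
    name", so 'key3{}' visits each list item instead of picking one.
    Missing keys simply yield nothing, as spath does.
    """
    if not segments:
        yield obj
        return
    head, rest = segments[0], segments[1:]
    if head.endswith("{}"):
        arr = obj.get(head[:-2]) if isinstance(obj, dict) else None
        if isinstance(arr, list):
            for item in arr:
                yield from walk(item, rest)
    elif isinstance(obj, dict) and head in obj:
        yield from walk(obj[head], rest)


def extract_pairs(raw_events: List[str],
                  path: str = "key1.key2.key3{}.data_value") -> List[Tuple[str, str]]:
    """Return (node, value) rows for every key inside every data_value object."""
    segments = path.split(".")
    rows: List[Tuple[str, str]] = []
    for raw in raw_events:
        event = json.loads(raw)
        for data_value in walk(event, segments):
            if isinstance(data_value, dict):
                for node, value in data_value.items():
                    rows.append((node, str(value)))
    return rows


# Same idea as the posted rex, but tolerant of the space after the colon
# that the serialized object in the 'pairs' field actually contains.
PAIR_RE = re.compile(r'"(?P<node>[^"]+)":\s*"(?P<value>[^"]+)"')


def regex_pairs(pairs_json: str, all_matches: bool) -> List[Tuple[str, str]]:
    """Mimic rex on the 'pairs' string.

    all_matches=False behaves like rex's default max_match=1 (first hit
    only); all_matches=True behaves like rex ... max_match=0 (every hit).
    """
    if all_matches:
        return PAIR_RE.findall(pairs_json)
    m = PAIR_RE.search(pairs_json)
    return [(m.group("node"), m.group("value"))] if m else []


if __name__ == "__main__":
    for node, value in extract_pairs(RAW_EVENTS):
        print(f"{node}\t{value}")
```

The walker is the part worth keeping: it is a direct model of what `spath` does with a `{}` path, and running it over a saved sample of the real events is a quick way to confirm a path before writing the SPL.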
Hi All, Trying to configure an alert that runs on the first Sunday only of every month, specifically at 9:30am. I put this as the cron expression: 30 9 1-7 * 0 If I'm reading the documentation correctly, that should be it. However, the alert appears to be running every Sunday of every month instead of just the first Sunday of every month. Am I doing something wrong? Can't figure it out.... Thanks!
There is a Proofpoint add-on and we have it installed, but we need kind of bulk processing capabilities. For example, list all messages from a given sender, IP etc.
@gcusello @kiran_panchavat thanks for your help, but unfortunately I can't share any files, sorry. I am in an air-gapped environment. I have already run splunk btool inputs list --debug | grep index, but I will try without "grep index" and see if I can find anything weird. I haven't checked props.conf but I will check it now. As far as I know, I haven't made any change in props.conf.
Hello, below is a sample for a single message from the Proofpoint log. It looks simple, but I am struggling to write a query to pull the sender (env_from value), recipient(s) (env_rcpt values) and IP address. As far as I understand, x and s have the same values for a given single message in the logs and will change from message to message. Any help will be greatly appreciated.

```
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.436109+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mail cmd=env_from value=sender@company.com size= smtputf8= qid=44pnhtdtkf-1 tls= routes= notroutes=tls_fallback host=host123.company.com ip=10.10.10.10
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.438453+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mail cmd=env_rcpt r=1 value=recipient.two@DifferentCompany.net orcpt=recipient.two@DifferentCompany.NET verified= routes= notroutes=RightFax,default_inbound,journal
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.440714+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mail cmd=env_rcpt r=2 value=recipient.one@company.com orcpt=recipient.one@company.com verified= routes=default_inbound notroutes=RightFax,journal
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.446326+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=session cmd=data from=sender@company.com suborg=
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.446383+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=session cmd=data rcpt=recipient.two@DifferentCompany.net suborg=
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.446405+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=session cmd=data rcpt=recipient.one@company.com suborg=
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.446639+00:00 host filter_instance1[1394]: info s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=session cmd=data rcpt_routes= rcpt_notroutes=RightFax,journal data_routes= data_notroutes=
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.450566+00:00 host filter_instance1[1394]: info s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=session cmd=headers hfrom=sender@company.com routes= notroutes=
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.455141+00:00 host filter_instance1[1394]: info s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mimelint cmd=getlint lint=
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.455182+00:00 host filter_instance1[1394]: info s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mimelint cmd=getlint mime=1 score=0 threshold=100 duration=0.000
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.455201+00:00 host filter_instance1[1394]: info s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mimelint cmd=getlint warn=0
```
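An added example (not from the post, the Proofpoint add-on or Proofpoint itself) that parses the posted lines in Python. Each line is a syslog header followed by `<level> key=value key=value ...`; the connection id `s=` together with the message counter `m=` ties the `env_from` line (which also carries the client `ip=`) to the `env_rcpt` lines, one per recipient, so grouping on that pair yields one row per message. The sample text is the post's own `mod=mail` and `mod=session` lines; the regular expressions and the header field names `relay`, `syslog_host`, `level` are my assumptions about the layout, not a Proofpoint schema. The same grouping in SPL is a `stats ... by s, m` over the extracted `cmd`, `value` and `ip` fields.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample: the mail/session lines from the post, one per line.
SAMPLE_LOG = """\
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.436109+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mail cmd=env_from value=sender@company.com size= smtputf8= qid=44pnhtdtkf-1 tls= routes= notroutes=tls_fallback host=host123.company.com ip=10.10.10.10
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.438453+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mail cmd=env_rcpt r=1 value=recipient.two@DifferentCompany.net orcpt=recipient.two@DifferentCompany.NET verified= routes= notroutes=RightFax,default_inbound,journal
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.440714+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=mail cmd=env_rcpt r=2 value=recipient.one@company.com orcpt=recipient.one@company.com verified= routes=default_inbound notroutes=RightFax,journal
Feb 11 10:04:12 host.company.com 2025-02-11T15:04:12.446326+00:00 host filter_instance1[1394]: rprt s=44pnhtdtkf m=1 x=44pnhtdtkf-1 mod=session cmd=data from=sender@company.com suborg=
"""

# Assumed layout: "<bsd ts> <relay> <iso ts> <host> <proc>[<pid>]: <level> <kv...>".
# The header's host is captured as syslog_host so the body's host= does not clobber it.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<relay>\S+) (?P<iso>\S+) "
    r"(?P<syslog_host>\S+) (?P<proc>[^\[]+)\[(?P<pid>\d+)\]: (?P<level>\w+) (?P<body>.*)$"
)
# key=value tokens; \S* (not \S+) keeps empty values such as "size=" as "".
KV_RE = re.compile(r"(\w+)=(\S*)")

MsgKey = Tuple[str, str]  # (s, m): connection id and message counter


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into header fields plus its key=value pairs."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(KV_RE.findall(rec.pop("body")))
    return rec


def summarize(log_text: str) -> Dict[MsgKey, Dict[str, object]]:
    """One row per message: sender, list of recipients and client IP."""
    msgs: Dict[MsgKey, Dict[str, object]] = defaultdict(
        lambda: {"sender": None, "recipients": [], "ip": None}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("mod") != "mail" or "s" not in rec:
            continue
        msg = msgs[(rec["s"], rec.get("m", ""))]
        if rec.get("cmd") == "env_from":
            msg["sender"] = rec.get("value")
            msg["ip"] = rec.get("ip")
        elif rec.get("cmd") == "env_rcpt":
            msg["recipients"].append(rec.get("value"))
    return dict(msgs)


def messages_from(log_text: str, sender: str) -> List[MsgKey]:
    """Bulk query of the kind asked about above: every message id for a sender."""
    return [key for key, row in summarize(log_text).items() if row["sender"] == sender]


def messages_from_ip(log_text: str, ip: str) -> List[MsgKey]:
    return [key for key, row in summarize(log_text).items() if row["ip"] == ip]


if __name__ == "__main__":
    for (s, m), row in summarize(SAMPLE_LOG).items():
        print(s, m, row["sender"], "->", ", ".join(row["recipients"]), "from", row["ip"])
```

Grouping on `(s, m)` rather than `s` alone matters when a client sends several messages over one connection: `s=` stays fixed for the connection and `m=` increments, which is also what the combined `x=` id encodes.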
I finally fixed this. I had to check to make sure the sample folder was in the correct parent folder, "destinations". I then copied all the sample files (pulled from the Splunkbase website) over to the splunk/etc/apps/destinations/samples folder, copied the eventgen.conf file over to the correct "local" folder in the "destinations" folder, and restarted Splunk; then I pulled up index="main" and it populated data. Hope this helps. It took me a while to get this right.
@jkamdar Can you send the inputs.conf and props.conf files? Also, please use the btool command to check if there are any duplicate inputs.conf configurations. To check for duplicate inputs.conf configurations using the btool command, you can run the following: /opt/splunk/bin/splunk btool inputs list --debug This command will display the full path to each inputs.conf file that Splunk is reading from, making it easier to identify any duplicates.
Hi @jkamdar, it's really difficult to debug your issue without accessing your conf files and your data! Could you share your inputs.conf and props.conf? Ciao. Giuseppe
@gcusello I tried btool commands on my rsyslog server: splunk btool inputs list and splunk btool inputs list --debug | grep index and the files I found are configured properly. Not sure where to look next.
Continuing to get this error on Palo Alto Networks application v. 8.1.3. TypeError: mvc.createService is not a function at eval (eval at _runScript (dashboard_1.1.js), <anonymous>:40:21) I removed the dashboards.js file and still experiencing. Any ideas?
Yes, I wanted to be able to upload a conf file from the search head to the Deployment Server, which would result in it being pulled by the UFs, but as you said it's not possible through the REST API or the GUI. Can you provide any references on how to safely use credentials with Splunk encryption so I don't leave credentials unprotected?
Hi @smanojkumar Sorry, I got my wires crossed. It doesn't look like this is possible with XML Dashboards; however, you can probably achieve this design much more easily with a Dashboard Studio dashboard. Is there anything preventing you from switching to a Dashboard Studio dashboard for this? Thanks Will