Hi, I didn't get why you cannot use that rex which is working? Personally, I always prefer to use my own rex rather than those which are created by the field extractor. It's Splunk's design decision that if there are multiple matches then those are put in mv fields. You can always expand those into individual events if mv fields are not suitable for your use case.

| makeresults
| eval _raw = "orci eget eros faucibus tincidunt. Duis leo. Sed fringilla mauris sit amet nibh. Donec sodales sagittis magna. Sed consequat, leo eget bibendum sodales, augue velit cursus nunc, {'NotSecrets!!.txt': 'fileHash': 'a3b9adaee5b83973e8789edd7b04b95f25412c764c8ff29d0c63abf25b772646'}, {}}, 'Secrets!!.txt': 'fileHash': 'c092a4db704b9c6f61d6a221b8f0ea5f719e7f674f66fede01a522563687d24b'}, {}}} orci eget eros faucibus tincidunt. Duis leo. Sed fringilla mauris sit amet nibh. Donec sodales sagittis magna. Sed consequat, leo eget bibendum sodales, augue velit cursus nunc,"
| rex max_match=0 "(?:'(?<attachments>.*?)'.*?'fileHash': '(?<sha256>\w+)'}.*?\{.*?\}\}[,\}]\s?)"
| eval foo = mvzip(attachments,sha256,";-;")
| mvexpand foo
| eval foo=split(foo,";-;")
| eval attachments=mvindex(foo,0)
| eval sha256=mvindex(foo,1)
| table attachments sha256

r. Ismo
It replaces all existing fields, so you don't need to write everything here. You could also add e.g. values(foo*) as bar*, and then it takes only those fields which start with foo and puts them in result fields named bar*. This is a quite useful and commonly used feature in SPL.
| appendpipe [| stats count | where count==0]
| makeresults format=csv data="raw CSR-345sc453-a2da-4850-aacb-7f35d5127b21 - Sending error response back in 2136 msecs. 00012243asdsfgh - No recommendations from System A. Message - ERROR: System A | No Matching Recommendations 001b135c-5348-4arf-b3vbv344v - Validation Exception reason - Empty/Invalid Page_Placement Value ::: Input received - Channel1; ::: Other details - 001sss-445-4f45-b3ad-gsdfg34 - Incorrect page and placement found: Channel1; 00assew-34df-34de-d34k-sf34546d :: Invalid requestTimestamp : 2025-01-21T21:36:21.224Z 01hg34hgh44hghg4 - Exception while calling System A - null Exception message - CSR-a4cd725c-3d73-426c-b254-5e4f4adc4b26 - Generating exception because of multiple stage failure - abc_ELIGIBILITY 0013c5fb1737577541466 - Exception message - 0013c5fb1737577541466 - Generating exception because of multiple stage failure - abc_ELIGIBILITY b187c4411737535464656 - Exception message - b187c4411737535464656 - Exception in abc module. Creating error response - b187c4411737535464656 - Response creation couldn't happen for all the placements. Creating error response."
| rex field=raw max_match=0 "(\b)(?<words>[A-Za-z'_]+)(\b|$)(?!\-)"
| eval words = mvjoin(words, " ")
I think this fixed my issue! Thanks! Just out of curiosity, what does adding the values(*) do? Not sure I have seen that before.
I gotcha, thank you for the info!
The appendcols command rarely is the right answer to an SPL problem. You probably want append.

index="index" <search> earliest=-4h@h latest=@h
| stats latest(FieldA) as DataNew earliest(FieldA) as DataOld by Field1, Field2, Field3
| append [search index="index" <search> earliest=-3h@h latest=-1@h
    | stats latest(FieldA) as DataMidOld earliest(FieldA) as DataMidNew by Field1, Field2, Field3]
``` Re-group the results ```
| stats values(*) as * by Field1, Field2, Field3
| table DataNew, DataMidNew, DataMidOld, DataOld, Field1, Field2, Field3

The biggest problem with appendcols is that it requires the results to be in the exact same sequence as those from the main search - otherwise, gibberish can result.
Hi Splunkers, this is my first post as I am new to using Splunk, but my issue arises when I am trying to pull specific values from a time range within one search. To do this I am using appendcols to add another search, designate a new value for earliest and latest, then use the "stats latest(field) as 'name' by field, field" command to pull these values out. Here is an example query:

index="index" <search> earliest=-4h@h latest=@h
| stats latest(FieldA) as DataNew earliest(FieldA) as DataOld by Field1, Field2, Field3
| appendcols [search index="index" <search> earliest=-3h@h latest=-1@h
    | stats latest(FieldA) as DataMidOld earliest(FieldA) as DataMidNew by Field1, Field2, Field3]
| table DataNew, DataMidNew, DataMidOld, DataOld, Field1, Field2, Field3

In my mind, I see no error with this search, but the values for DataMidOld and DataMidNew do not align with the actual data, and are seemingly random. Any help is appreciated!
On a UF you shouldn't have a splunktcp input in inputs.conf. The only exception is when you are using the UF as an intermediate forwarder, but this is a different story.
One more question @ITWhisperer, how can we ignore the bunch of letters coming in alphanumeric words delimited by hyphens?

Example: CSR-345sc453-a2da-4850-aacb-7f35d5127b21 - Sending error response back in 2136 msecs.

Expected output: "CSR Sending error response back in msecs" OR "Sending error response back in msecs"

The regex shared by you is including "aacb" also, but we want to ignore it. The requirement is to extract the statement without any correlation/context id so as to uniquely identify the error statement.
Admin is the same as root in the *nix world. You could try different tricks to restrict what it can do, but there is always a way to avoid those restrictions! To be honest, your company must implement policies which are mandatory, and if someone doesn't follow them then there are some consequences for those. Otherwise there will always be some surprises from time to time. Of course, there should be some other ways to motivate your colleagues first to understand why there are policies and why everyone must follow them.
Thanks @ITWhisperer  & @bowesmana  for all your help!
That directory probably contains older jQuery files.
We can't see what might be wrong with your search if we can't see the actual events the search is running against. Please share some anonymised events which demonstrate the issue you are facing.
Hi @Brandon.Camp, I wanted to follow up to see if you saw Mario's reply. If the reply helped, please click the "Accept as Solution" button. If not, please keep the conversation going and reply to this thread.
Alrighty, made an inputs.conf in my splunkuniversalforwarder/etc/system/local that looks like this:

[default]
host = "computername"

[splunktcp:9997]
connection_host = ip

[WinEventLog://Security]
disabled=0
current_only=1
blacklist1=5447

I'll bother you in a bit to see if it worked haha. I really appreciate your help!
I am not getting it. You want me to share the dashboard output?
Hi @varsh_6_8_6, you can find many answers to this question and I proposed it in Splunk Ideas to have this feature in dashboards and it's a future prospect; if you think that's interesting, upvote for it at https://ideas.splunk.com/ideas/EID-I-572

Anyway, in the meantime, only one question before the answer: is messageValue a number or what else? If it's a number, please try:

index="xyz" host="*" "total payment count :"
| eval messagevalue=mvindex(split(messagevalue,":"),1)
| stats latest(messagevalue) AS messagevalue
| append [ | makeresults | eval messagevalue=0 | fields messagevalue ]
| stats sum(messagevalue) AS messagevalue

Ciao. Giuseppe
The following is my query.

index="xyz" host="*"
| fields host,messagevalue
| search "total payment count :"
| eval messagevalue=mvindex(split(messagevalue,":"),1)
| stats latest(messagevalue)

For a given period, if there are no events, "No results found" is displayed. Instead I want zero to be displayed. I tried using fillnull but no luck.
If my answer answered your question, please "Accept it as Solution". If it helped you anyway, kindly upvote!!!