All Posts
Hi @tdavison76 , please try this regex: | rex field="alert.message" "On-Prem - (?<your_field>[^\"]+)" that you can test at https://regex101.com/r/RWQr9a/1 Ciao. Giuseppe
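As an added worked example that is not part of the original thread, the Python script below runs the suggested pattern against a trimmed copy of the event posted later in this thread and shows the two things that trip people up here: rex only creates a field from a named capture group (a lookbehind-only pattern that matches in regex101 creates nothing in Splunk), and the hyphen in "On-Prem" has to be present. Python's re module spells a named group (?P<name>...); Splunk's PCRE accepts that form as well as (?<name>...). The sample event is constructed from the posted JSON with most keys removed.

```python
import json
import re
from typing import Optional

# Constructed sample event: a trimmed version of the Opsgenie/ThousandEyes
# payload posted in this thread. Only the keys the example needs are kept.
SAMPLE_EVENT = json.dumps({
    "action": "Close",
    "productSource": "Opsgenie",
    "alert": {
        "tinyId": "64620",
        "priority": "P3",
        "message": "[ThousandEyes] Alert for priceSingle On-Prem - uepricing.domain.com",
    },
})

# Splunk's rex needs a named capture group; a bare lookbehind such as
# (?<=On-Prem - ).* matches but produces no field. Python's re module only
# knows (?P<name>...), which Splunk's PCRE accepts too. [^"]+ stops at the
# closing quote of the JSON string, so the same pattern also works when rex
# is run against _raw instead of the extracted alert.message field.
TARGET_RE = re.compile(r'On-Prem - (?P<target>[^"]+)')


def alert_message(raw_event: str) -> Optional[str]:
    """Return the alert.message value from a raw JSON event, or None."""
    try:
        doc = json.loads(raw_event)
    except json.JSONDecodeError:
        return None
    alert = doc.get("alert")
    if not isinstance(alert, dict):
        return None
    msg = alert.get("message")
    return msg if isinstance(msg, str) else None


def extract_target(message: Optional[str]) -> Optional[str]:
    """Mimic `rex field="alert.message" "On-Prem - (?<target>[^"]+)"`.

    Returns the captured value, or None when the marker is absent. That is
    also Splunk's behaviour: the event is kept, the field is just not created.
    """
    if message is None:
        return None
    m = TARGET_RE.search(message)
    return m.group("target") if m else None


def extract_from_event(raw_event: str) -> Optional[str]:
    return extract_target(alert_message(raw_event))


if __name__ == "__main__":
    print(extract_from_event(SAMPLE_EVENT))
    # The hyphen matters: a pattern written as "On Prem - " never matches.
    print(re.search(r"On Prem - (?P<t>.*)", alert_message(SAMPLE_EVENT) or ""))
```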
1) Can you share the exact SPL search? 2) Did you upgrade/refresh the add-on when you upgraded from v8 to v9?
Hello Giuseppe, Thank you very much for the help, I gave the regex a shot but it still didn't return any results. Here's an event that has the alert.message field of "[ThousandEyes] Alert for priceSingle On-Prem - uepricing.domain.com" included:

{"actionType": "custom", "customerId": "3a1f4387-b87b-4a3a-a568-cc372a86d8e4", "ownerDomain": "integration", "ownerId": "2196f43b-7e43-49dd-b8b7-8243aa391ad9", "discardScriptResponse": true, "sendCallbackToStreamHub": false, "requestId": "46f22bab-2964-4294-885e-2a7bd12ddd19", "action": "Close", "productSource": "Opsgenie", "customerDomain": "domain", "integrationName": "Opsgenie Edge Connector - Splunk", "integrationId": "2196f43b-7e43-49dd-b8b7-8243aa391ad9", "customerTransitioningOrConsolidated": false, "source": {"name": "", "type": "ThousandEyes"}, "type": "oec", "receivedAt": 1720795936606, "params": {"type": "oec", "alertId": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "customerId": "3a1f4387-b87b-4a3a-a568-cc372a86d8e4", "action": "Close", "integrationId": "2196f43b-7e43-49dd-b8b7-8243aa391ad9", "integrationName": "Opsgenie Edge Connector - Splunk", "integrationType": "OEC", "customerDomain": "domain", "alertDetails": {"Alert Details URL": "https://app.thousandeyes.com/alerts/list/?__a=210261&alertId=1017a144-c138-43d1-ab0e-5840c854c082", "TeamsDescription": "True"}, "alertAlias": "1017a144-c138-43d1-ab0e-5840c854c082", "receivedAt": 1720795936606, "customerConsolidated": false, "customerTransitioningOrConsolidated": false, "productSource": "Opsgenie", "source": {"name": "", "type": "ThousandEyes"}, "alert": {"alertId": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "id": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "type": "alert", "message": "[ThousandEyes] Alert for priceSingle On-Prem - uepricing.domain.com", "tags": [], "tinyId": "64620", "entity": "", "alias": "1017a144-c138-43d1-ab0e-5840c854c082", "createdAt": 1720786307165, "updatedAt": 1720795937106000000, "username": "ThousandEyes", "responders": [{"id": "383fed32-da1e-4847-a621-3e95a2575d9c", "type": "team", "name": "Pricing_Alerts"}], "teams": ["383fed32-da1e-4847-a621-3e95a2575d9c"], "actions": [], "priority": "P3", "oldPriority": "P3", "source": "ThousandEyes"}, "entity": {"alertId": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "id": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "type": "alert", "message": "[ThousandEyes] Alert for priceSingle On-Prem - uepricing.domain.com", "tags": [], "tinyId": "64620", "entity": "", "alias": "1017a144-c138-43d1-ab0e-5840c854c082", "createdAt": 1720786307165, "updatedAt": 1720795937106000000, "username": "ThousandEyes", "responders": [{"id": "383fed32-da1e-4847-a621-3e95a2575d9c", "type": "team", "name": "Pricing_Alerts"}], "teams": ["383fed32-da1e-4847-a621-3e95a2575d9c"], "actions": [], "priority": "P3", "oldPriority": "P3", "source": "ThousandEyes"}, "mappedActionDto": {"mappedAction": "postActionToOEC", "extraField": ""}, "ownerId": "2196f43b-7e43-49dd-b8b7-8243aa391ad9"}, "integrationType": "OEC", "alert": {"alertId": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "id": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "type": "alert", "message": "[ThousandEyes] Alert for priceSingle On-Prem - uepricing.domain.com", "tags": [], "tinyId": "64620", "entity": "", "alias": "1017a144-c138-43d1-ab0e-5840c854c082", "createdAt": 1720786307165, "updatedAt": 1720795937106000000, "username": "ThousandEyes", "responders": [{"id": "383fed32-da1e-4847-a621-3e95a2575d9c", "type": "team", "name": "Pricing_Alerts"}], "teams": ["383fed32-da1e-4847-a621-3e95a2575d9c"], "actions": [], "priority": "P3", "oldPriority": "P3", "source": "ThousandEyes"}, "customerConsolidated": false, "mappedActionDto": {"mappedAction": "postActionToOEC", "extraField": ""}, "alertId": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "alertAlias": "1017a144-c138-43d1-ab0e-5840c854c082", "alertDetails": {"Alert Details URL": "https://app.thousandeyes.com/alerts/list/?__a=210261&alertId=1017a144-c138-43d1-ab0e-5840c854c082", "TeamsDescription": "True"}, "entity": {"alertId": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "id": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "type": "alert", "message": "[ThousandEyes] Alert for priceSingle On-Prem - uepricing.domain.com", "tags": [], "tinyId": "64620", "entity": "", "alias": "1017a144-c138-43d1-ab0e-5840c854c082", "createdAt": 1720786307165, "updatedAt": 1720795937106000000, "username": "ThousandEyes", "responders": [{"id": "383fed32-da1e-4847-a621-3e95a2575d9c", "type": "team", "name": "Pricing_Alerts"}], "teams": ["383fed32-da1e-4847-a621-3e95a2575d9c"], "actions": [], "priority": "P3", "oldPriority": "P3", "source": "ThousandEyes"}}

Here's the actual search I am running:

Just let me know if more details are needed, and thanks again. Tom
Awesome information - thank you for the demo and tips.
Almost there - try something like this: | rex field='alert.message' "On Prem - (?<Name>.*)"
Hi @tdavison76 , I could be more detailed if you could share a sample of your logs; anyway, if you want to take all the content of the "alert.message" field after "On-Prem - ", you could try: | rex field="alert.message" "\<\=On Prem - (?<Name>.*)" Ciao. Giuseppe
We have a lookup in Splunk that we are looking to send a few columns in the lookup to another product via a POST API call. My question is, are there any Splunk add-ons that I can leverage to do this? I see there is an HTTP alert action that can make a POST, however with this being a lookup (csv) I am not sure it will work correctly.
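No add-on is named in this thread. As an added example that is not from the original post or from any Splunk add-on, the script below does the job outside Splunk: it reads an exported lookup CSV, keeps only the whitelisted columns (so internal columns never leave the system), and POSTs the rows in batches with a bearer token read from the environment. The lookup content, column names, endpoint URL and token variable are all hypothetical. In the demo the network call is stubbed out; dropping the send= argument performs real HTTPS requests with urllib's default certificate verification.

```python
import csv
import io
import json
import os
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample lookup, standing in for a lookup CSV exported from Splunk.
# Column names are hypothetical; internal_note is a column that must NOT be sent.
SAMPLE_LOOKUP_CSV = """host,ip,owner,last_seen,internal_note
web01,10.0.1.10,team-web,2024-07-12,do not share
db01,10.0.2.20,team-db,2024-07-11,contains PII
"""


def select_columns(csv_text: str, columns: Iterable[str]) -> List[Dict[str, str]]:
    """Keep only the columns the receiving product needs.

    Fails closed: a requested column missing from the lookup raises instead of
    silently sending partial records.
    """
    wanted = list(columns)
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in wanted if c not in (reader.fieldnames or [])]
    if missing:
        raise KeyError(f"lookup is missing columns: {missing}")
    return [{c: row[c] for c in wanted} for row in reader]


def batches(rows: List[Dict[str, str]], size: int) -> Iterable[List[Dict[str, str]]]:
    for i in range(0, len(rows), size):
        yield rows[i:i + size]


def post_rows(rows: List[Dict[str, str]], url: str, token: str,
              batch_size: int = 500,
              send: Optional[Callable[[urllib.request.Request], int]] = None) -> int:
    """POST the rows as JSON in batches; returns the number of requests made.

    `send` is injectable so the function can be exercised without a network.
    The default performs the real HTTPS request; certificate verification is
    urllib's default and is deliberately left on.
    """
    if send is None:
        def send(req: urllib.request.Request) -> int:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status
    count = 0
    for batch in batches(rows, batch_size):
        body = json.dumps({"records": batch}).encode()
        req = urllib.request.Request(
            url, data=body, method="POST",
            headers={"Content-Type": "application/json",
                     "Authorization": f"Bearer {token}"},
        )
        status = send(req)
        if status >= 300:
            raise RuntimeError(f"POST failed with HTTP {status}")
        count += 1
    return count


if __name__ == "__main__":
    rows = select_columns(SAMPLE_LOOKUP_CSV, ["host", "ip", "owner"])
    # The token comes from the environment, never from the lookup or the script.
    token = os.environ.get("TARGET_API_TOKEN", "")
    # Hypothetical endpoint; the send stub keeps this demo offline.
    sent = post_rows(rows, "https://api.example.test/assets", token,
                     send=lambda req: 200)
    print(f"{sent} request(s) built for {len(rows)} row(s)")
```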
I recently migrated from v8 to v9 for Splunk and I am having issues with ldapsearch not returning data that it had previously returned. I am trying to pull lastLogon for accurate tracking but this attribute will not return anything. lastLogonTimestamp works but is too far out of sync for my requirements on reporting. I have the LDAP configuration in the Active Directory add-on set to 3269 and everything else works fine except this one attribute. I set up delegation to read lastLogonTimestamp and then everything, so it's not a permissions issue from what I can see. Any help would be appreciated.
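An added example, not from the original post, for the reporting side of this question. lastLogon is a non-replicated attribute: each domain controller keeps its own value for an account, so the real last logon is the newest value across all DCs and has to be collected from every DC rather than from one. lastLogonTimestamp is replicated but is only refreshed when the stored value is more than roughly 9 to 14 days old, which is the sync gap described above. Both attributes are Windows FILETIME values (100-nanosecond ticks since 1601-01-01 UTC). The DC hostnames and values below are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Active Directory stores lastLogon and lastLogonTimestamp as Windows FILETIME:
# 100-nanosecond intervals since 1601-01-01 00:00:00 UTC. A value of 0 means
# the account has never logged on (against that particular DC for lastLogon).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value) -> Optional[datetime]:
    """Convert a FILETIME integer, or its string form as LDAP returns it."""
    if value in (None, "", 0, "0"):
        return None
    ticks = int(value)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def effective_last_logon(per_dc: Dict[str, object]) -> Optional[datetime]:
    """lastLogon is not replicated, so the answer is the newest value across
    all domain controllers; reading it from a single DC under-reports."""
    stamps = [filetime_to_datetime(v) for v in per_dc.values()]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


# Constructed sample: lastLogon for one account as reported by three DCs
# (hypothetical hostnames). Values are strings, as an LDAP client returns them.
SAMPLE_LAST_LOGON = {
    "dc01.example.test": "133651234560000000",
    "dc02.example.test": "133652345670000000",
    "dc03.example.test": "0",   # never authenticated against this DC
}

if __name__ == "__main__":
    for dc, raw in SAMPLE_LAST_LOGON.items():
        print(dc, filetime_to_datetime(raw))
    print("effective:", effective_last_logon(SAMPLE_LAST_LOGON))
```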
Hello, I need help on passing a field value from a Dashboard table into a "Link to search" drilldown but can't figure it out. I have a table that contains a "host" field. I am needing to be able to click on any of the returned hosts and drill into all of the events for that host. I've tried, in hopes that the $host$ would be replaced with the actual host name, this drilldown query: source="udp:514" host="$host$.doman.com" but, of course, it failed; it just gets replaced with "*". I'm sure I'm probably way off on how to do this, but any help would be awesome. Thanks in advance. Tom
How to identify whether the Stream_event function is called at the time interval or during create/edit of a data input?
Hello everyone, I am terrible at regex. I am trying to regex a field called "alert.message" to create another field with only the contents of alert.message after "On-Prem - ". I can achieve this in regex101 with: (?<=On-Prem - ).* But, I know in Splunk we have to give it a field name. I can't figure out the correct syntax to add the field name so it would work. An example of one I've tried without success: rex field="alert.message" "\?(?<Name><=On Prem - ).*" If possible, could someone help me out with this one? Thanks for any help, Tom
So I want to build a dashboard with the _introspection index; some of the metrics I am looking for are THP (enabled/disabled), ulimits, CPU, memory, disk usage, swap usage, clock sync (realtime & hardware) etc. I couldn't find any solid documentation for the _introspection index as to under which source/component these variables will be stored, or what data is available in the index. Can someone please point me to a documented list of all the data points in the index, if any docs exist? Also, is there any specific component/source where I can find the KPIs I mentioned above?
Hi @Sailesh6891 , it's a best practice to create a custom add-on containing all the parsing rules for your data, also because I suppose that there are other parsing rules that you need to add. But anyway you can also put these two lines in another props.conf. Ciao. Giuseppe
No, I have not used the LINE_BREAKING option. Do I need to create a props.conf under $SPLUNK_HOME/etc/apps/local/ and mention these 2 lines, i.e. [sourcetype] and LINE_BREAKING = :::::::::::::::::::?
Hi @Sailesh6891 , did you try to use the LINE_BREAKING option in props.conf? [your-sourcetype] LINE_BREAKING = ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Ciao. Giuseppe
Hi, I have a log file on the server which I ingested in Splunk through an input app where I defined the index, sourcetype and monitor statement in inputs.conf. The log file on the server looks like below:

xyz asdfoasdf asfanfafd
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
sdfsdfja agf[oija[gfojerg fgoaierr apodsifa[soigaiga[oiga[dogj
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
sadfnasd;fiasfdoiasndf'i dfdf fd garehaehseht shse thse tjst
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
asdf;nafdsknasdf asdfknasdfln asdf;nasdkfnasf asogja'fja foj'apogj aogj agf

When I try searching the log file in Splunk, the logs are visible; however, events are not breaking as I expect them to. I want events to be separated as below:

Event 1:
xyz asdfoasdf asfanfafd
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Event 2:
sdfsdfja agf[oija[gfojerg fgoaierr apodsifa[soigaiga[oiga[dogj
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Event 3:
sadfnasd;fiasfdoiasndf'i dfdf fd garehaehseht shse thse tjst
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Event 4:
asdf;nafdsknasdf asdfknasdfln asdf;nasdkfnasf asogja'fja foj'apogj aogj agf
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
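As an added example (not part of the posts above), the Python below reproduces what Splunk does with a LINE_BREAKER regex on the sample file. Two points matter when turning the suggestion in this thread into a working stanza: the props.conf setting is LINE_BREAKER (there is no LINE_BREAKING setting), and it takes a regex whose first capturing group marks the break and is discarded, so keeping the colons outside the group leaves them at the end of each event as wanted; and line breaking happens on the parsing tier (indexer or heavy forwarder), so the stanza must live there rather than only on a universal forwarder. The stanza and sourcetype name are assumptions; the log text is the one from the question.

```python
import re
from typing import List

# props.conf stanza this example reproduces (sourcetype name is assumed).
# LINE_BREAKER's first capturing group is where Splunk cuts the stream; the
# group's text is dropped and everything before it stays with the previous
# event, so the colon line ends each event. SHOULD_LINEMERGE = false stops the
# lines from being merged back together; DATETIME_CONFIG = CURRENT is for a
# file that carries no timestamps. Put this on the indexer/heavy forwarder.
PROPS_CONF = r"""
[my_sourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = :{20,}([\r\n]+)
DATETIME_CONFIG = CURRENT
"""

LINE_BREAKER = re.compile(r":{20,}([\r\n]+)")

# Constructed sample log with the same layout as the file in the question.
SEP = ":" * 79
SAMPLE_LOG = "\n".join([
    "xyz asdfoasdf asfanfafd", SEP,
    "sdfsdfja agf[oija[gfojerg fgoaierr apodsifa[soigaiga[oiga[dogj", SEP,
    "sadfnasd;fiasfdoiasndf'i dfdf fd garehaehseht shse thse tjst", SEP,
    "asdf;nafdsknasdf asdfknasdfln asdf;nasdkfnasf asogja'fja foj'apogj aogj agf", SEP,
]) + "\n"


def break_events(raw: str, breaker=LINE_BREAKER) -> List[str]:
    """Apply Splunk's LINE_BREAKER rule: the previous event ends at the start
    of capture group 1, the next event starts at its end, and the captured
    text is discarded. A trailing whitespace-only remainder is ignored.
    """
    events, start = [], 0
    for m in breaker.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    tail = raw[start:]
    if tail.strip():
        events.append(tail)
    return events


if __name__ == "__main__":
    for i, ev in enumerate(break_events(SAMPLE_LOG), 1):
        print(f"Event {i}:\n{ev}\n")
```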
Hi @anooshac, you have to coalesce the key fields and then correlate them using stats: if the fields to correlate are field1 and field2, and the fields to display are field3 and field4 from type1 and field5 from type2:

index=your_index sourcetype=your_sourcetype type IN (type1, type2) | eval key=coalesce(field1,field2) | stats values(field3) AS field3 values(field4) AS field4 values(field5) AS field5 BY key

Ciao. Giuseppe
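As an added example that is not from the original answer, the Python below models that pipeline over constructed events, using the same field names as the thread. It makes visible why coalesce on its own never shows "combined" fields: eval computes key inside each event separately, and only the stats ... BY key step folds the events sharing a key into one row. Events whose key is null are dropped, as Splunk's stats BY does, and events outside type IN (type1, type2) are filtered first. Field names, types and values are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed sample events: two event "types" in one sourcetype. The shared
# key is called field1 in type1 events and field2 in type2 events, as in the
# thread; field3/field4 come from type1 and field5 from type2.
SAMPLE_EVENTS = [
    {"type": "type1", "field1": "sess-100", "field3": "alice", "field4": "10.0.0.5"},
    {"type": "type2", "field2": "sess-100", "field5": "login_ok"},
    {"type": "type1", "field1": "sess-200", "field3": "bob", "field4": "10.0.0.9"},
    {"type": "type2", "field2": "sess-300", "field5": "login_failed"},  # no type1 partner
    {"type": "type3", "field1": "sess-100", "field3": "mallory"},       # dropped by type IN (...)
    {"type": "type1", "field3": "no-key"},                               # null key: dropped by BY key
]

DISPLAY_FIELDS = ("field3", "field4", "field5")


def coalesce(event: Dict[str, str], *names: str) -> Optional[str]:
    """eval key=coalesce(field1,field2): the first named field that is not null.
    Splunk treats an empty string as a value, so only missing/None is null."""
    for n in names:
        if event.get(n) is not None:
            return event[n]
    return None


def correlate(events: List[Dict[str, str]],
              types=("type1", "type2")) -> Dict[str, Dict[str, Set[str]]]:
    """Equivalent of
        type IN (type1, type2)
        | eval key=coalesce(field1,field2)
        | stats values(field3) AS field3 values(field4) AS field4
                values(field5) AS field5 BY key
    values() yields the distinct values per key, modelled here as a set.
    """
    out: Dict[str, Dict[str, Set[str]]] = defaultdict(
        lambda: {f: set() for f in DISPLAY_FIELDS})
    for ev in events:
        if ev.get("type") not in types:
            continue                      # the base-search filter
        key = coalesce(ev, "field1", "field2")
        if key is None:
            continue                      # stats BY drops null keys
        for f in DISPLAY_FIELDS:
            if f in ev:
                out[key][f].add(ev[f])    # the values(...) aggregation
    return dict(out)


if __name__ == "__main__":
    for key, row in sorted(correlate(SAMPLE_EVENTS).items()):
        print(key, {f: sorted(v) for f, v in row.items()})
```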
Hi all, I have 2 events present in a source type, with different data. There is one field which has the same data in both the events but the field names are different. Can anyone suggest a method other than JOIN to combine 2 events? I tried combining the fields by the coalesce command, but once I combine them I was not able to see the combined fields. I want to combine the events and do some calculations.
Output 1 and 2 are dynamic values which we get from the field "Field1". I tried with your two queries but no luck. If I remove the condition (where) I can get the results. Seems like there is an issue with the condition (output1 and output2).