All Posts

A second layer of sed script successfully strips the excess whitespace, but it doesn't look like I can include a double quote, even encoded, without Splunk escaping it in the value.  I was really hoping to chain several OR statements into a single lookup value, but I guess that isn't possible.
Hello, I'm trying to extract fields from an event, but am not up to par on my regex, and I can't seem to get this to work. So these work in regex101, but not within the Splunk Field Extraction for some reason.

Within the event there is the following:

"alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,"

I need to create 3 fields from this:

Host = FL-NS-VPX-INT-1
ServiceGroup = mobileapist
Server = vnetapis003

When trying for Host with:

(?<="alias":")[^|]*

It never finds it in Splunk. Can't figure out why.

Extra credit: Just kidding. The last field I need, I can't get either with:

(?<="team","name":")[^"]*

"team","name":"Monitoring_Admin"}],

Here's the full event as well.

INFO[2024-11-13T13:37:23.9114215-05:00] Message body: {"actionType":"custom","customerId":"3a1f4387-b87b-4a3a-a568-cc372a86d8e4","ownerDomain":"integration","ownerId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf","discardScriptResponse":true,"sendCallbackToStreamHub":false,"requestId":"18dcdb1b-14d6-4b10-ad62-3f73acaaef2a","action":"Close","productSource":"Opsgenie","customerDomain":"siteone","integrationName":"Opsgenie Edge Connector","integrationId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf","customerTransitioningOrConsolidated":false,"source":{"name":"","type":"system"},"type":"oec","receivedAt":1731523037863,"ownerId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf","params":{"type":"oec","alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","customerId":"3a1f4387-b87b-4a3a-a568-cc372a86d8e4","action":"Close","integrationId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf","integrationName":"Opsgenie Edge Connector","integrationType":"OEC","customerDomain":"siteone","alertDetails":{"Raw":"","Results Link":"https://hostname:8000/app/search/search?q=%7Cloadjob%20scheduler__td26605__search__RMD5e461b39d4ff19795_at_1731522600_38116%20%7C%20head%204%20%7C%20tail%201&earliest=0&latest=now","SuppressClosed":"True","TeamsDescription":"True"},"alertAlias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","receivedAt":1731523037863,"customerConsolidated":false,"customerTransitioningOrConsolidated":false,"productSource":"Opsgenie","source":{"name":"","type":"system"},"alert":{"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","id":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","type":"alert","message":"[Splunk] Load Balancer Member Status","tags":[],"tinyId":"14585","entity":"","alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","createdAt":1731522737697,"updatedAt":1731523038582000000,"username":"System","responders":[{"id":"f8c9079d-c7bb-4e58-ac83-359cb217a3b5","type":"team","name":"Monitoring_Admin"}],"teams":["f8c9079d-c7bb-4e58-ac83-359cb217a3b5"],"actions":[],"priority":"P3","oldPriority":"P3","source":"Splunk"},"entity":{"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","id":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","type":"alert","message":"[Splunk] Load Balancer Member Status","tags":[],"tinyId":"14585","entity":"","alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","createdAt":1731522737697,"updatedAt":1731523038582000000,"username":"System","responders":[{"id":"f8c9079d-c7bb-4e58-ac83-359cb217a3b5","type":"team","name":"Monitoring_Admin"}],"teams":["f8c9079d-c7bb-4e58-ac83-359cb217a3b5"],"actions":[],"priority":"P3","oldPriority":"P3","source":"Splunk"},"mappedActionDto":{"mappedAction":"postActionToOEC","extraField":""},"ownerId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf"},"integrationType":"OEC","alert":{"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","id":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","type":"alert","message":"[Splunk] Load Balancer Member Status","tags":[],"tinyId":"14585","entity":"","alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","createdAt":1731522737697,"updatedAt":1731523038582000000,"username":"System","responders":[{"id":"f8c9079d-c7bb-4e58-ac83-359cb217a3b5","type":"team","name":"Monitoring_Admin"}],"teams":["f8c9079d-c7bb-4e58-ac83-359cb217a3b5"],"actions":[],"priority":"P3","oldPriority":"P3","source":"Splunk"},"customerConsolidated":false,"customerId":"3a1f4387-b87b-4a3a-a568-cc372a86d8e4","action":"Close","mappedActionDto":{"mappedAction":"postActionToOEC","extraField":""},"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","alertAlias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","alertDetails":{"Raw":"","Results Link":"https://hostname:8000/app/search/search?q=%7Cloadjob%20scheduler__td26605__search__RMD5e461b39d4ff19795_at_1731522600_38116%20%7C%20head%204%20%7C%20tail%201&earliest=0&latest=now","SuppressClosed":"True","TeamsDescription":"True"},"entity":{"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","id":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","type":"alert","message":"[Splunk] Load Balancer Member Status","tags":[],"tinyId":"14585","entity":"","alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","createdAt":1731522737697,"updatedAt":1731523038582000000,"username":"System","responders":[{"id":"f8c9079d-c7bb-4e58-ac83-359cb217a3b5","type":"team","name":"Monitoring_Admin"}],"teams":["f8c9079d-c7bb-4e58-ac83-359cb217a3b5"],"actions":[],"priority":"P3","oldPriority":"P3","source":"Splunk"}} messageId=7546739e-2bab-414d-94b5-b0f205208932

Thank you for all the help on this one,
Thanks,
Tom
This is a request to add the steps for adding Splunk Enterprise Security to my enterprise account. Thanks.
Yes, you probably can get a Splunk Cloud stack (more than just a license), but it most likely will not be free beyond the initial (7 days) trial period.
Currently running Splunk 9.3.0, IT Essentials Work 4.18.1, and VMware Dashboards and Reports content pack 1.2.0. All dashboards in the VMware Dashboards and Reports app where there is a "Quick Search" free text option are not working. It used to provide a list, as you typed, of matching hosts/VMs depending on the dashboard. Now I can't get it to do anything. Can anyone provide what the data source is for this input? I think I am probably missing a lookup file but cannot find which one. For example, this shows the radio button that gets you to the text input. The radio button works but the text input does nothing.
Ok, I understand more where you were coming from now. Unfortunately this method won't work for my situation. I am using a dropdown that displays the actual name of the customer site we want to run this report for, and that list is 100+ names. I also need this list to be dynamic so that when new customers are onboarded, they automatically appear in the list. Now the names correspond to a "propertyId", which is what I have to send to the query to use on the data itself. (Pairing of the names and propertyIds is brought in from an external source and not Splunk event data.) The people I am designing this dashboard for will not have knowledge of what version that site has, so they won't know whether to choose a > or < option. That's why I want to set up in the background for the dashboard to choose which query to run based on the name chosen from the dropdown box. I've started looking at some examples of using "choice value=" and pairing that with <change> and <condition label=..>, but that appears to either force me to create a value= for every single customer name or only have the choice of < versions and > versions. I'm beginning to think that what I am trying to accomplish cannot be done, or at least not done in a dynamic way so that new customers are automatically added. But I will continue my online research and hopefully there will be an example out there that will spark an idea of another way to accomplish this. Even though I am not yet successful, I do appreciate your response and attempt to help me out!
Recall that subsearches run first and replace themselves with their results.  That means the search is looking only for Msg field (which may not exist in the index) values of 30 characters or fewer (longer values are missed without a wildcard). Perhaps you only need to truncate the Message for display purposes.  If so, drop the subsearch and run the eval as a separate command.
I agree.  The combination of stats max(uptime) and where Uptime=0 should show only hosts with zero up time. Is there something pertinent that is not being shared?
index=replicate category=* action=* Message=* [search index=replicate | eval Msg=substr(Message,1,30)] | stats count by action category Msg | dedup action

This is what I'm trying to do. The Message field is very large and I only need the first sentence of the Message. How can I do this? We want it in a sub-search to show the sub-search function for our users. This is a Splunk Cloud implementation.
I did an inputlookup to get my field (uploads) and used this piece of search I found on another post:

| fields uploads | rex field=uploads mode=sed "s/(\d+)/%\1/g" | eval decode=urldecode(uploads)

I think I'm very close, but my decoded string has a space between every character, looking something like this:

\ \ \ \ * \ \ b r a n c h \ \ s y s t e m \ \ t y p e 1 \ \ *
There doesn't appear (from what you have shared) to be anything that you are doing wrong
| bin span=3h _time | stats max(uptime) AS Uptime BY _time, component_hostname | where Uptime=0
Please share your full search, which is not working for you.
Thank you for the feedback, but yet again this will return uptimes regardless of length (0, 1 or more). If I use where Uptime=0 it shows me uptime lengths taking 0, but it does not necessarily mean there are no 1, 2 or any different lengths within the span. I need my result to return those component_hostnames which had no different length except 0, nothing else (no 1 or 2 or any different). This is how I would know whether a component is UP or DOWN during my span.
Thanks for the reply. I'll check this out and report back!
Does it have to be via REST API?  If not, you can use the ACS API to install and manage apps.  See https://docs.splunk.com/Documentation/SplunkCloud/9.2.2406/Config/ACSreqs
Hi, thank you for your reply.  I ran the following query: index=_internal source="*.log" "jsm-splunk-plugin", and here is the result.   Correct me if I ran a wrong query.    Thanks
Yes, you said that in the OP, but what is the logic behind that matching?  The query needs an algorithm it can use to pair servers with teams.  Otherwise, you're looking at creating a lookup table that does the matching.
It might be helpful if you shared some sample (anonymised) events from your searches, preferably in raw format in codeblocks (using the </> button above)
What is it that you are trying to chart? The values() aggregate function will give you a multivalue field of strings with unique values from your events for each time bucket. You cannot chart strings on the y-axis; they need to be numbers.