All Posts

The transpose command has an int argument which defaults to 5 - this is why I have used zero (0) in my suggested solution. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transpose  
Just use key::value as your search term, like index=something somekey::somevalue. You can also check whether fields are indexed with (an example looking for Protocol):
| walklex index=your_index type=all | search term="Protocol::*" | table term
(You need to give it a quite big time range.)
There is no obvious answer. It might indeed require calling support.
When you change the "Wrap results" option, it switches between this CSS
.results-table .wrapped-results td, .results-table .wrapped-results th { white-space: pre-wrap; }
and the "nowrap" value. Instead of "nowrap" it probably should use the "preserve-spaces" one to be consistent (or collapse in both cases). The mystery of collapsing spaces in the source view which I showed is still present, however.
Yep, it makes sense now; it worked, thanks!
It shouldn't matter. Here is a run-anywhere example with multiple events with a different number of URLs in each:
| makeresults | eval _raw="here are some url and http://firsturl.com and some text again url http://www.secondurl.com and again some text URL http://www.third.com/"
| append [| makeresults | eval _raw="here are some url and http://fourth.com and some text again url"]
| append [| makeresults | eval _raw="here are some url and http://fifth.com and some text again url and some text again url http://www.sixth.com and again some text http://www.seventh.com and some http://www.moreandmore.com"]
| rex max_match=0 "\b(?<domain2>(?:https?://|www\.)(?:[0-9a-z-]+\.)+[a-z]{2,63})/?"
It's a good idea, but in my case I don't know what domains will be in the _raw, so I can't predict the list. Some events have one domain and it is captured, but the next event has 5, the next will have 12, and each event has different domains in the raw.
Try adding the max_match parameter. Here is a run-anywhere example. Please note that the resulting field from max_match will be a multivalued field, in case you want further operations on the field.
| makeresults | eval _raw="here are some url and http://firsturl.com and some text again url http://www.secondurl.com and again some text URL http://www.third.com/"
| rex max_match=0 "\b(?<domain2>(?:https?://|www\.)(?:[0-9a-z-]+\.)+[a-z]{2,63})/?"
Check the folder on the syslog server where you configured the SYSLOG application to place them. If the files are not there, then there is no forwarding to the Indexers.
1) Check for files present
2) Check the SYSLOG config that receiving from the WAF will write to the proper file location
3) Check netstat or a wire capture for incoming connections from the WAF source
4) Check the network communications path from the WAF to SYSLOG
I have an SPL query that I'm trying to use to collect all domains from raw logs, but my regex is capturing only one domain in a single event. Some events have one URL, some of them have 20 and more. How do I capture all domains? Please advise.
SPL:
.............. | rex field=_raw "(?<domain>\w+\.\w+)\/"
| rex field=MessageURLs "\b(?<domain2>(?:https?://|www\.)(?:[0-9a-z-]+\.)+[a-z]{2,63})/?"
| fillnull value=n/a
| stats count by domain domain2 MessageURLs _raw
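As an added run-anywhere example (not taken from any of the posts above), this carries the max_match=0 approach from the replies one step further: the multivalue field is deduplicated per event, expanded so each domain becomes its own row, normalised by stripping the scheme and a leading www., and then counted across events. The sample events are constructed, and the regex uses https?:// so that https links are matched as well as http ones.

```spl
| makeresults
| eval _raw="here are some url and http://firsturl.com and some text again url http://www.secondurl.com and again some text URL http://www.third.com/"
| append [| makeresults | eval _raw="here are some url and http://fourth.com and some text again url"]
| append [| makeresults | eval _raw="constructed event with https://firsturl.com/login and www.fifth.com and http://firsturl.com again"]
``` capture every URL in the event, not just the first (max_match=0) ```
| rex max_match=0 "\b(?<matched>(?:https?://|www\.)(?:[0-9a-z-]+\.)+[a-z]{2,63})/?"
``` drop exact duplicates within one event, then one row per matched URL ```
| eval matched=mvdedup(matched)
| mvexpand matched
``` normalise: strip scheme and leading www. so http://x.com and https://www.x.com count as one domain ```
| eval domain=replace(matched, "^(?:https?://)?(?:www\.)?", "")
``` dc(_raw) counts events, so a domain seen twice in one event counts once ```
| stats dc(_raw) AS events values(matched) AS seen_as BY domain
| sort - events
```

With the constructed events, firsturl.com shows events=2 (it appears in the first and third event) and every other domain shows events=1.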
Yes, done.... I want to check the connection from syslog to the UF. Please help me in this case?
Hi @Athira, my search correlates the results from both searches using ORDERS and displays ORDERS and UNIQUEID. What's missing? Please share an example of data and results. Ciao. Giuseppe
@johnhuang Changing the wrap results to Yes fixed the problem. Thank you so much for your help.
Thank you, the below seems to work; however, for some reason the search only shows sys1 through sys5. It does not matter how many rows I put in the data, it won't show more than 5.
| makeresults format=csv data="field1,field2,field3,field4,field5,field6,field7,field8,field9
sys1,10,a,10,c,20,a,10,20
sys2,20,b,10,c,20,a,10,20
sys3,10,c,10,c,20,a,10,20
sys4,30,d,10,c,20,a,10,20
sys5,40,a,10,c,20,a,10,20
sys6,20,c,10,c,20,a,10,20
sys7,50,d,10,c,20,a,10,20
sys8,10,e,10,c,20,a,10,20"
| table field1 field2 field3 field4 field5 field6 field7 field8 field9
| transpose header_field=field1
| foreach * [eval _row_values = mvappend(_row_values, <<FIELD>>)]
| where mvcount(mvdedup(_row_values)) != 1
124,878 events is not a lot for Splunk to process.  It should not take 3 minutes to search them.  What other activity is happening on the system? I understand one index is being searched, but how many indexers are conducting that search?  More is better.  Do the indexers meet the minimum hardware specifications?  Are the disks fast enough? Have you tried the query without the join command?
The above query produces results for all the ORDERS & UNIQUEID. My subquery fetches ORDERS & UNIQUEID; I am trying to match the ORDERS in the subquery with the outer query, and the result display should be ORDERS & UNIQUEID. The common field in the two queries I am using is ORDERS.
Hi @splunklearner, did you enable receiving on the Indexer [Settings > Forwarding and Receiving > Receiving]? Check the connectivity using telnet from the UF:
telnet ip_indexer 9997
Ciao. Giuseppe
Hi @Athira, please try this approach:
(index=source "status for : * ") OR "Message=Request for : *"
| rex field=_raw "status for : (?<ORDERS>\S+)"
| rex field=_raw "data=[A-Za-z0-9-]+\|(?P<ORDERS>[\w\.]+)"
| rex field=_raw "\"unique\"\:\"(?P<UNIQUEID>[A-Z0-9]+)\""
| stats count values(UNIQUEID) AS UNIQUEID BY ORDERS
or
index=source "status for : * "
| rex field=_raw "status for : (?<ORDERS>\S+)"
| append [ search Message="Request for : *" | rex field=_raw "data=[A-Za-z0-9-]+\|(?P<ORDERS>[\w\.]+)" | rex field=_raw "\"unique\"\:\"(?P<UNIQUEID>[A-Z0-9]+)\"" ]
| stats count values(UNIQUEID) AS UNIQUEID BY ORDERS
The second solution has the limit of 50,000 results for the subsearch. Ciao. Giuseppe
I have already given the SPL command. No data is coming. Now how do I troubleshoot this issue? How do I check connectivity? Sorry if I am asking too much... thanks for your help.