All Posts

Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Here's what I ended up doing, seems to work! | rex max_match=0 field=Tags "(?<namevalue>[^:, ]+:[^,]+)" | mvexpand namevalue | rex field=namevalue "(?<name>[^:]+):(?<value>.*)" | eval {name}=value The confusion about seeing only one of the fields being extracted was a result of the mvexpand. I didn't realize that created NEW events, one for each field. Makes sense now...thank you!
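The tag-parsing pipeline above, as an added example that is not the poster's own search: it runs against a constructed Tags value produced by makeresults so it can be tried without any indexed data, and the closing stats collapses the rows that mvexpand creates back into one event, which is the behaviour the poster had not expected. The sample tag names and values are constructed.

```spl
| makeresults
| eval Tags="env:prod, owner:alice, role:web server"
| rex max_match=0 field=Tags "(?<namevalue>[^:, ]+:[^,]+)"
| mvexpand namevalue
| rex field=namevalue "(?<name>[^:]+):(?<value>.*)"
| eval {name}=value
| fields - namevalue name value
| stats values(*) as * by _time
```

After mvexpand there are three events, one per name:value pair; stats by _time folds them back into a single row carrying env, owner and role as separate fields.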
A subsearch will get executed first and if it completes successfully (which might not happen - subsearches have limitations and throwing heavy raw-data based searches into them is not a good idea) will return a set of conditions or a search string which will get substituted in the main search. So your search as it is will make no sense syntactically because the rex command doesn't take more arguments. If anything you'd need to do <something> | search [ your subsearch here ]  
| spath input=json output=device audit.result.devices{} | mvexpand device | spath input=device whatever.whatever
Unfortunately, I am not the manager of our Splunk installation (and have no access to it), so I can't provide any info about our setup, config files, etc. I'll see if I can get that info to you from one of our ops folks. - Tim    
I am trying to take the results of one search, extract a field from those results (named "id"), take all of those values (deduped), and use them to get results from another search. Unfortunately the second search doesn't have this field name directly in the sourcetype either, so it has to be extracted with rex. I've been having issues with this though. From what I've read I need to use the subsearch to extract the ids for the outer search. It's not working though. Each search is from a completely different data set that has very little in common.

index=index1 source="/somefile.log" uri="/path/with/id/some_id/" | rex field=uri "/path/with/id/(?<some_id>[^/]+)/*" [ search index=index2 source="/another.log" "condition-i-want-to-find" | rex field=_raw "some_id:(?<some_id>[^,]+),*" | dedup some_id | fields some_id ]

I've tried a bunch of variations of this with no luck, including renaming field some_id to "search" as some have said that would help. I don't necessarily need the original uri="/path/with/id/some_id" in the outer search, but that would be nice to limit those results.
When you tested in the CLI, did you use Splunk's python interpreter (splunk cmd python ... )?  If not, then there may be differences in environments that prevent the command from running.  Verify all imported modules are available via Splunk; those that are not should be added to your command's bin/lib directory. Check python.log for messages that might explain why the command isn't working.
@PickleRick - Can you please share sample syntax?
Hi, please help me in extracting multivalue fields from email body logs:

LOG:
"Computer Name","Patch List Name","Compliance Status","Patch List Name1","Compliance Status1","OS Type1"
"XXXX.emea.intra","ACN - Windows Server - PL - Up to Oct24","Compliant","[ACN - Windows Server - PL - Up to Aug24] + [ACN - Windows Server - PL - Sep24]","Compliant","Windows"
"XXXX.na.intra","ACN - Windows Server - PL - Up to Oct24","Compliant","[ACN - Windows Server - PL - Up to Aug24] + [ACN - Windows Server - PL - Sep24]","Compliant","Windows"

Fields I want to extract are these: "Computer Name","Patch List Name","Compliance Status","Patch List Name1","Compliance Status1","OS Type1"

I have applied rex to bring out all the fields. The rex is giving me a total of 3131 computer_names, but when I am using the mvexpand command to expand it into multiple rows, it is giving me only 1500 results; not sure why the rest are getting truncated. Attaching the search query and snippet for reference:

index=mail "*tanium*"
| spath body
| rex field=body max_match=0 "\"(?<Computer_name>.*)\",\"ACN"
| rex field=body max_match=0 "\"(?<Computer_name1>.*)\",\"\[n"
| rex field=Computer_name1 max_match=0 "(?<Computer_name2>.*)\",\"\[n"
| eval Computer_name=mvappend(Computer_name,Computer_name2)
| table Computer_name
| dedup Computer_name
| mvexpand Computer_name
| makemv Computer_name delim=","

index=mail "*tanium*"
| spath body
| rex field=body max_match=0 "\"(?<Computer_name>.*)\",\"ACN"
| rex field=body max_match=0 "\"(?<Computer_name1>.*)\",\"\[n"
| rex field=Computer_name1 max_match=0 "(?<Computer_name2>.*)\",\"\[n"
| eval Computer_name=mvappend(Computer_name,Computer_name2)
| rex field=body max_match=0 "\,(?<Patch_List_Name1>.*)\"\["
| rex field=Patch_List_Name1 max_match=0 "\"(?<Patch_List_Name>.*)\",\""
| rex field=Patch_List_Name1 max_match=0 "\",\"(?<Compliance_status>.*)\""
| table Computer_name Patch_List_Name Compliance_status
| dedup Computer_name Patch_List_Name Compliance_status
| eval tagged=mvzip(Computer_name,Patch_List_Name)
| eval tagged=mvzip(tagged,Compliance_status)
| mvexpand tagged
| makemv tagged delim=","
| eval Computer_name=mvindex(tagged,0)
| eval Patch_List_Name=mvindex(tagged,1)
| eval Compliance_status=mvindex(tagged,-1)
| table Computer_name Patch_List_Name Compliance_status
Hi @mwolfe , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
Try using single quotes for each parameter. This is how I fixed my error. Example: >./splunk add monitor /var/log -index 'main' -sourcetype 'linux'
Hello @Strangertinz  Have you checked this?  https://community.splunk.com/t5/Getting-Data-In/Why-is-Windows-event-log-message-data-being-truncated-and-only/td-p/231310 Do you have any other issue with your sourcetype? If this is not working, please work with Splunk support; they might ask you to generate a diag with DEBUG options to look out for the TRUNCATE message. If this helps, please UpVote.
In order to get the response in JSON you want to add ?output_mode=json at the end of your REST API call URL. Or you can add it as part of the payload.
@jbanAtSplunk Are you just seeing these errors in internal logs, or are you stuck with the upgrade (you cannot log in)? (That telemetry information should've been fixed in 9.3.) Definitely you should reach out to Splunk support to get this checked. If this helps, please Upvote.
Hi @abi2023 , it is not so clear to me whether you want to apply color to the cells in the "user" column only if they are in a specific format and shape, so if you can clarify it would be nice. You can apply that to the table section in your XML code by adding the format tag with type color. Under that, you specify the type of coloring logic, which can be dynamic, range, scale, etc. For example, for a rule that will color the cells of the user column with a light green cell color whenever there is a value:

<format type="color" field="user">
  <colorPalette type="expression">if (isnotnull(value), "#00ff3c", "#f24949")</colorPalette>
</format>

Green will be valid values, red will be empty/null value cells. Is something like that what you're looking for? Full sample:

<dashboard version="1.1" theme="dark">
  <label>My Dashboard</label>
  <row>
    <panel>
      <table>
        <search>
          <query>MySearchString</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="user">
          <colorPalette type="expression">if (isnotnull(value), "#00ff3c", "#f24949")</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
Hi, I am dealing with an issue where I am ingesting some logs that contain a few regular lines followed by XML data, but I am only seeing 1 event show up properly with the regular lines, and 2 other events get cut short after ingesting the first few lines (examples below). So each event is meant to be structured like Event1; however, they are cut, and when I check the actual log file everything is present. I tried changing limits.conf and including maxKBps = 0 but no luck.

[thruput]
maxKBps = 0

Any other ideas as to what could be causing the issue?

Event1:
2024-11-01 10:04:24,488 23 INFO Sample1 - Customer:11111 ApiKey:xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx DateTime:2024-11-01 10:04:24 RequestBody: <?xml version="1.0" encoding="utf-16"?>........<closing tag>

Event2:
2024-11-01 10:04:26,488 23 INFO Sample1 - Customer:11111 ApiKey:xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Event3:
2024-11-01 10:04:28,488 23 INFO Sample1 - Customer:11111 ApiKey:xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
FYI: the Baboon REST API is not free, but it isn't expensive. We have used it and it worked fine. As mentioned above, it is recommended to install and test it on a dev HF.
I have a Splunk table dashboard view. I need to highlight all values of the "user" field with green. All these field values are numbers and letters. How do I highlight all the values with green? When I select Color "values" I can only choose Automatic, but it gives random colors. How do I give only green?
@ITWhisperer  I couldn't paste the whole JSON so here is the sample.
There is no such thing as a "corresponding value" between different multivalued fields. In a case like yours you need to first parse out the whole array into a multivalued field of JSON strings, do mvexpand on that field, and only then parse out the single fields from those results.
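The parse, mvexpand, then parse-again sequence described here, and the spath pipeline given in the earlier reply, as one added example that is not either answerer's code: it runs over a constructed audit document embedded with makeresults, so no indexed data is needed. The audit.result.devices{} path comes from that reply; the device ids and the os field are constructed for the example.

```spl
| makeresults
| eval json="{\"audit\":{\"result\":{\"devices\":[{\"id\":\"dev-1\",\"os\":\"linux\"},{\"id\":\"dev-2\",\"os\":\"windows\"}]}}}"
| spath input=json output=device path="audit.result.devices{}"
| mvexpand device
| spath input=device path=id
| spath input=device path=os
| table id os
```

The first spath yields one multivalued field whose values are the JSON strings of the array elements; mvexpand turns them into one event per device, and only then can id and os be extracted from each element so that they stay paired per row rather than becoming two independent multivalued fields.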