All Posts

I tried to upload a zip file. It showed "Upload failed ERROR: Read Timeout." I am using Windows. The file size is 1910 KB. Also, I successfully uploaded some files (not zip), but they were not displaying in the data summary. Please help. Thank you.
The query looks like it would meet the requirements. The only change I would make is to add userSesnId=* to the base query. What is it about the logs you don't need that makes them match the query? Can you share them (sanitized)? What is wrong with the one specific log "Request recd"? It meets the requirements.
| rex "(?<json>\{.*\})" | spath input=json

So the above command works fine for a mixed pattern (JSON and XML) in my example, both currently and for upcoming events? Is there any other way to hide this query apart from a macro?
I mean that KV_MODE=something works only when the _whole event_ is just a blob of structured data, without any additional parts to it. So KV_MODE=json will work if your whole event consists of {"my":"data","is":"json"} but will not work if it's <144>2014-11-11 11:23 Some lousy[24]: pseudo-syslog header with {"json":"data","further":"down","the":"street"}
I suspect the HTML entities were due to some copy-pasting magic, not part of the regexes themselves. As for the regex, I don't understand what @puneetgupz means by "unexpected close tag". When unescaped, the regex works perfectly well in regex101 - https://regex101.com/r/mR5JiJ/1 (you don't need to escape the quotes in a regex, just in a string in Splunk).

EDIT: OK, escaping is needed, but in another place:

| rex field=SERVICE_RESPONSE "\"status\"\\s*:\\s*(?P<ERROR_CODE>\\d+)"
Still getting the same error
Hi @PickleRick, then what is the use of KV_MODE = json that needs to be set in props.conf (I saw it somewhere a while ago)? Please help me understand whether my data contains both JSON and XML or only JSON. Because when I use the spath command provided by @ITWhisperer it extracted the fields... is that wrong (if both JSON and XML are present in my example event)? Any idea on this?
Unfortunately, for now Splunk cannot perform a structured data extraction if the whole event is not structured data (in other words, if you have JSON or XML data that has some header, like in your example, Splunk cannot automatically extract data from it). There is an idea about it at https://ideas.splunk.com/ideas/EID-I-208 - while it's already marked as "Future Prospect", you can give your vote to show your support for it. At the moment the only thing you could do would be to cut the whole header away with SEDCMD during ingestion so that all that's left is a valid JSON structure. But that's not always what you want.
The regex used in the rex command goes through multiple layers of parsing, so it needs multiple escape characters for embedded quotation marks.

Solution 1:

| rex field=SERVICE_RESPONSE "\\\"status\\\"\s*:\s*(?P<ERROR_CODE>\d+)"

Solution 2 won't work because regular expressions don't honor URL encoding.
Hi, I am trying to instrument a service in Kubernetes that runs on Apache. I have looked for a Docker image I can use, but I could not find one. Please point me in the right direction.
Coming in years after this question was asked, because I've been trying to do the same and I finally figured it out today! The TA is currently on version 4.1.1. To get additional fields to appear in AD_Obj_User you need to do the following:

1. Edit the macro `ms_obj_admon_base_out_user` and include the fields you want in the SPL for "fields" and "table".
2. Do the same for the macro `ms_obj_user_base_migrate`, just in case.
3. The part I was missing for years up until now: you have to edit the KV Store to specify what fields are allowed to be stored. Edit the Lookup (KV Store) AD_Obj_User (collection name is AD_Obj_User_LDAP_list_kv) and add the desired fields.
4. Rebuild your lookup and you're good to go!
Hello, is there any solution available as of now to get a numeric value for Max Calls Per Minute in a time range? If so, please explain how to get it. If not, then please provide a date to implement something like this; this is pretty basic, and all metrics should have the ability to get Min, Max and Avg at the minimum. Thanks! +Hector
Hi, I am using DB Connect 3.18.1 to collect SQL audit logs from the sys.fn_get_audit_file function. When I use event_time as the indexing column, no events are collected and there are no error messages. But when I changed the indexing column to Current, I got the audit events logged to the indexer. No logs were collected when I used event_time as the indexing column. I did not see any useful or error messages in the debug logs. Appreciate any help or tips. Thanks,
I want to extract the error code from the below text but am getting "unexpected closing tag". The name of the column in the database is SERVICE_RESPONSE.

Text:
Service execution forgetGCPPauseAndResumeCall Failed. Error -> Status Code - > 404, Status Text -> Not Found, Response Body ->{"message":"HTTP 404 Not Found","code":"not found","status":404,"contextId":"c496bcae-115b-456c-a557-3d5e2daae0b8","details":[],"errors":[]}. Check Business audit for more details

Solution 1:
| rex field=SERVICE_RESPONSE "\"status\"\s*:\s*(?P<ERROR_CODE>\d+)"
// the above expression is giving "unexpected close tag"

Solution 2:
| rex field=SERVICE_RESPONSE "&lt;dqt&gt;status&lt;dqt&gt;\:(?P<ERROR_CODE>.\w+)"
Sadly it's still not working; all is colored red as the last defined one:

<format type="color">
<colorPalette type="expression">
case(match(value,"logLevel=INFO"),"#4f34eb",match(value,"logLevel=WARNING"),"#ffff00",match(value,"logLevel=ERROR"),"#53A051")
</colorPalette>
</format>
Try something like this:

<format type="color">
<colorPalette type="expression">
case(match(value,"logLevel=INFO"),"#4f34eb",match(value,"logLevel=WARNING"),"#ffff00",match(value,"logLevel=ERROR"),"#53A051")
</colorPalette>
</format>
We have 3 indexers with 2 cluster managers and 3 SHs with one Deployer; it's a multi-site cluster. Please help me configure this setting before onboarding rather than using the spath command. Please tell me in detail how to perform this.
Very helpful! Thanks! My case is with three conditions; can you help me color the different cases as such, please?

LogLevel : INFO -> Blue
LogLevel : WARNING -> Yellow
LogLevel : Error -> Red

What I came up with is below, but it's not working:

<format type="color">
<colorPalette type="expression">
if(match(value,"logLevel=INFO"),"#4f34eb",null), if(match(value,"logLevel=WARNING"),"#ffff00",null), if(match(value,"logLevel=ERROR"),"#53A051",null)
</colorPalette>
</format>
Anyone else having trouble implementing this? I have an app with the following setting in app.conf, but still when users log into the app they are forced into light mode, even if their user preference is dark mode. We are using Splunk 9.2.2.

[ui]
is_visible = 1
label = MyApp
supported_themes = light,dark