All Posts
Try adding the max_match parameter. Here is a run-anywhere example. Please note that the resulting field from max_match will be a multivalued field, in case you want further operations on the field.
| makeresults
| eval _raw="here are some url and http://firsturl.com and some text again url http://www.secondurl.com and again some text URL http://www.third.com/"
| rex max_match=0 "\b(?<domain2>(?:https?://|www\.)(?:[0-9a-z-]+\.)+[a-z]{2,63})/?"
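Added example (not part of the thread): the same extraction in Python over constructed events. first_domain behaves like a rex without max_match (first match per event only); all_domains behaves like max_match=0 and returns a list, the Python analogue of the multivalued field; count_hosts is the "stats count by domain" step with the scheme stripped so http and https forms of one host are counted together. The scheme alternative is written https?:// so that https URLs match as well. The sample events are constructed for this example.

```python
import re
from typing import Optional

# Constructed sample events for this example (not from the thread).
# Each event may carry zero, one or many URLs.
SAMPLE_EVENTS = [
    "here are some url and http://firsturl.com and some text again url "
    "http://www.secondurl.com and again some text URL http://www.third.com/",
    "user fetched https://login.example.org/auth?next=1 then www.cdn-host.net/x.js",
    "no urls in this line at all",
]

# Scheme-or-www prefix, one or more dot-terminated labels, then a 2-63 letter TLD.
# https?:// makes the trailing "s" optional so both http and https match.
URL_RE = re.compile(
    r"\b(?P<domain>(?:https?://|www\.)(?:[0-9a-z-]+\.)+[a-z]{2,63})/?",
    re.IGNORECASE,
)


def first_domain(event: str) -> Optional[str]:
    """rex without max_match: only the first match in the event is kept."""
    m = URL_RE.search(event)
    return m.group("domain") if m else None


def all_domains(event: str) -> list:
    """rex max_match=0: every match in the event, as a multivalued result."""
    return [m.group("domain") for m in URL_RE.finditer(event)]


def hostname(url: str) -> str:
    """Drop the scheme so http://x and https://x count as the same host."""
    return re.sub(r"^https?://", "", url, flags=re.IGNORECASE).lower()


def count_hosts(events) -> dict:
    """Equivalent of '| stats count by domain' over the multivalued field."""
    counts = {}
    for event in events:
        for domain in all_domains(event):
            host = hostname(domain)
            counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(first_domain(event), "->", all_domains(event))
    print(count_hosts(SAMPLE_EVENTS))
```

Running the block prints, per event, what a single-match extraction keeps next to what the multi-match extraction keeps; the third event shows that an event with no URL yields None in the first case and an empty list in the second, which is where a fillnull step would come in.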
Check the folder on the syslog server where you configured the SYSLOG application to place them. If the files are not there, then there is no forwarding to the indexers.
1) Check for files present
2) Check the SYSLOG config that receiving from the WAF will write to the proper file location
3) Check netstat or a wire capture for incoming connections from the WAF source
4) Check the network communications path from the WAF to SYSLOG
I have an SPL query that I'm trying to use to collect all domains from raw logs, but my regex is capturing only one domain in a single event. Some events have one URL, some of them have 20 or more. How do I capture all domains? Please advise.
SPL query:
.............. | rex field=_raw "(?<domain>\w+\.\w+)\/"
| rex field=MessageURLs "\b(?<domain2>(?:https?://|www\.)(?:[0-9a-z-]+\.)+[a-z]{2,63})/?"
| fillnull value=n/a
| stats count by domain domain2 MessageURLs _raw
Yes, done.... I want to check the connection from syslog to the UF... Please help me in this case.
Hi @Athira, my search correlates the results from both searches using ORDERS and displays ORDERS and UNIQUEID. What's missing? Please share an example of data and results. Ciao. Giuseppe
@johnhuang Changing the wrap results to Yes fixed the problem. Thank you so much for your help.
Thank you, the below seems to work; however, for some reason the search only shows sys1 thru sys5. It does not matter how many rows I put in the data, it won't show more than 5.
| makeresults format=csv data="field1,field2,field3,field4,field5,field6,field7,field8,field9
sys1,10,a,10,c,20,a,10,20
sys2,20,b,10,c,20,a,10,20
sys3,10,c,10,c,20,a,10,20
sys4,30,d,10,c,20,a,10,20
sys5,40,a,10,c,20,a,10,20
sys6,20,c,10,c,20,a,10,20
sys7,50,d,10,c,20,a,10,20
sys8,10,e,10,c,20,a,10,20"
| table field1 field2 field3 field4 field5 field6 field7 field8 field9
| transpose header_field=field1
| foreach * [eval _row_values = mvappend(_row_values, <<FIELD>>)]
| where mvcount(mvdedup(_row_values)) != 1
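Added example (not part of the thread): the transpose / foreach / mvdedup logic above rewritten in Python so the comparison can be checked against all eight systems. load_rows turns the same constructed CSV into one record per system, and drifting_fields reports every field whose value is not identical across systems, grouped by value so you can see which systems disagree. This is the config-drift check the search is building; the table is the one constructed in the post.

```python
import csv
import io

# Same constructed table as the post's makeresults, one row per system.
SAMPLE_CSV = """field1,field2,field3,field4,field5,field6,field7,field8,field9
sys1,10,a,10,c,20,a,10,20
sys2,20,b,10,c,20,a,10,20
sys3,10,c,10,c,20,a,10,20
sys4,30,d,10,c,20,a,10,20
sys5,40,a,10,c,20,a,10,20
sys6,20,c,10,c,20,a,10,20
sys7,50,d,10,c,20,a,10,20
sys8,10,e,10,c,20,a,10,20
"""


def load_rows(text: str, key: str = "field1") -> dict:
    """Parse the CSV into {system_name: {field: value}} (key column is the system)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    return {r[key]: {k: v for k, v in r.items() if k != key} for r in rows}


def drifting_fields(by_system: dict) -> dict:
    """Fields whose value is not identical on every system.

    Mirrors transpose (one row per field) + foreach/mvappend (collect the
    values) + mvdedup (distinct values) + where count != 1, but keeps
    which systems hold which value: {field: {value: [systems]}}.
    """
    fields = sorted({f for values in by_system.values() for f in values})
    drift = {}
    for field in fields:
        groups = {}
        for system, values in by_system.items():
            groups.setdefault(values.get(field), []).append(system)
        if len(groups) > 1:  # more than one distinct value => drift
            drift[field] = groups
    return drift


if __name__ == "__main__":
    for field, groups in drifting_fields(load_rows(SAMPLE_CSV)).items():
        print(field)
        for value, systems in groups.items():
            print(f"  {value!r}: {', '.join(systems)}")
```

For the constructed table only field2 and field3 vary; every other field is identical on all eight systems, so the report names exactly those two.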
124,878 events is not a lot for Splunk to process.  It should not take 3 minutes to search them.  What other activity is happening on the system? I understand one index is being searched, but how many indexers are conducting that search?  More is better.  Do the indexers meet the minimum hardware specifications?  Are the disks fast enough? Have you tried the query without the join command?
The above query produces results for all the ORDERS & UNIQUEID. My subquery fetches ORDERS & UNIQUEID; I am trying to match the ORDERS in the subquery with the outer query, and the result display should be ORDERS & UNIQUEID. The common field in the two queries I am using is ORDERS.
Hi @splunklearner, did you enable receiving on the Indexer [Settings > Forwarding and Receiving > Receiving]? Check the connectivity using telnet from the UF:
telnet ip_indexer 9997
Ciao. Giuseppe
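Added example (not part of the thread): a small Python check that automates the two troubleshooting steps given in this thread, the "are files being written to the syslog drop folder" check and the telnet-style TCP check against the indexer on 9997. recent_files answers the first (no recently modified file means the syslog daemon is not writing there); tcp_reachable answers the second (a completed TCP handshake, the same thing a successful telnet shows). The drop directory and indexer host in the main block are placeholders to replace with your own; selftest exercises both checks offline against a temporary directory and a local listener.

```python
import os
import socket
import time
from pathlib import Path


def recent_files(directory, max_age_seconds: float = 300) -> list:
    """Files under `directory` modified within the last `max_age_seconds`.

    An empty list means nothing has been written recently: either the syslog
    config does not point here or nothing is arriving from the sender.
    """
    now = time.time()
    return sorted(
        str(p) for p in Path(directory).rglob("*")
        if p.is_file() and now - p.stat().st_mtime <= max_age_seconds
    )


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Equivalent of `telnet ip_indexer 9997`: True only if the handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable, unreachable
        return False


def forwarding_report(drop_dir, indexer_host, indexer_port: int = 9997) -> dict:
    """Both checks in one place; keys map to steps 1 and 'telnet' of the thread."""
    files = recent_files(drop_dir)
    return {
        "recent_files": files,
        "syslog_writing": bool(files),
        "indexer_reachable": tcp_reachable(indexer_host, indexer_port),
    }


def selftest() -> dict:
    """Offline exercise of both checks: a temp dir with one fresh file (then
    aged with utime) and a local TCP listener standing in for the indexer."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        log = Path(d, "waf.log")
        log.write_text("<134>Jan  1 00:00:00 waf1 constructed syslog line\n")
        fresh = len(recent_files(d))
        old = time.time() - 3600
        os.utime(log, (old, old))        # make the file look an hour old
        stale = len(recent_files(d))
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # ephemeral port, local only
    srv.listen(1)
    port = srv.getsockname()[1]
    up = tcp_reachable("127.0.0.1", port, timeout=1.0)
    srv.close()
    down = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return {"fresh": fresh, "stale": stale, "up": up, "down": down}


if __name__ == "__main__":
    # Placeholders: substitute the syslog drop directory and indexer from your setup.
    print(forwarding_report("/var/log/remote/waf", "ip_indexer"))
```

A True for indexer_reachable only proves the TCP path; it says nothing about whether the indexer has receiving enabled for that port or whether the forwarder's outputs.conf points at it, which are the next two things to check when files are present but nothing is indexed.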
Hi @Athira, please try this approach:
(index=source "status for : * ") OR "Message=Request for : *"
| rex field=_raw "status for : (?<ORDERS>[\w\.]+)"
| rex field=_raw "data=[A-Za-z0-9-]+\|(?P<ORDERS>[\w\.]+)"
| rex field=_raw "\"unique\"\:\"(?P<UNIQUEID>[A-Z0-9]+)\""
| stats count values(UNIQUEID) AS UNIQUEID BY ORDERS
or
index=source "status for : * "
| rex field=_raw "status for : (?<ORDERS>[\w\.]+)"
| append [ search Message=Request for : *
    | rex field=_raw "data=[A-Za-z0-9-]+\|(?P<ORDERS>[\w\.]+)"
    | rex field=_raw "\"unique\"\:\"(?P<UNIQUEID>[A-Z0-9]+)\"" ]
| stats count values(UNIQUEID) AS UNIQUEID BY ORDERS
The second solution has the limit of 50,000 results for the subsearch.
Ciao. Giuseppe
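Added example (not part of the thread): the stats-style correlation from the answer above, done in Python over constructed events so the two extractions and the grouping on ORDERS can be inspected. It also demonstrates a regex pitfall that matters for this kind of join: a lazy .*? at the very end of a pattern is allowed to match nothing, so a capture written that way returns an empty string and there is no key to correlate on, whereas a bounded class such as [\w.]+ captures the order id. The log formats, order ids and unique ids below are constructed for this example and only need to satisfy the rex patterns from the thread.

```python
import re
from collections import defaultdict

# Constructed sample events (not real data) shaped to match the thread's rex
# patterns: "status for :" events carry only ORDERS, "Request for" events
# carry data=<token>|<order> and a JSON "unique" key.
STATUS_EVENTS = [
    "INFO status for : ORD1001 processed",
    "INFO status for : ORD1002 processed",
    "INFO status for : ORD1003 processed",
]
REQUEST_EVENTS = [
    'Message=Request for : data=abc-123|ORD1001 {"unique":"A1B2C3"}',
    'Message=Request for : data=def-456|ORD1002 {"unique":"D4E5F6"}',
    'Message=Request for : data=ghi-789|ORD1001 {"unique":"G7H8I9"}',
    'Message=Request for : data=jkl-000|ORD9999 {"unique":"J0K1L2"}',
]

# Pitfall: lazy .*? at the end of the pattern matches the empty string.
STATUS_LAZY_RE = re.compile(r"status for : (?P<ORDERS>.*?)")
# Bounded class: captures the order id up to the next non-word character.
STATUS_RE = re.compile(r"status for : (?P<ORDERS>[\w.]+)")
REQUEST_ORDER_RE = re.compile(r"data=[A-Za-z0-9-]+\|(?P<ORDERS>[\w.]+)")
UNIQUE_RE = re.compile(r'"unique":"(?P<UNIQUEID>[A-Z0-9]+)"')


def extract_status_order(event: str, pattern=STATUS_RE):
    """ORDERS from a status event; None when the event does not match."""
    m = pattern.search(event)
    return m.group("ORDERS") if m else None


def correlate(status_events, request_events) -> dict:
    """'| stats values(UNIQUEID) BY ORDERS' restricted to orders seen in both
    logs (the inner join the question asked for): {ORDERS: [UNIQUEID, ...]}."""
    status_orders = {o for o in map(extract_status_order, status_events) if o}
    by_order = defaultdict(set)
    for event in request_events:
        mo, mu = REQUEST_ORDER_RE.search(event), UNIQUE_RE.search(event)
        if mo and mu:
            by_order[mo.group("ORDERS")].add(mu.group("UNIQUEID"))
    return {o: sorted(ids) for o, ids in by_order.items() if o in status_orders}


if __name__ == "__main__":
    print("lazy capture:", repr(extract_status_order(STATUS_EVENTS[0], STATUS_LAZY_RE)))
    print("bounded capture:", extract_status_order(STATUS_EVENTS[0]))
    print(correlate(STATUS_EVENTS, REQUEST_EVENTS))
```

ORD9999 appears only in the request log and ORD1003 only in the status log, so neither shows up in the result; ORD1001 collects both of its unique ids, which is what values(UNIQUEID) produces in the SPL version.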
I have already given the SPL command. No data is coming. Now how do I troubleshoot this issue? How do I check connectivity? Sorry if I am asking too much... thanks for your help.
Here is the Splunk query I am trying to use. The common field in the 2 queries is ORDERS.
index=source "status for : * "
| rex field=_raw "status for : (?<ORDERS>.*?)"
| join ORDERS [search Message=Request for : *
    | rex field=_raw "data=[A-Za-z0-9-]+\|(?P<ORDERS>[\w\.]+)"
    | rex field=_raw "\"unique\"\:\"(?P<UNIQUEID>[A-Z0-9]+)\"" ]
| table ORDERS UNIQUEID
Hi Ryan, it is stored in the notifications_config table in the controller database. Yes I got my answer. Thank you!!
Hi @splunklearner, having the logs in Splunk, you can check whether the hosts are sending logs using a simple search: with a lookup (called e.g. perimeter.csv, with at least one column called host) listing all the hosts that must send logs, you could run something like this:
| tstats count WHERE index=* BY host
| append [ | inputlookup perimeter.csv | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0
Ciao. Giuseppe
Hi @Athira, could you share your two searches? In a few words: to correlate events, you need to find a common key; if you share your searches, I can guide you in this. Ciao. Giuseppe
Hi, I wanted to search and save the result as a table from two log statements. One log statement uses regex to extract "ORDERS" and another log statement uses regex to extract "ORDERS, UNIQUEID". My requirement is to combine the two log statements on "ORDERS" and pull the ORDERS and UNIQUEID into a table. I am using join to combine the two log statements on "ORDERS", but my Splunk query is not returning any results.
And one more quick question: how can we verify whether logs are coming to our syslog server from network devices? If not, how can we troubleshoot and check whether our syslog server is connected to their network device and whether the issue is from their end?
@yuanliu Hi, I have made the suggested changes, but _time is still not matching the raw event field (EVENTTS) timestamp. Please suggest what I should do.