All Posts

Hi @Neekheal, if the text is literal and the same for all logs, then you can include the direct lines inside the rex. Let's say "CSVSentinfo:L00Show your passport" is a "constant" in all logs; then you keep it as part of the rex command: "(?<PC_sTime>\d{12})CSVSentinfo\:L00Show your passport.*(?P<Field2>rex cmd)". To match newline and/or tab characters, please include "\n" and "\t".
I am from Japan. Sorry for my poor English and lack of knowledge about Splunk. I received a Splunk Enterprise Trial License and would like to import Palo Alto logs and issue alerts (via email, etc.), but I am not sure how to do this (manually importing past logs succeeded). I wonder whether past logs can trigger an alert. About our environment: I set up an all-in-one virtual server in our FJ Cloud (Fujitsu Cloud); it is a single virtual server and Splunk is running there. There are no forwarders installed on other servers. I would be more than happy if you could let me know. Thank you for your support.
What should the rex command be to skip new lines, characters or numbers and special characters, and then to search and extract "(?<PC_sTime>\d{12})CSVSentinfo:L00Show your passport*"?
Hi @Neekheal, all the rex commands should be written as a single rex command. I mean, after the first rex command, please write a rex to match the extra characters, then write the 2nd rex command, then write a rex command to match the extra characters, etc.

index=khisab_ustri sourcetype=sosnmega "*BP Tank: Bat from surface = *K00C0*"
|dedup _time
|rex field=_raw "(?ms)(?<time_string>\d{12})BP Tank: Bat from Surface .*K00C0\d{21}(?<kmu_str>\d{2})*"
|rex field=_raw "(?<PC_sTime>\d{12})CSVSentinfo:L00Show your passport*"

to

index=khisab_ustri sourcetype=sosnmega "*BP Tank: Bat from surface = *K00C0*"
|dedup _time
|rex field=_raw "(?ms)(?<time_string>\d{12})BP Tank: Bat from Surface .*K00C0\d{21}(?<kmu_str>\d{2}) <<< some rex commands to match >>> "(?<PC_sTime>\d{12})CSVSentinfo:L00Show your passport*"
Hi @LearningGuy, on step 2, please uncheck "Open in new tab". Sometimes this creates the two tabs. Thanks.
Thank you for your input. Proofpoint does not provide much useful information about this product. We're planning to move away from it, so it's not worth the effort. Thank you for your input.
Hi @mmg245, troubleshooting this depends on your custom app only. The only troubleshooting that comes to my mind is to check the internal logs for any warnings or errors related to the app or report. If nothing works, and if it's OK, as a last troubleshooting step maybe try restarting Splunk. Thanks.
That's right. I never liked that solution either, and we have plans to move away from it in the near future. Thank you for your input. 
Hi, I am having some problem understanding how to fetch a multiline pattern in a single event. I have a log file in which I am searching for this pattern, which is scattered across multiple lines:

123456789102BP Tank: Bat from Surface = #07789*K00C0**************************************** 00003453534534534
****after Multiple Lines***
123456789107CSVSentinfo:L00Show your passport
****after Multiple Lines***
123456789110CSVSentinfo Data:z800
****after Multiple Lines***
123456789113CSVSentinfoToCollege:
****after Multiple Lines***
123456789117CSVSentinfoFromCollege:
****after Multiple Lines***
123456789120CSVSentinfo:G7006L
****after Multiple Lines***
123456789122CSVSentinfo:A0T0
****after Multiple Lines***
123456789124BP Tank: Bat to Surface L000passportAccepted

I have tried the query below to find all the occurrences, but no luck:

index=khisab_ustri sourcetype=sosnmega "*BP Tank: Bat from surface = *K00C0*"
|dedup _time
|rex field=_raw "(?ms)(?<time_string>\d{12})BP Tank: Bat from Surface .*K00C0\d{21}(?<kmu_str>\d{2})*"
|rex field=_raw "(?<PC_sTime>\d{12})CSVSentinfo:L00Show your passport*"
|rex field=_raw "(?<CP_sTime>\d{12})CSVSentinfo Data:z800*"
|rex field=_raw "(?<MTB_sTime>\d{12})CSVSentinfoToCollege:*"
|rex field=_raw "(?<MFB_sTime>\d{12})CSVSentinfoFromCollege:*"
|rex field=_raw "(?<PR_sTime>\d{12})CSVSentinfo:G7006L*"
|rex field=_raw "(?<JR_sTime>\d{12})CSVSentinfo:A0T0*"
|rex field=_raw "(?<MR_sTime>\d{12})BP Tank: Bat to Surface =.+L000passportAccepted*"
|table (PC_sTime- time_string),(CP_sTime- PC_sTime),(MTB_sTime-CP_sTime),(MFB_sTime-MTB_sTime),(PR_sTime- MFB_sTime),(JR_sTime-PR_sTime),(MR_sTime-JR_sTime)

Sample Data:

123456789102BP Tank: Bat from Surface = #07789*K00C0**************************************** 00003453534534534
123456789103UniverseToMachine\0a<Ladbrdige>\0a <SurfaceTake>GOP</Ocnce>\0a <Final_Worl-ToDO>Firewallset</KuluopToset>\0a</
123456789105SetSurFacetoMost>7</DecideTomove>\0a
<TakeaKooch>                                </SurfaceBggien>\0a <Closethe Work>0</Csloethe Work>\0a
123456789107CSVSentinfo:L00Show your passport
123456789108BP Tank: Bat from Surface = close ticket
123456789109CSVSentinfo:Guide iunit
123456789110CSVSentinfo Data:z800
123456789111CSVGErt Infro"8900
123456789112CSGFajsh:984
123456789113CSVSentinfoToCollege:
123456789114CSVSentinfo Data:z800
123456789115CSVSentinfo Data:z800
123456789116Sem startedfrom Surface\0a<Surafce have a data>\0a <Surfacecame with Data>Ladbrdige</Ocnce>\0a <Ladbrdige>Ocnce</Final_Worl>\0a <KuluopToset>15284</DecideTomove>\0a <SurafceCall>\0a <wait>\0a <wating>EventSent</SurafceCall>\0a </wait>\0a </sa>\0a</Surafce have a data>\0a\0a
123456789117CSVSentinfoFromCollege:
123456789118CSVSentinfo:sadjhjhisd
123456789119CSVSentinfo:Loshy890
123456789120CSVSentinfo:G7006L
123456789121CSVSentinfo:8shhgbve
123456789122CSVSentinfo:A0T0
123456789123CSVSentinfo Data:accepted
123456789124BP Tank: Bat to Surface L000passportAccepted
Dashboard Studio working with Reports and Time Range @sainag_splunk I am currently using the new Dashboard Studio interface; the dashboards make calls to saved reports in Splunk. Is there a way to have the time range work for the dashboard, but also allow it to work with the reports? The issue we face is that we are able to set the reports in the Studio dashboard, but by default they are stuck as static reports. How can we add a time range input that will work with the dashboard and the reports? The users who are viewing this dashboard are third parties, people that we do not want to give access to the index (for example, users outside of the org), hence the reason the dashboard uses saved reports, where it is viewable. But, like I mentioned, we faced the issue of changing the time range picker, since the saved reports are showing as static, whereas we wish to make them change as we specify a time range with the input. We are trying not to give third-party users access to Splunk indexes. I also tried looking into embedded reports but found "Embedded reports also cannot support real-time searches."
Please share the source code of your dashboard in a code block (</>).
Yes, really, but not 25k. My list is longer than 1000 entries and works just fine in classic dashboards. Users don't have to scroll through the whole list; they can start typing in the dropdown input to filter the list.
I had an error in the email logs and I have fixed it, and now I'm receiving emails correctly in my local mail server, but still, when the alert is triggered it's not shown in the triggered alerts.
From the security standpoint, token authentication doesn't differ from user/password authentication. It's still authentication with a static secret. You can't use SAML for REST API authentication. You might want to think about integrating an external credentials provider like Conjur and rotating the tokens often.
I don't think that's the issue here. The same payload sent to the /raw endpoint would end up looking the same. It's the source formatting the data differently than before.
That's one of the options. But "*/..." makes no sense. It's enough to just use ...
The raw endpoint is not an option because it is not supported by the logging-operator.
Thanks @PickleRick for the suggestion. Shall I use the config below? [source::.../starflow-app-logs*/...]
"*" matches anything but the path separator 0 or more times. The path separator is '/' on Unix, or '\' on Windows. It is intended to match a partial or complete directory or filename. So for your props.conf stanza you should rather use "...", which recurses through directories until the match is met or, equivalently, matches any number of characters.
Nope, I only included it for clarity while writing this post; it’s not part of my actual configuration. Note: I have removed that part from my post as well.