All Posts


env=$env_dd$ "#HLS#" "#HLE#" "$interface_dd$" "$step_dd$" "$record_id$" "$state_dd$" "$message_1$" "$exception_id$" "$properties$"
| rex "#HLS#\s*IID:\s*(?P<IID>[^,]+),\s*STEP:\s*(?P<STEP>[^,]+),\s*PKEY:\s*(?P<PKEY>.*?),\s*STATE:\s*(?P<STATE>[^,]+),\s*MSG0:\s*(?P<MSG0>.*?),\s*PROPS:\s*(?P<PROPS>[^#]+)\s*#HLE#"
| search IID="*$interface_dd$*" STEP="*$step_dd$*" PKEY="*$record_id$*" STATE="*$state_dd$*" MSG0="*$message_1$*" PROPS="*$properties$*"
| fields IID STEP PKEY STATE MSG0 PROPS _time
| table IID STEP PKEY STATE MSG0 PROPS _time
| rename IID as "Interface ID", STEP as "Step", PKEY as "Primary Key", STATE as "State", MSG0 as "Message", EXCID as "Exception Code", PROPS as "Properties"
Not sure you understand my needs. In the example below you can see that random numbers are displayed:
| gentimes start=-10 increment=4h
| eval "Server Availability"=random()%100, "Customer Satisfaction"=random()%100, "Server Performance"=random()%100, _time=starttime
| table _time, "Server Availability", "Customer Satisfaction", "Server Performance"
Instead of random numbers, I would like to have true numbers from my index, for example from the field "Value", so I don't know how to query on it in the example I gave to you.
Hey @ITWhisperer, you are absolutely right, I have just edited the rex. I am not using max_match. This error appears once there are a lot of matching events. On the other hand, a rex with fewer steps and one property less (excluding EXCID) manages to retrieve all events and no error is thrown.
| rex "#HLS#\s*IID:\s*(?P<IID>[^,]+),\s*STEP:\s*(?P<STEP>[^,]+),\s*PKEY:\s*(?P<PKEY>.*?),\s*STATE:\s*(?P<STATE>[^,]+),\s*MSG0:\s*(?P<MSG0>.*?),\s*PROPS:\s*(?P<PROPS>[^#]+)\s*#HLE#"
Thanks! BR, Ivo
I have 1000s of rex patterns which are already available in a lookup file, but I don't want to put everything into the macro. So I thought to update the macro only if I start seeing events that match any of the rex patterns in the lookup but not in the macro. By doing this I have a minimal set of rex patterns in the macro (for now I've 232 rex patterns in the macro).
Does your lookup have 1000s of patterns, or does your macro have 1000s of patterns, or both? Where do these patterns come from? Please explain with a bit more detail and examples what your use case is.
Here is an example of a user using index to generate some events at the beginning of a search https://community.splunk.com/t5/Splunk-Enterprise/help-on-append-command-in-a-line-chart/m-p/676700#M18608  
Thanks @ITWhisperer for your valuable info. My lookup is full of rex patterns (1000s of patterns), but I don't want to dump this in a macro. That's why I thought to update the macro only if I start seeing new patterns in the result events. If you could help me with this specific use case it would be very helpful. Thanks in advance.
Could you please give me an example?
SPL 101 - each search needs a set of events to work with, inputlookup is one way of getting them, replacing this with an index search is another, so, yes, there are a number of ways to do the same thing without inputlookup!
Your data looks like JSON so perhaps you should start by extracting the value collection into a multivalue field. You can then use mvexpand to split it into separate events, and use rex to extract the fields. Note that you can't have two columns / fields with the same name as you have shown.
| spath value{} output=value
| mvexpand value
| rex field=value "(?<repos>[^:]+):\s*(?<count>\d+):\s*(?<active>\w+):\s*(?<othercount>\d+)"
| table repos count active othercount
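The spath / mvexpand / rex pipeline above, reproduced in Python as an added illustration (not code from the thread or from Splunk): the same regex is applied to a constructed event in the format the question shows, with the uneven spacing absorbed by \s* and non-matching entries skipped the way rex leaves fields unset. Function names and the sample event are assumptions for the example.

```python
import json
import re

# Constructed sample event in the format the question describes (not real data).
SAMPLE_EVENT = json.dumps({"value": [
    "new-repo-1: 2: yes: 17",
    "new-repo-2: 30:no:10",
    "new-one-3:15:yes:0",
    "old-repo: 10:yes:23",
    "my-repo: 10:no:15",
]})

# Same pattern as the rex in the answer above; \s* absorbs the inconsistent spacing.
ENTRY_RE = re.compile(
    r"^(?P<repos>[^:]+):\s*(?P<count>\d+):\s*(?P<active>\w+):\s*(?P<othercount>\d+)$"
)


def parse_repo_event(raw_event):
    """spath value{} -> mvexpand value -> rex field=value, done in Python.

    Returns one row dict per value entry, with counts converted to int.
    Entries that do not match are skipped instead of aborting the event,
    which mirrors rex leaving the fields unset for that row.
    """
    values = json.loads(raw_event).get("value", [])   # spath value{} output=value
    rows = []
    for entry in values:                              # mvexpand value
        m = ENTRY_RE.match(entry.strip())             # rex field=value "..."
        if not m:
            continue
        row = m.groupdict()
        row["repos"] = row["repos"].strip()
        row["count"] = int(row["count"])
        row["othercount"] = int(row["othercount"])
        rows.append(row)
    return rows


def render_table(rows):
    """Render rows as aligned text columns, like | table repos count active othercount.
    The last column is named othercount because two columns cannot share a name."""
    cols = ["repos", "count", "active", "othercount"]
    widths = {c: max(len(c), *(len(str(r[c])) for r in rows)) for c in cols}
    lines = [" ".join(c.ljust(widths[c]) for c in cols)]
    for r in rows:
        lines.append(" ".join(str(r[c]).ljust(widths[c]) for c in cols))
    return "\n".join(lines)
```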
If there were a way to update a macro, it would likely have a REST endpoint, but there doesn't appear to be one. Having said that, even if there were, this sounds like a risky thing to be doing anyway. Perhaps a better way would be to update a lookup or KV store with the results from your search so that the macro can use those, i.e. keep the processing (defined by the macro) separate from the data (found by the search). What you seem to be asking for smacks of self-modifying code, which, while it may sound like a cool thing to do, is generally not a safe practice.
https://docs.splunk.com/Documentation/Splunk/9.3.1/Alert/EmailNotificationTokens  
Hi, I have a case where I want to update/append the macro with the results from a lookup. I don't want to do this manually each time. So is there any way I could use a scheduled search and update the macro if the lookup has any new values?
The search can return anything between 0 and something, but that is not my question. I cannot judge the quality of the received data by its quantity. It is just important that I receive all the data I'm asking for. Again, my question is: is there a way to detect if a search is dealing with partial results? As a user you get notified when you run the search manually. This I want to detect in the search itself. I will experiment with appendpipe.
Hi @JoseQuintero, you have to ingest the logs from your access points, parse them and search for the username of your user. What technology are you using? Could you share some samples of your access point logs? Ciao. Giuseppe
Hi @iamtheclient20, let me understand: you want to find the matches between the index and the lookup, in other words the values present both in the lookup and in the events. So why doesn't my first solution match your requisite? It extracts the events from the main search that match the values in the lookup and also the reverse (values in the lookup that match the events in the search). There could be an issue if you want the NOT match condition, but the match condition is reversible. Ciao. Giuseppe
Hi, I need to do a heat map visualization. I have checked the dashboard examples add-on, and in this example a lookup is used:
| inputlookup sample-data.csv
Is it possible to do the same thing without a lookup, please? I mean by using an index and an eval command: for example, if the field "Value" is < 50 the color is green, < 30 the color is orange and < 10 the color is red in my heat map. Rgds
Hi Team, I am sending JSON data to the Splunk server and I want to create a dashboard out of it. My data is in the below format and I need help in creating the dashboard out of it.
Example:
{"value": ["new-repo-1: 2: yes: 17", "new-repo-2: 30:no:10", "new-one-3:15:yes:0", "old-repo: 10:yes:23", "my-repo: 10:no:15"]}
and many more similar entries.
My dashboard should look like:
repos count active count
new-repo 2 yes 17
new-repo-2 30 no 10
new-one-3 15 yes 0
old-repo 10 yes 23
my-repo 10 no 15
I am able to write the rex for a single field using extract pairdelim="\"{,}" kvdelim=":" but not able to do it for the complete dashboard. Can someone help? Thanks, Veeresh Shenoy
Hi gcusello, I cannot use this approach because of the limit. Thank you.