Hi All, can anybody help us with the regex expression to extract the field Channel? Its values will be either APP or Web, which are highlighted in the sample logs below.
Sample Log1: \\\":\\\"8E4B3815425627\\\",\\\"channel\\\":\\\"APP\\\"}\"","call_res_body":{},
Sample Log2: 4GksYUB7HGIfhfvs_iLtSc8EFCzOzbAJBze8wjXSDnwmgdhwjjxjsghqsxvhv\\\",\\\"channel\\\":\\\"web\\\"}\"","call_res_body":{},"additional_fields":{}}
Thank you for your reply. I understand it well!
1. Use regex101.com - it's a great tool for testing regexes.
2. Remember to escape backslashes and quotes if you use the regex as a string argument to the rex command.
3. Your regex would match three-digit-long parts of the request path after the "//rest/" part (which doesn't appear in your events anyway), not the HTTP method.
4. You need something like
| rex "\\]\\s+(?<ActionTaken>\\S+)\\s/"
(If you want to test it on regex101.com, remove the extra backslashes.)
It's a bit more complicated than that. The forwarder has (oversimplifying a bit) inputs, outputs and some queueing and buffering mechanics in between. Some inputs can (depending on their configuration) block or not if they have nowhere to send to for further processing because, for example, the output isn't connected to anything and internal queues and buffers are full. Some inputs can't (there's no possibility to block, for example, UDP packets received from external sources). Typically file inputs block (it doesn't make much sense configuring them otherwise usually) if they have nowhere to send events downstream. But events already read don't have to be immediately sent to downstream receiver(s). They might be held in the forwarder buffer. If you want to check the file inputs configuration and their state, do splunk list monitor and splunk list inputstatus
Java version
openjdk 21-ea 2023-09-19
OpenJDK Runtime Environment (build 21-ea+23-1988)
OpenJDK 64-Bit Server VM (build 21-ea+23-1988, mixed mode, sharing)
Startup flags
java -Dappdynamics.jvm.shutdown.mark.node.as.historical=true -Dappdynamics.agent.log4j2.disabled=true -javaagent:/appdynamics/javaagent.jar
From what I understand this version of the agent should work with OpenJDK 21, but please correct me if I'm wrong. Any suggestions on what I can do to get this to start up? At startup I see the log below, which to me means the agent can't start up because of an incompatible Java version.
Class with name [com.ibm.lang.management.internal.ExtendedOperatingSystemMXBeanImpl] is not available in classpath, so will ignore export access.
java.lang.ClassNotFoundException: Unable to load class io.opentelemetry.sdk.autoconfigure.spi.ResourceProvider
    at com.singularity.ee.agent.appagent.kernel.classloader.Post19AgentClassLoader.findClass(Post19AgentClassLoader.java:88)
    at com.singularity.ee.agent.appagent.kernel.classloader.AgentClassLoader.loadClassInternal(AgentClassLoader.java:456)
    at com.singularity.ee.agent.appagent.kernel.classloader.Post17AgentClassLoader.loadClassParentLast(Post17AgentClassLoader.java:81)
    at com.singularity.ee.agent.appagent.kernel.classloader.AgentClassLoader.loadClass(AgentClassLoader.java:354)
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:526)
    at java.base/java.lang.Class.forName0(Native Method)
    at java.base/java.lang.Class.forName(Class.java:497)
    at java.base/java.lang.Class.forName(Class.java:476)
    at com.singularity.ee.agent.appagent.AgentEntryPoint.createJava9Module(AgentEntryPoint.java:800)
    at com.singularity.ee.agent.appagent.AgentEntryPoint.premain(AgentEntryPoint.java:639)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
    at java.base/java.lang.reflect.Method.invoke(Method.java:578)
    at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:491)
    at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndCallPremain(InstrumentationImpl.java:503)
[AD Agent init] Fri Aug 30 20:35:48 UTC 2024[DEBUG]: JavaAgent - Setting AgentClassLoader as Context ClassLoader
[AD Agent init] Fri Aug 30 20:35:48 UTC 2024[DEBUG]: JavaAgent - Setting AgentClassLoader as Context ClassLoader
java.lang.IllegalArgumentException: Unsupported class file major version 65
    at com.appdynamics.appagent/com.singularity.asm.org.objectweb.asm.ClassReader.<init>(ClassReader.java:199)
    at com.appdynamics.appagent/com.singularity.asm.org.objectweb.asm.ClassReader.<init>(ClassReader.java:180)
    at com.appdynamics.appagent/com.singularity.asm.org.objectweb.asm.ClassReader.<init>(ClassReader.java:166)
    at com.appdynamics.appagent/com.singularity.ee.agent.appagent.services.bciengine.asm.PreTransformer.preTransform(PreTransformer.java:49)
    at com.appdynamics.appagent/com.singularity.ee.agent.appagent.kernel.JavaAgent.preloadAgentClassesForDeadlockProneJVM(JavaAgent.java:656)
    at com.appdynamics.appagent/com.singularity.ee.agent.appagent.kernel.JavaAgent.initialize(JavaAgent.java:404)
    at com.appdynamics.appagent/com.singularity.ee.agent.appagent.kernel.JavaAgent.initialize(JavaAgent.java:347)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
    at java.base/java.lang.reflect.Method.invoke(Method.java:578)
    at com.singularity.ee.agent.appagent.AgentEntryPoint$1.run(AgentEntryPoint.java:656)
Thanks, that looks like it's doing exactly what I was looking to replicate with my join from my older SPL that had fixed values in the lookup file.
Hi, suppose a server with Splunk Forwarder on it, with lots of logs that haven't yet shipped to Splunk. Is there any way to get an output which lists the files/dirs, the current status (e.g. 50% sent to Splunk), etc.? I know I can see a list of files which are being monitored, but I'd like to get an idea of how much data the forwarder has yet to ship.
Try something like this (assuming your fields have been extracted already):
| lookup FTP-Out FileName as FTPFileName OUTPUTNEW FileName Type Direction weekday
| inputlookup FTP-Out append=t
| eventstats count(FTPFileName) as files by FileName
| where files=0 OR isnotnull(FTPFileName) AND isnotnull(FileName)
| fields - files
This is great, thank you!! 
Try something like...
| rex field=_raw ".*\/rest\/(?<ActionTaken>\w+)"
The existing rex command is searching for 3 digits following "rest", which does not match the sample text. Try this command:
| rex "\\\"(?<method>\w+) \/rest\/(?<ActionTaken>.*)"
I have a standard printed statement that shows something like this:
[29/Aug/2024:23:59:48 +0000] "GET /rest/LMNOP
[29/Aug/2024:23:59:48 +0000] "POST /rest/LMNOP
[29/Aug/2024:23:59:48 +0000] "PUT /rest/LMNOP
[29/Aug/2024:23:59:48 +0000] "DELETE /rest/LMNOP
I don't have a defined field called "ActionTaken" in the sense of whether the user was doing a PUT, POST or GET etc. Is there a simple regex that would give me something to add to a query that would define a variable called "ActionTaken"? I tried this:
rex "\//rest/s*(?<ActionTaken>\d{3})"
But it comes back with nothing.
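To try the regexes from the posts above against the posters' own sample events before putting them in a search, here is an added example (not code from any of the posts): a small Python stand-in for the rex command that also applies the two escapes an SPL string argument needs. The rex(), spl_unescape() and extract_*() names, and the channel regex, are this example's own.

```python
import re

# Added example (not from the thread): a stand-in for Splunk's rex so the regexes
# suggested above can be tried against the posters' own sample events offline.
def spl_unescape(arg):
    # Inside a double-quoted SPL argument a backslash escapes only a backslash or a
    # quote; every other backslash (e.g. \w, \/) reaches the regex engine unchanged.
    out, i = [], 0
    while i < len(arg):
        if arg[i] == "\\" and i + 1 < len(arg) and arg[i + 1] in '\\"':
            out.append(arg[i + 1])
            i += 2
        else:
            out.append(arg[i])
            i += 1
    return "".join(out)

def rex(pattern, event):
    # rex uses PCRE named groups (?<name>...); Python's re only accepts (?P<name>...).
    # Lookbehinds (?<= and (?<! start the same way and are deliberately left alone.
    pattern = re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)
    match = re.search(pattern, event)
    return match.groupdict() if match else {}  # no match: rex leaves the fields null

# Sample events as posted in the two questions above.
ACCESS_LOG = [
    '[29/Aug/2024:23:59:48 +0000] "GET /rest/LMNOP',
    '[29/Aug/2024:23:59:48 +0000] "POST /rest/LMNOP',
    '[29/Aug/2024:23:59:48 +0000] "PUT /rest/LMNOP',
    '[29/Aug/2024:23:59:48 +0000] "DELETE /rest/LMNOP',
]
CHANNEL_LOG = [
    r'\\\":\\\"8E4B3815425627\\\",\\\"channel\\\":\\\"APP\\\"}\"","call_res_body":{},',
    r'4GksYUB7HGIfhfvs_iLtSc8EFCzOzbAJBze8wjXSDnwmgdhwjjxjsghqsxvhv\\\",\\\"channel\\\":\\\"web\\\"}\"","call_res_body":{},"additional_fields":{}}',
]

# Each argument exactly as it would be typed between the quotes of | rex "...".
METHOD_REX_ARG = r'\\\"(?<method>\w+) \/rest\/(?<ActionTaken>.*)'  # suggested answer above
BROKEN_REX_ARG = r'\//rest/s*(?<ActionTaken>\d{3})'  # original attempt: "//rest/" + 3 digits never occurs
CHANNEL_REX_ARG = r'channel\W+(?<Channel>\w+)'  # \W+ skips the escaped quotes and colon

def extract_methods():
    return [rex(spl_unescape(METHOD_REX_ARG), e).get("method") for e in ACCESS_LOG]

def extract_channels():
    return [rex(spl_unescape(CHANNEL_REX_ARG), e).get("Channel") for e in CHANNEL_LOG]

def broken_attempt():
    return [rex(spl_unescape(BROKEN_REX_ARG), e) for e in ACCESS_LOG]
```

The same CHANNEL_REX_ARG can be pasted unchanged into | rex "..." in Splunk, since it contains no backslash that SPL itself would consume.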
I am trying to use a lookup of "known good" filenames that are within FTP transfer logs, to add extra data to files that are found in the logs, but also need to show when files are not found in the logs but expected. The lookup has a lookup definition defined, so that FileName can contain wildcards, and this works for matching the wildcarded filename to existing events, with other SPL.
Lookup definition with wildcard on FileName for csv: FTP-Out
FileName      Type              Direction  weekday
File1.txt     fixedfilename     Out        monday
File73*.txt   variablefilename  Out        thursday
File95*.txt   variablefilename  Out        friday
Example events:
8/30/24 9:30:14.000AM FTPFileName=File1.txt Status=Success Size=14kb
8/30/24 9:35:26.000AM FTPFileName=File73AABBCC.txt Status=Success Size=15kb
8/30/24 9:40:11.000AM FTPFileName=File73XXYYZZ.txt Status=Success Size=23kb
8/30/24 9:45:24.000AM FTPFileName=garbage.txt Status=Success Size=1kb
Current search (simplified):
| inputlookup FTP-Out
| join type=left FileName [ search index=ftp_logs sourcetype=log:ftp | rename FTPFileName as FileName ]
Results I get:
8/30/24 9:30:14.000AM  File1.txt    fixedfilename     Out  monday    Success  14kb
                       File73*.txt  variablefilename  Out  thursday
                       File95*.txt  variablefilename  Out  friday
Desired output:
8/30/24 9:30:14.000AM  File1.txt         fixedfilename     Out  monday    Success  14kb
8/30/24 9:35:26.000AM  File73AABBCC.txt  variablefilename  Out  thursday  Success  15kb
8/30/24 9:40:11.000AM  File73XXYYZZ.txt  variablefilename  Out  thursday  Success  23kb
                       File95*.txt       variablefilename  Out  friday
Essentially I want the full filename and results for anything the wildcard in the lookup matches, but also show any time the wildcard filename in the lookup doesn't match an event in the search window. I've tried various other queries with append/appendcols and transaction, and the closest I've gotten so far is still with the left join; however, that doesn't appear to join with wildcarded fields from a lookup.
It also doesn't seem that the where clause with a join off a lookup supports like(). I'm hoping that someone else might have an idea on how I can get the matched files as well as missing files in an output similar to my desired output above. This is within a Splunk Cloud deployment, not Enterprise.
This is now documented on dev.splunk.com: https://dev.splunk.com/enterprise/reference/modinputs/modinputsmanagerxml/ (sorry for the thread necromancy but I like to leave notes for others who stumble across the same questions)
THANK YOU!
I've never understood why Splunk doesn't just log the offending .csv file.
When you use indexed extractions, the events are parsed on the UF and are not touched on subsequent components (with some exceptions which we're not getting into here). So your props on indexers do not have any effect on parsing. You're interested in TIMESTAMP_FIELDS (along with TIMESTAMP_FORMAT of course) on the UF.
On a Dashboard Studio dashboard I have a dropdown input and a rectangle that can be clicked. When the rectangle is clicked, the token value of the dropdown input token should be changed to a specified value. Is that possible in Dashboard Studio?
It actually depends on your network environment and your configuration. The general answer is - you must have network connectivity between the environments and the proper traffic must be allowed on the local OS-level firewall. In this aspect SOAR and Splunk Enterprise are not different from any other network services - you must have the ability to connect to a port to be able to use it, as simple as that. So it's not that I'm trying to be rude or something, it's just that there are so many variables here that it'd be better if you engaged your local network/Linux guru to help you, because that's something that's not Splunk-specific and local help will be much more responsive than ping-ponging stuff over an internet forum.
Splunk has a multi-day class on how to get data into Splunk so I won't be able to cover the whole subject here. Every sourcetype ingested into Splunk should have a props.conf stanza that specifies the "Great Eight" settings. They are:
SHOULD_LINEMERGE
LINE_BREAKER
TIME_PREFIX
TIME_FORMAT
MAX_TIMESTAMP_LOOKAHEAD
TRUNCATE
EVENT_BREAKER_ENABLE
EVENT_BREAKER
You can read about each of these in the Admin Manual. Often, the time zone associated with an event is included in the timestamp (for example, "8/30/2024 10:52:00Z" or "8/30/2024 10:52:00-0700"). When that's the case, adding "%Z" or "%z" to the TIME_FORMAT setting is all you need. If the timestamp does not include zone information then adding the TZ setting to props.conf will help.
TZ = America/Los_Angeles
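As an added illustration (not from the post, and not Splunk's own parser), the following Python uses strptime, whose %z directive is close enough to the TIME_FORMAT one, to show how the post's sample timestamps land on different epoch seconds depending on whether zone information is present or supplied by a TZ-style default. The event_epoch() and compare_interpretations() names are this example's own; it assumes Python 3.7 or newer and falls back to a fixed PDT offset if the host has no tzdata.

```python
from datetime import datetime, timedelta, timezone

# Added example (not from the post): Python's strptime stands in for Splunk's timestamp
# parsing to show why zone information decides the epoch time an event is indexed at.
# The sample timestamps and the TZ value are the ones quoted in the post above.
try:
    from zoneinfo import ZoneInfo
    LOS_ANGELES = ZoneInfo("America/Los_Angeles")  # what TZ = America/Los_Angeles names
except Exception:
    # No tzdata on this host: assume PDT (UTC-7), which is correct for the sample date.
    LOS_ANGELES = timezone(timedelta(hours=-7), "PDT")

def event_epoch(raw, time_format, default_tz=None):
    # time_format plays the role of TIME_FORMAT, default_tz the role of the TZ setting.
    parsed = datetime.strptime(raw, time_format)
    if parsed.tzinfo is None:  # format had no %z, or the event carried no zone
        if default_tz is None:
            raise ValueError("no zone in timestamp and no TZ configured: " + raw)
        parsed = parsed.replace(tzinfo=default_tz)
    return int(parsed.timestamp())

# Sample timestamps from the post, plus the same wall-clock time with no zone at all.
FMT_WITH_ZONE = "%m/%d/%Y %H:%M:%S%z"  # %z consumes "Z" as well as "-0700"
FMT_NO_ZONE = "%m/%d/%Y %H:%M:%S"
SAMPLES = {
    "utc": ("8/30/2024 10:52:00Z", FMT_WITH_ZONE),
    "pacific": ("8/30/2024 10:52:00-0700", FMT_WITH_ZONE),
    "no_zone": ("8/30/2024 10:52:00", FMT_NO_ZONE),
}

def compare_interpretations():
    # Epoch seconds for each reading, and the skew a missing or wrong zone introduces.
    utc = event_epoch(*SAMPLES["utc"])
    pacific = event_epoch(*SAMPLES["pacific"])
    no_zone_with_tz = event_epoch(*SAMPLES["no_zone"], LOS_ANGELES)
    return {
        "utc": utc,
        "pacific": pacific,
        "no_zone_with_tz": no_zone_with_tz,
        "skew_hours": (pacific - utc) // 3600,  # same wall-clock time, 7 hours apart
    }
```

A zone-less timestamp indexed under the wrong default shifts the whole timeline by that skew, which is what the TZ setting prevents.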