user field is already present in data, but it is giving the wrong info, I want to extract the user field from raw logs. Field name should be "user" The field name "user" which I extracted is not showing up in Interested fields as the field name user is already auto extracted. May I know how to make my extraction work with the field name "user"

Hi Everyone,  Can some one please guide to fix an issue on the below error while installing addon using cli. Used below command to install add on. Error is parameters must be in the form '-parameter value' ./splunk install app splunk-add-on-for-unix-and-linux_701.tar /home/  

Hi, in my index I have a couple time fields that are returned via a simple search _time = 1/20/2022 1:38:55.000 PM (the Splunk-generated time) body.timestamp = 2022-01-20T21:38:45.7774493Z (the transaction time from our log) I am trying to format the time output with the convert function but can only get the first result to return. | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) AS timestamp = 2022-01-20 21:38:55 | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(body.timestamp) AS timestamp2 = none Am I missing something for the second timestamp to be returned? Thanks!

We've installed and configured the Azure add-on, and while it works, the various inputs seem to hang once or twice a day. For us, this is most noticeable with the device and user inputs (sourcetypes azure:aad:device and :user). I've set the add-on to DEBUG level logging, but there's nothing especially obvious. Environment: This add-on is running on a heavy forwarder, that exists almost exclusively to run API-based add-ons like this. It's a relatively-untaxed RHEL 8 VM. We're using version 3.2.0, the now-current version of the add-on. (We had the same problem with 3.1.1 at least. I'm not sure how far back the problem goes, but it's been an intermittent issue for at least a few months.) First: the add-on has what to me looks like a bug in the interval setting. We've set the interval to "300" -- this is labeled as the number of seconds between queries, but the logs show the queries are running closer to every 300 milliseconds. If we set it lower than 300, the time between queries seems to shorten as you would expect, but setting it higher than 300 doesn't seem to work. We've tried setting it to values like 5000, to see if we could trick the add-on to pulling every 5 seconds, but that didn't do what we hoped.) More important, though, is that the input periodically hangs. The normal behavior looks like this: 2022-01-20 16:24:39,314 DEBUG pid=3938342 tid=MainThread file=connectionpool.py:_make_request:461 | https://graph.microsoft.com:443 "GET /v1.0/devices/?$skiptoken=(token 1) HTTP/1.1" 200 None 2022-01-20 16:24:39,476 DEBUG pid=3938342 tid=MainThread file=base_modinput.py:log_debug:288 | _Splunk_ AAD devices nextLink URL (@odata.nextLink): https://graph.microsoft.com/v1.0/devices/?$skiptoken=(token 2) 2022-01-20 16:24:39,477 DEBUG pid=3938342 tid=MainThread file=base_modinput.py:log_debug:288 | _Splunk_ Getting proxy server. 2022-01-20 16:24:39,477 INFO pid=3938342 tid=MainThread file=setup_util.py:log_info:117 | Proxy is not enabled! 2022-01-20 16:24:39,479 DEBUG pid=3938342 tid=MainThread file=connectionpool.py:_new_conn:975 | Starting new HTTPS connection (1): graph.microsoft.com:443 2022-01-20 16:24:39,741 DEBUG pid=3938342 tid=MainThread file=connectionpool.py:_make_request:461 | https://graph.microsoft.com:443 "GET /v1.0/devices/?$skiptoken=(token 2) HTTP/1.1" 200 None Basically, the add-on makes a request with a given token, part of the output of that is to get a new token, then (interval) milliseconds later, it uses that token and the cycle starts again. Eventually, though, the add-on gets to the fifth line in the above (where it's starting a new connection), and... that's it. The add-on doesn't do anything until one of the Splunk admins gets the alert we set up, that says "hey there haven't been any new events of sourcetype X in index Y for a couple hours, maybe you should take a look". Sometimes, the inputs will hang just a few hours after a restart; sometimes they work just fine for weeks at a time. Logging into the heavy forwarder, and toggling the input to "Disabled" and right back to "Enabled" clears the issue. Presumably disabling the input kills off the underlying Python script, then re-enabling it launches a fresh instance. We've thought about scripting a regular restart of this add-on, but there doesn't seem to be a way in the CLI to do so, short of restarting the whole heavy forwarder. That's a really big hammer for a relatively small nail, so it's not our first choice. And given that the add-on doesn't hang on any predictable schedule, we don't think it's worth the trade-off (Plan 5 or plan 6 would probably be building a new heavy forwarder for JUST the Azure add-on, so a scheduled restart of Splunk as a whole won't impact any other add-ons. But since building a new machine incurs costs to our team, and how it's still an inelegant solution, it's probably the last-resort plan.) Aside from setting the add-on to "DEBUG," is there anything else I can do within the add-on to debug this? Anyone had problems like this before, and if you have, how did you work around them? Is the "interval" thing really a bug, and if so to whom should I report it?

Hi, In the following log entries, I wanted to extract uri in a specific format: log: a_level="INFO", a_time="null", a_type="type", a_msg="Method=GET,Uri=http://monolith-xxx.abc.com/v2/clients?skip=0top=100,MediaType=null,XRemoteIP=null" log: a_level="INFO", a_time="null", a_type="type", a_msg="Method=GET,Uri=http://monolith-xxx.abc.com/v1/clients/234,MediaType=null,XRemoteIP=null" log: a_level="INFO", a_time="null", a_type="type", a_msg="Method=GET,Uri=http://monolith-xxx.abc.com/v1/users/123,MediaType=null,XRemoteIP=null" For uri, I wanted the full extract until "?" or ",". Also remove and guids and digits from URL except for "/v1/","/v2/" http://monolith-xxx.abc.com/v2/clients http://monolith-xxx.abc.com/v1/clients/ http://monolith-xxx.abc.com/v1/users/ My current splunk query is as below: index=aws_abc env=prd-01 uri Method StatusCode ResponseTimeMs | rex field=log "ResponseTimeMs=(?<ResponseTimeMs>\d+),StatusCode=(?<StatusCode>\d+)" | rex field=log "\"?Method\"?\=(?<Method>[^,]*)" | rex field=log "Uri=(?<uri>[^\,]+)" | rex field=uri mode=sed "s/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|\d*//g" | table uri,Method,StatusCode,ResponseTimeMs I get value in the table for all 4 but uri in table shows as below http://monolith-xxx.abc.com/v/clients?isactive=true http://monolith-xxx.abc.com/v/users/?filter=(Name%startswith%'H') Expected Output: http://monolith-xxx.abc.com/v2/clients http://monolith-xxx.abc.com/v2/users/ Please help. Thanks

Hello, We have an oracle database schema with mutiple tables. All these tables have a column called idversion, and each has a view that shows only the version that was specified into the table sesio_te. So the expected way to work with these tables is to INSERT INTO "XXXX"."SESIO_TE" (sessionvalue, usuario, version_actual) VALUES ('test version', 'splunk', 21)  and then SELECT * FROM "XXXX"."PRESU_IN_AUD_VI" WHERE ... What I want to achieve is a dashboard that shows some data in these tables on demand from the DB. Not indexed data. So if I have multiple users watching this dashboard and they are asking for different versions I need to update the version before quering the views. But if you try to do   INSERT INTO "XXXX"."SESIO_TE" (sessionvalue, usuario, version_actual) VALUES ('test version', 'splunk', 21); SELECT * FROM "XXXX"."PRESU_IN" WHERE ... ; in the same dbxquery command it fails saying java.sql.SQLSyntaxErrorException: ORA-00933: SQL command not properly ended. Any ideas how to do this? Thank you in advance.  

Hello, In which direction must firewall openings be configured for indexers and search heads to be able to communicate with the license manager and fetch license etc.? Is it only  <search_head/indexer> --> License manager (on port 8089) or both ways, so <search_head/indexer> --> <License_manager> AND  <License_manager> --> <search_head/indexer> (on port 8089). I have seen network topologies saying different things regarding this. Is one way enough or do we need both ways on port 8089? Thank you!

I have a query that returns a set of hosts that have an event string. index=anIndex sourcetype=aSourceType ("aString1" AND ( host = "aHostName*")) |  stats values(host) AS aServerList1   I have a list of servers ("Server1", "Server2", "Server3")   <-  ServerList2   What im trying to do is to find servers/hosts that are not returned from the initial query. i.e. hosts that exists in ServerList2 but are not in ServerList1 ?

Hello, I have a tab with this field : <p>GET /url1/url2?code1=11&code2=12&code3=13 HTTP/1.1</p> I would like to split this field in 3 field code1, code2 and code3. I tried with this splunk command : <p>| rex field=message.jbosseap.access_log.http_request "codeRegate=(?<codeRegate>.*)""</p> but it is not good. How can I do this ? Thank you!

L.s.,   At our company we deploy the Windows UF on all the vdi machine's. For security reason we make use of the security policy where powershell is prohibited to run. On a vdi machine with the command Get-ExecutionPolicy -List | Format-Table -AutoSize i get below: Scope ExecutionPolicy ----- --------------- MachinePolicy Undefined UserPolicy Undefined Process Undefined CurrentUser Undefined LocalMachine Restricted The last part is where the problem is.. it restricts the local system account from executing the scripts in the universal forwarder bin folder.  It gives an error for the splunk-powershell.ps1 script and then consumes a lot of cpu.   What can we do to use the scripts and use the secutiry policy? The policy is a demand in our company, so we can't dump that one.   Thanx in advance..

I have a server where logs are generated on daily basis in this format- /ABC/DEF/XYZ/xyz17012022.zip      /ABC/DEF/XYZ/xyz16012022.zip            /ABC/DEF/XYZ/xyz15012022.zip OR  /ABC/DEF/RST/rst17012022.gz      /ABC/DEF/RST/rst16012022.gz               /ABC/DEF/RST/rst15012022.gz   I am getting this error , every time when i am indexing the .gz, .tar or .zip  file - "updated less than 10000ms ago, will not read it until it stops changing ; has stopped changing , will read it now." This problem was earlier addressed in this post,  https://community.splunk.com/t5/Developing-for-Splunk-Enterprise/gz-file-not-getting-indexed-in-splu... As suggested I have used " crcSalt = <SOURCE> " but I am still facing similar errors.   inputs.conf:  [monitor:///ABC/DEF/XYZ/xyz*.zip] index= log_critical disabled = false sourcetype= Critical_XYZ ignoreOlderThan = 2d crcSalt = <SOURCE> I am getting this Event in Internal Logs while ingesting the log file    

Hi, We install Splunk_TA_nix and enabled both cpu.sh and cpu_metrics.sh to capture cpu related logs. Do we have SPL query we can use to calculate the CPU Utilization. I do not have indepth Linux background so I am not sure which fields should be use to calculate the percentage of  CPU Utilization. If you can share the formula or fields I need to use from Splunk_TA_nix , I would appreciate it. Our aim is to check the historical  CPU Utilization of our Splunk Heavy Forwarder. Thanks