All Topics
Hi All,

I'm tweaking my inputs.conf file to exclude some events for the Windows Security log. I'm filtering EventCode 4688 by message. For compatibility reasons, I want to use the same inputs.conf file for all Windows machines. But Windows 11 has tweaked a couple of event logs, and one of those is 4688. For Windows 10 and below the following blacklist is working as expected:

    blacklist1 = EventCode="4688" Message="Token Elevation Type:(?!\s*%%1937)"

This filters everything except %%1937. But this won't work for Windows 11, because they have changed the Token Elevation Type to "TokenElevationTypeFull" for the previous "%%1937". Therefore if a Windows 10 inputs.conf file ends up on a Windows 11 machine, it blacklists all the 4688 logs. So simply, I would like to add the 2 lines together on a single line, so that if either TokenElevationType is found, it goes through. But the "|" operator doesn't seem to be working, or I'm not using the correct syntax.

    blacklist1 = EventCode="4688" Message="Token Elevation Type:(?!\s*%%1937)"
    blacklist1 = EventCode="4688" Message="Token Elevation Type:(?!\s*TokenElevationTypeFull)"

Can anyone help marry these 2 checks with an OR operator?

Thank you
I have two searches:

Search A

    index=my_idx sourcetype=my_st Name=conference Message=joined
    | stats count by _time Participant Conference DisplayName Location Protocol

Search B

    index=my_idx sourcetype=my_st Name=conference Message=disconnected
    | stats count by _time Participant Conference Duration DisplayName Location Protocol

I would like to create a table that combines the Duration field with all the fields from Search A. I would then like to include a column for the join time and the disconnect time that correlates to the value of Duration. The output would look like this:

Search C Outcome

    Participant Conference Join_Time Disconnect_Time Duration DisplayName Location Protocol

Thank you,
Jason H.
I want to get the value 200 as the status code and the response_time in a table format from the below raw data:

    Status  Response_Time
    200     0.012052
    200     0.103866

Log 1:

    \"GET /actuator HTTP/2.0\" 200 0 1851 \"-\" \"Mozilla/5.0 (WindowsNT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71Safari/537.36 Edg/97.0.1072.55\" \"10.229.62.179:56886\" \"10.55.6.79:61026\" x_forwarded_for:\"10.229.62.179\" x_forwarded_proto:\"https\" vcap_request_id:\"36c0662d-09e7-467f-774b-391ca2ad337a\" response_time:0.012052gorouter_time:0.000224

Log 2:

    HTTP/2.0\" 200 0 180 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36\" \"10.229.62.179:54696\" \"10.55.6.79:61026\" x_forwarded_for:\"10.229.62.179\" x_forwarded_proto:\"https\" vcap_request_id:\"8b37b42c-f3b2-4103-5ac2-fb12009cad3f\" response_time:0.103866 gorouter_time:0.000265
Hi, I am trying to create a new column in a table after extracting information from JSON data. The new column should have the value "True" or "False" depending on whether the "toDomain" column's value is present in a lookup table.

Query:

    index="pps_index" sourcetype="pps_messagelog" "filter.routeDirection"=outbound
    | rex field=envelope.rcpts{} ".*@(?<toDomain>.*)"
    | rex field=envelope.from ".*@(?<fromDomain>.*)"
    | rename envelope.from as Sender envelope.rcpts{} as Recipient msg.header.subject as Subject msgParts{}.detectedName as Attachment
    | table Sender Recipient Subject Attachment toDomain

The lookup file "publicDomain.csv" contains the below data as an example:

    publicDomain
    123.com
    123box.net
    123india.com
    123mail.cl
    123qwe.co.uk
    126.com
    15meg4free.com
    163.com
    163.net
    169.cc
    188.net

Current output:

    Sender | Recipient | Subject | Attachment | toDomain
    Ruotong_Yin@contractor.amat.com | ngarza@littelfuse.com | RE: AMAT PO 4513405497 11.26.2021 Littelfuse Inc. | text.txt text.html lt po# 4513405497.pdf | littelfuse.com
    Amanda_Mo@amat.com | cod.b2b.servicerequest@my344310.mail.crm.ondemand.com | RE: [ Ticket: 3018517 ] WF: WF: 25420987000020 & 25420672000020-- 0190-17499W * (1+1) =2EA--- pls create STO from 8665 & 8639 to 8602. thank you! | text.txt text.html image005.jpg image006.png image001.jpg image002.jpg image007.jpg | my344310.mail.crm.ondemand.com
    Amanda_Mo@amat.com | hfamat.list@bondex.com.cn | RE: [ Ticket: 3018517 ] WF: WF: 25420987000020 & 25420672000020-- 0190-17499W * (1+1) =2EA--- pls create STO from 8665 & 8639 to 8602. thank you! | text.txt text.html image005.jpg image006.png image001.jpg image002.jpg image007.jpg | bondex.com.cn
    tme@massgroup.com | tme@123box.net | Work Order Past Due Notification: WO# 199996 | text.txt | 123box.net

Desired output:

    Sender | Recipient | Subject | Attachment | toDomain | PDVal
    Ruotong_Yin@contractor.amat.com | ngarza@littelfuse.com | RE: AMAT PO 4513405497 11.26.2021 Littelfuse Inc. | text.txt text.html lt po# 4513405497.pdf | littelfuse.com | False
    Amanda_Mo@amat.com | cod.b2b.servicerequest@my344310.mail.crm.ondemand.com | RE: [ Ticket: 3018517 ] WF: WF: 25420987000020 & 25420672000020-- 0190-17499W * (1+1) =2EA--- pls create STO from 8665 & 8639 to 8602. thank you! | text.txt text.html image005.jpg image006.png image001.jpg image002.jpg image007.jpg | my344310.mail.crm.ondemand.com | False
    Amanda_Mo@amat.com | hfamat.list@bondex.com.cn | RE: [ Ticket: 3018517 ] WF: WF: 25420987000020 & 25420672000020-- 0190-17499W * (1+1) =2EA--- pls create STO from 8665 & 8639 to 8602. thank you! | text.txt text.html image005.jpg image006.png image001.jpg image002.jpg image007.jpg | bondex.com.cn | False
    tme@massgroup.com | tme@123box.net | Work Order Past Due Notification: WO# 199996 | text.txt | 123box.net | True

Kindly provide a solution to resolve this issue.
In the coldToFrozenExample.py script there is a --search-files-required argument switch that it looks for, and if found it will archive additional files instead of deleting them. I don't want to use this, but I would like to add my own switch to the script in order to make it more widely applicable. However, I'm not sure how to actually call the script with the arguments. Here is the line from indexes.conf that specifies the script:

    coldToFrozenScript = "$SPLUNK_HOME/bin/python" "$SPLUNK_HOME/bin/scripts/coldToFrozen.py"

When Splunk actually makes the call, it automatically inserts the bucket to archive after the script name (it has to do this, because the script looks for the bucket name as the first argument). So I don't know how I would specify a second argument. If anyone can point me in the right direction, I would very much appreciate it. Thanks so much.
Hi, I'm having trouble getting the latitudes and longitudes for a cluster map to work properly when given computer names with known coordinates. The data in the index doesn't have the lat or lon in it, unfortunately. In this example I am trying to figure out a way to eval against multiple standard naming conventions to assign their latitude and longitude. Say I have 5 locations with the corresponding naming conventions, where xxxx is a unique identifier within those 5 locations, and I know the latitude and longitude of each location. How would I go about evaluating every value in the "Computer Name" column for which location it belongs to and then applying the corresponding Lat & Lon so it can be plotted on a cluster map? See the naming conventions and their corresponding Lat and Lon below:

    Loc1xxxx: Lat 10.1010 Lon -10.10.10
    Loc2xxxx: Lat 20.2020 Lon -20.2020
    Loc3xxxx: Lat 30.3030 Lon -30.3030
    Loc4xxxx: Lat 40.4040 Lon -40.4040
    Loc5xxxx: Lat 50.5050 Lon -50.5050

For this example each location will have 5 computers for simplicity's sake: Loc10001 - Loc10005, etc. Here is what I have so far, which will resolve the lat and lon for a single location, but I am having trouble figuring out how to expand it to the other locations:

    index="index_name"
    | dedup "Computer Name"
    | rename "Computer Name" as WKS
    | eval lat=if(match(WKS, "Loc1"), "10.1010", "0")
    | eval lon=if(match(WKS, "Loc1"), "-10.1010", "0")
    | geostats latfield=lat longfield=lon count
Hello everyone, on my indexers I just configured Splunk as a service with systemd. The start command works fine, but the stop command (systemctl stop Splunkd) returns some errors:

    [root@pe-sec-idx-02 system]# systemctl status Splunkd
    ● Splunkd.service - Systemd service file for Splunk, generated by 'splunk enable boot-start'
       Loaded: loaded (/etc/systemd/system/Splunkd.service; enabled; vendor preset: disabled)
       Active: failed (Result: exit-code) since Wed 2022-01-12 15:18:32 CET; 9s ago
      Process: 1462 ExecStop=/opt/splunk/bin/splunk _internal_launch_under_systemd (code=exited, status=1/FAILURE)
      Process: 31484 ExecStop=/bin/sleep 10 (code=exited, status=0/SUCCESS)
      Process: 31225 ExecStop=/sbin/runuser -l splunk -c /opt/splunk/bin/splunk edit cluster-config -manual_detention on -auth admin:D1c3mbr3Sec (code=exited, status=0/SUCCESS)
      Process: 20750 ExecStartPost=/bin/bash -c chown -R 1001:1001 /sys/fs/cgroup/memory/system.slice/%n (code=exited, status=0/SUCCESS)
      Process: 20746 ExecStartPost=/bin/bash -c chown -R 1001:1001 /sys/fs/cgroup/cpu/system.slice/%n (code=exited, status=0/SUCCESS)
      Process: 20643 ExecStartPost=/sbin/runuser -l splunk -c /opt/splunk/bin/splunk edit cluster-config -manual_detention off -auth admin:D1c3mbr3Sec (code=exited, status=0/SUCCESS)
      Process: 19156 ExecStartPost=/bin/sleep 60 (code=exited, status=0/SUCCESS)
      Process: 19155 ExecStart=/opt/splunk/bin/splunk _internal_launch_under_systemd (code=exited, status=52)
     Main PID: 19155 (code=exited, status=52)

    Jan 12 15:12:20 pe-sec-idx-02 splunk[19155]: All installed files intact.
    Jan 12 15:12:20 pe-sec-idx-02 splunk[19155]: Done
    Jan 12 15:12:21 pe-sec-idx-02 splunk[19155]: Checking replication_port port [9887]: 2022-01-12 15:12:21.354 +0100 splunkd started (build 7651b7244cf2)
    Jan 12 15:13:17 pe-sec-idx-02 systemd[1]: Started Systemd service file for Splunk, generated by 'splunk enable boot-start'.
    Jan 12 15:18:03 pe-sec-idx-02 systemd[1]: Stopping Systemd service file for Splunk, generated by 'splunk enable boot-start'...
    Jan 12 15:18:16 pe-sec-idx-02 systemd[1]: Splunkd.service: control process exited, code=exited status=1
    Jan 12 15:18:16 pe-sec-idx-02 splunk[19155]: 2022-01-12 15:18:16.021 +0100 Interrupt signal received
    Jan 12 15:18:34 pe-sec-idx-02 systemd[1]: Stopped Systemd service file for Splunk, generated by 'splunk enable boot-start'.
    Jan 12 15:18:34 pe-sec-idx-02 systemd[1]: Unit Splunkd.service entered failed state.
    Jan 12 15:18:34 pe-sec-idx-02 systemd[1]: Splunkd.service failed.

Despite the output, the service stops successfully. As you can see, I added some instructions to the service unit file to put the indexer (which is part of a cluster) into manual detention before stopping it, and to turn manual detention off once Splunk has started. I say again that the stop/start commands work well, but in any case I get the above error messages when I stop the service. Am I doing something wrong? This is my service unit file:

    #This unit file replaces the traditional start-up script for systemd
    #configurations, and is used when enabling boot-start for Splunk on
    #systemd-based Linux distributions.

    [Unit]
    Description=Systemd service file for Splunk, generated by 'splunk enable boot-start'
    After=network.target

    [Service]
    Type=simple
    Restart=always
    ExecStart=/opt/splunk/bin/splunk _internal_launch_under_systemd
    ExecStartPost=/bin/sleep 60
    ExecStartPost=/sbin/runuser -l splunk -c '/opt/splunk/bin/splunk edit cluster-config -manual_detention off -auth admin:D1c3mbr3Sec'
    ExecStop=/sbin/runuser -l splunk -c '/opt/splunk/bin/splunk edit cluster-config -manual_detention on -auth admin:D1c3mbr3Sec'
    ExecStop=/bin/sleep 10
    ExecStop=/opt/splunk/bin/splunk _internal_launch_under_systemd
    LimitNOFILE=64000
    LimitNPROC=16000
    SuccessExitStatus=51 52
    RestartPreventExitStatus=51
    RestartForceExitStatus=52
    User=splunk
    Delegate=true
    CPUShares=1024
    CPUQuota=1400%
    MemoryLimit=30G
    PermissionsStartOnly=true
    ExecStartPost=/bin/bash -c "chown -R 1001:1001 /sys/fs/cgroup/cpu/system.slice/%n"
    ExecStartPost=/bin/bash -c "chown -R 1001:1001 /sys/fs/cgroup/memory/system.slice/%n"
    KillMode=mixed
    KillSignal=SIGINT
    TimeoutStopSec=10min

    [Install]
    WantedBy=multi-user.target
Not getting data after configuring TCP port 80 in inputs.conf. My stanza is like this:

    [tcp://80]
    connection_host = dns
    index = port
    sourcetype = syslog

Can you give me any idea on this? Thanks in advance.
Is there any way to protect/obfuscate dashboard xml/scripts source?
Hi all, I would like to ask if it is possible to include an IF condition in the search query:

    if msg="Security Agent uninstallation*" [perform the below]
    | rex field=msg ":\s+\(*(?<result>[^)]+)"
    | table _time msg result

    if msg="Security Agent uninstallation command sent*" [perform the below]
    | rex field=msg "^[^;\n]*;\s+\w+:\s+(?P<endpoint>.+)"
    | table _time msg suser endpoint
Hi, I want to extract the first word from each value. The index has a field called search_name which has these values:

    Risk - 24 Hour Risk Threshold Exceeded - Rule
    Endpoint - machine with possible malware - fffff
    Network - Possible SQL injection - Rule

I want to use a regex to extract the first word out of each value, so the output would be:

    risk
    endpoint
    network

Thanks ^_^
Who manages Splunk Captain and how?
Hello all, I want to create a lookup file with an owner, in a specific App, and with sharing = App.

I used the command:

    | outputlookup create_context=user file.csv

I'm using the endpoint:

    /servicesNS/<username>/<namespace>/search/jobs

It creates a lookup file with an owner, in the specific App, but with sharing = Private, and the file is not visible to other app users.

Does anyone have a solution to this, please?
Hello all, is it possible to modify the permissions on a file via the API? Or is there a way to do it differently from the classic method? Thanks all
Raw event:

    Info: Bounced: DCID 8413617 MID 19338947 From: <MariaDubois@example.com> To: <abcdef@buttercupgames.com> RID 0 - 5.4.7 - Delivery expired (message too old) ('000', ['timeout'])

Desired output:

    from_mail_id = MariaDubois@example.com
    to_mail_id = abcdef@buttercupgames.com

Please help me with the solution. Thanks
Hi, I am not able to change the colors of the graph. I have tried multiple options in the source code, but every time the same color is shown. I want three different colors for the 3 different results (in this case: succeeded, failed, aborted).

Query:

    </search>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">collapsed</option>
    <option name="charting.axisTitleY.visibility">collapsed</option>
    <option name="charting.axisTitleY2.visibility">collapsed</option>
    <option name="charting.axisX.abbreviation">none</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.abbreviation">none</option>
    <option name="charting.axisY.maximumNumber">500</option>
    <option name="charting.axisY.minimumNumber">0</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.abbreviation">none</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">column</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">all</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.drilldown">none</option>
    <option name="charting.fieldColors">{"succeeded": 0x425b3c, "failed": 0x5b3c53, "aborted": 0xc98b06}</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.mode">standard</option>
    <option name="charting.legend.placement">none</option>
    <option name="charting.lineWidth">2</option>
    <option name="refresh.display">progressbar</option>
    <option name="trellis.enabled">1</option>
    <option name="trellis.scales.shared">0</option>
    <option name="trellis.size">small</option>
    <option name="trellis.splitBy">projects</option>
    </chart>
Hello, it would be great if the Servers 'search box' feature within the AppD Controller (it doesn't have to be just the Servers search) offered more searching options, perhaps being able to 'wildcard' characters so certain servers would show, or even being able to use Regex to highlight a particular list. Would this be the place to recommend further enhancements to the Controller? Thanks, Tim
Greetings!!

I need help!!! I am experiencing an error while doing a search. The errors are:

    Search peer Splkidx04 has the following message: The minimum free disk space (5000MB) reached for /opt/splunk/var/run/splunk/dispatch.

    Problem replicating config (bundle) to search peer ' 10.10.x.96:8089 ', HTTP response code 500 (HTTP/1.1 500 Error writing to /opt/splunk/var/run/searchpeers/Splunksh1-1641956462.bundle.4ef204fd344a6181.tmp: No space left on device). Error writing to /opt/splunk/var/run/searchpeers/Splunksh01-1641956462.bundle.4ef204fd344a6181.tmp: No space left on device (Unknown write error) . 1/12/2022, 10:44:22 AM

    The search process with sid=scheduler__pacyn__search__RMD5837e19b530431259_at_1641973200_94478 on peer=Spkidx4 might have returned partial results due to a reading error while waiting for the peer. This can occur if the peer unexpectedly closes or resets the connection during a planned restart. Try running the search again. Learn more. 1/12/2022, 9:43:09 AM

    Search peer Splkidx4 has the following message: The minimum free disk space (5000MB) reached for /opt/splunk/var/run/splunk/dispatch. 1/12/2022, 10:59:00 AM

    5 errors has occurred while the search was executing. therefore search results might be incomplete. hide .....

Kindly help me with how I can fix the above issue. Thank you in advance!
Is there a way to add a field to an event from a different event, assuming they have a common key, using a simple search (without using a pipe)? The reason is that the resulting event will need to be tagged via an event type (which doesn't allow complex searches) so it can be included as part of a data model. For example:

    Event 1 - field A (common key): ABC, field B: Sunny
    Event 2 - field A (common key): ABC, field C: Morning

    Resulting Event 1: field A: ABC, field B: Sunny, field C: Morning

The final event will then be tagged so it can be included in the data model. I appreciate any advice/suggestion.
Hi, I need help extracting a word from a string.

String:

    Security agent installation attempted Endpoint: (Not Found)
    Security agent intstallation attempted Endpoint: hostname

Result:

    Not Found
    hostname

How can I construct a regular expression to extract what I want?