Find Answers
Hello, I would like to ask about a problem with parsing a log using a regex with lookahead. I have this log:

Oct 10 04:18:31 ATLAS Threat Categories|Blocked Host|7|rt=1633832250000 src=122.226.102.59 cs3Label=Match Type dpt=23 cn2=13 proto=TCP dst=193.85.146.63 cn1=21129644 spt=39528 cs2Label=Protection Group Name cs1Label=IOC Pattern cn1Label=Element Id cn2Label=Protection Group ID cs7Label=Threat Category cs7=Malware cs6=Telnet Bruteforce cs1=122.226.102.59 cs6Label=Threat Name cs3=ip cs2=Default Protection Group

As you can see, there are a number of parameters for which two fields are always used, e.g. "cs1Label" (parameter name) and "cs1" (parameter value). My goal is to create a new field in the search-time parsing phase, whose name will be the value of the field "cs1Label" and whose value will be the value of the field "cs1". For example: IOC Pattern = 122.226.102.59

The problem is that the log does not have a fixed structure; the order of the individual fields changes. Therefore, a "normal" regex cannot be used. So I created the following regex using a lookahead that parses the appropriate values (I tested it in the regex101.com tester and it works):

^(?=.*\bcs1Label=\b((.*?)((\s\w+\=)|($))))(?=.*\bcs1=\b((.*?)((\s\w+\=)|($))))

Unfortunately, when I use it in Splunk, in transforms.conf, it doesn't work. My transforms.conf looks like this:

[combined_field_cs1]
SOURCE_KEY = _raw
REGEX = ^(?=.*\bcs1Label=\b((.*?)((\s\w+\=)|($))))(?=.*\bcs1=\b((.*?)((\s\w+\=)|($))))
FORMAT = $2::$7

props.conf:

REPORT-combined_field_cs1 = combined_field_cs1

Strictly speaking, when I simply want to look at the messages in a given index, the search freezes, it does not display any messages and I have to close it manually. I did some testing and it is obvious that the REGEX is the problem. It is not clear to me why the regex in Splunk does not work. Or did I choose the completely wrong path and need to use a completely different way to achieve my goal? Could someone more experienced help?
Any help will be highly appreciated. Best regards Lukas Mecir
I have an event that comes to the index.

| search index = indexname filed1 field2 field3

I need to write an exception that will discard the field before getting into the index output:

| search index = indexname filed1 field3
How to include specific rows from a table in a panel in another panel in the same dashboard?
Hello, is it possible to show more than one value in a Radial Gauge? Thanks
Hi - Unable to log in to the Search Head Web UI using the password set for the admin user during the installation. Could you please let me know how to reset the password for the "Admin" user? Thank you
These are the inputs from the app I created for the Windows logs:

[WinEventLog://Application]
index = replicate3
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=0

[WinEventLog://Security]
index = replicate3
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=0

[WinEventLog://System]
index = replicate3
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=0

I created a special index for it, but it is not getting any results. I have also sent over the Splunk TA for Windows logs, but still nothing is coming in. The index was created successfully and the apps show on the client. What else am I missing?
Does the lookup command allow a where clause to filter the output of the lookup? Or do I need to have an extra subsearch with | inputlookup with the where clause I need? Example of what I'd like to do:

| makeresults
| eval FullName = split("First1 Last1, First2 Last2, First3 Last3",",")
| mvexpand FullName
| lookup MyNamesFile.csv "emp_full_name" as FullName OUTPUTNEW Phone as phone
``` HERE I WANT TO FILTER ON SPECIFIC criteria from the lookup file ```
| where state="New York" and city="New York"
| mvexpand phone

In concept this is the type of filter I need. Obviously the above code doesn't work, and I'd like to know what is the best way to achieve filtering of lookup output.
Hello Splunksters, I'm new to Splunk and am constructing my first subsearch. I've read the documentation on subsearches, but am apparently missing something fundamental. I have a log file that captures and records events based on a GUID. Obviously GUIDs aren't something one goes searching for directly. The primary search is by phone number. So, I need to accept a phone number, retrieve the associated GUID and then return all the results tied to that GUID. I have the search retrieving the GUID working, and want to use that as the subsearch.

Ultimate search I wish to run:

index="myIndex" sourcetype="mySourceType" 7c10cfbc-6892-4590-a05c-c12acf16932b

Search retrieving the GUID (this works):

index="myIndex" host="myHost" sourcetype="mySourceType" <phoneNumber>
| rex field=_raw "(?<GUID>\].*$$)"
| rex field=GUID "(?<GUID>[^NAME]+)"
| eval GUID=replace(GUID, "]", "")
| rex field=GUID mode=sed "s/(^\s+)|(\s+$)//g"
| dedup GUID
| table GUID

What I thought the subsearch should look like:

index="myIndex" sourcetype="mySourceType" [search index="myIndex" host="myHost" sourcetype="mySourceType" <phoneNumber>
| rex field=_raw "(?<GUID>\].*$$)"
| rex field=GUID "(?<GUID>[^NAME]+)"
| eval GUID=replace(GUID, "]", "")
| rex field=GUID mode=sed "s/(^\s+)|(\s+$)//g"
| dedup GUID
| table GUID]

Everything in the [] returns the GUID; as I understand the doc, that should be what is searched for in the main search. What am I missing? Thank you! Brian
Hi, can the image show the status? Is it possible in Splunk? Like below: it shows that the toe is up, which means the threshold value has not been reached. If the toe is down, it means that the threshold value has been reached. Can anyone help with this? Thanks in advance.
Hi there, I'm trying to filter my search results based on numerical top values of a field. For example, I have 5k events as customer purchases. I want a list of all customers who have never paid more than 10. Or the other way around: I want to filter out all customer events of customers which have a purchase event with a value in a field higher than 10. Which command could I use? delete removes the events from the index; I only want to filter my search results. If I filter for "field<=10" I only get the events that have purchases which are smaller than 10, but the list still contains customers which have paid more than 10, and only those specific events were removed.
I want to know the active user count of an application. The following is the query I created; however, it's not giving the output. Can someone guide me please?

index=application host=Server Name sourcetype="Applicationprod-console-logs" "[AccessLogFilter]"
| rex "^\S+ \S+ \S+ \S+ \S+ (?<USER>\S+) (?<ACTION>\S+) (?<URL>\S+) (?<SIZE>\d+)kb"
| timechart span=15m dc(USER) as Application_User

I am getting the following output:

_time                  application_User
2021-11-09 00:00:00    0
2021-11-09 00:15:00    0
2021-11-09 00:30:00    0
2021-11-09 00:45:00    0

The logs, if I run the following query, show that the user ID is present in the output:

index=application host=Server Name sourcetype="Applicationprod-console-logs" "[AccessLogFilter]"

Output:

2021-11-09 08:29:12,787 INFO [http-nio-127.0.0.1-8085-exec-101 url: /deploy/viewDeploymentProjectEnvironments.action] [AccessLogFilter] USERID GET application.url.action?id=665059902 4320055kb
host = Server source = location = application-prod-console-logs
Hi Team,
1) I am searching for the APPAP100E CyberArk keyword error in Splunk. We are not getting output.
2) I am searching for the particular word LicenseVerifier but not getting output.
3) I am searching for the SSLHandshakeException error but not getting event details output in the Splunk UI.
4) Please help and guide us to resolve this.
Thanks and regards
Good day, I am having a problem with generating a custom event via a POST request that I am doing. I suspect that the elements that I am using are not entirely correct, though, and I just need some pointers on what to tweak so that I can get it to work.

POST URL: "https://appd.controller.urlXXX/controller/rest/applications/XXX/events?severity=ERROR&summary= Application Stopped_Test&eventtype=CUSTOM&customeventtype=D_Test&comment=Please_start_application"

The response indicates that the event was successfully created: "Successfully created the event id:6665520987", but when I check in AppD under the events dashboard, I see zero events. However, when I do not specify the event type and custom event, I am able to view the custom event in AppD. It seems that the "eventtype" and "customeventtype" properties are the problem. Any ideas? Regards, Dean
Hi Team, I am very new to Splunk Dashboards. Do you think we can form some SQL queries from the backend for any of the tasks below so that we can capture them via a Splunk dashboard?
1. API Service Up/Down
2. Response Time by UI API
3. Frequent Users
4. CPU Utilization
5. Mem Utilization
6. Login Statistics
7. API Error Report
Database we use: HDFS
Regards, Harish
Hi All, I have a query which returns all the events for two Hybris pods. When I use stats it shows the number of events under each pod, but when I try to check events for a particular pod it shows that 0 events are there. Attaching a snippet for better understanding. Please provide your suggestions.
I have a concern about indexer discovery. Will the forwarders learn the IP of the indexers, or will it learn the hostname/fqdn?  
I have a field 'Value' in a dashboard that is being validated by an external .js. When the validation match fails it shows the error message "Please input a valid Value". But when I ignore that message and hit the submit button, it submits that record anyway. I want the dashboard not to submit until I fill the field with correct values and no validation message comes up. I have many input fields, but I am validating only the 'Value' field. And I don't want the user to be able to submit the record while ignoring the validation message.
===================================================
<input type="text" token="value" id="tkn_value_id" searchWhenChanged="true" depends="$some_condition$">
  <label>Value</label>
</input>
========================================
require([
  'underscore',
  'splunkjs/mvc',
  'jquery',
  "splunkjs/mvc/simplexml/ready!"
], function(_, mvc, $) {
  var tkn_value = splunkjs.mvc.Components.getInstance("tkn_value_id");
  tkn_value.on("change", function(e) {
    console.log(e)
    // e.preventDefault();
    if (!isValueValid(e)) {
      alert("Enter Valid Value")
      return false;
    }
  })
  function isValueValid(userInput) {
    console.log(userInput)
    var res = userInput.match(/(^\s|\"|\s$)/g)
    if (res == null) return true;
    else return false;
  }
})
========================================================
Hello there. I was wondering... is there any way to generate _events_ in search? I mean, I know of the makeresults command of course, but it generates stats results, not events per se. Is there any way to generate events at search time, to, for example, test parsing rules? Something like (pseudocode):

| <generate_my_events>
| eval _raw="blah blah"
| eval source="syslog"
| eval sourcetype="whatever:syslog"
Hi All, I have created a Tools button (as shown in the screenshot below). I need to add the Edit, Export and ... buttons (highlighted in yellow) inside the Tools button. When the Tools button is clicked, the Edit, Export and ... should appear as a drop-down under it. Please help with jQuery/XML for achieving this. Thank you!
Hi all, I'm planning an architecture with a redundant Heavy Forwarder and double Syslog collector servers. Where do I place a load balancer? And how do these components communicate in terms of ports and firewalls? What do I need to plan? I can't find the right places to read about this in the documentation. Thank you for your help in advance. Oj.