How to extract values from below log file using rex? Log: {Attribute(name=xyz, values={'1'}), Attribute(name=attempts, values={'2'}), Attribute(name=Count, values={'0'}), Attribute(name=MemberNumber, values={'31234'})}   Result in table: 1 2 0 31234

I have a request that the version of Java on the HFs need to be updated, or have Java removed. Is Java needed to the functional operation of the Heavy Forwarders?   [xxxxxxxxxxxx ~]$ java -version openjdk version "1.8.0_302" OpenJDK Runtime Environment (build 1.8.0_302-b08) OpenJDK 64-Bit Server VM (build 25.302-b08, mixed mode)   [xxxxxxxxxx ~]$ which java /usr/bin/java    

More for anyone else who runs into this issue than myself. I experienced an issue where my custom NAV menu on my app was not displaying on my dashboards. (The entire app menu bar was gone actually so it didn't even show the App logo/name). For reference the screen shot below is the portion I am referring to.   I had a nav/default.xml like the following below: <nav> <view name="your_app_3.0_here_dashboard1" default='true' /> <view name="your_app_3.0_here_dashboard2" /> </nav>   I combed through the entire app, permissions, local/default precedence, etc. After hours, I just ended up creating a new app and cloning the dashboard with a random name and the nav menu worked as expected. I did it again but with the original view name and it stopped working again - that's how I came to the solution. The issue was having a . in the view name. I didn't go as far as to identify if it was the view name itself having an issue or the nav xml not recognizing it for whatever reason. Renaming to "your_app_3_here_dashboard1" resolved the issue. TLDR: if your dashboard isn't displaying your nav menu, try getting rid of special characters in your view name.

Hello, I would like to ask about problem with parsing log using regex with lookahead. I have this log:   Oct 10 04:18:31 ATLAS Threat Categories|Blocked Host|7|rt=1633832250000 src=122.226.102.59 cs3Label=Match Type dpt=23 cn2=13 proto=TCP dst=193.85.146.63 cn1=21129644 spt=39528 cs2Label=Protection Group Name cs1Label=IOC Pattern cn1Label=Element Id cn2Label=Protection Group ID cs7Label=Threat Category cs7=Malware cs6=Telnet Bruteforce cs1=122.226.102.59 cs6Label=Threat Name cs3=ip cs2=Default Protection Group   As you can see, there are a number of parameters for which two fields are always used, eg "cs1Label" (parameter name) and "cs1" (parameter value). My goal is to create a new field in search time parsing phase, which will be the value of the field "cs1Label" and the value will be the value of the field "cs1". For example: IOC Pattern = 122.226.102.59 The problem is that the log does not have a fixed structure, the order of the individual fields changes. Therefore, "normal" regex cannot be used. So I created the following regex using a lookahead that parses the appropriate values ​​(I tested it in a regex101.com tester and it works):   ^(?=.*\bcs1Label=\b((.*?)((\s\w+\=)|($))))(?=.*\bcs1=\b((.*?)((\s\w+\=)|($))))   Unfortunately, when I use it in Splunk, in transforms.conf, it doesn't work. My transforms.conf looks like this:   [combined_field_cs1] SOURCE_KEY = _raw REGEX = ^(?=.\bcs1Label=\b((.?)((\s\w+=)|($))))(?=.\bcs1=\b((.?)((\s\w+=)|($)))) FORMAT = $2::$7   props.conf   REPORT-combined_field_cs1 = combined_field_cs1   Strictly speaking, when I simply want to look at the messages in a given index, the search freezes, it does not display any messages and I have to close it manually. I made some testing and it obvious that REGEX is the problem. It is not clear to me why the regex in Splunk does not work. Or did I choose the completely wrong path and need to use a completely different way to achieve my goal? Could yomeone more experinced help? Any help will be highly appreciated. Best regards Lukas Mecir

I have an event that comes to the index.  | search index = indexname  filed1  field2 field3    I need to write an exception that will discard the field before getting into the index output: | search index = indexname  filed1  field3 

Hello Splunksters, I'm new to Splunk and am constructing my first subsearch.  I've read the documentation on subsearches, but am apparently missing something fundamental.  I have a log file that captures and records events based on a GUID.  Obviously GUIDs aren't something one goes searching for directly.  The primary search is by phone number.  So, I need to accept a phone number, retrieve the associated GUID and then return all the results tied to that GUID.  I have the search retrieving the GUID working, and want to use that as the subsearch. Ultimate search I wish to run: index="myIndex" sourcetype="mySourceType" 7c10cfbc-6892-4590-a05c-c12acf16932b   Search retrieving GUID (this works): index="myIndex" host="myHost" sourcetype="mySourceType" <phoneNumber> | rex field=_raw "(?<GUID>\].*$$)" | rex field=GUID "(?<GUID>[^NAME]+)" | eval GUID=replace(GUID, "]", "") | rex field=GUID mode=sed "s/(^\s+)|(\s+$)//g" | dedup GUID | table GUID   What I thought the subsearch should look like: index="myIndex" sourcetype="mySourceType" [search index="myIndex" host="myHost" sourcetype="mySourceType" <phoneNumber> | rex field=_raw "(?<GUID>\].*$$)" | rex field=GUID "(?<GUID>[^NAME]+)" | eval GUID=replace(GUID, "]", "") | rex field=GUID mode=sed "s/(^\s+)|(\s+$)//g" | dedup GUID | table GUID] Everything in the [] returns the GUID, as I understand the doc, that should be what is searched for in the main search.  What am I missing? Thank you! Brian