Hello,  To pull in specific events in splunk i am trying to write a regex to identify lines that matches both the conditions 1: app_protocol=http or https 2. src_ip = starts with 15. or 16. This is what i have , but doesnt seem to be working , am i doing somting wrong ?  .*app_protocol=HTTP|S\s.*(src_ip\=15\.\d+\.\d+\.\d+|16.\.\d+\.\d+\.\d+)*

Hi all, I have an alert that looks for a specific message that includes the record ID. I would like to be able to create a numeric value for that ID that could be used to create a unique ID when raising a ServiceNow ticket.  Therefore, all alerts for the same record ID would write to the same SNow ticket. The record ID is a string of 7 alphanumerics - e.g. abc4efg I would like to be able to change "abc4efg" to "1234567".  Thus the number does not change, but the letters are all the equivalent 1-26 number. The only constant is the length of the record ID which is 7 characters. I've looked at many answers, sadly none provide exactly what I am looking for. Is this something that could be achieved using SED?   Thanks in advance.

Brand new to using the Universal Forwarder, and Splunk in general.   Question: When using the forwarder/monitor, the logs on the forwarding server are still kept locally, correct? They aren't removed/modified in any way?

Hi guys. I'm completly new to Splunk. Sorry if my question seems kinda stupid I have some log-data including a GUID. Those are separated in two kinds: "error" and "times". Sometimes, an error-log has the same GUID as a times-log. I need to count those double GUIDs, for that reason I have to extract the GUIDs from their original field und compare them with each other. I managed to extract them with Regex into two new fields. But now I'm searching for an opportunity to compare every error-GUID with every times-GUID. Thanks for your help!

Running Splunk 8.1.4 and Splunk app for Windows Infrastructure 2.0.1. I tried to upgrade to 2.0.4 and after restart splunk service I get the error 404 when I try to access the App. checking splunkd.log I see the following: ERROR PropertiesMap - Cannot open: C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\default\data\ui\html\customize_features.html: The system cannot find the path specified. 09-03-2021 15:00:03.577 +0200 ERROR PropertiesMap - Cannot open: C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\default\data\ui\html\guided_setup.html: The system cannot find the path specified. 09-03-2021 15:00:03.577 +0200 ERROR PropertiesMap - Cannot open: C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\default\data\ui\html\host_information.html: The system cannot find the path specified. 09-03-2021 15:00:03.577 +0200 ERROR PropertiesMap - Cannot open: C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\default\data\ui\html\infra_home.html: The system cannot find the path specified. 09-03-2021 15:00:03.577 +0200 ERROR PropertiesMap - Cannot open: C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\default\data\ui\html\lookup_builder.html: The system cannot find the path specified. 09-03-2021 15:00:03.577 +0200 ERROR PropertiesMap - Cannot open: C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\default\data\ui\html\lookup_migrator.html: The system cannot find the path specified. 09-03-2021 15:00:03.577 +0200 ERROR PropertiesMap - Cannot open: C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\default\data\ui\html\windows_host_inventory.html: The system cannot find the path specified. 09-03-2021 15:00:03.577 +0200 ERROR PropertiesMap - Cannot open: C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\default\data\ui\html\windows_perfmon.html: The system cannot find the path specified.   Checking the file system, the folder html is not present . could someone explain me what is happening?   thanks a lot  

Hi all. Background is I have recently acquired a JSON feed via Kafka but the schema was developed with other uses in mind so it's not working particularly well for our logging requirements. For some reason the event type is being used as a key name. It annoys me greatly as there's no way to run a search for a specific event type. Its also playing havoc with extractions as the full path to the required value needs to be known, but can not be in a search as the event type can change. We can get the values if we know a specific event type (eg. Eventtype4.request.someKey), however it's very difficult to return the same value when the specific event type is unknown (eg. *.request.someKey) The second issue is all event types are present in the event but all but one has a null value. This can get very messy when there could be several hundred types of events.... I have tried stripping the first level and extracting the name of a key that has a non-null value but nothing works particularly all that well.  Any assistance will be appreciated. { Eventtype1: null Eventtype2: null Eventtype3: null Eventtype4: {    request: {               "someKey": "helloworld"               "anotherKey": "anothervalue"    }    response: {             "datachunk": "a few values here"    } } header: {               "timestamp": 123456789012               "someid": "323abcd" } }

Hello everybody, I'm using an spl query that extracts some values from a lookup and sends them to a web API via POST request (for this i'm using the WebTools add-on). To send data formatted as reported in the api swagger, I'm using the Splunk command "tojson" to convert Spl query results to Json in my test instance. Since the tojson command is really new (props to Splunk for adding this!) and was introduced from 8.2, is there a way to do the same in previous Splunk versions? Splunk Query: |inputlookup l2d.csv |eventstats values(tp) as id | table id,code | tojson <...curl using raw field from tojson> Json format expected and produced with tojson command: {"id":["id1","id2"],"code":"00001"}    Thank you for the attention, have a nice day,