Hi, I am using the following rex command to extract all text in between "....device-group:" and "succeeded ...." for a field called "old" and assigning the extracting values to a new field called "new". | rex field=old "device-group:\s*(?<new>\S+)" Currently, it is extracting all text in between "....device-group:" and "succeeded ...." EXCEPT for cases where there are multiple words with spaces. Examples include: 1) "Panorama push to device:013101009509 for device-group: Austin Cloud DMZ succeeded. JobId=2484595" where the extracted values should be "Austin Cloud DMZ " 2) "Panorama push to device:013101014290 for device-group: Austin Bank Segmentation succeeded. JobId=2482583" where the extracted values should be "Austin Bank Segmentation" Can you please help on extracting  such cases too? Thank you!

Hello, I found a new failure of an App's Setup page (secret storage) on a Splunk Cloud when I tried to register password to secret storage. [SPLUNKD] You (user=<my splunk user>) do not have permission to perform this operation (requires capability: $db_connect_read_app_conf$). Could this be just an account permissions issue ? Can it be proceeded by using admin account  ? Do you have any information for this db_connect_read_app_conf Splunk capability ?? Unfortunately, there was no valuable document and reference for this capability in my search. I'm happy for any information from you. Thank you in advance.

Hi, I have rows that are json based. each row has a field that looks like this: { "students" : [ {"id":"123", "name":"abc"}, {"id":"456", "name":"def"}, {"id":"789", "name":"hij"} ], "student_id" : "456" } each row can have multiple students and always just one student_id. for each row I want to extract the name of the student who's id is equal to the student_id. how can I do that?   I tried this,: |spath path=students{} output=students|mvexpand students | spath input=students|multikv| table id, name, student_id I do get 3 rows like this in the result: id name student_id 123 abc 456 456 def 456 789 hij 456   but when I try to filter the matching row with: | where id = student_id I get 0 rows coming back.   TIA Asaf

I have created custom command *| cloudcidrlookup cloud=azure* but how to change it to be just *| cloudcidrlookup azure* ?     @Configuration() class CloudCidrLookup(GeneratingCommand): cloud = Option(require=False) ... def generate(self): if self.cloud=='azure': ... dispatch(CloudCidrLookup, sys.argv, sys.stdin, sys.stdout, __name__)      

Hi guys, I'm trying to do something that I expected to be very simple, so I guess I'm missing something big. This is my test SPL: | makeresults | eval data=json_object("id", "123")| spath input=data| table data.id I want to be able to refer to the data.id field, but I can't. how do I convert "data" into a parsed json?   TIA Asaf

Hello Splunk Ninjas! I'm new to the group (and to the splunk) and will require your assistance with designing my regex expression. I need to filter for the value of Message in this sample log line:   2022-09-23T13:20:25.765+01:00 [29] WARN Core.ErrorResponse - {} - Error message being sent to user with Http Status code: BadRequest: {"Message":"Sorry, only real values are valid in this environment.","UserMessage":null,"Code":64,"Explanation":null,"Resolution":null,"Category":3}   I will be interested in extracting value of Message, Code, Resolution and Category, Any help, much appreciated! Thanks again

I am pushing DNS logs to Splunk Cloud and I am noticing the QueryType is in numeric format, I would like to see that in string format Sample Log:   {"ColoID":378,"Datetime":"2022-09-23T23:55:23Z","DeviceID":"df34037e","DstIP":"xx.xx.xx.xx","DstPort":0,"Email":"non_identity@ec.com","Location":"London","Policy":"","PolicyID":"","Protocol":"https","QueryCategoryIDs":[26,81],"QueryName":"europe-west9-a-osconfig.googleapis.com","QueryNameReversed":"com.googleapis.europe-west9-a-osconfig","QuerySize":67,"QueryType":28,"RData":[{"type":"28","data":"F2V1cm9wZS13ZXN0OS1hLW9zY29uZmlnCmdvb2dsZWFwaXMDY29tAAAcAAEAAADdABAqABRQQAkIIAAAAAAAACAK"},{"type":"28","data":"F2V1cm9wZS13ZXN0OS1hLW9zY29uZmlnCmdvb2dsZWFwaXMDY29tAAAcAAEAAADdABAqABRQQAkIHwAAAAAAACAK"},{"type":"28","data":"F2V1cm9wZS13ZXN0OS1hLW9zY29uZmlnCmdvb2dsZWFwaXMDY29tAAAcAAEAAADdABAqABRQQAkIFQAAAAAAACAK"},{"type":"28","data":"F2V1cm9wZS13ZXN0OS1hLW9zY29uZmlnCmdvb2dsZWFwaXMDY29tAAAcAAEAAADdABAqABRQQAkIIQAAAAAAACAK"}],"ResolverDecision":"allowedOnNoPolicyMatch","SrcIP":"xx.xx.xx.xx","SrcPort":0,"UserID":"723f7"}     In the above log you would notice "QueryType":28, I'd like to replace 28 with a string - AAAA, other DNS query types can be found in https://en.wikipedia.org/wiki/List_of_DNS_record_types Is there a way I could replace or append the query types string instead of the numeric value that is showing up in the logs by using techniques like lookup or Join? Desired Log: (only QueryType is changed from 28 to AAAA)     {"ColoID":378,"Datetime":"2022-09-23T23:55:23Z","DeviceID":"df34037e","DstIP":"xx.xx.xx.xx","DstPort":0,"Email":"non_identity@ec.com","Location":"London","Policy":"","PolicyID":"","Protocol":"https","QueryCategoryIDs":[26,81],"QueryName":"europe-west9-a-osconfig.googleapis.com","QueryNameReversed":"com.googleapis.europe-west9-a-osconfig","QuerySize":67,"QueryType":AAAA,"RData":[{"type":"28","data":"F2V1cm9wZS13ZXN0OS1hLW9zY29uZmlnCmdvb2dsZWFwaXMDY29tAAAcAAEAAADdABAqABRQQAkIIAAAAAAAACAK"},{"type":"28","data":"F2V1cm9wZS13ZXN0OS1hLW9zY29uZmlnCmdvb2dsZWFwaXMDY29tAAAcAAEAAADdABAqABRQQAkIHwAAAAAAACAK"},{"type":"28","data":"F2V1cm9wZS13ZXN0OS1hLW9zY29uZmlnCmdvb2dsZWFwaXMDY29tAAAcAAEAAADdABAqABRQQAkIFQAAAAAAACAK"},{"type":"28","data":"F2V1cm9wZS13ZXN0OS1hLW9zY29uZmlnCmdvb2dsZWFwaXMDY29tAAAcAAEAAADdABAqABRQQAkIIQAAAAAAACAK"}],"ResolverDecision":"allowedOnNoPolicyMatch","SrcIP":"xx.xx.xx.xx","SrcPort":0,"UserID":"723f7"}   Thanks!

My sample logs is: 2022-09-12 34:45:12.456 info  Request uri [/asdff/aii/products] Request patameters [] Request payload [Request body size : : 5678 bytes Request body : : [{\activaterequest\:\ESRTYBBS\*\*, \"addresslines\":[{\"addressLineOrder\":\"NAME\"linevalues\":[\"esmal interger\"]}], \"productsio\":\"IM630\", \"productjourneykey\":\"IM630-p-6789778\",\"lineValues\":[\"sejo guleim ramo versa"]}], \"statusdesc\":\"unknown protocol version. http header [x-aacs-rest-version]. Assuming current version [v1.0]\"}],[{ \number\"4\",\"storePONumber\":\"3456\*}, \"app\",\"message\":\"Action taken when more than 10 points\"}], :[{\"serverstatuscode\":\"400 bad_request\",\"severity\", \"statusdesc\":\"Action taken when more than 10 points\"}], \"number\"6\"] My query: index=axcf   "Action taken when more than 10 points" but i want the following values(productsio, addressLineOrder,  linevalues, storePONumber, message, serverstatuscode, statusdesc  ) in table format. how can i do this??

Hello, My goals is to send rrd file data to a splunk indexer. I have a remote host that currently forwards linux_secure data to the indexer - works fie. I am NEVER able to create an input for any port tcp or otherwise from this dialog window: When I configure a TCP forward-server using lthe UF the forward-server never goes active - I only get "cooked" data on the indexer. the host and source type are configured If I configure a port (tcp or udp) from here: this comes from Data/Data inputs/TCP This setting comes from Settings/Data/Forwarding and receiving I get data to the indexer.  I may be missing something. I installed collectd on a remote host, configured it for the csv plug in, and the cpu plugin -  this data is being collected and save to the /var/lib/collectd directory on the remote host. How can I get this data to splunk and graph it? I can see data coming in - but cannot do anything with it. The splunk web site says that the HEC inputs must be used to get metrics into splunk. How do I configure the remote host to do this? I.E. send the data from collectd to splunk, I am open to suggestions and clarification thanks eholz1  

I am trying to create a query that returns a table showing counts of different error codes and percentage of transactions that are failing (error != 0) for each service.  service 0 3100 2000 1200 % Failure Foo 1000 12 0 0 1.2% Bar 100 0 3 2 5.0%   My query which returns the above table is:  index=my_index | where error=0 OR error!=0 | chart count by service, error | eval "% Failure"  = round(('3100'+'2000'+'1200')/('3100'+'2000'+'1200'+'0'),2)."%"   How can I modify this query so that I don't need to hardcode each error code into the last part of the query, as error codes may vary?