Hi, I have one OS index in Splunk where i get the raw data in a tabular format like below. Now I need to extract these fields like PID and that too only for the "java" COMMAND. PID USER PR NI VIRT RES SHR S pctCPU pctMEM cpuTIME COMMAND 7195 user 20 0 1361m 74m 15m S 25.1 0.3 57:32.41 oneagentos 7240 api 20 0 14.1g 1.9g 35m S 5.8 8.1 62:42.81 java 9717 api 20 0 14.1g 1.8g 35m S 3.9 7.8 61:00.56 java 3882 user1 20 0 1530m 34m 8584 S 1.9 0.1 212:28.61 python I would need this data in a lookup because I need to ingest it into another instance of Splunk to compare the charts. Can someone help me extracting these fields and how can i export those to another Splunk? ... View more

Hi, I have few events in splunk like these - 1. "GET /test/materials/components/fields HTTP/1.1" 2. "GET /test1 HTTP/1.1" OR "GET /test2 HTTP/1.1 Now what i want is just to see the events which are like in the 2nd point. My query should ignore the 1st one's. The 2nd type of URL has a pattern that it has only one word after "/". Can some one help? ... View more

Hi, I have a scenario where I need to check if a customer has placed an order when he has been offered an offer. So suppose there are total 100 customers who has been offered a particular offer and 40 of them placed an order but rest of them have not. I need a query to show all those customers session ID in a tabular format and a column at the end which either says "Completed" OR "Not Completed". Here are the 2 queries - 1. This fetches all customer who have this offer in their basket. index=test sourcetype="test_log" OR "Cart: at checkout" "OFFER1" | dedup sessionID 2. This tells if a customer has placed an order index=test sourcetype="test_log" "Order placed for Order num*". I need something like this - sessionID offer STATUS 23455454AXS OFFER1 Completed 45565MCHDA OFFER1 NOT Completed Any help would be much appreciated. ... View more

Hi, I am working on a query where I have to match the responseCode from the search to the responseCode in a lookup I created. That lookup contains the responseCode and its description. Now there are a few cases where the responseCode in the search does not match to anything in the lookup table. I want the count of all responseCodes. If it matches in the lookup then with its description, and if it doesn't match, then the description would be null, but I want the count. My current search is not giving the count of the unmatched responseCode — index="test" sourcetype="test_log" | dedup time,host,source,_raw | lookup Response_Codes_Desc ResponseCode | stats count by ResponseCode Description | sort - count Please could someone help on this? ... View more

Hi, I am trying to mask some data while indexing. Below is one single event where the tag "SecurityQuestion" is occuring multiple times and I want to mask all of its values. Can someone please advice? (SecurityQuestion)Favorite song(SecurityQuestion)(SecurityAnswer)TEST(SecurityAnswer) (SecurityQuestion)Favorite band(SecurityQuestion)(SecurityAnswer)TEST123(SecurityAnswer) ... View more

Hi, I need to join my query with a lookup which contains a field called username. I need to get the users who — exist in both my main query index and the lookup exist in lookup but do not exist in the main query index. This is what my query looks like when i started writing this - index="prod" sourcetype=prod_events | dedup username | eval type="MainIndex" | eval username = lower(username) | fields username type | appendpipe [| inputlookup test.csv | eval type="lookup" | eval username = lower(username) | sort username | fields type username ] Any help is appreciated. Many Thanks ... View more

Hi, What is this field pctIdle which automatically gets extracted when we use multikv command? Is it the avg cpu load? Is it the percentage of time when CPU was idle? If i need to calculate the CPU utilisation % of my 2 host, which query and sourcetype should i use from the below 2 queries? 1. index=os sourcetype=top host="host1" OR host="host2" | timechart span=5m values(pctCPU) by host 2.index=os sourcetype=cpu host="host1" OR host="host2" | eval Percent_CPU_Load = 100 - pctIdle | timechart avg(Percent_CPU_Load) by host Appreciate if someone can help ... View more

Hi, I am looking for some help regarding Splunk Regular Expression. I have a data something like this in a field "field1" - \P1 S+ box 5.00 Dol\BUNDLE_1 0.00 Dol\ P2 Not applicable 15.00 Dol\ DISCOUNT\ D1 -12.50 Dol\T1_EXISTING 0.00 Dol\ T2_EXISTING\ D2 Fibre 41.75 Dol\ T3_EXISTING\ P3 Mix 26.66 Dol\ T4_EXISTING\ P4 Weekends 0.00 Dol\P5 Vgg box 5.00 Dol\DISC* -15.81 Dol \P6* -5.00 Dol \P7* Phone line 19.00 Dol \P8* C&C 0.00 Dol \TI_PENT* 0.00 Dol \P9* -11.00 Dol \P10* Bundle2 -18.60 Dol \P11* Extra Fee 0.00 Dol. If you observe, there is a product "P1", it's description "S+ box" and Price "5.00 Dol" and like these there are multiple separated by "\". I want to extract these products with their prices so that I can see each product and their associated prices. Basically, I am looking for if any product has got NULL price. Let me know if someone can help. ... View more

Hi, I have a multi value field who has data something like below which has been extracted from some web service. I am looking to find the combination which occurs maximum time - Event 1 Combo 1 - A B C D Event 2 Combo 2 - B C D F Event 3 Combo 3 - G B Q R There could be different combinations. I want to compare these combinations and get the one which occurs in maximum events. ... View more

Hi, I have 2 searches which i need to join using a common field let's say uniqueId. Now in my 1st search I have a username and in the 2nd search I see if the user goes through that request. I want to display the user names who does not triggers any request in the 2nd search. Please note both are different indexes. I am just looking for which user names the request has not been triggered. I have used join and combined the queries where I am getting the common results but I want to display the uncommon results. ... View more

Hi, I am trying to join two of my searches in splunk using a common field uniqueID but I am getting a error in Splunk Job inspector - SubSearch produced more than 50k results, truncating to max out 50k. I can't change limits.conf and I have to use the query to get the desired result. Really appreciate if someone can help on this? My query is something like this - index="A" sourcetype="test*" requested_content="/index" | join uniqueId [ search [search B] ] | timechart span=1h count ... View more