Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About Murali2888
Murali2888
Communicator
Member since:
12-15-2014
03-23-2023
Community Statistics
| Posts | 56 |
| Solutions | 4 |
| Karma Given | 10 |
| Karma Received | 11 |
| Member Since | 12-15-2014 |
Activity Feed
- Posted Re: Is there a way to instruct Splunk to not add quotes when passing searches stored in a lookup table to the map comman on Splunk Search. 03-23-2023 04:44 PM
- Karma Re: Is there a way to instruct Splunk to not add quotes when passing searches stored in a lookup table to the map command? for sjaworski. 03-23-2023 04:43 PM
- Posted Re: Custom Alert Action UI JQuery on Alerting. 04-21-2021 12:07 AM
- Karma Custom Alert Action UI JQuery for rigoreatigax. 04-21-2021 12:06 AM
- Karma Re: Problems with SSL JNDI Lookup against Tibco EMS for Damien_Dallimor. 06-05-2020 12:48 AM
- Karma Re: Problem with SAML cert: "ERROR UiSAML - Verification of SAML assertion using the IDP's certificate provided failed. Error: Failed to verify signature with cert :/opt/splunk/etc/auth/idpCerts/idpCert.pem" for rphillips_splk. 06-05-2020 12:48 AM
- Karma Is there a way to use a wildcard in field names when running a search? (ex: field*_name=X for field1_name, field2_name, etc) for splunknewbie05. 06-05-2020 12:47 AM
- Karma Re: How to split a json array into multiple events with separate timestamps? for Gilberto_Castil. 06-05-2020 12:47 AM
- Karma Re: How to join two search events that have a common field without using Join? for dturnbull_splun. 06-05-2020 12:47 AM
- Got Karma for MetaData Values: Is there a difference between DEST_KEY = _MetaData:Index versus DEST_KEY = MetaData:Index?. 06-05-2020 12:47 AM
- Got Karma for MetaData Values: Is there a difference between DEST_KEY = _MetaData:Index versus DEST_KEY = MetaData:Index?. 06-05-2020 12:47 AM
- Got Karma for How to disable REST API access for a user. 06-05-2020 12:47 AM
- Got Karma for How to disable REST API access for a user. 06-05-2020 12:47 AM
- Got Karma for Re: How to create or update KV Store via REST endpoints?. 06-05-2020 12:47 AM
- Got Karma for Re: How to create or update KV Store via REST endpoints?. 06-05-2020 12:47 AM
- Got Karma for Re: How to create or update KV Store via REST endpoints?. 06-05-2020 12:47 AM
- Got Karma for How to disable 'Export Results' for specific users or roles?. 06-05-2020 12:47 AM
- Got Karma for How to disable 'Export Results' for specific users or roles?. 06-05-2020 12:47 AM
- Got Karma for Re: how do I use regular expression search results from one index search and use it in another?. 06-05-2020 12:47 AM
- Got Karma for Re: can PYTHONPATH for splunk be expanded to point to another python lib directory?. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 |
01-28-2016
06:52 PM
Apologies. I missed a bracket there | rex "Parameter name=\"NOTIFY_CORRELATION_ID\" value=\"(?[^"]*)"
... View more
01-28-2016
06:17 PM
if the NOTIFY_CORRELATION_ID is occurring once per message then you can use
| rex "Parameter name=\"NOTIFY_CORRELATION_ID\" value=\"(?<CorrelationID>[^"]"
if there is multiple occurrence per message you can add max_match=0 with the rex command which will extract a multi-value field per event.
... View more
01-28-2016
05:03 PM
This would probably due to eval expression.
Two things you need to check.
1. The timeformat for both Start Time and _time are "%Y-%m-%dT%H:%M:%S.%3N-%z" . If not please modify the format accordingly, so that the strptime can convert it into correct epoch time.
2. Remove single quotes in the eval expression as below.
| eval ticketCreated=strptime(StartTime,"%Y-%m-%dT%H:%M:%S.%3N-%z") | eval ticketClosed=strptime(_time,"%Y-%m-%dT%H:%M:%S.%3N-%z")
The time variable in the strptime must not be quoted. Apologies for multiple changes.
... View more
01-28-2016
03:54 PM
if you would like to have four different single value chart for each Complexity, then you would need to have four search queries. I think you cannot produce four single value charts with one query.
In this case, the single value chart is taking the first value.
... View more
01-28-2016
03:45 PM
the rename command should be rename Level AS Complexity .
Can you try that?
... View more
01-28-2016
03:37 PM
Hi jhoang,
I assume Start Time as the time when the ticket was created and _time as the time when the ticket was closed or resolved.
Can you try the below query?
index=sdp Department="*" "Request Status"=Closed OR "Request Status"=Resolved Level="*" | rename Level as Complexity | eval ticketCreated=strptime('Start Time',"%Y-%m-%dT%H:%M:%S.%3N-%z") | eval ticketClosed=strptime('_time',"%Y-%m-%dT%H:%M:%S.%3N-%z") | eval ResolutionTime = ticketClosed - ticketCreated | stats avg(ResoultionTime) by Complexity
... View more
01-28-2016
03:10 PM
I am glad that it resolved your issue.
... View more
01-27-2016
06:06 PM
Hi cwilmoth,
Can you try the below?
<Base Search> | stats min(ICA_START) as SessionStart min(ICA_END) as SessionEnd by user, id | eval Duration = SessionEnd - SessionStart | table user, id, Duration
You can format the time fields as per your convenience if this is giving you the desired results.
... View more
01-27-2016
04:31 PM
Hi lyndac,
I suppose the problem is with INDEXED_EXTRACTIONS and KV_MODE configurations.
As per the documentation,
INDEXED_EXTRACTIONS = < CSV|W3C|TSV|PSV|JSON >
* Tells Splunk the type of file and the extraction and/or parsing method
Splunk should use on the file.
KV_MODE = [none|auto|auto_escaped|multi|json|xml]
* Used for search-time field extractions only.
* Specifies the field/value extraction mode for the data.
As per your configuration, when you upload it as a file the timestamp is extracted as you have configured INDEXED_EXTRACTIONS where as when you read off the jms queue, the KV_MODE is set to none and so the json fields are not extracted which eventually nullified TIMESTAMP_FIELDS config.
I would suggest two approaches.
Can you try KV_MODE=json and see if the timestamp is extracted?
You can use the below configuration which we are using for to read SOAP payloads from jms queues.
TIME_PREFIX = "stop":
TIME_FORMAT = %s
TRUNCATE = 0
Please do let us know if this has resolved your problem.
... View more
01-24-2016
06:41 PM
1 Karma
You can use the below as well.
host="*rest*" [ search index=ws host="*ws*" sourcetype="WS*" (/service/click) | rex field=_raw "^(?:(nonce)*){10}\s+\w+=(?P<my_nonce>.+)" | rename my_nonce as query | fields query]
For example, if my_nonce has values like foo and bar , the query will return
host=*rest* "foo" OR "bar"
... View more
01-21-2016
04:50 PM
Hi javiergn,
I ran those two searches and both returned no results. This confirms that the data is not indexed twice.
We are running Splunk V6.3.0 in both Search Head and Indexers in a distributed environment. The Search Head and Indexers are in different sites. Indexers are in secured environment for data protection.
We do not have any clustering deployed in SH or in Indexers. It is a single Search Head talking to 4 Indexers in distributed manner.
... View more
01-19-2016
03:48 PM
Hi sjodle,
This may not be what you are looking for, but an alternative option would be to use lookup/outputlookup command.
Below query would do the upserts into kvstore
Base Search | lookup <lookup_name> <lookup_field> OUTPUTNEW _key AS _key | outputlookup <lookup_name> append=true
... View more
01-19-2016
03:23 PM
Hi All,
I came across a weird behavior where a search head displaying duplicate events only in certain scenarios, even though the event is indexed only once. I confirmed the indexing part by checking the metadata and _indextime values for the events.
When I run the Base Search for a month period, a few events are being displayed twice resulting in invalid number of events. However, when I run Base Search | timechart span=1mon count the events are not duplicated and give the correct count.
Has anybody came across this sort of behavior and would like to understand how the search head would render events?
Thanks for your help.
... View more
01-17-2016
08:42 PM
Hi seksit,
In your case, splunk will index the data from the log files ( present in the directory such as /var/log/2016/01, /var/log/2016/02) in the splunk index directory $SPLUNK_HOME/var/lib/splunk/ in compressed format.
In simple words, this is a copy of the source data but the size and format of the data is not same. Splunk stores the data in a series of index files.
For more read on how splunk indexes, please refer http://docs.splunk.com/Documentation/Splunk/6.3.1511/Indexer/HowSplunkstoresindexes
Hope this solves your queries to some extend.
... View more
01-14-2016
06:37 PM
Hi Mus,
Thanks for your comments. Unfortunately, we want to disable the Export option in the default search window for a user.
But its good to know these options 🙂
... View more
01-14-2016
03:48 PM
2 Karma
Hi Splunkers,
I was wondering if there is an option to disable Export Results option for specific users or roles.
Basically, we would like the user not to export the results and use the data in other systems outside the enterprise.
Thanks for your help in advance.
Regards
Murali
... View more
12-22-2015
04:11 PM
i faced the same issue when combining multiple field extractions under one rex. Though i had a work around to split them into multiple rex, I would like to understand if this is a limitation
... View more
12-22-2015
03:27 PM
Hi mprreddy51,
I guess, this is due to multiple time zone issues.
Let me split up your queries.
First to make latency as zero (in an ideal scenario), the indexers timezone and the inputs props.conf timezone should be same. In your case, it seems input timezone is UTC-8:00 where as the Indexer is UTC-11:00.
But in few cases, there would be latency due to various parameters such as network delay between Indexer and Forwarder, Forwarder data rate etc.
Now to the second query, to make the _raw time as _time .
Timezone value TZ in props.conf should be set to UTC and TIME_FORMAT attribute should be configured to take the _time from input data.
... View more
12-21-2015
03:37 PM
Hi sumit29,
Can you try the following?
index=* | stats list(Action) as Attempts, count(eval(match(Action,"Failed"))) as Failed, count(eval(match(Action,"Success"))) as Success by Username | where mvcount(Attempts)>=6 AND Success=1 AND Failed>=5
... View more
08-27-2015
10:13 PM
Thanks maciep.
I had this option, but unfortunately the xml structure is quite redundant and complex which would not allow using a single rex command. Nevertheless, I had found some workaround with eval command.
... View more
08-12-2015
05:00 AM
Hi All,
Can you let me know how we can use a named backreference in the subsequent rex command? That is pass the value of the named backreference to the next rex command.
I am trying something like below which is not providing the desired result.
rex "<tag1>(?P<NamedField1>[^<]+" | rex "<tag2>?(P=NamedField1)</tag2><tag3>(?P<NamedField2>)" | table NamedField2
If someone could point out some documentation around this that would be very helpful.
... View more
08-11-2015
10:56 PM
Thanks for your comments woodcock.
I tried creating a parameterised macro, but the macro is not handling the "Field Name" as a parameter.
Instead of populating the value of the field, the macro populates the Field Name itself.
... View more
08-11-2015
12:11 AM
Hi,
I would like to how we can pass a field as a parameter to the rex expression in Splunk.
I am using the below which is not working for some reason.
<Search query> | rex <Field1> | rex "<tag1>?(P=Field1)</tag1><tag2>(?P<Field2>)" | table Field1,Field2
Is there any other way we can pass parameters to a rex expression?
... View more
07-23-2015
06:01 PM
Thanks Iguinn for your comments.
There is no clear documentation available as to which keys need to be prefixed by ( _ ). I was hoping somebody would have some idea around this.
... View more
07-22-2015
09:45 PM
2 Karma
Is there any difference between the two below?
DEST_KEY = _MetaData:Index
DEST_KEY = MetaData:Index
Also, I would like to understand why the host, source, and sourcetype values are shown as MetaData:Host, whereas the index shows _MetaData:Index
Thanks for your help.
Regards
Murali
... View more
- « Previous
-
- 1
- 2
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-23-2023
10:09 PM
|
Karma given to
| User | Karma Count |
|---|---|
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
