I have a regular expression that extract everything that exist between brackets Extraction: (?i) .*? (?P<METHOD>\-\s+\[\w+.*.\])\s+\w+ I'm receiving the following Warning Field extractor name=EXTRACT-METHOD is unusually slow (max single event time=1081ms, probes=5 warning max=1000ms) ... View more

Hello, I have a table with 4 Header: A B C D I need to show A C D column if B is null and B C D column if A is null, how to do that? Search: some selection | table A B C D ... View more

I need to select fields from a log who are between two [ ] Event 1: Some data... [ AAA ] Event 2: Some data... [aa - DD ] I need those fields AAA aa - DD DD How to do that? I'm using this regular expression (?P [^ ]+) but the extraction is incorrect it extract [AAA [aa and this is wrong i don't need the first character [ and need to get all the data between [ ] ... View more

Hello Splunk Expert, I'm writing a regular expression rex to extract a new field from a log with multi line. The log is as following Event 1: 2012/03/20 ERROR ABC - XYX .... multi lines Event 2: 2012/04/20 ERROR ABC - KLM Event 3: 2012/04/29 FATAL CDR - SKL .... multi lines I need to get 2 lines started from "-" or one line if multi lines doesn't exist, so a conditional regular expression: My regular expression example is getting 50 characters if exist after the "-" but if those 50 characters doesn't exist my regular expression didn't extract KLM wich is 3 characters. (? -.{50}) Lines length is varied sometimes more sometimes less than 50 characters. So how to write a regular expression to extract one line after the "-" and 2 lines if exist after the "-"? Thanks, Roy ... View more

Hello I'm using sideview table and i need to know id i can limit the display of a cells for a certain number of characters? Code: <!-- EXAMPLE BEGIN --> <module name="Search" layoutPanel="panel_row1_col1" autoRun="True"> <param name="search"> index=_internal source="*metrics.log" group="per_sourcetype_thruput" | stats avg(eps) by series | sort - avg(eps) </param> <param name="earliest">-12h</param> <module name="Pager"> <param name="count">5</param> <module name="Table"> <module name="HTML"> <param name="html"><![CDATA[ <h2>Showing eps over time for sourcetype $row.fields.series$</h2> ]]></param> </module> <module name="Search"> <param name="search"> index=_internal source="*metrics.log" group="per_sourcetype_thruput" $row.searchTerms$ | timechart max(eps) avg(eps) min(eps) </param> <param name="earliest">-12h</param> <module name="HiddenChartFormatter"> <param name="charting.chart">line</param> <param name="charting.chart.nullValueMode">zero</param> <module name="FlashChart"/> </module> </module> </module> </module> </module> <!-- EXAMPLE END --> ... View more

Hello, The results doesn't change when i pick up a new value from TimeRangePicker, I'm using sideview utils. Any idea how to fix this? The code is the below: <view autoCancelInterval="90" isVisible="true" objectMode="SimpleDashboard" onunloadCancelJobs="true" refresh="-1" template="dashboard.html"> <label>Web Services Trends</label> <module name="AccountBar" layoutPanel="appHeader"/> <module name="AppBar" layoutPanel="navigationHeader"/> <module name="SideviewUtils" layoutPanel="appHeader"/> <module name="Message" layoutPanel="messaging"> <param name="filter">*</param> <param name="clearOnJobDispatch">False</param> <param name="maxSize">1</param> </module> <module name="Message" layoutPanel="messaging"> <param name="filter">splunk.search.job</param> <param name="clearOnJobDispatch">True</param> <param name="maxSize">1</param> </module> <module name="TitleBar" layoutPanel="viewHeader"> <param name="actionsMenuFilter">dashboard</param> </module> <module name="TimeRangePicker" layoutPanel="panel_row1_col1" autoRun="True"> <param name="searchWhenChanged">True</param> <param name="selected">Last 30 days</param> <module name="GenericHeader" layoutPanel="panel_row1_col1" > <param name="label">Online errors summary</param> </module> <module name="SavedSearch" layoutPanel="panel_row1_col1"> <param name="name">LOG_SUMMARY_TABLE</param> <module name="ViewstateAdapter"> <param name="savedSearch">LOG_SUMMARY_TABLE</param> <!--<module name="JobProgressIndicator" /> --> <module name="EnablePreview"> <param name="enable">True</param> <param name="display">False</param> </module> <module name="Table"> </module> </module> </module> </module> </view> ... View more

I have a view of a table inside a timerangepicker where i need to call a HiddenSavedSearch. True Last 30 days LOG_SUMMARY_TABLE avg_range Online log errors summary True True False 100 100 The following error is appearing saying Configuration Error: HiddenSavedSearch is being run as a schedule and it's configured to listen to time picker. Schedule result will not be shown How to remove such error from my dashboard? ... View more

I have this regular expression that select all the lines after a pattern. I was wondering if i can select only a number of characters after a pattern or online 2 lines after the first pattern that appears on a _raw. ?! Extraction: (? Caused by.\n. ) I need to extract a specific number of characters after the pattern ... View more

I have 2 searches with set union and i need to join between those 2 results on a specific column (origine) can i join between 2 set union search ,if yes how? Search 1: | set union [search sourcetype="log4j" | rex field=source "/././(? .)_(? . )(? .).log" | stats count by SEVERITY_WEBAPP, origine | where SEVERITY_WEBAPP="ERROR" OR SEVERITY_WEBAPP="FATAL" OR SEVERITY_WEBAPP="WARN" | rename SEVERITY_WEBAPP as SEVERITY] [search source="/home/splunk/app4_error_core.log" | rex field=source "/././(? . ) (? .)_(? . ).log" | stats count by SEVERITY_CORE , origine | where SEVERITY_CORE="ERROR" OR SEVERITY_CORE="FATAL" OR SEVERITY_CORE="WARN" | rename SEVERITY_CORE as SEVERITY ] Search 2: | set union [search sourcetype="log4j" | rex field=source "/././(? .)_(? . )(? .).log" | top limit=1 COMPONENTS_WEB by SEVERITY_WEBAPP, origine | where SEVERITY_WEBAPP="ERROR" OR SEVERITY_WEBAPP="FATAL" OR SEVERITY_WEBAPP="WARN" | rename SEVERITY_WEBAPP as SEVERITY | rename COMPONENTS_WEB as COMPONENTS] [search source="/home/splunk/app4_error_core.log" | rex field=source "/././(? . ) (? .)_(? . ).log" | top limit=1 COMPONENTS_CORE by SEVERITY_CORE , origine | where SEVERITY_CORE="ERROR" OR SEVERITY_CORE="FATAL" OR SEVERITY_CORE="WARN" | rename SEVERITY_CORE as SEVERITY | rename COMPONENTS_CORE as COMPONENTS] ... View more

I'm trying to extract fields from a source name of files, but those extraction are partially saved as a new field on Splunk. How to save those extracted source to be saved and persistent on Splunk if i login/logout. source name example = app4_error_webservices.log command used: sourcetype="log4j" | rex field=source "/././(? .)_(? . )_(? .*).log" The fields that need to be saved always are host_1, logtype , origine. How to do that? any steps? Thanks, Roy ... View more