Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About alexandermunce
alexandermunce
Communicator
Member since:
12-06-2016
06-05-2020
Community Statistics
| Posts | 58 |
| Solutions | 2 |
| Karma Given | 66 |
| Karma Received | 5 |
| Member Since | 12-06-2016 |
Activity Feed
- Karma Re: Is it possible to calculate 'responseTime' values in a cumulative stats table? for jeffland. 06-05-2020 12:50 AM
- Karma Re: Is the Transaction command suitable for large volumes of data and what is the benefit of using this command? for woodcock. 06-05-2020 12:48 AM
- Karma Re: How to split a multivalue field into single values? for richgalloway. 06-05-2020 12:48 AM
- Karma Re: How to split a multivalue field into single values? for richgalloway. 06-05-2020 12:48 AM
- Karma Re: How to split a multivalue field into single values? for richgalloway. 06-05-2020 12:48 AM
- Karma Re: Is the Transaction command suitable for large volumes of data and what is the benefit of using this command? for niketn. 06-05-2020 12:48 AM
- Karma Re: Is the Transaction command suitable for large volumes of data and what is the benefit of using this command? for snoobzilla. 06-05-2020 12:48 AM
- Karma Re: How to get subsearch to return a result which is NOT EQUAL to the returned value? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: How to get subsearch to return a result which is NOT EQUAL to the returned value? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: Alert search query to monitor for fluctuation in system performance times between today and yesterday for somesoni2. 06-05-2020 12:48 AM
- Karma Re: Alert search query to monitor for fluctuation in system performance times between today and yesterday for somesoni2. 06-05-2020 12:48 AM
- Karma Re: Using the 'where' clause as a Custom Alert Trigger condition? for renjith_nair. 06-05-2020 12:48 AM
- Karma Re: Using the 'where' clause as a Custom Alert Trigger condition? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: Using the 'where' clause as a Custom Alert Trigger condition? for renjith_nair. 06-05-2020 12:48 AM
- Karma Re: Alert search query to monitor for fluctuation in system performance times between today and yesterday for somesoni2. 06-05-2020 12:48 AM
- Karma Re: Using the 'where' clause as a Custom Alert Trigger condition? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: How to replace multiple field values with the same replacement value in a search? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: How to replace multiple field values with the same replacement value in a search? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: Why are some fields from XML data not displayed in search results? for ktugwell_splunk. 06-05-2020 12:48 AM
- Got Karma for Re: How to split a multivalue field into single values?. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
12-25-2016
05:38 AM
Exactly what I was after, thank you good sir!
... View more
12-25-2016
05:38 AM
The output you have provided is simply the output of ,y above subquery? Not what I was after sorry
... View more
12-22-2016
04:55 PM
Hi there, currently I am comparing data from two data sources and have achieved some great comparisons in which my subsearch returned field value equaling the matching value eg:
(id=10000) or (id=10001) or (id=10002)
etc..
However I am wondering if it is possible to return something like:
(id!=10000) or (id!=10001) or (id!=10002)
etc..
OR alternatively - can I simply do something like this in my search query:
search query | NOT [subsearch query | return field]
Or perhaps with brackets?
search query | (NOT [subsearch query | return field])
Please help!
... View more
12-20-2016
07:16 PM
However still seem to be getting some strange results - will have to investigate further.
Edit: This was an issue with the data - the REGEX expression seems to be OK.
... View more
12-20-2016
07:08 PM
I believe I have figured out the required REGEX expression - as below:
search query | rex "ab1:search-name>(?<search_name>.+)<" max_match=0
It seems to match as required.
... View more
12-20-2016
05:06 PM
I am working with a datasource which contains multiple instances of an XML value which exists similarly to this:
(WITHOUT THE SPACES)
Sample Event 1:
< ab1:search-name >ABC-123-XYZ < / ab1:ab1:search-name >
< ab1:search-response > YES < / ab1:search-response >
< ab1:search-relevance > 15 < / ab1:search-relevance >
< ab1:analysis / >
< ab1:search-name >ABC-001-PROD < / ab1:search-name >
< ab1:search-response > NO < / ab1:search-response >
< ab1:search-relevance > 25 < / ab1:search-relevance >
< ab1:analysis / >
Sample Event 2:
< ab1:search-name >ABC-123-XYZ < / ab1:search-name >
< ab1:search-response > YES < / ab1:search-response >
< ab1:search-relevance > 10 < / ab1:search-relevance >
< ab1:analysis / >
< ab1:search-name >ABC-001-PROD < / ab1:search-name >
< ab1:search-response > YES < / ab1:search-response >
< ab1:search-relevance > 20 < / ab1:search-relevance >
< ab1:analysis / >
I am wanting to write a REGEX expression to use with the rex command to extract the data contained within the < ab1:search-name > < / ab1:search-name > tags into a new field named search_name.
I understand that as there are multiple instances of this field in each event that the new field will have to be a multivalue field (which will require the rex max_match=0 argument).
Therefore I believe my command should look something similar to the below;
search query | rex [REGEX EXPRESSION] max_match=0
I have tried various REGEX expressions but am having trouble with the fact the data contains characters and symbols.
RELATED QUESTION
As you can see in the data sample above - each instance of the < ab1:search-name > < / ab1:search-name > tag has related values beneath it (search-response, search-relevance, etc).
My question is, once the rex command extracts the field, will there be any way to relate the data which fell beneath each instance of the tag to each individual value - or will the correlation be lost?
... View more
12-19-2016
04:17 PM
1 Karma
After reading various questions/answers on the topic and the relevant Splunk documentation I am still unsure whether the Transaction command is suitable for large volumes of data (say for example 500,000+ events across two sources).
When I have tested this command on my data sources, I notice that it is only seemingly able to process a portion of the search, with the remaining time period returning zero results.
Would this be due to a high demand on the server resources being required?
Related question:
Does the Transaction command actually concatenate the raw data + fields from various events and combine them into a single event in your search results?
What is the benefit of using this command - how does it assist in aggregating related events in terms of the data returned?
Is it not just as feasible to use the stats command to display your related event data (combined with other eval commands such as coalesce)?
... View more
12-19-2016
03:54 PM
All were correct - turns out it was an issue with the lookup table data as summarised in the answer below 🙂
... View more
12-19-2016
03:46 PM
Perfect, thank you kindly!
Looks like there are too many irrelevant fields extracted if I use the xmlkv command, so I think I will have to use the rex command to extract the fields I require!
... View more
12-18-2016
09:55 PM
@gkanapathy
In the second line of your code above:
| eval ticket = coalesce(scnumber,TICKET)
Is the second arguement for the coalesce function correct?
If so, what does TICKET refer to exactly?
... View more
12-18-2016
05:28 PM
My next concern is that I am having troubles with the LOOKUP command - it will not let me check multiple event_fields against the SINGLE lookup_field;
When I try to do a second lookup as below, there is no new field output;
... | lookup sub_ref sub_code AS comp, sub_code AS comp_ID OUTPUT company as Company
Do I need to run the lookup command once for each event field and then output all as the one output field (Company)
... View more
12-18-2016
05:07 PM
and then optionally add the next part on the end:
... | fields - subCode
... View more
12-18-2016
05:06 PM
The solution I have come up with is as follows:
rex field=comp "(?P<subCode>\w{4}).*" | lookup sub_ref sub_code AS subCode OUTPUT company AS Company
... View more
12-18-2016
04:23 PM
1 Karma
You are a gentleman and a scholar, thank you kindly!
Answer accepted and upvoted.
... View more
12-18-2016
04:06 PM
@richgalloway
One other question - I feel that it may likely be the case that only the 2nd or 3rd IP address may be relevant in the end - can I tweak your REGEX code so that it ignore the first and/or second IP and only extracts the third?
... View more
12-18-2016
04:02 PM
@richgalloway
Thank you for your response - quick follow up question - can I extract all three of the values to the SINGLE new field - perhaps similar to the below;
... | rex field=foo "(?<ip_new>[^\s]+)\s(?<ip_new>[^,]+),\s(?<ip_new>.*)" | ...
Also - not sure if you have the time, but care to explain the logic behind your REGEX code?
... View more
12-18-2016
03:47 PM
I have set up a lookup table csv file and this has been uploaded to Splunk, and I have also set up an associated stanza within transforms.conf which looks something like the below;
Table: sub_ref.csv
Fields: sub_code company
ABCD Company 1
ABCC Company 2
ABCA Company 3
And in transforms.conf:
[sub_ref]
sub_ref.csv
Now this would be a fairly simple lookup, however the issue falls in the data.
I am comparing three separate event fields against the sub_ref lookup fields.
For the sake of this example, lets say the event fields are:
- comp
- comp_id
- branch
The third event field (branch) contains values which match exactly the data within the sub_code field in my CSV lookup - ie, 4 characters.
The first two event fields above, however, contain the lookup_field values followed by a trailing number, eg;
comp (event field)
ABCD001
ABCD002
ABCC001
ABCC002
So, obviously as my testing has proven, I am not able to lookup against this event field using my current lookup field data as there is not an exact match.
I have seen there is a way to include wildcards in my CSV lookup, by adding the following to my transforms.conf stanza:
match_type = WILDCARD(sub_code)
However, this requires admin changes which I am trying to avoid at this stage.
What I would rather do is to split up the first two fields into 2 new fields which extract the first 4 characters and then complete the lookup against these new fields - how would I go about this?
Is this the best way to go about this?
... View more
12-18-2016
03:15 PM
I am working with a field < source_ip > containing three IP addresses and am wanting to split the values of that field into individual values.
The field data currently looks like this:
10.1.0.1 192.168.0.1, 192.168.2.1
10.1.0.1 192.168.3.1, 192.168.4.2
As you can see, the first and second IP addresses are separated by a space and the second and third is separated by , (a comma and a space).
I have tried using SPL commands to split this data, but I feel that a command which uses REGEX may be more suitable.
Is it possible to split these IP addresses into individual values in the same field, ie the < source_ip > field will then contain a list of single IP addresses (rather than splitting the three values into three separate fields).
... View more
12-14-2016
08:12 PM
FYI - the props.conf addition is not required unless you require an automatic lookup.
Just to expand on the lookup command you have proposed - I will include the default functions which are implied by your command above:
I will rewrite your command above with annotations to point out notable issues:
lookup L_Sectors.csv**(1)** "Lookup Field" **(2)** OUTPUT Sector**(3)** | table "Lookup Field", Sector
(1) You need to invoke the stanza which you have defined which would be:
lookup sectorlookup etc
(2) The syntax for the lookup command is:
lookup < lookup-table-name > < lookup-field1 > AS < event-field1 >
If you do not specify an < event-field > then it will default to lookup an event field with the same name as the < lookup-field >
(3) Note - if you have a field named Sector already this will will be overwritten.
... View more
12-14-2016
05:13 PM
When I conduct a generic search on one of our Splunk sources, I am looking for relevant data which will assist with categorizing and analyzing the data.
I noticed that this particular batch of data did not have too many unique identifying fields which were useful for my analysis (eg, customer id, etc).
However, when I took a closer look at some of the results XML data, I could see that there was indeed some relevant identifying data which was contained within tags. For example, for the purpose of this question lets say;
< customer-id >0100000< /customer-id >
(Without the spaces)
I am wondering why this data does not display as a field which I can manipulate/sort by/etc within the search results.
Is this not a valid XML tag which is therefore a field?
... View more
12-14-2016
02:37 PM
2 Karma
With some guidance from the comments above I have been able to resolve my original issue and implement a working solution.
The reason that all lookup OUTPUT values for the product field were being returned as NULL is due to the fact that the CSV lookup table did not contain ALL possible values for the product field that were returned by my search - and also did not cater for any NULL values.
By implementing the following commands into my search query I have been able to successfully return the replacement lookup values into the correct field (product).
lookup vgate_prod_names product as product OUTPUT meaningful_product | eval product=coalesce(meaningful_product,product) | fields - meaningful_product
Above I am looking up the product field values against the list of values in the product column of my CSV file, and for any match, I am returning the value from the meaningful_product column of the CSV as a new field named meaningful_product.
Then to address the original issue of simplifying the value names in the product field, I am using the eval command against the product field combined with the coalesce function which will replace any value of the product field with associated meaningful_product value, or if there is no match/null, then replacing with the original product value.
The fact that some values of the product field remain unchanged is a non issue in my case as this will equate to <1% of the result data.
Happy Splunking!
... View more
12-13-2016
08:47 PM
One approach depending on how you would like to format your results would be to add another field to your CSV labelled "error" with all values being "true" perhaps and for any matches in the lookup OUTPUT a new field "error" with the value "true".
... View more
12-13-2016
08:45 PM
The stanza relating to a particular lookup table should be unique to avoid any issues as mentioned above.
... View more
12-13-2016
08:43 PM
This is a slightly complicated one - however if you can provide some sample data then there may be a more suitable way to approach the logic here.
... View more
12-13-2016
02:10 PM
I have set up a lookup CSV which looks something like:
product, meaningful_product
product_1, "Meaningful Name 1"
product_2, "Meaningful Name 2"
etc..
I have added the lookup file to the Splunk Lookup Table files as below;
/opt/splunk/etc/apps/search/lookups/product_names.csv
I have added a Lookup Definition for the CSV as below:
Name Type Supported Fields
vgate_prod_names file product,meaningful_product
Now that I have completed all of the above steps, I am testing this in one of my searches in a similar method to the below:
search query | lookup vgate_prod_names product AS product OUTPUT meaningful_product AS product | more search
I have also tried this syntax:
search query | lookup vgate_prod_names product OUTPUT meaningful_product AS product | more search
However in both instances, the search returns all of the results it should, however the product field contains only blank values.
Side note - if I am to run the following query:
search query | lookup vgate_prod_names product OUTPUTNEW meaningful_product AS product_new | more search
Which in the above, product_new is a new field name - my search returns a new field named product_new with all of the values which I was expecting to be set for the product field.
Does there need to be a lookup value in my CSV lookup table for EVERY possible value that can be returned in the product field?
To generate my product field value list I generated a count of all product field values for the year to date - I suppose there may be some fields which were not returned in this original search. Any way around this? The search took some time obviously.
What am I doing wrong??
... View more
- « Previous
-
- 1
- 2
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
