Hi Team, How to write a regex to capture this two password from the logs ? Eg:  😧 [20200527-144244] login login: cf_db_password=weblogic         😧 [20200527-144244] login login: password=weblogic_test         😧 [20200527-134842] login login: cf.db.password.hms=test_weblogic   password\.?\=([^\s]+) --> Using this regex I was able to capture the first two logs pattern.   password\.?\w+?\=([^\s]+)  --> Using this regex I was able to capture "D: [20200527-134842] login login: cf.db.password.hms=test_weblogic"    Question is how to write a regex pattern to capture all the password pattern from the above example.       ... View more

Hi All, I have created a dashboard with four panels and used a base query and sub query. But in the base query  i have used the non-transforming command. Base query details index=test sourcetype=x_service component=x_component |  eval result=case(result="Passed","CompletePassed",result="Failed","CompletedFailed",isnotnull(result),result,isnull(result),null) | eventstats lastest(result) as result latest(status) as finalStatus earliest(_time) as Earliest latest(_time) as Latest by transId,component  | eval Final_result=case(isnull(result) AND isnotnull(finalStatus),finalStatus,isnotnull(result),result,isnull(result) AND isnull(finalStatus),"MissingStatus") | fields  _time, transId,component,result,Final_result,status,finalStatus,message,duration In one of the panels I have used sub query to find the average duration to complete the transaction. Average duration to complete the transaction  | timechart span=30m avg(duration)  Using the above base query and sub query, I am able to get the output but it seems it is not best practice to use the non-transforming commands in dashboards,  so used stats command instead of event stats command in base search and got the output. Similarly to calculate the average duration to complete the transaction created another base query for that panel and used  the stats/timechart unable to get the output.  index=test sourcetype=x_service component=x_component | stats earliest (_time) as Earliest   latest(_time) as Latest by correlationId | eval duration= Earliest-Latest | timechart span=30m avg(duration)   unable to get the output.  But when we use the eventstats commands I am  getting the output. index=test sourcetype=x_service component=x_component | eventstats earliest (_time) as Earliest   latest(_time) as Latest by correlationId | eval duration= Earliest-Latest | timechart span=30m avg(duration)   Question is how to write the sub query using the base query. Thanks in advance.                        ... View more

Hi All, Today I had a question from my customer, that he wants to monitor the bunch of software running in his environment, one of the software product is AutoCad, which he wants to monitor its health and performance, currently they are monitored but not efficiently (unable to find out where is the problem based on hard ware or software or network communication or data base) so they need monitoring solution which can provide them analytics and also find the exact problem like network issue, hardware issue etc. So that it can be resolved by the concern team or application owner. They have the splunk application running in the environment, but not sure how to get AutoCad into Splunk? ... View more

Hi All, I am trying to ingest the syslog data into splunk for test POC. In-order to ingests the syslog data, I had followed the below steps 1) created ubuntu 18.04 in Google cloud and opened the firewall port 514. 2) Install syslog-ng on Ubuntu. $ sudo apt-get install syslog-ng -y 3) Verify installed version of syslog-ng root@syslog-ng:~# syslog-ng --version syslog-ng 3 (3.13.2) Config version: 3.13 Installer-Version: 3.13.2 4) Create a Network input (UDP) in the Splunk console. Splunk  Settings  Data inputs  UDP  Add New 5) Below details are configured in syslog-ng.conf. source auth_log { file ("/var/log/secure"); }; destination splunk-demo { network ("35.247.51.122" transport("udp")); }; --> Splunk-demo IP address log { source(auth_log); destination(s) 6) Restart syslog-ng service to effect the changes root@syslog-ng:/etc/syslog-ng# systemctl restart syslog-ng 7) Unable to see the syslog-ng data getting ingested into splunk-demo instance which is the indexer server index = syslog-data Details: Splunk Enterprise 8.0.2 Trial Version Syslog version --> syslog-ng 3 (3.13.2) Splunk indexer IP address -- > 35.247.51.122 Syslog server IP address --> 35.225.250.86 Firewall Port --> 514 is opened for communication Kindly guide me how to troubleshoot this issue and where I can see the error details on why the data is not getting ingested. Thanks in advance. ... View more

Hi All, Currently we have BMC-True site application monitoring the application logs using an agent, but we wanted to move forward with an agent-less monitoring in future, not only just monitoring the device but we wanted to use the data to improve our performance. Please do let me know how we can use Splunk to do this better than the current application. Thanks in Advance. ... View more

Hi All, Need a help on the list of parsing stanza on props.conf based on the raw log taken from the source application. Details: MAX_TIMESTAMP_LOOKAHEAD = SHOULD_LINEMERGE = false TIME_PREFIX = LINE_BREAKER = TIME_FORMAT = Raw data: {"metadata":{"lastReview":"2019-07-26T11:30:00","contactDl":"dl-gedit-wxxxs-dev@xxx.com","vcs":{"type":"GITHUB","typeOther":null,"location":"https://github.ldn.xxxx.com/GED-Params/CommonAnalyticalService","contentType":["Application Code"],"operationEnvironment":null,"binaries":null,"largeFiles":null,"numberOfArtifacts":null,"entitlement":{"type":"xxx"}},"application":{"itamCodes":["AAxxx5"],"language":null,"datastores":null,"buildTool":["Maven"]},"issueTracker":null,"documentation":null,"codeAnalysis":null,"qualityAssurance":null,"artifact":null,"artifactRepository":null,"internal":{"tags":[],"location":"https://github.ldn.xxxx.com/GED-Params/CommonAnalyticalService/metadata.buildchain.xxx.yaml","batch":"2019-07-27","repoType":"flow_github","id":"flow_github_123000_","errors":["The Last Review date is not in the valid format of yyyy-MM-dd.","The Application datastores field is missing.","The Application languages field is missing.","The ArtifactRepository section is missing.","The ContinuousIntegration buildStepConfig field is missing.","The ContinuousIntegration buildOrchestrationConfig field is missing.","The ContinuousIntegration executionOfBuild field is missing.","The ContinuousIntegration entitlement field is missing.","The VCS binaries field is missing.","The VCS largeFiles field is missing.","The VCS numberOFArtifacts field is missing."]},"ci":{"ciInstances":[{"type":"TeamCity","uri":"https://flow-teamcity5.xxx.net/project.html?projectId=ged_params_Wxxxs","buildStepConfig":null,"buildOrchestrationConfig":null,"executionOfBuild":null,"entitlement":null}]}}} Show syntax highlighted ... View more

Hi All, Need a help on Line Break Regex and TIME_FORMAT on props.conf, I am ingesting sonarqube logs in to splunk for the below log details with the following source type, but got stuck with the Regex part. Ce.log details: 2019.07.12 11:05:15 DEBUG ce[][o.s.c.c.CeCleaningSchedulerImpl] Deleting any worn out task 2019.07.12 11:05:15 DEBUG ce[][o.s.c.c.CeCleaningSchedulerImpl] Resetting state of tasks with unknown worker UUIDs 2019.07.12 11:15:15 DEBUG ce[][o.s.c.c.CeCleaningSchedulerImpl] Deleting any worn out task 2019.07.12 11:15:15 DEBUG ce[][o.s.c.c.CeCleaningSchedulerImpl] Resetting state of tasks with unknown worker UUIDs 2019.07.12 11:25:15 DEBUG ce[][o.s.c.c.CeCleaningSchedulerImpl] Deleting any worn out task 2019.07.12 11:25:15 DEBUG ce[][o.s.c.c.CeCleaningSchedulerImpl] Resetting state of tasks with unknown worker UUIDs 2019.07.12 11:35:15 DEBUG ce[][o.s.c.c.CeCleaningSchedulerImpl] Deleting any worn out task 2019.07.12 11:35:15 DEBUG ce[][o.s.c.c.CeCleaningSchedulerImpl] Resetting state of tasks with unknown worker UUIDs 2019.07.12 11:45:15 DEBUG ce[][o.s.c.c.CeCleaningSchedulerImpl] Deleting any worn out task 2019.07.12 11:45:15 DEBUG ce[][o.s.c.c.CeCleaningSchedulerImpl] Resetting state of tasks with unknown worker UUIDs Source type and stanza details: [sonarqube:ce] SHOULD_LINEMERGE=false LINE_BREAKER = ([\r\n]+)\d+.\d+.\d+\s+\d+:\d+:\d+\s+\w+ TIME_FORMAT=%Y.%m.%d %H:%M:%S TIME_PREFIX=^ MAX_TIMESTAMP_LOOKAHEAD=19 Access.log details: x.x.x.x- - [11/Jul/2019:17:54:12 +0100] "GET /api/rules/search.protobuf?f=repo,name,severity,lang,internalKey,templateKey,params,actives,createdAt&activation=true&qprofile=AWbCc71kFTVuzYd0BsSB&p=1&ps=500 HTTP/1.1" 200 288 "-" "ScannerMaven/X.X.X.XXXX/3.0.5" "XXXXXXs0y7TAACB" x.x.x.x- - [11/Jul/2019:17:54:13 +0100] "GET /api/rules/search.protobuf?f=repo,name,severity,lang,internalKey,templateKey,params,actives,createdAt&activation=true&qprofile=AWbCc74DFTVuzYd0BsTO&p=1&ps=500 HTTP/1.1" 200 - "-" "ScannerMaven/X.X.X.XXXX/3.0.5" "XXXXXXs0y7TAACC" x.x.x.x- - [11/Jul/2019:17:54:13 +0100] "GET /api/rules/search.protobuf?f=repo,name,severity,lang,internalKey,templateKey,params,actives,createdAt&activation=true&qprofile=AWqYLPh9Yaosnfiy-EtA&p=1&ps=500 HTTP/1.1" 200 3989 "-" "ScannerMaven/X.X.X.XXXX/3.0.5" "XXXXXXs0y7TAACD" x.x.x.x- - [11/Jul/2019:17:54:13 +0100] "GET /api/rules/search.protobuf?f=repo,name,severity,lang,internalKey,templateKey,params,actives,createdAt&activation=true&qprofile=AWkV46fXeS_Bw5qUD5wC&p=1&ps=500 HTTP/1.1" 200 - "-" "ScannerMaven/X.X.X.XXXX/3.0.5" "XXXXXXs0y7TAACE" x.x.x.x- - [11/Jul/2019:17:54:13 +0100] "GET /api/rules/search.protobuf?f=repo,name,severity,lang,internalKey,templateKey,params,actives,createdAt&activation=true&qprofile=AWbCc8AHFTVuzYd0BsWp&p=1&ps=500 HTTP/1.1" 200 - "-" "ScannerMaven/X.X.X.XXXX/3.0.5" "XXXXXXs0y7TAACF" x.x.x.x- - [11/Jul/2019:17:54:13 +0100] "GET /api/rules/search.protobuf?f=repo,name,severity,lang,internalKey,templateKey,params,actives,createdAt&activation=true&qprofile=AWbCc8LZFTVuzYd0Bsd5&p=1&ps=500 HTTP/1.1" 200 - "-" "ScannerMaven/X.X.X.XXXX/3.0.5" "XXXXXXs0y7TAACG" x.x.x.x- - [11/Jul/2019:17:54:13 +0100] "GET /api/rules/search.protobuf?f=repo,name,severity,lang,internalKey,templateKey,params,actives,createdAt&activation=true&qprofile=AWoCWw4hDVsFMZYP1Pzs&p=1&ps=500 HTTP/1.1" 200 - "-" "ScannerMaven/X.X.X.XXXX/3.0.5" "XXXXXXs0y7TAACH" [sonarqube:access] SHOULD_LINEMERGE=false TIME_FORMAT= %d/%b/%Y:%H:%M:%S %Z TIME_PREFIX= \d+.\d+.\d+.\d+\s+-\s+-\s+[ MAX_TIMESTAMP_LOOKAHEAD=26 LINE_BREAKER =([\r\n]+)\d+.\d+.\d+.\d Need help on the above stanza's to parse the sonarqube data in splunk. Kindly guide me on this. ... View more

Hi All, Good Morning, I have requirement to create a dashboard to display the total number of concurrent running builds in Jenkins and team city. Need 4 panels to display total number of builds with time chart and single value visualization. Already we have 9 panels to display Build count, Build duration and Queue Time by Day in place. Details about the Panels Type and Query: 1) TC Build Duration Per day Index = TC-App sourcetype =tc:srv “Build started” OR “Finished build” | transaction buildId keepevicted =true | time chart span =1h sum(duration) 2) TC Build count & Duration: Index = TC-App sourcetype =tc:srv “Build started” OR “Finished build” | transaction buildId keepevicted =true | time chart span =1h count (duration) 3) Jenkins Build & Queue Time By Day: Index =JK-App sourcetype=* event_tag =”Job_event” type=”completed” build_number = “*” | dedup host build_url sortby - _time | search ‘UTC_to_local_time(Job_started_at)’ | time chart span = 1h sum(Job_duration) sum(Queue_time) 4) Jenkins Build Count & Duration & Queue Time: Index =JK-App sourcetype=* event_tag =”Job_event” type=”completed” build_number = “*” | dedup host build_url sortby - _time | search ‘UTC_to_local_time(Job_started_at)’ | time chart span = 1h sum(Job_duration) sum(Queue_time) count 5) TC Build Count: Single Value Visualization: Index = TC-App sourcetype =tc:srv “Build started” OR “Finished build” | transaction buildId keepevicted =true | stats count 6) TC Build Count in seconds: Single Value Visualization: Index = TC-App sourcetype =tc:srv “Build started” OR “Finished build” | transaction buildId keepevicted =true | sum (duration) 7) Jenkins Build Count: Single Value Visualization: Index =JK-App sourcetype=* event_tag =”Job_event” type=”completed” build_number = “*” | dedup host build_url sortby - _time | search ‘UTC_to_local_time(Job_started_at)’ | stats count 😎 Jenkins Build Duration in seconds : Single Value Visualization Index =JK-App sourcetype=* event_tag =”Job_event” type=”completed” build_number = “*” | dedup host build_url sortby - _time | search ‘UTC_to_local_time(Job_started_at)’ | stats sum (Job_duration) 9) Jenkins Queue Time in seconds: Index =JK-App sourcetype=* event_tag =”Job_event” type=”completed” build_number = “*” | dedup host build_url sortby - _time | search ‘UTC_to_local_time(Job_started_at)’ | stats sum (queue_time) Now need to create additional panels to display the concurrent running build Jobs in Jenkins and Team city. Kindly guide me how to do that. ... View more

Hi All, I had two question's on splunk. 1) How to list the indexes details available in splunk search heads? 2) What is streaming and non-streaming commands and how are they executed (in which scenario's it is used) thanks in advance. ... View more