About efelder0

efelder0 · ‎04-09-2012

so, maybe strptime would not be useful in this scenario?

efelder0 · ‎04-09-2012

Yes, that worked. However, I have another field that requires reformatting. But, this time I am doing my field extraction from the transforms.conf. For example, I am pulling a field called "IncidentTime" and its value is 12/11/2011 11:16:48 PM. Here is the entry in transforms.conf: REGEX = (?i) <![CDATA[(?P [a-zA-Z -:\d]+)(?=]) What would the new REGEX be to only include the date string? or would it be better to use the strptime function from within the search?

efelder0 · ‎04-09-2012

I am trying to reformat a date field in Splunk. I have a field called "last_updated_date" and its value is 2012-04-03. I am using the strptime command to reformat the field to the following: 04/03/12. Here is my syntax: eval last_updated_date=strftime(strptime(last_updated_date,"%Y-%b-%D"),"%M/%D/%Y") However, it returns blank values in my output. Thoughts?

efelder0 · ‎04-05-2012

I am extracting a date/time stamp out of some XML; however, I need to strip out the time from the string. i.e. - 3/7/2012 2:25:52 PM (GMT) --> needs to be: 3/7/2012 What would the REGEX be and would that regex be in the props.conf or can it go in the search string? Here is the entry in props = EXTRACT-CreateTimeStamp_GMT = (?i) (?P [^<]+)

efelder0 · ‎03-20-2012

From my list of field in Splunk, I have three fields with numeric values that I would like to add together and assign the total to a field called "Total_Threat_Count". i.e. - Critical_Severity = 50 + Medium_Severity = 25 + Low_Severity = 25 AS Total_Threat_Count (100) What would the stats command that would work best here. I have tried stats sum(Critical_Severity, Medium_Severity, Low_Severity) AS Total_Threat_Count, but I am getting a blank value for that field.

efelder0 · ‎02-16-2012

Would displayRowNumbers work here? If so, how would it be configured in my search query?

efelder0 · ‎02-16-2012

I am indexing a CSV file into Splunk and wish to display the row number in a seperate column called 'row count'. Example: Field 1 Field 2 Row Count Field 3 blah blah 1 blah blah blah 2 blah blah blah 3 blah What is the best method to achieve this? Thanks.

efelder0 · ‎02-09-2012

OK, that works.. However, I need to invoke a space between the 2 fields. I believe \s will work here. how does that change the regex statement?

efelder0 · ‎02-08-2012

I am extracting a field out of an XML feed. More specifically, this is the field: 2012-01-30T12:57:20/x:LastUpdated I need some assistance on manipulating my regex statement in props.conf to force the output to look like this: 2012-01-30 12:57:20 Here is what is in my props.conf: EXTRACT-Last_Updated = (?i) (?P [^<]+) Any suggestions?

efelder0 · ‎01-26-2012

I am extracting a field called "Severity" out of an XML data feed. and the values that are returned are severity 1, severity 2, severity 3, severity 4. I would like to re-assign the values to now say Low (instead of severity 1), Medium (instead of severity 2), High (instead of severity 3), Critical (instead of severity 4). I am certain than an EVAL statement would work here, but not sure what the syntax is. Any suggestions?

efelder0 · ‎01-24-2012

415.848.8400 option 3

efelder0 · ‎01-19-2012

What are some of the methods that I can remove the header row after running the 'outputcsv' command in my search? Here are some of the fields in that header row: CreateTimeStamp_GMT Data_Source Reference_Number SourceIP_Address Incident_Category

efelder0 · ‎01-12-2012

Here is the scenario: During any given day (usually @ midnite), I am 'auto' indexing 3-5 files into Splunk and then running a search query, then producing some sort of output/report using "outputcsv". However, at any given point during the day, there will be new files being auto-indexed into Splunk. Right now, Splunk is grabbing the current files and including the events from the older files in the search results. Is there a way to configure Splunk (or use an app) to generate N number of reports as each unique file gets indexed. In other words, if I index 5 XML files from Symantec, index them into Splunk, and create 5 separate .csv files which each contain unique information without duplicating the event information from a previously indexed file?

efelder0 · ‎01-04-2012

I am trying to reformat a date/time stamp field from within my output. Here is the current format: 21:32:31-Dec 08 2011 New format: 12/08/2011 21:32:31 AM/PM thanks.

efelder0 · ‎12-29-2011

Here is the actual search string: sourcetype="McAfee ePo - All" | sort DAT_Version__VirusScan_Enterprise_ | eval AV_Version=DAT_Version__VirusScan_Enterprise_ | eval Version_Diff=Current_DAT_Version- DAT_Version__VirusScan_Enterprise_ | eval Severity =case( DAT_Version__VirusScan_Enterprise_ = 0, "Informational", DAT_Version__VirusScan_Enterprise_ == "", "Informational", Version_Diff >= 0 AND Version_Diff <= 5, "Low", Version_Diff > 5 AND Version_Diff <= 10, "Medium", Version_Diff > 10, "High", DAT_Version__VirusScan_Enterprise_ = "N/A", "Informational") | table System_Name Last_Communication Current_DAT_Version AV_Version Severity Engine_Version__VirusScan_Enterprise_

efelder0 · ‎12-29-2011

That field being extracted is blank...

efelder0 · ‎12-29-2011

Neither of the above mentioned seems to be working.. DO you have example of the len() command?

efelder0 · ‎12-29-2011

SOrry, I am looking for blank values. So, eval Severity=case (AV_Version == "", "Informational") should work??

efelder0 · ‎12-29-2011

How do I assign the value "Informational" to the field Severity when the AV Version contains NULL values byu using the Case: Severity= Informational AV Version = NULL eval Severity =case (AV_Version = NULL, "Informational") --> this does not work PLease advise.. thx

efelder0 · ‎12-20-2011

OK, this works now: eval Severity=if(sourcetype=="Low", "Low", null())

efelder0 · ‎12-20-2011

I tried that. In fact, here is the actual search string = sourcetype="McAfee ePo - Med" | eval Severity=if(sourcetype=="McAfee ePo - Med", "Medium") | table Severity I am getting the following error message: [EventsViewer module] Error in 'eval' command: The arguments to the 'if' function are invalid.

efelder0 · ‎12-20-2011

I am trying to assign a value to a Severity field when the sourcetype = "low" or "Med" or "high". I.e. - IF sourcetype = Low, then Severity = "Low". I am certain that an EVAL statement should work here, but not sure what the statement would read?? thx

efelder0 · ‎12-19-2011

I have a field in my output that contains the following values: DAT_Version = 6556.0000 What would the REGEX look like to strip out the .0000?

efelder0 · ‎12-19-2011

thanks, work fine now..

efelder0 · ‎12-19-2011

I am receiving the following message: "The sort command is truncating output to 10000 rows" How do I resolve this so that I can get all my data? thx

Posts	55
Solutions	2
Karma Given	0
Karma Received	41
Member Since	‎11-03-2011

Online Status	Offline
Date Last Visited	‎06-05-2020 02:03 AM

Remove data from Index

Help with Reporting

Splunk replication in 5.0?

Help with eval (if)

Date format

setting up data replication

Splunk Failover

Display top 3 Employees by Class Frequency

Indexing ZIP files

include indexTime in output file

Re: Issue with strptime

Re: Some RegEx help with date formatting

Issue with strptime

Some RegEx help with date formatting

stats sum?

Re: Display row numbers in output

Display row numbers in output

Re: Field extraction in XML (need some regex assis...

Field extraction in XML (need some regex assistanc...

Help with EVAL statement

Re: Splunk support phone number

Removing Header row after outputcsv command

Prevent Splunk from re-indexing data

reformat date, timestamp

Re: Help with CASE

Re: Help with CASE

Re: Help with CASE

Re: Help with CASE

Help with CASE

Re: Help with Splunk search (EVAL command)

Re: Help with Splunk search (EVAL command)

Help with Splunk search (EVAL command)

How to strip out trailing 0's

Re: The sort command is truncating output to 10000...

The sort command is truncating output to 10000 row...

Are you a member of the Splunk Community?