Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About lauMarot
lauMarot
Path Finder
Member since:
02-18-2014
09-09-2025
Community Statistics
| Posts | 38 |
| Solutions | 2 |
| Karma Given | 7 |
| Karma Received | 3 |
| Member Since | 02-18-2014 |
Activity Feed
- Got Karma for can't find any option for modifying / deleting an input. 08-23-2025 12:24 AM
- Karma Re: can't find any option for modifying / deleting an input for livehybrid. 08-22-2025 04:40 AM
- Posted Re: can't find any option for modifying / deleting an input on All Apps and Add-ons. 08-21-2025 09:09 AM
- Posted can't find any option for modifying / deleting an input on All Apps and Add-ons. 08-21-2025 05:50 AM
- Karma Re: Extracting port number from url field for isoutamo. 01-03-2022 11:57 PM
- Posted Extracting port number from url field on Splunk Search. 01-03-2022 11:25 PM
- Karma Re: splnkd can't find libjemalloc.so.1 for MuS. 11-27-2020 06:48 AM
- Posted Re: Splunk App for Unix and Linux - Dashboard opens then goes blank on All Apps and Add-ons. 11-27-2020 05:25 AM
- Karma Re: is $ supported in regex for field extraction ? for gabriel_vasseur. 06-05-2020 12:48 AM
- Got Karma for Re: How can i change the version of an app and icon image?. 06-05-2020 12:47 AM
- Got Karma for Re: No Output for sourcetype=cpu | head 20. 06-05-2020 12:47 AM
- Karma Re: How do I configure a Splunk Forwarder on Linux? for mnatalier. 06-05-2020 12:46 AM
- Karma Re: cast a vote for aelliott. 06-05-2020 12:46 AM
- Karma Re: geoip command stops working after upgrade to 6.1.1 - GeoIP database file 'GeoLiteCity.dat' does not exist! for rruijgrok. 06-05-2020 12:46 AM
- Posted Re: Compare field with lookup on Splunk Search. 10-17-2018 02:07 AM
- Posted Re: ERROR TcpInputProc - Message rejected. Received unexpected 1009858864 on Getting Data In. 08-05-2016 12:42 AM
- Posted Re: ERROR TcpInputProc - Message rejected. Received unexpected 1009858864 on Getting Data In. 08-03-2016 10:16 PM
- Posted Re: ERROR TcpInputProc - Message rejected. Received unexpected 1009858864 on Getting Data In. 08-03-2016 01:00 PM
- Posted Re: is $ supported in regex for field extraction ? on Splunk Search. 08-03-2016 06:52 AM
- Posted ERROR TcpInputProc - Message rejected. Received unexpected 1009858864 on Getting Data In. 08-03-2016 05:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-21-2025
09:09 AM
no, used app is "Website Monitoring"
... View more
08-21-2025
05:50 AM
1 Karma
Hello, I'm looking for the way of modifying an input using GUI (bacause I made an error when creating it) but can't find any option. Same for deleting / un-activating an input
... View more
Labels
- Labels:
-
configuration
01-03-2022
11:25 PM
Hello, Suppose I've got the following url among lot of others : (logs come from something close to Squid but not indexed properly by Splunk) nav.smartscreen.microsoft.com:443 https://www.francebleu.fr/img/antenne.svg http://frplab.com:37566/sdhjkzui1782109zkjeznds http://192.168.120.25:25 https://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_175%2Cw_300%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fd46af9fc9a462b0904026156648340b7.jpg I wish I could extract the port number when ther is one. I saw a lot a similar cases on Splunk Answers but the url formating was less varaible than mine. The only way to achieve my aim was to use the following SPL: index=* sourcetype=syslog | rex field=url "(http|https)?[^\:]+\:(?<port>[^\/]+)" | eval monport = if(isint(port), port, 0) | top monport Is there a more elegant way to to ?
... View more
Labels
- Labels:
-
field extraction
-
rex
11-27-2020
05:25 AM
I can remember facing that issue while using a particular version of Firefox (68.6.0esr (64 bits). Then I switched to Chrome and problem disappeared
... View more
08-05-2016
12:42 AM
yeap ! Understood ! But receiving must be set from "Data inputs » UDP " and not "Forwarding and receiving » Receive data » Add new " (my mistake) 🙂
... View more
08-03-2016
10:16 PM
yes clearly a misunderstanding (in my case) of how heavy (intermediate) forwarders should deal with their input data
... View more
08-03-2016
01:00 PM
just one dumb thing I forgot to mention : I used to think It was possible to grab the Syslog stream of my device in my Forwarder directly through TCP receiver of my Forwarder (see the screenshot)
... View more
08-03-2016
06:52 AM
of course ... so sorry, so much noise for so little !
Many thanks
... View more
08-03-2016
05:47 AM
Hello,
problem on splunk enterprise 6.4.2
I've just set up an intermediate (heavy) splunk 6.4 forwarder between my syslog-ng server and my indexer. This heavy forwarder is supposed to help me filtering F5 BigIP logs
1 - Receiving was set up on Indexer to listen on port 5141 (not 9997 default port) usin web Gui (then i double check that the stanza is ok in inputs.conf)
2 - Forwarding was activated from forwarder using web Gui (menu "Forwarding ans Receiving / Forward data") adding "xxx.xxx.xxx.xxx:5141" where xxx.xxx.xxx.xxx is the IP of my indexer
3 - log Stream can be displayed on idexer using tcpdump
4 - no data is collected in any index and the error " ERROR TcpInputProc - Message rejected. Received unexpected 1009858864" is thrown
What could be wrong ?
... View more
08-03-2016
02:38 AM
I've attached a three events file sample
... View more
08-03-2016
01:17 AM
I've attached a three events file sample
... View more
08-03-2016
01:13 AM
link textlog sample
... View more
08-03-2016
01:12 AM
thx for helping but it does not work with attached log sample (to large for text input field)
... View more
08-02-2016
07:35 AM
nice try ... but it does not work 😞
Generally I use the wizzard and not type in dircetly my regex but taht time wizzard generate the following error :
The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings.
... View more
08-02-2016
07:32 AM
(?P\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}) match the first IP adress found in my log line 😞
adding $ (outside or inside parethesis) breaks any match
... View more
08-02-2016
07:02 AM
I've got the following log line and I wish I could extract the last IP address field:
.................(variable number of fields)....."N/A","N/A","xxx.xxx.xxx.xxx"
I used to think that something like the following should have worked
(?P‹lastIP›\d+.\d+.\d+.\d+$)
... View more
- Tags:
- extraction
- field
- regex
08-21-2015
03:09 AM
1 Karma
For versioning : Add the following stanza to app.conf to add your app into the app launcher. Fill out each attribute as described.
[launcher]
author=<author of app>
description=<textual description of app>
version=<version of app>
For logos : Place app icon images at the following location:
$SPLUNK_HOME/etc/apps//static/
with files name using followin rules (appIcon.png,appIcon_2x.png, appLogo.png...) : http://docs.splunk.com/Documentation/Splunk/6.2.5/AdvancedDev/AddConfigurations
... View more
08-13-2015
06:11 AM
08-13-2015
06:06 AM
"No dashboards are currently using this but might do in the future. "
are you sure ???
as event type clientip-internal appears in pageview = (eventtype=web-traffic
status=200
NOT (eventtype=web-uri-nonpage OR
eventtype=web-agent-nonpublic OR
eventtype=exclude-pageview)
and
web-agent-nonpublic is defined as follow : eventtype=ua-bot OR eventtype=clientip-nonroutable OR eventtype=clientip-internal
so clientip-internal is indeed used for example in Traffic Center (but the filter as -not- defined does not applied to any event)
... View more
08-13-2015
02:52 AM
Shouldn't clientip-internal be configured ?
default value is : eventtype=web-traffic clientip=Some.CIDR.Range
... View more
08-13-2015
01:15 AM
uninstall and then install once again
configure exactly as detailed in doc (website config, then run lookups and finally add data model acceleration). I had previously a warning message in website config that I hadn't noticed
=> works fine now
... View more
08-11-2015
01:17 AM
by default, logs are indexed in default index ('main' index in this case)
... View more
08-11-2015
01:16 AM
i've deleted the application and installed it once again. Now i've got data for real-time tab but nothing in tabs relying in tstats / summaries even if I've set up acceleration on web model.
|tstats summariesonly=t prestats=t dc(Web.http_session) FROM datamodel=Web WHERE Web.site="*" "Web.eventtype"=pageview GROUPBY Web.http_session,Web.ua_family _time span=1d | timechart span=1d dc(Web.http_session) by Web.ua_family | rename Web.ua_family AS "Browser "
=> 0 event matching !
and if I cut the query to make it larger :
|tstats summariesonly=t prestats=t dc(Web.http_session) FROM datamodel=Web
=> 2 events
... View more
08-10-2015
12:14 PM
yes of course
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-09-2025
03:19 AM
|
Karma given to
