Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About niboucher
niboucher
Explorer
Member since:
02-21-2014
06-05-2020
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 02-21-2014 |
Activity Feed
- Got Karma for How to search top 5 IPs with highest distinct count emails per day?. 06-05-2020 12:47 AM
- Posted Re: Change sourcetype via field extraction and transforms on Getting Data In. 10-04-2018 09:59 AM
- Posted Re: Change sourcetype via field extraction and transforms on Getting Data In. 10-04-2018 12:45 AM
- Posted Re: Change sourcetype via field extraction and transforms on Getting Data In. 10-03-2018 12:56 AM
- Posted Re: Change sourcetype via field extraction and transforms on Getting Data In. 10-02-2018 09:14 AM
- Posted Re: Change sourcetype via field extraction and transforms on Getting Data In. 10-02-2018 06:44 AM
- Posted Change sourcetype via field extraction and transforms on Getting Data In. 10-02-2018 02:56 AM
- Tagged Change sourcetype via field extraction and transforms on Getting Data In. 10-02-2018 02:56 AM
- Posted How to search top 5 IPs with highest distinct count emails per day? on Splunk Search. 07-31-2014 10:15 AM
- Tagged How to search top 5 IPs with highest distinct count emails per day? on Splunk Search. 07-31-2014 10:15 AM
- Tagged How to search top 5 IPs with highest distinct count emails per day? on Splunk Search. 07-31-2014 10:15 AM
- Tagged How to search top 5 IPs with highest distinct count emails per day? on Splunk Search. 07-31-2014 10:15 AM
- Tagged How to search top 5 IPs with highest distinct count emails per day? on Splunk Search. 07-31-2014 10:15 AM
Topics I've Started
10-04-2018
09:59 AM
Thanks a lot man!
The problem was certainly caused by the lack of timestamp.
Setting it to CURRENT and using the regex you provided made it work.
Niboucher
... View more
10-04-2018
12:45 AM
it didn't work
When I use regex below, it works and index everything in the dest sourcetype but adding a pattern inside the capturing group breaks it
REGEX= (.*)
... View more
10-03-2018
12:56 AM
That didn't work either.
UF conf
inputs.conf
[monitor:///var/log/containers/*.log]
sourcetype = testData
recursive = false
Indexer conf
props.conf
[testData]
TRANSFORMS-testProp = testData_trans
transforms.conf
[testData_trans]
DEST_KEY = MetaData:Sourcetype
REGEX = (\[A\]\[B\].*)
FORMAT = sourcetype::testData_B
... View more
10-02-2018
09:14 AM
I tried to modify directly props.conf and transforms.conf and restart splunk but that didn't make it
transforms.conf
[testData_trans]
SOURCE_KEY = MetaData:Sourcetype
REGEX = (\[A\]\[B\].*)
FORMAT = sourcetype::testData_B
props.conf
[sourcetype::testData]
TRANSFORMS-testProp = testData_trans
Do you guys have any idea that could help me make this work?
... View more
10-02-2018
06:44 AM
Hey,
Exactly!
I want data to be indexed in a different sourcetype when data arrives to the indexer.
It's a clustered environnment and I have very limited rights as a user.
REST API doesn't seem to be a suitable option.
I will deploy a new splunk instance with full admin rights to try to modify directly transforms.conf and props.conf
Thanks
... View more
10-02-2018
02:56 AM
Hi there,
One of UF is configured to send logs to sourcetype testData.
I'd like to push some of those logs matching a certain pattern (all logs matching the "[A][B]" pattern) to sourcetype testData_B.
Sample of log
[A][B] blabla
[A][C] blabla
I tried to use transforms and field extraction but I couldn't make it work. I don't have ssh access so I did via the web interface
Transformation
Field extraction
What's wrong with my setup?
Thanks!
... View more
- Tags:
- splunk-enterprise
07-31-2014
10:15 AM
1 Karma
Hello,
In each line of the logs ,there is an email, an IP address and a timestamp.
I'd like to calculate for each day the top 1 (or top 5 or top 10) IPs which have the biggest number of distinct emails.
I'm using this
| bin span=1d _time
| stats dc(email) by ip,_time
but this doesn't do the trick since it prints a line for each IP and each day and I don't know to get only the top 5 dc(email) per IP
I'd like the result to look like this
_time dc(email) ip
2014-07-28 50 10.1.1.1
30 1.1.1.2
20 1.1.1.3
10 1.1.1.4
10 1.1.1.4
2014-07-29 120 10.9.1.1
85 25.1.1.2
45 34.1.1.3
35 26.1.1.4
15 42.1.1.4
Do you guys know how to do this?
... View more
