cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
gartnerj
Explorer
Member since: ‎02-25-2014
‎06-05-2020
Community Statistics
Posts 8
Solutions 1
Karma Given 0
Karma Received 2
Member Since ‎02-25-2014
Activity Feed
View All

REST API search issue in Postman

by in Getting Data In
‎04-25-2019 11:40 AM
‎04-25-2019 11:40 AM
I have the Authorization figured working, but every time I run a search, I get the following error: (NOTE the AAA/BBB/nnn stuff is just to mask actual values in this post) <messages> <msg type="DEBUG">Configuration initialization for /var/splunkhot/splunk/etc took 112ms when dispatching a search (search ID: 1556216662.24755_33CF52FC-F282-491A-875E-F8EC1EB01F4C)</msg> <msg type="DEBUG">Invalid eval expression for 'EVAL-url_length' in stanza [pan:threat]: The expression is malformed. Expected LIKE.</msg> <msg type="DEBUG">base lispy: [ AND host::AAAAAAA source::/app/jboss/BBBBBB/log/server.log ]</msg> <msg type="DEBUG">search context: user="nnnnnnn", app="search", bs-pathname="/var/splunkhot/splunk/etc"</msg> </messages> The actual search I have in the body of the POST is: search=search+host%3DAAAAAAA+source%3D%2Fapp%2Fjboss%2BBBBBB%2Flog%2Fserver.log+%7C+search+ERROR+earliest%3D-4h I've even done just a SIMPLE search: search=search+host%3DAAAAAAA and I STILL get an error. Any ideas what the issue is?? ... View more

REST search issue using Postman

by in Splunk Search
‎04-25-2019 11:33 AM
‎04-25-2019 11:33 AM
I have the authorization done, and when I do the POST to do a search I keep getting the error: (note AAAA and bbb, nnnnnn are the correct host and logpath values in my actual search) <messages> <msg type="DEBUG">Configuration initialization for /var/splunkhot/splunk/etc took 143ms when dispatching a search (search ID: 1556216277.24597_33CF52FC-F282-491A-875E-F8EC1EB01F4C)</msg> <msg type="DEBUG">Invalid eval expression for 'EVAL-url_length' in stanza [pan:threat]: The expression is malformed. Expected LIKE.</msg> <msg type="DEBUG">base lispy: [ AND host::AAAAAAA source::/app/jboss/bbbb/log/server.log ]</msg> <msg type="DEBUG">search context: user="nnnnnnnn", app="search", bs-pathname="/var/splunkhot/splunk/etc"</msg> </messages> The actual search I have in the body is this ) search=search+host%3DAAAAAA+source%3D%2Fapp%2Fjboss%2Fbbbbb%2Flog%2Fserver.log+%7C+search+ERROR+earliest%3D-4h I've tried a bunch of different variations, but I am always getting th EVAL-url Length error. I even did JUST search=search+host%3DAAAAAA and still got the error! Any ideas here on how to format the search correctly to get this to run without that error? I can run the search directly in SPLUNK so it does in fact work. ... View more

Re: How to write regex for field extraction to mat...

by in Splunk Search
‎09-12-2014 09:23 AM
1 Karma
‎09-12-2014 09:23 AM
1 Karma
Well, I actually got it to work via regex: (?:[^:\n]*:){4}\d+\.\d+\w+,(?P<ComponentName>[^,]+),(?P<EventCode>[^,]+),(?P<MessageType>[^,]+),?(?P<ServiceName>[^,]+)?,?(?P<ServiceMethod>[^,]+)?,?(?P<ServiceInstance>[^,]+)?,ID:(?P<messageId>[^,]+),ID:(?P<CorrelationId>[^,]+),(?P<UserId>[^,]*)?,(?P<otherInfo>[^,]*) This gets all of parts for each type correctly. Thanks for the other suggestions -- I am going to look into those as it would be nice to have the fields extracted automatically so that I don't have to use this in each search/report. ... View more

Re: Question about timestamp formatting

by SplunkTrust in Getting Data In
‎02-25-2014 10:59 AM
‎02-25-2014 10:59 AM
Glad to hear it. Please accept the answer. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All