Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About pck_npluyaud
pck_npluyaud
Explorer
Member since:
03-21-2019
05-02-2025
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 1 |
| Member Since | 03-21-2019 |
Activity Feed
- Posted Re: REGEX Problem : Json Structure and sub structure on Splunk Search. 05-02-2025 08:29 AM
- Posted Re: REGEX Problem : Json Structure and sub structure on Splunk Search. 05-02-2025 02:48 AM
- Posted REGEX Problem : Json Structure and sub structure on Splunk Search. 05-02-2025 12:41 AM
- Posted Re: Json datas selection and meta removal on Getting Data In. 10-05-2021 08:23 AM
- Posted Json datas selection and meta removal on Getting Data In. 10-05-2021 05:38 AM
- Posted Concatenation of records between two keywords ? on Splunk Search. 12-07-2020 12:55 AM
- Karma Re: splunk trial / HEC / props & transforms for richgalloway. 07-09-2020 09:15 AM
- Posted Smart PDF Exporter : setup unavalaible, http 303/404 on All Apps and Add-ons. 03-21-2019 05:49 AM
- Tagged Smart PDF Exporter : setup unavalaible, http 303/404 on All Apps and Add-ons. 03-21-2019 05:49 AM
- Tagged Smart PDF Exporter : setup unavalaible, http 303/404 on All Apps and Add-ons. 03-21-2019 05:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-02-2025
08:29 AM
Ok. So, no solution. 1. Indexed extractions => the Json is too complex 2. Automatic search-time KV-extraction => no, fields need to be parsed .... 3. Manual use of the spath command. => at the search time ... too late Well, thanks anyway.
... View more
05-02-2025
02:48 AM
Yes, for the fields in root, there is no problem. I omit one point : the structure json is in another structure JSON ... , hence the "SOURCE_KEY = field:message" in transforms.conf { "root": { "field1": "value1", "message": { "var1":132, "var2":toto", "var3":{}, "var4":{"A":1,"B":2}, "var5":{"C":{"D":5}} } } After indexing, field1 is accessible, because the structure source json is seeing as a JSON. And interpreted like that. I need to parse message to find the var* like field1.
... View more
05-02-2025
12:41 AM
Hello. For reasons of JSON log splitting, I have a problem with a complex structure. The integration is in a forwarder (not UF), in transforms.conf. For example : { "var1":132,"var2":"toto","var3":{},"var4":{"A":1,"B":2},"var5":{"C":{"D":5}}} the expected result : "var1":132 "var2":"toto" "var3":{} "var4":{"A":1,"B":2} "var5":{"C":{"D":5}}} Actually I use [extract_message] SOURCE_KEY = field:message REGEX = "([^"]*)":("[^"}]*"|[^,"]*|\d{1,}) FORMAT = $1::$2 REPEAT_MATCH = true WRITE_META = true Online, it works ! That did not match...
... View more
Labels
- Labels:
-
regex
10-05-2021
08:23 AM
I put the rule i the props.conf in the UF. But same result , the _meta "input.type" is not removed. Another point, the sedcmd should be general : the json schema can never be the same (comma non at the same place) SHOULD_LINEMERGE = false NO_BINARY_CHECK = true CHARSET = AUTO KV_MODE = none AUTO_KV_JSON = false INDEXED_EXTRACTIONS = JSON TRANSFORMS-x = remove_events set_host set_source set_sourcetype TRANSFORMS-y = extract_message SEDCMD-noinput = s/"input":\{[\s\S]+?},//
... View more
10-05-2021
05:38 AM
Hye. The situation : an instance of Splunk standalone (test platform), and an UF. The data : JSON Stream with multi level. The problem : the volume of data being important, we would like to reduce the _raw at only one field. But all JSON fields are saved as _meta. We have succeeded to update source, sourcetype and host from the JSON datas. But impossible to omit _meta ... (they always appear in the Search Head) IN : { "input":{ "type":"log"}, "log":{ "file":"c:\log.josn"}, "@metadata":{ "beat":"filebeat", "version":"7.10.2"}, "message":"bla bla bla", "fields":{ "type":"bdc", "host":"VLCR03", "type2":"back"} } OUT : _raw : "bla bla bla" <= OK meta "input.***" <= to suppress meta "log.***" <= to suppress meta "@metadata.beat" <= to keep meta "@metadata.version"<= to suppress meta "message"<= to suppress meta "fields.***" <= to suppress props.conf on the UF SHOULD_LINEMERGE = false NO_BINARY_CHECK = true CHARSET = AUTO KV_MODE = none AUTO_KV_JSON = false INDEXED_EXTRACTIONS = JSON TRANSFORMS-x = set_host set_source set_sourcetype TRANSFORMS-y = extract_message TRANSFORMS-z = remove_metadata transforms.conf on the UF [extract_message] SOURCE_KEY = field:message REGEX = (.*) FORMAT = $1 DEST_KEY = _raw [set_host] SOURCE_KEY = field:fields.host REGEX = (.*) FORMAT = host::$1 DEST_KEY = MetaData:Host [set_source] SOURCE_KEY = field:log.file REGEX = (.*) FORMAT = source::$1 DEST_KEY = MetaData:Source [set_sourcetype] SOURCE_KEY = fields:fields.type,fields.type2 REGEX = (.*)\s(.*) FORMAT = sourcetype::$1:$2 DEST_KEY = MetaData:Sourcetype [remove_message] SOURCE_KEY = _meta:message REGEX = (.*) DEST_KEY = queue FORMAT = nullQueue
... View more
Labels
- Labels:
-
JSON
-
props.conf
-
transforms.conf
12-07-2020
12:55 AM
Hello. It is not a question, it is a use case that I don't arrive to resolve. The situation : a log file on remote server, with a Splunk Universal Forwarder and only an inputs.conf (not other conf) a props.conf on Heavy Forwarder with LINE_BREAKER = \d{1,4}-\d{1,2}-\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(,|.)\d{1,3}\s\[ The default format : 2020-12-07 08:02:24.350 [<thread>] <type> <bla bla bla ...> When the record is a Java Exception logging, there is no problem. The record is complete and contain all the stacktrace (SHOULD_LINEMERGE = TRUE) But I have other cases which group together a whole set of lines. And each time, the first line contains the word "started", and the last the word "ended". For example, this is for Splunk only one log. But I would like 4 ! 2020-12-07 08:02:30,567 [http-nio-10.108.181.36-30000-exec-6] INFO p.a.f.s.w.FrontalAuthentRestController 869 - - b- health-check started. (FrontalAuthentRestController.java:37)
2020-12-07 08:02:30,583 [http-nio-10.108.181.36-30000-exec-6] INFO p.a.f.s.w.FrontalAuthentRestController 869 - - b- health-check ended. (FrontalAuthentRestController.java:44)
2020-12-07 08:02:34,670 [http-nio-10.108.181.36-30000-exec-9] INFO p.a.f.s.w.FrontalAuthentRestController 845 - - b- health-check started. (FrontalAuthentRestController.java:37)
2020-12-07 08:02:34,684 [http-nio-10.108.181.36-30000-exec-9] INFO p.a.f.s.w.FrontalAuthentRestController 845 - - b- health-check ended. (FrontalAuthentRestController.java:44) I find the same problem with "proxy started" / "proxy ended", or "doFilter started" / "doFilter ended"... Each time, Splunk gathers the recordings into one 2020-12-07 08:01:43,430 [http-nio-10.108.181.35-30000-exec-3] INFO p.a.f - proxy started. (Proxy.java:106)
2020-12-07 08:01:43,433 [http-nio-10.108.181.35-30000-exec-3] INFO p.a.f. - IDPART = // NUINPE = (Proxy.java:108)
2020-12-07 08:01:43,443 [http-nio-10.108.181.35-30000-exec-3] INFO p.a.f - /3 (ProxyHelper.java:49)
2020-12-07 08:01:43,444 [http-nio-10.108.181.35-30000-exec-3] INFO p.a.f. - /3 (Proxy.java:114)
2020-12-07 08:01:43,907 [http-nio-10.108.181.35-30000-exec-3] INFO p.a.f - proxy ended. (Proxy.java:124) Do you have an idea ?
... View more
03-21-2019
05:49 AM
Hye.
I installed the plugin on Search Head, and PhantomJS in the /bin directory as describe.
When I want to do the setup, there are :
a http 303 => "GET /fr-FR/manager/smart_exporter_app/apps/local/smart_exporter_app/setup?action=edit HTTP/1.1" 303
followed by a 404 => "GET /fr-FR/manager/smart_exporter_app/apps/local/smart_exporter_app?msgid=6200000.015878963048 HTTP/1.1" 404
Smart PDF Exporter 1.0.2
Splunk Enterprise 7.0.2
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-02-2025
12:05 AM
|
