×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
pck_npluyaud
Explorer
Member since: ‎03-21-2019
a week ago
Community Statistics
Posts 10
Solutions 0
Karma Given 1
Karma Received 1
Member Since ‎03-21-2019
Activity Feed
View All

Re: REGEX Problem : Json Structure and sub structu...

by in Splunk Search
a week ago
a week ago
Ok. So, no solution. 1. Indexed extractions => the Json is too complex 2. Automatic search-time KV-extraction => no, fields need to be parsed .... 3. Manual use of the spath command. => at the search time ... too late   Well, thanks anyway. ... View more

Re: REGEX Problem : Json Structure and sub structu...

by in Splunk Search
a week ago
a week ago
Yes, for the fields in root, there is no problem. I omit one point : the structure json is in another structure JSON ... , hence the "SOURCE_KEY = field:message" in transforms.conf { "root": {   "field1": "value1",   "message": {     "var1":132,     "var2":toto",     "var3":{},     "var4":{"A":1,"B":2},     "var5":{"C":{"D":5}}   } } After indexing, field1 is accessible, because the structure source json is seeing as a JSON. And interpreted like that. I need to parse message to find the var* like field1.   ... View more

REGEX Problem : Json Structure and sub structure

by in Splunk Search
a week ago
a week ago
Hello. For reasons of JSON log splitting, I have a problem with a complex structure. The integration is in a forwarder (not UF), in transforms.conf.  For example : { "var1":132,"var2":"toto","var3":{},"var4":{"A":1,"B":2},"var5":{"C":{"D":5}}} the expected result : "var1":132 "var2":"toto" "var3":{} "var4":{"A":1,"B":2} "var5":{"C":{"D":5}}} Actually I use [extract_message] SOURCE_KEY = field:message REGEX = "([^"]*)":("[^"}]*"|[^,"]*|\d{1,}) FORMAT = $1::$2 REPEAT_MATCH = true WRITE_META = true Online, it works ! That did not match...   ... View more
Labels

Re: Json datas selection and meta removal

by in Getting Data In
‎10-05-2021 08:23 AM
‎10-05-2021 08:23 AM
I put the rule i the props.conf in the UF. But same result , the _meta "input.type" is not removed. Another point, the sedcmd should be general : the json schema can never be the same (comma non at the same place) SHOULD_LINEMERGE = false NO_BINARY_CHECK = true CHARSET = AUTO KV_MODE = none AUTO_KV_JSON = false INDEXED_EXTRACTIONS = JSON TRANSFORMS-x = remove_events set_host set_source set_sourcetype TRANSFORMS-y = extract_message SEDCMD-noinput = s/"input":\{[\s\S]+?},// ... View more

Json datas selection and meta removal

by in Getting Data In
‎10-05-2021 05:38 AM
‎10-05-2021 05:38 AM
Hye. The situation :  an instance of Splunk standalone (test platform), and an UF. The data : JSON Stream with multi level. The problem : the volume of data being important, we would like to reduce the _raw at only one field. But all JSON fields are saved as _meta. We have succeeded to update source, sourcetype and host from the JSON datas. But impossible to omit _meta ... (they always appear in the Search Head) IN :  { "input":{      "type":"log"}, "log":{      "file":"c:\log.josn"}, "@metadata":{      "beat":"filebeat",      "version":"7.10.2"}, "message":"bla bla bla", "fields":{      "type":"bdc",      "host":"VLCR03",      "type2":"back"} } OUT :  _raw  : "bla bla bla" <= OK meta "input.***" <= to suppress meta "log.***" <= to suppress meta "@metadata.beat" <= to keep meta "@metadata.version"<= to suppress meta "message"<= to suppress meta "fields.***" <= to suppress props.conf on the UF SHOULD_LINEMERGE = false NO_BINARY_CHECK = true CHARSET = AUTO KV_MODE = none AUTO_KV_JSON = false INDEXED_EXTRACTIONS = JSON TRANSFORMS-x = set_host set_source set_sourcetype TRANSFORMS-y = extract_message TRANSFORMS-z = remove_metadata transforms.conf on the UF [extract_message] SOURCE_KEY = field:message REGEX = (.*) FORMAT = $1 DEST_KEY = _raw [set_host] SOURCE_KEY = field:fields.host REGEX = (.*) FORMAT = host::$1 DEST_KEY = MetaData:Host [set_source] SOURCE_KEY = field:log.file REGEX = (.*) FORMAT = source::$1 DEST_KEY = MetaData:Source [set_sourcetype] SOURCE_KEY = fields:fields.type,fields.type2 REGEX = (.*)\s(.*) FORMAT = sourcetype::$1:$2 DEST_KEY = MetaData:Sourcetype [remove_message] SOURCE_KEY = _meta:message REGEX = (.*) DEST_KEY = queue FORMAT = nullQueue ... View more

Concatenation of records between two keywords ?

by in Splunk Search
‎12-07-2020 12:55 AM
‎12-07-2020 12:55 AM
Hello. It is not a question, it is a use case that I don't arrive to resolve. The situation : a log file on remote server, with a Splunk Universal Forwarder and only an inputs.conf (not other conf) a props.conf on Heavy Forwarder with LINE_BREAKER = \d{1,4}-\d{1,2}-\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(,|.)\d{1,3}\s\[ The default format : 2020-12-07 08:02:24.350 [<thread>] <type> <bla bla bla ...> When the record is a Java Exception logging, there is no problem. The record is complete and contain all the stacktrace (SHOULD_LINEMERGE = TRUE) But I have other cases which group together a whole set of lines. And each time, the first line contains the word "started", and the last the word "ended". For example, this is for Splunk only one log. But I would like 4 !       2020-12-07 08:02:30,567 [http-nio-10.108.181.36-30000-exec-6] INFO p.a.f.s.w.FrontalAuthentRestController 869 - - b- health-check started. (FrontalAuthentRestController.java:37) 2020-12-07 08:02:30,583 [http-nio-10.108.181.36-30000-exec-6] INFO p.a.f.s.w.FrontalAuthentRestController 869 - - b- health-check ended. (FrontalAuthentRestController.java:44) 2020-12-07 08:02:34,670 [http-nio-10.108.181.36-30000-exec-9] INFO p.a.f.s.w.FrontalAuthentRestController 845 - - b- health-check started. (FrontalAuthentRestController.java:37) 2020-12-07 08:02:34,684 [http-nio-10.108.181.36-30000-exec-9] INFO p.a.f.s.w.FrontalAuthentRestController 845 - - b- health-check ended. (FrontalAuthentRestController.java:44)       I find the same problem with "proxy started" / "proxy ended", or "doFilter started" / "doFilter ended"... Each time, Splunk gathers the recordings into one       2020-12-07 08:01:43,430 [http-nio-10.108.181.35-30000-exec-3] INFO p.a.f - proxy started. (Proxy.java:106) 2020-12-07 08:01:43,433 [http-nio-10.108.181.35-30000-exec-3] INFO p.a.f. - IDPART = // NUINPE = (Proxy.java:108) 2020-12-07 08:01:43,443 [http-nio-10.108.181.35-30000-exec-3] INFO p.a.f - /3 (ProxyHelper.java:49) 2020-12-07 08:01:43,444 [http-nio-10.108.181.35-30000-exec-3] INFO p.a.f. - /3 (Proxy.java:114) 2020-12-07 08:01:43,907 [http-nio-10.108.181.35-30000-exec-3] INFO p.a.f - proxy ended. (Proxy.java:124)       Do you have an idea ? ... View more

Smart PDF Exporter : setup unavalaible, http 303/4...

by in All Apps and Add-ons
‎03-21-2019 05:49 AM
‎03-21-2019 05:49 AM
Hye. I installed the plugin on Search Head, and PhantomJS in the /bin directory as describe. When I want to do the setup, there are : a http 303 => "GET /fr-FR/manager/smart_exporter_app/apps/local/smart_exporter_app/setup?action=edit HTTP/1.1" 303 followed by a 404 => "GET /fr-FR/manager/smart_exporter_app/apps/local/smart_exporter_app?msgid=6200000.015878963048 HTTP/1.1" 404 Smart PDF Exporter 1.0.2 Splunk Enterprise 7.0.2 ... View more
Contact Me
Online Status
Offline
Date Last Visited
a week ago
Karma given to
View All