Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About jagadeeshm
jagadeeshm
Contributor
Member since:
06-08-2016
09-17-2022
Community Statistics
| Posts | 127 |
| Solutions | 4 |
| Karma Given | 27 |
| Karma Received | 21 |
| Member Since | 06-08-2016 |
Activity Feed
- Posted Re: Set multiple tokens using "condition match" on Dashboards & Visualizations. 09-14-2022 07:42 PM
- Got Karma for Index Strategy - Single index with multiple sourcetypes vs Multiple indexes with dedicated sourcetype. 01-13-2021 10:44 AM
- Got Karma for Re: how to create splunk custom search command with java ?. 10-08-2020 11:25 AM
- Got Karma for Re: Is there an easy way to update a record in KV Store from the results of a Splunk search instead of bulk reloading a lookup table?. 10-05-2020 03:31 AM
- Karma Re: Eval expression with gentimes is not generating new fileds for kamlesh_vaghela. 06-05-2020 12:49 AM
- Karma Re: Is there a default sourcetype for /opt/log/www1/secure.log? for woodcock. 06-05-2020 12:48 AM
- Karma Re: Why am I experiencing indexer congestion after 6.5.0 upgrade? for ptoro. 06-05-2020 12:48 AM
- Karma Re: What is the best practice for installing and managing apps in a distributed environment? for gcusello. 06-05-2020 12:48 AM
- Karma Re: Numerous messages WARN LineBreakingProcessor Truncating for remote_searches.log for dshpritz. 06-05-2020 12:48 AM
- Karma Re: How to use the foreach command to list a particular field that contains an email address? for javiergn. 06-05-2020 12:48 AM
- Karma Re: Can Eventgen run on a Universal Forwarder? for wweiland. 06-05-2020 12:48 AM
- Karma Re: HTTP Event Collector: Is it possible to send multiple events in one API call? for msivill_splunk. 06-05-2020 12:48 AM
- Karma Re: Change background of single value based on its text for sundareshr. 06-05-2020 12:48 AM
- Karma Re: Should a summary index be created on both Search Head and Indexer? for MuS. 06-05-2020 12:48 AM
- Karma Re: How do I find an orphaned search in Splunk 6.4.1? for inventsekar. 06-05-2020 12:48 AM
- Karma Re: Splunk Add-on for Kafka: Where do I find the pre-built dashboard panels? for rpille_splunk. 06-05-2020 12:48 AM
- Karma Re: Splunk Add-on for Kafka: Where do I find the pre-built dashboard panels? for ppablo. 06-05-2020 12:48 AM
- Got Karma for HTTP Event Collector returns Bad Request - what is wrong with my event?. 06-05-2020 12:48 AM
- Got Karma for Re: What is the expected response time for an HEC POST?. 06-05-2020 12:48 AM
- Got Karma for Management Console - Indexing Performance shows Queue Fill Ratio's are at 100% (almost). 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
04-28-2017
04:21 AM
I have events with the following format -
[Thread-2505_GOOGLE_INT_20170424155901301f9e61-1493049600619-NSRLM_2_1_RTL_39088504_2_R_PCLN,PCLN] 2017-04-24 12:00:02 : T:0.047 secs S:XXXX-SSSS-SSSSSS A:Availability M:INT_20170424155901301f9e61-1493049600619-NSRLM_2_1_RTL_39088504_2_R_1 CMD: [<?xml version="1.0" ?><AvailabilityRequestV2 xmlns="http://xml.google.com" siteid="1470249" apikey="SFGSDGSDFSDFGSFG" async="false" waittime="5"><Type>4</Type><Id>460573</Id><Radius>0</Radius><Latitude>0.0</Latitude><Longitude>0.0</Longitude><CheckIn>2017-10-01</CheckIn><CheckOut>2017-10-17</CheckOut><Rooms>1</Rooms><Adults>2</Adults><Children>0</Children><Language>en-us</Language><Currency>000</Currency></AvailabilityRequestV2>]
Notice couple of things - event starts with a thread name in square brackets, followed by date/time, followed by an unwanted ":", followed by several key/value pairs separated by a ":", and finally at the end you have content in XML inside square brackets.
I want to extract/transform this into the following so it is easy to search and run spath to extract fields from xml -
Thread = Thread-2505_GOOGLE_INT_20170424155901301f9e61-1493049600619-NSRLM_2_1_RTL_39088504_2_R_PCLN,PCLN
DateTime = 2017-04-24 12:00:02
ResponseTime = 0.047 secs
S = XXXX-SSSS-SSSSSS
A = Availability
M = INT_20170424155901301f9e61-1493049600619-NSRLM_2_1_RTL_39088504_2_R_1
Action = CMD
XML = <?xml version="1.0" ?><AvailabilityRequestV2 xmlns="http://xml.google.com" siteid="1470249" apikey="SFGSDGSDFSDFGSFG" async="false" waittime="5"><Type>4</Type><Id>460573</Id><Radius>0</Radius><Latitude>0.0</Latitude><Longitude>0.0</Longitude><CheckIn>2017-10-01</CheckIn><CheckOut>2017-10-17</CheckOut><Rooms>1</Rooms><Adults>2</Adults><Children>0</Children><Language>en-us</Language><Currency>000</Currency></AvailabilityRequestV2>
Notice that the last key CMD is put into a new key "Action" and value is put inside XML. I was able to do some clean up like removing square brackets, removing extra ":" etc with the following SED Command -
SEDCMD-remove-xml-header = s/\<\?xml[^\>]*\>//g
SEDCMD-remove-square-brackets = s/\[|\]//g
SEDCMD-remove-colon = s/ : / /g
SECCMD-reame-threadname = s/Thread-/Thread:/1
How do I achieve the rest? Is a key value transformer?
... View more
04-19-2017
10:39 AM
Any further update on this issue? We are seeing the same pattern with 6.5.3
... View more
04-19-2017
06:37 AM
Was this ever resolved for you guys?
... View more
04-17-2017
07:38 PM
So how did you eventually resolve this issue?
... View more
03-31-2017
01:36 PM
Yes, I get the same error!
... View more
03-17-2017
05:49 AM
It doesn't actually extract domain name, which is my core issue.
... View more
03-16-2017
07:32 PM
cisco_ironport_web.log has the following events -
Event - 1
1489714117.601 56 27.1.11.11 TCP_REFRESH_HIT/200 54491 GET http://www.flatbed-scanner-review.org/inter-banner_flatbed.jpg bhussain@buttercupgames.com DIRECT/www.flatbed-scanner-review.org image/jpeg DEFAULT_CASE-DefaultGroup-Demo_Clients-NONE-NONE-DefaultRouting <nc,ns,0,-,-,-,-,0,-,-,-,-,-,-,-,nc,-> - http://www.flatbed-scanner-review.org/
Event - 2
1489713615.376 809 211.166.11.101 TCP_MISS/200 147639 GET http://www.vindy.com/ myuan@buttercupgames.com DIRECT/www.vindy.com text/html DEFAULT_CASE-DefaultGroup-Demo_Clients-NONE-NONE-DefaultRouting <IW_news,3.4,0,-,-,-,-,0,-,-,-,-,-,-,-,IW_news,-> - -
I use the following reg-ex to extract user, url and domain
"field1","field2","field3","field4","field5","field6","url","user","field9","field10","field11","field12","field13","domain"
It doesn't work for second event, because domain fields has '-'. How do I fix it?
... View more
03-16-2017
07:00 PM
Splunk DB Connect is an app to configure inputs for getting data from a database. How is that related to HEC?
HEC is a convenient REST end-point to post data into Splunk.
... View more
03-16-2017
06:55 PM
1 Karma
You can use Distributed Management Console (Version 6.5 # now calls it Monitoring Console) has 2 dashboard that provides an overview of your HEC performance across the deployment. You can enable and check performance.
Reference # https://docs.splunk.com/Documentation/Splunk/6.5.2/DMC/Inputdashboards
... View more
03-16-2017
06:48 PM
If you are using Splunk 6.5, this is now supported natively in Simple XML.
Example:
<form>
<init>
<set token="p_Time_Ago">INITIAL_VALUE</set>
</init>
...
</form>
Reference # Set tokens on page load
... View more
03-15-2017
10:51 PM
Wondering if there a default sorucetype that can be used to extract source_ip and user from secure.log files?
source_ip is easy because of the format
user is a little bit tricky because of different format of log lines
Example events -
Thu Mar 16 2017 05:42:48 www1 sshd[3061]: Failed password for invalid user ubuntu from 78.111.167.117 port 3346 ssh2
Thu Mar 16 2017 05:31:31 www1 sshd[9216]: Accepted password for djohnson from 10.3.10.46 port 2750 ssh2
Thu Mar 16 2017 04:42:27 www1 sshd[56680]: pam_unix(sshd:session): session opened for user djohnson by (uid=0)
In this case, should we run the extraction several times and save the reg-ex pattern for each type of event separately?
... View more
03-13-2017
05:52 PM
1 Karma
We have a multi-site cluster and I started noticing in DMC that some of the Queue Fill Ratio's are almost at 100%. What does that mean?
Here is a snapshot from 5 mins ago -
Each row here indicates an indexer (hidden for privacy). And I am noticing that the indexer keeps changing and one or the other is at near 100%.
We are using HTTP Event Collector to post data into Splunk and we are seeing "Server is busy" error while posting the events.
Please advice.
... View more
03-07-2017
10:31 AM
any supporting documentation on this ?
... View more
03-07-2017
08:05 AM
1 Karma
I think 25MB - http://docs.splunk.com/Documentation/Splunk/6.4.4/Forwarding/Protectagainstlossofin-flightdata
... View more
03-07-2017
07:51 AM
I have a multi-site indexer clustering.
All my UF(s) are configured for Site0 (auto-balanced across all indexers available in both sites) and Indexer Acknowledgement is DISABLED.
When UF tries to forward data to a specific indexer and if it is down, does UF re-try sending the SAME data to the next indexer available in the auto-load balancing list?
PS: I referred this document already and it is not clear enough about this specific situation -
http://docs.splunk.com/Documentation/Splunk/6.4.4/Forwarding/Protectagainstlossofin-flightdata
... View more
02-01-2017
02:18 PM
How did you resolve this ?
... View more
01-31-2017
01:47 PM
So what was the final outcome? Did you end up figuring out the root cause?
... View more
01-27-2017
06:28 AM
I got it working with double $$ signs instead of one.
... View more
01-26-2017
08:50 PM
Here is my final version with the following -
Default option is show "All" indexes and sourcetypes
Selecting specific indexes will filter sourcetypes
Submit button to filter the table based on the selected indexes and sourcetypes.
Note # Tips are welcome to improve the performance of the SPL.
Hope that saves a few hours for someone.
<form>
<label>Splunk Indexes and SourceTypes</label>
<fieldset submitButton="true">
<input type="multiselect" token="index_selected">
<label>Select Index</label>
<search>
<query>| rest /servicesNS/-/-/data/indexes|rename "title" as index | search (index!=_* AND index!="cim_*") | stats count by index</query>
</search>
<fieldForLabel>index</fieldForLabel>
<fieldForValue>index</fieldForValue>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<valuePrefix>index=</valuePrefix>
<delimiter> OR </delimiter>
</input>
<input type="multiselect" token="sourcetype_selected">
<label>Select SouceType(s)</label>
<choice value="*">All</choice>
<search>
<query>| metadata type=sourcetypes $index_selected$ | rename sourcetype as SourceType | stats count by SourceType</query>
<earliest>0</earliest>
</search>
<fieldForLabel>SourceType</fieldForLabel>
<fieldForValue>SourceType</fieldForValue>
<default>*</default>
<prefix>(</prefix>
<suffix>)</suffix>
<initialValue>*</initialValue>
<valuePrefix>SourceType=</valuePrefix>
<delimiter> OR </delimiter>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>| eventcount summarize=false index=* index!=_* | dedup index | fields index | map maxsearches=100 search="| metadata type=sourcetypes index=\"$$index$$\" | eval retention=tostring(abs(lastTime-firstTime), \"duration\") | convert ctime(firstTime) ctime(lastTime) | sort lastTime | rename totalCount AS \"TotalEvents\" firstTime AS \"FirstEvent\" lastTime AS \"LastEvent\" | eval index=\"$$index$$\"" | rename "sourcetype" as "SourceType" | fields index SourceType TotalEvents FirstEvent LastEvent |search $index_selected$ | search $sourcetype_selected$</query>
<earliest>-3d@d</earliest>
<latest>now</latest>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
... View more
01-26-2017
07:07 PM
1 Karma
Any solutions for this issue?
... View more
01-26-2017
07:02 PM
How I hide the input?
... View more
01-26-2017
05:42 PM
I opened up a separate question for my filters. Thanks!
... View more
01-26-2017
05:41 PM
After browsing through Splunk Answers, the closest I could get is the following SPL to list all Indexes and Sourcetypes in a single table -
| eventcount summarize=false index=* index!=_* | dedup index | fields index
| map maxsearches=100 search="| metadata type=sourcetypes index=\"$index$\" | eval retention=tostring(abs(lastTime-firstTime), \"duration\") | convert ctime(firstTime) ctime(lastTime) | sort lastTime | rename totalCount AS \"TotalEvents\" firstTime AS \"FirstEvent\" lastTime AS \"LastEvent\" | eval index=\"$index$\"" | rename index as "Index" "sourcetype" as "SourceType" | fields Index SourceType TotalEvents FirstEvent LastEvent
I want to provide the users with the ability to filter by indexes and sourcetypes. Here is what I have so far -
<form>
<label>Splunk Indexes and SourceTypes</label>
<fieldset submitButton="false">
<input type="multiselect" token="index" searchWhenChanged="true">
<label>Select Index</label>
<search>
<query>| rest /servicesNS/-/-/data/indexes|rename "title" as index | eval dy = (frozenTimePeriodInSecs/86400) % 365 | eval retention = dy . " days" | dedup index | stats count by index</query>
</search>
<fieldForLabel>index</fieldForLabel>
<fieldForValue>index</fieldForValue>
<choice value="\"$index$\"">ALL</choice>
<default>"\""$index$\"""</default>
<initialValue>\"$index$\"</initialValue>
</input>
<input type="multiselect" token="source_type" searchWhenChanged="true">
<label>Select SourceType(s)</label>
<search>
<query>| metadata type=sourcetypes index=* | stats count by sourcetype</query>
</search>
<fieldForLabel>sourcetype</fieldForLabel>
<fieldForValue>sourcetype</fieldForValue>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>SourceType=</valuePrefix>
<delimiter> OR </delimiter>
<choice value="*">ALL</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>| eventcount summarize=false index=* index!=_* | dedup index | fields index | map maxsearches=100 search="| metadata type=sourcetypes index=\"$index$\" | eval retention=tostring(abs(lastTime-firstTime), \"duration\") | convert ctime(firstTime) ctime(lastTime) | sort lastTime | rename totalCount AS \"TotalEvents\" firstTime AS \"FirstEvent\" lastTime AS \"LastEvent\" | eval index=\"$index$\"" | rename index as "Index" "sourcetype" as "SourceType" | fields Index SourceType TotalEvents FirstEvent LastEvent | search $source_type$</query>
<earliest>-3d@d</earliest>
<latest>now</latest>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
I am unable to achieve 2 things here -
When I filter indexes, I want the respective sourcetypes to be filtered in the sourctypes dropdown
Display the table with selected indexes and sourcetypes only (should be able to select multiple in both case)
The query seems to be slow, but it gives the expected output.
Any advice? Thanks!
... View more
- Tags:
- splunk-enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-17-2022
12:34 PM
|
Karma from
Karma given to
