Activity Feed
- Karma Re: Why does splunkweb in 6.6.2 take so long to start? for gjanders. 06-05-2020 12:49 AM
- Karma Why does splunkweb in 6.6.2 take so long to start? for twinspop. 06-05-2020 12:49 AM
- Karma How to write the regex to extract this string between the 3rd and 6th underscores in my sample data? for deenadp. 06-05-2020 12:48 AM
- Karma Re: How to write the regex to extract this string between the 3rd and 6th underscores in my sample data? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: How to write the regex to extract this string between the 3rd and 6th underscores in my sample data? for richgalloway. 06-05-2020 12:48 AM
- Karma Re: Does Splunk process events before sending to nullqueue? for yannK. 06-05-2020 12:48 AM
- Karma How can I add an HTML tag in a Splunk alert email? for kiran331. 06-05-2020 12:48 AM
- Karma Re: Count number of events before Debup for woodcock. 06-05-2020 12:48 AM
- Karma After installing universal forwarders, why am I getting error "you currently don't have any forwarders installed" for Add Data in Splunk Web? for sayz. 06-05-2020 12:48 AM
- Karma Re: After installing universal forwarders, why am I getting error "you currently don't have any forwarders installed" for Add Data in Splunk Web? for mpiercemi9retai. 06-05-2020 12:48 AM
- Karma Re: Why is my nullQueue configuration not working at app level? for rsennett_splunk. 06-05-2020 12:48 AM
- Karma How to change the _time text in the table? for renanprado96. 06-05-2020 12:48 AM
- Karma Re: How to change the _time text in the table? for woodcock. 06-05-2020 12:48 AM
- Karma Why is Splunk DB Connect 3.0 unable to start Task Server? for tlmayes. 06-05-2020 12:48 AM
- Got Karma for How to run rex commands from CLI mode. 06-05-2020 12:48 AM
- Got Karma for Re: How to run rex commands from CLI mode. 06-05-2020 12:48 AM
- Karma Timestamp lookahead questions for edrivera3. 06-05-2020 12:47 AM
- Karma How to re-index the deleted data in splunk. for felix_fxm. 06-05-2020 12:47 AM
- Karma Moving manual rex to props.conf and transforms.conf for splunk_worker. 06-05-2020 12:47 AM
- Karma Re: How to use rex command to extract two fields and chart the count for both in one search query? for sowings. 06-05-2020 12:47 AM
07-13-2017 01:19 PM
Hope the Splunk team would consider your answer and modify sendemail in coming releases. Very helpful.
09-11-2016 06:24 PM
I have tried with the -index_earliest parameter. It displays an empty field value.
09-11-2016 06:08 PM
It doesn't help me in any way. Moreover, if I keep a " double quote at REX it throws me an error, and \" doesn't work for REX anyway. And I am using a Windows machine cmd prompt; shell and bash don't apply to this scenario?
09-10-2016 11:16 AM
My query works from the Splunk Web UI and returns the field values of Source in table form, but it doesn't work from the CLI.
Splunk Web returns
Source
==========
stock
funds
Splunk CLI returns output EMPTY
Source
===========
Splunk CLI doesn't return the field values with the table command.
splunk search "index=apps sourcetype=weblogs | rex field=_raw \'Source:\s(?<Source>.*)\' | search Source | dedup Source | table Source" user admin password changeme
I have tried with the eval and fields commands instead of table
splunk search "index=apps sourcetype=weblogs | rex field=_raw \'Source:\s(?<Source>.*)\' | search Source | dedup Source | eval chicken=Source | fields chicken" user admin password changeme
but it still outputs empty values
chicken
===========
But it works well in web search results.
Is there any other way to display the field values from the command interface?
09-10-2016 09:40 AM
1 Karma
It works with a single quote '; for \" it throws me an error: There is no such file.
splunk search "index=apps sourcetype=weblogs | rex field=_raw 'Source: (?<Source>.*)' | dedup Source | outputtext usexml=false " user admin password changeme
09-10-2016 09:38 AM
It doesn't work for me; I tried with a single quote ' and it works.
09-09-2016 09:11 PM
1 Karma
I want to run a Splunk query from the cmd prompt.
It works just fine with a basic error search, but when I try rex extraction it doesn't recognize the pipe | and rex commands.
splunk search "index=apps sourcetype=weblogs | rex field=_raw "Source: (?<Source>.*)" | dedup Source | outputtext usexml=false " user admin password changeme
09-08-2016 01:37 PM
| outputcsv append=true create_empty=false results
Here the search results will be saved in results.csv under $SPLUNK_HOME/var/run/*.csv
09-08-2016 01:34 PM
NO...! You can't export the |outputcsv to /tmp/ or some other folder; according to the |outputcsv doc, the file will be saved under $SPLUNK_HOME/var/run/*.csv.
Example directory:
C:\Program Files\Splunk\var\run\splunk\csv
09-08-2016 01:31 PM
But even if you specify results.txt, the output would be results.txt.csv. I faced the same situation.
Is the output of |outputcsv always .csv?
09-06-2016 03:20 PM
I downvoted this post because it copy-pasted the Splunk docs, not pointing to the actual problem.
08-13-2016 04:05 PM
Is there any way to save the count of the events before doing the dedup?
This is my query
index="webapplication_logs" sourcetype="error_log" | rex field=_raw "Severity:\s (?<Severity>.+)" | search Severity = Error
This query lists all my Severity=Error events (i.e., a total of 3 events in the last 10 minutes custom timeframe)
....................
Date: [07/Mar/2004:16:04:49 -0800]
IP: ipaddress
Method: "GET /topicparent=Main.ConfigurationVariables HTTP/1.1"
Response: 401
Type: Info
Severity: Error
....................
....................
Date: [07/Mar/2004:16:05:49 -0800]
IP: ipaddress
Method: "GET /topicparent=Main.ConfigurationVariables HTTP/1.1"
Response: 401
Type: Info
Severity: Error
....................
....................
Date: [07/Mar/2004:16:07:49 -0800]
IP: ipaddress
Method: "GET /topicparent=Main.ConfigurationVariables HTTP/1.1"
Response: 401
Type: Info
Severity: Error
....................
Now I used dedup to show only one result in the last 10 minutes timeframe.
index="webapplication_logs" sourcetype="error_log" | rex field=_raw "Severity:\s (?<Severity>.+)" | search Severity = Error | dedup Severity
OUTPUT
....................
Date: [07/Mar/2004:16:07:49 -0800]
IP: ipaddress
Method: "GET /topicparent=Main.ConfigurationVariables HTTP/1.1"
Response: 401
Type: Info
Severity: Error
....................
But I want to show the total error event count (i.e., 3 events) in the output, or else have the count saved in a field.
I have tried the eval command to save the count, but the field value count shows 1 after using dedup (skipped this method).
| eval tcount = mvcount(Severity)
Then I have used stats command which counts the events but doesn't show the raw event.
| stats count by Severity
I have included _raw with the stats command, but COUNT didn't work, maybe because the _raw event timestamp is different.
| stats count by Severity, _raw
OUTPUT
Severity Count _raw
Error 1 event
Error 1 event
Error 1 event
But how to show the count of the events as well as the 1 similar error event?
DESIRED OUTPUT
Severity Count _raw
Error 3 event
Or any other method to save the event count before dedup?
08-11-2016 03:46 PM
I have tried yours and it works as expected.
07-15-2016 03:14 PM
I want to get rid of three lines from my seven-line code.
1: get rid of the 20 dots, first and last
2: get rid of the Type:Info line
07-14-2016 03:22 PM
Please check my updated question. Apologies for the confusion.
07-14-2016 03:21 PM
Please check my updated question. Apologies for the confusion.
07-14-2016 02:15 PM
I would like to eliminate the unnecessary content in the events because I have a small license. I want to remove the text and the 20 . characters from each of the events. So I added two stanzas to transforms.conf: one for removing the . dots, and one for removing the text. Even these small stanzas make a huge impact on my very frequently rolling logs.
transforms.conf
[nullifytext]
REGEX = ^\.{20}$
DEST_KEY = queue
FORMAT = nullQueue
props.conf
[webserverIH]
TRANSFORMS-removedots= nullifytext
category = Application
description = webserver logs
pulldown_type = 1
DATETIME_CONFIG =
NO_BINARY_CHECK = true
disabled = false
I have edited those at the search app level c:\Splunk\etc\apps\search\local and restarted Splunk. Now I have deleted the old logs and reindexed the new similar logs, but I still see the text (not shown here) and dots in the events.
UPDATE
This is what my custom log file looks like. We want to remove the dots only from the Splunk perspective.
....................
IP: ipaddress
Date: [07/Mar/2004:16:05:49 -0800]
Method: "GET /topicparent=Main.ConfigurationVariables HTTP/1.1"
Response: 401
Type: Info
....................
I want to remove only the . dots and Type:Info from the event, not the entire event which contains the Type:Info. I need Splunk not to index those dots and text for every event, and the desired output should be
IP: ipaddress
Date: [07/Mar/2004:16:05:49 -0800]
Method: "GET /topicparent=Main.ConfigurationVariables HTTP/1.1"
Response: 401
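As an added illustration (not part of the post above or of Splunk itself), the Python model below separates the two behaviours the post runs into: a transform with DEST_KEY = queue / FORMAT = nullQueue is decided per event, so a pattern that matches the dots line discards the whole event rather than just that line, whereas a per-line removal (the kind of substitution props.conf SEDCMD performs) produces the desired output shown above. The sample event is constructed from the log excerpt in the post, and the Type: Info pattern is an assumption about the second stanza the post mentions but does not show.

```python
import re

# Constructed sample: one multi-line event matching the excerpt quoted in the post.
SAMPLE_EVENT = "\n".join([
    "." * 20,
    "IP: ipaddress",
    "Date: [07/Mar/2004:16:05:49 -0800]",
    'Method: "GET /topicparent=Main.ConfigurationVariables HTTP/1.1"',
    "Response: 401",
    "Type: Info",
    "." * 20,
])

# REGEX from the post's [nullifytext] stanza; the second pattern is an assumed
# stand-in for the "remove the Type: Info text" stanza the post does not show.
DOTS_LINE = re.compile(r"^\.{20}$", re.MULTILINE)
TYPE_INFO_LINE = re.compile(r"^Type:\s*Info$", re.MULTILINE)
PATTERNS = [DOTS_LINE, TYPE_INFO_LINE]


def route_events(events, patterns):
    """Model of DEST_KEY = queue / FORMAT = nullQueue routing.

    The decision is made per event: if any pattern matches anywhere inside the
    event, the entire event goes to nullQueue and is never indexed. Returns the
    events that would still reach the index.
    """
    kept = []
    for event in events:
        if any(p.search(event) for p in patterns):
            continue  # whole event discarded, not only the matching line
        kept.append(event)
    return kept


def strip_lines(event, patterns):
    """Model of line-level removal (the effect SEDCMD-style substitution has):
    drop only the lines that match a pattern and keep the rest of the event."""
    return "\n".join(
        line for line in event.split("\n")
        if not any(p.fullmatch(line) for p in patterns)
    )


if __name__ == "__main__":
    print("events left after nullQueue routing:", len(route_events([SAMPLE_EVENT], PATTERNS)))
    print(strip_lines(SAMPLE_EVENT, PATTERNS))
```

Running it shows zero events surviving the nullQueue model (the whole event is dropped because the dots line matched), while the line-stripping model returns exactly the four lines the post lists as the desired output.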
07-07-2016 10:58 AM
I have an index called high with sourcetype logs.
The logs sourcetype is continuously indexing logs under the \logs dir.
I have decided to create a new index and want to move those logs to that new index, called Medium.
I have successfully moved the events to Medium,
index="high" sourcetype=logs | collect index="Medium"
but I can't see the events with the sourcetype
index="Medium" sourcetype=logs
no events found
index="Medium"
It works and shows all the events, but not real-time logs.
And when new logs were updated under the logs sourcetype, Splunk is showing those real-time logs under index high, not under the Medium index.
How to show real-time events under the Medium index instead of the high index with sourcetype logs?
07-06-2016 11:48 AM
After going through a couple of Splunk answers and documents: search-time field extractions are good compared to index-time field extractions (editing conf files).
https://answers.splunk.com/answers/5817/search-time-versus-index-time-field-extractions.html
https://answers.splunk.com/answers/57247/index-time-field-extraction.html
07-06-2016 08:46 AM
Out of the three ways to extract the fields,
1. By using the rex or eval command in search
2. By using the field extractor option
3. By adding entries to props.conf and transforms.conf
Currently, I am using the 1st method, using rex commands such as
index="PriorityLogs" sourcetype="WebPay" | rex field=_raw "ProcessId: (?<ProcessId>.*)" | rex field=_raw "EventId: (?<EventId>.*)"
which extracts the desired ProcessID for 99.9% of the events.
Coming to the field extractor, my logs don't have a proper structure, which leads to poor field extractions when I use the Splunk field extractor.
Which one is the best method?
07-05-2016 05:55 PM
I can index the individual file under that appy directory but not the entire appy directory. Wondering why it's not indexing, because the logs in appy are similar to the other folder's logs but from a different application.
07-05-2016 05:53 PM
I am not fetching data from remote servers to run that forwarder command.
Those directories are on the Splunk local server (I mean that the "appy" directory is located on the D drive and Splunk is installed on the C drive); no other servers are connected using a universal forwarder.
07-05-2016 04:55 PM
I am searching for "all time" only. The interesting thing is that it is indexing individual files but not that directory.