i have a standalone splunk machine there i am monitoring a airwatch sample log Nov 13 20:48:19 AirWatch AirWatch Syslog Details are as follows Event Type: ConsoleEvent: ApplicationPublishedUser: xxx.yyyEvent Source: ServerEvent Module: AppsEvent Category: ApplicationsEvent Data: LoginSessionID=;Application=xxx;ApplicationType=Internal;ApplicationVersion=0.95.251112.0;ApplicationUUID=xxx-35e8-40a3-b7ec-e3e28261002d;ApplicationBundle=com.xxx.mersal Event Timestamp: Nov 13 20:48:18 Nov 13 20:48:19 AirWatch AirWatch Syslog Details are as follows Event Type: DeviceEvent: InstallApplicationRequestedUser: xxx.yyyEvent Source: ServerEvent Module: DashboardEvent Category: CommandEvent Data: ApplicationType=Internal;Application=xxx;ApplicationVersion=CU2407.95.251112;ApplicationUUID=xxx-35e8-40a3-b7ec-e3e28261002d Event Timestamp: Nov 13 20:48:18 Nov 13 20:48:19 AirWatch AirWatch Syslog Details are as follows Event Type: DeviceEvent: InstallApplicationRequestedUser: xxx.yyyEvent Source: ServerEvent Module: DashboardEvent Category: CommandEvent Data: ApplicationType=Internal;Application=xxx;ApplicationVersion=CU2407.95.251112;ApplicationUUID=xxx-35e8-40a3-b7ec-e3e28261002d Event Timestamp: Nov 13 20:48:18 Nov 13 20:48:19 AirWatch AirWatch Syslog Details are as follows Event Type: DeviceEvent: InstallApplicationRequestedUser: xxx.yyyEvent Source: ServerEvent Module: DashboardEvent Category: CommandEvent Data: ApplicationType=Internal;Application=xxx;ApplicationVersion=CU2407.95.251112;ApplicationUUID=xxx-35e8-40a3-b7ec-e3e28261002d Event Timestamp: Nov 13 20:48:18 Nov 13 20:48:19 AirWatch AirWatch Syslog Details are as follows Event Type: DeviceEvent: InstallApplicationRequestedUser: xxx.yyyEvent Source≈: ServerEvent Module: DashboardEvent Category: CommandEvent Data: ApplicationType=Internal;Application=xxx;ApplicationVersion=CU2407.95.251112;ApplicationUUID=xxx-35e8-40a3-b7ec-e3e28261002d Event Timestamp: Nov 13 20:48:18 Nov 13 20:48:19 AirWatch AirWatch Syslog Details are as follows Event Type: DeviceEvent: InstallApplicationRequestedUser: xxx.yyyEvent Source: ServerEvent Module: DashboardEvent Category: CommandEvent Data: ApplicationType=Internal;Application=xxx;ApplicationVersion=CU2407.95.251112;ApplicationUUID=xxx-35e8-40a3-b7ec-e3e28261002d Event Timestamp: Nov 13 20:48:18 Nov 13 20:48:19 AirWatch AirWatch Syslog Details are as follows Event Type: DeviceEvent: InstallApplicationRequestedUser: xxx.yyyEvent Source: ServerEvent Module: DashboardEvent Category: CommandEvent Data: ApplicationType=Internal;Application=xxx;ApplicationVersion=CU2407.95.251112;ApplicationUUID=xxx-35e8-40a3-b7ec-e3e28261002d Event Timestamp: Nov 13 20:48:18    Inputs.conf [monitor:///Applications/Splunk/etc/apps/Data_APP/Data/dummyfile.log] disabled = false host = hostname index = omnissa_idx sourcetype = omnissa:airwatch:syslog   props.conf [omnissa:airwatch:syslog] SHOULD_LINEMERGE = false TIME_PREFIX = ^ MAX_TIMESTAMP_LOOKAHEAD = 100 REPORT-main = airwatch_main_fields, airwatch_kv_fields   Transforms.conf [airwatch_main_fields] REGEX = Event Type:\s*(?<event_type>[^:]+):\s*(?<event_action>.*?)(?=User:)User:\s*(?<user>.*?)(?=Event Source:)Event Source:\s*(?<event_source>.*?)(?=Event Module:)Event Module:\s*(?<event_module>.*?)(?=Event Category:)Event Category:\s*(?<event_category>.*?)(?=Event Data:)Event Data:\s*(?<event_data>.*?)(?=Event Timestamp:)Event Timestamp:\s*(?<event_timestamp>.*) FORMAT = [airwatch_kv_fields] REGEX = (\w+)=([^;]+) FORMAT = $1::$2   the same regex is working when i apply it using rex field=_raw <regex> but its not working when i put it in the transforms So when i use this configuration, i dont see any fields getting extracted.. But i am not sure how these below fields are extracted automatically even with below props those 4 fields are extracted  [omnissa:duplicate] SHOULD_LINEMERGE = false ... View more

Hello, I have completed splunk admin certification in 2019. I know its expired but i m not able to see the certificates anywhere Also someone please tell me where to view active and inactive certificates(not as a partner) ... View more

I have to create a custom command using python script to update a particular property(enableSched) from 1 to 0 or 0 to 1.  Please let me know if anyone know how to do this..     ... View more

Hello, I have problem in installing Python module on splunk i am getting pip not found error whenever i try to using pip module.. I am not sure what is wrong here.. Please someone help me figure this out.. ... View more

Here is my kv store lookup  name rating comment experience  subject A 3 good 4 math B 4 very good 7 science   now i want to append new row like this with different rating name rating comment experience  subject A 3 good 4 math B 4 very good 7 science A 5 Excellent  4 math   i am trying to use      | inputlookup table_a |search name="A" |eval rating=5 ,comment="Execellent" key=_key| outputlookup append=true key_field=key table_a     But this is not working..Please someone help me with this..   Thanks ... View more

Hello, I have to index a log file in linux server in to one index but need to have two different sourcetype. Is it possible?? I tried but when compare  index = audit_idx sourcetype = linux_audit and index =audit_idx sourcetype = linux_audit_mll , results are not same there are few logs missing in each. Want to know why its happening. Thanks in advance..   ... View more

Will custom command created using python reduce search performance For example, If i try to write alternate script for |spath command, comparing to spath will custom command reduce the search time or increase it?? ... View more

Hello, { [-] guessedService: ejj logGroup: /aws/ejj/cluster logStream: kube-apt-15444d2f8c4b216a9cb69ac message:{"kind":"Event","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/jej/endpoints/eji.com-aws-eji","verb":"update","user":{"username":"system:serviceaccount:efs:efs-provisioner","uid":"ab5d27b4c-71a4f77323b0","groups":["system:serviceaccounts","system:serviceaccounts:eji","system:authenticated"]},"sourceIPs":["10.0.0.0"],"userAgent":"eji-provisioner/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"endpoints","namespace":"edd","name":"dds.com-aws-edds","uid":"44ad8-899f-fbc1f4befb2f","apiVersion":"v1","resourceVersion":"8852157"},"responseStatus":{"metadata":{},"code":200}}   i already a below props and transforms to extract all the fields from message.  Props.conf [json_no_new] REPORT-json = report-json,report-json-new KV_MODE = none INDEXED_EXTRACTIONS = json LINE_BREAKER = ^{ NO_BINARY_CHECK = true disabled = false pulldown_type = true Transforms.conf [report-json] SOURCE_KEY = message REGEX = (?P<json2>{.+) DEST_KEY = _raw [report-json-new] REGEX = \\*"([^"]+)\":[\s]*"*(\[.*?\]|\{.*?\}"*\}*|[^"]+|\d+),* FORMAT = $1::$2 SOURCE_KEY = json2 Now from the result i have below field with json value user = {"username":"system:serviceaccount:efs:efs-provisioner","uid":"ab5d27b4c-71a4f77323b0","groups":["system:serviceaccounts","system:serviceaccounts:eji","system:authenticated"]} again with props and transform i want to extract values from user field. Please some one let me know if thats possible  Thanks ... View more

Hello I have this below data, { [-] guessedService: ejj logGroup: /aws/ejj/cluster logStream: kube-apt-15444d2f8c4b216a9cb69ac message:{"kind":"Event","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/jej/endpoints/eji.com-aws-eji","verb":"update","user":{"username":"system:serviceaccount:efs:efs-provisioner","uid":"ab5d27b4c-71a4f77323b0","groups":["system:serviceaccounts","system:serviceaccounts:eji","system:authenticated"]},"sourceIPs":["10.0.0.0"],"userAgent":"eji-provisioner/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"endpoints","namespace":"edd","name":"dds.com-aws-edds","uid":"44ad8-899f-fbc1f4befb2f","apiVersion":"v1","resourceVersion":"8852157"},"responseStatus":{"metadata":{},"code":200}}   Need to extract user:{username:.....} user part alone  need to write once regex to extarct all the values inside user object..like user.username, user.uid, user.groups     ... View more

I have logs with same _time(msg field) like below type=CWD msg=audit(1631697722.980:2773): cwd="/" type=PATH msg=audit(1631697722.980:2773): item=0 name="/bin/bash" inode=12593039 type=PATH msg=audit(1631697722.980:2773): item=1 ouid=0 ogid=0 rdev=00:00 type=PROCTITLE msg=audit(1631697722.980:2773): proctitle=2F62696E2F626E2F6C6F67726F74617E66  While indexing i want events to be grouped by _time (taking above example, instead of having 4 events i want one single events with all the type). I used SHOULD_LINEMERGE = true but its not working  Please someone help me with this.. ... View more