Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About sivaranjiniG
sivaranjiniG
Path Finder
Member since:
07-12-2016
2 weeks ago
Community Statistics
| Posts | 49 |
| Solutions | 2 |
| Karma Given | 16 |
| Karma Received | 6 |
| Member Since | 07-12-2016 |
Activity Feed
- Got Karma for How do i view my splunk certificate in splunk site. 02-12-2025 12:44 PM
- Karma Re: Is there any way to get the fields and its expression from datamodel for livehybrid. 02-02-2025 11:51 PM
- Karma Re: How do i view my splunk certificate in splunk site for vsommer. 02-02-2025 12:55 AM
- Karma Re: How do i view my splunk certificate in splunk site for kiran_panchavat. 02-02-2025 12:55 AM
- Posted Is there any way to get the fields and its expression from datamodel on Splunk Search. 02-02-2025 12:54 AM
- Posted Re: How do i view my splunk certificate in splunk site on Training + Certification Discussions. 02-01-2025 08:41 AM
- Posted How do i view my splunk certificate in splunk site on Training + Certification Discussions. 01-29-2025 09:03 AM
- Posted How to update enableSched in savedsearch.conf using python script on Splunk Search. 09-24-2024 03:24 AM
- Tagged How to update enableSched in savedsearch.conf using python script on Splunk Search. 09-24-2024 03:24 AM
- Posted installing python module in splunk on Getting Data In. 02-22-2024 08:44 PM
- Tagged installing python module in splunk on Getting Data In. 02-22-2024 08:44 PM
- Posted Re: append new row with few different values kv store on Knowledge Management. 09-14-2023 05:36 AM
- Posted Re: append new row with few different values kv store on Knowledge Management. 09-13-2023 09:37 PM
- Posted Re: append new row with few different values kv store on Knowledge Management. 09-13-2023 07:20 PM
- Posted How to append new row with few different values kv store? on Knowledge Management. 09-13-2023 01:38 PM
- Tagged How to append new row with few different values kv store? on Knowledge Management. 09-13-2023 01:38 PM
- Karma Re: mvexpand not working on lookup. for kamlesh_vaghela. 12-20-2022 09:13 PM
- Karma Re: How do you search, by day, for the first and the last user to log in and log off in a Windows event? for renjith_nair. 11-12-2022 08:50 PM
- Got Karma for Can splunk index same data into one index but different sourcetypes??. 09-28-2022 04:56 AM
- Posted Can splunk index same data into one index but different sourcetypes?? on Splunk Search. 09-28-2022 04:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-02-2025
12:54 AM
Hello, Is there any way to get fieldname and its expression from datamodel using rest api(using splunk query)? I am already using this query but here fields and its expressions are shuffled. | datamodel
| spath output=modelName modelName
|search modelName=Network_Traffic
|rex max_match=0 field=_raw "\[\{\"fieldName\":\"(?<fields>[^\"]+)\""
|rex max_match=0 field=_raw "\"expression\":\"(?<expression>.*?)\"}"
|table fields expression
... View more
Labels
- Labels:
-
tstats
02-01-2025
08:41 AM
Hello, No, I do see some free trainings i went through but i don't see the main certifications i have there, I have completed Splunk Enterprise Security Admin(Active), Splunk Power User and Admin Certificate(Expired).
... View more
01-29-2025
09:03 AM
1 Karma
Hello, I have completed splunk admin certification in 2019. I know its expired but i m not able to see the certificates anywhere Also someone please tell me where to view active and inactive certificates(not as a partner)
... View more
Labels
- Labels:
-
Certification
09-24-2024
03:24 AM
I have to create a custom command using python script to update a particular property(enableSched) from 1 to 0 or 0 to 1. Please let me know if anyone know how to do this..
... View more
- Tags:
- python
- update conf
02-22-2024
08:44 PM
Hello, I have problem in installing Python module on splunk i am getting pip not found error whenever i try to using pip module.. I am not sure what is wrong here.. Please someone help me figure this out..
... View more
Labels
- Labels:
-
data
-
scripted input
09-14-2023
05:36 AM
Please read the my previous response fully...I have tried in both ways Anyways thanks for your response. I found a solution
... View more
09-13-2023
09:37 PM
Its KV store.. when i try to add a row its updating the existing row example, instead of this output i am getting name rating comment experience subject A 3 good 4 math B 4 very good 7 science A 5 Excellent 4 math this, name rating comment experience subject A 5 Excellent 4 math B 4 very good 7 science I tried these 2 solutions, I thought i dont have write access but i have i can update the file but not able to add a new row | inputlookup table_a
|search name="A" |eval rating=5 ,comment="Execellent" key=_key| outputlookup append=true key_field=key table_a
-----------------------------
| inputlookup table_a
|search name="A" |eval rating=5 ,comment="Execellent" | outputlookup append=true table_a
... View more
09-13-2023
07:20 PM
I tried it too.its not working should i enable anything or add any property while creating lookup file
... View more
09-13-2023
01:38 PM
Here is my kv store lookup
name
rating
comment
experience
subject
A
3
good
4
math
B
4
very good
7
science
now i want to append new row like this with different rating
name
rating
comment
experience
subject
A
3
good
4
math
B
4
very good
7
science
A
5
Excellent
4
math
i am trying to use
| inputlookup table_a
|search name="A" |eval rating=5 ,comment="Execellent" key=_key| outputlookup append=true key_field=key table_a
But this is not working..Please someone help me with this..
Thanks
... View more
Labels
- Labels:
-
kvstore
09-28-2022
04:47 AM
1 Karma
Hello, I have to index a log file in linux server in to one index but need to have two different sourcetype. Is it possible?? I tried but when compare index = audit_idx sourcetype = linux_audit and index =audit_idx sourcetype = linux_audit_mll , results are not same there are few logs missing in each. Want to know why its happening. Thanks in advance..
... View more
- Tags:
- index
- props
- transforms
02-26-2022
01:57 AM
Will custom command created using python reduce search performance
For example,
If i try to write alternate script for |spath command, comparing to spath will custom command reduce the search time or increase it??
... View more
02-14-2022
01:22 AM
I have below logs file i indexed with props below.
type=PROCTITLE msg=audit(02/08/2022 15:00:01.749:4321) : proctitle=xxxx
type=PATH msg=audit(02/08/2022 15:00:01.749:4321) : item=1 name=xxx mode=file,644
type=PATH msg=audit(02/08/2022 15:00:01.749:4321) : item=0 name=sfsdfds mode=file,644 ouid=root
type=CWD msg=audit(02/08/2022 15:00:01.749:4321) : cwd=/
type=SYSCALL msg=audit(02/08/2022 15:00:01.749:4321) : arch=x86_64 syscall=open success=yes exit=3 a0=dsfdsfds a1=dfsdf a2=sdfsdf a3=sdfsdf
----
type=CRED_ACQ msg=audit(02/08/2022 15:00:01.749:4322) : pid=30891
----
type=LOGIN msg=audit(02/08/2022 15:00:01.751:4323) : pid=30891
----
type=USER_ACCT msg=audit(02/08/2022 15:00:01.751:4324) : pid=30892
----
Props.conf
[src_type]
SHOULD_LINEMERGE = false
LINE_BREAKER = (----\s)
Its properly get indexed with line breaking but when i search for values(type) on search head its not giving all the values
for example, from the first event values(type) suppose to be multivalue field with
PROCTITLE, PATH, CWD, SYSCALL but it only has single value PROCTITLE
why type value is not properly getting extracted.
Am i missing something with props configuration???
Thanks for the help in advance )
... View more
Labels
- Labels:
-
indexer
-
props.conf
-
transforms.conf
12-14-2021
04:06 AM
Hello, { [-]
guessedService: ejj
logGroup: /aws/ejj/cluster
logStream: kube-apt-15444d2f8c4b216a9cb69ac
message:{"kind":"Event","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/jej/endpoints/eji.com-aws-eji","verb":"update","user":{"username":"system:serviceaccount:efs:efs-provisioner","uid":"ab5d27b4c-71a4f77323b0","groups":["system:serviceaccounts","system:serviceaccounts:eji","system:authenticated"]},"sourceIPs":["10.0.0.0"],"userAgent":"eji-provisioner/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"endpoints","namespace":"edd","name":"dds.com-aws-edds","uid":"44ad8-899f-fbc1f4befb2f","apiVersion":"v1","resourceVersion":"8852157"},"responseStatus":{"metadata":{},"code":200}} i already a below props and transforms to extract all the fields from message. Props.conf [json_no_new] REPORT-json = report-json,report-json-new KV_MODE = none INDEXED_EXTRACTIONS = json LINE_BREAKER = ^{ NO_BINARY_CHECK = true disabled = false pulldown_type = true Transforms.conf [report-json] SOURCE_KEY = message REGEX = (?P<json2>{.+) DEST_KEY = _raw [report-json-new] REGEX = \\*"([^"]+)\":[\s]*"*(\[.*?\]|\{.*?\}"*\}*|[^"]+|\d+),* FORMAT = $1::$2 SOURCE_KEY = json2 Now from the result i have below field with json value user = {"username":"system:serviceaccount:efs:efs-provisioner","uid":"ab5d27b4c-71a4f77323b0","groups":["system:serviceaccounts","system:serviceaccounts:eji","system:authenticated"]} again with props and transform i want to extract values from user field. Please some one let me know if thats possible Thanks
... View more
- Tags:
- props
- rex
- transforms
12-14-2021
03:02 AM
Thanks for the reply, but i need to use props and transforms either index or search time extraction
... View more
- Tags:
- hanks
12-14-2021
02:25 AM
Hello I have this below data, { [-]
guessedService: ejj
logGroup: /aws/ejj/cluster
logStream: kube-apt-15444d2f8c4b216a9cb69ac
message:{"kind":"Event","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/jej/endpoints/eji.com-aws-eji","verb":"update","user":{"username":"system:serviceaccount:efs:efs-provisioner","uid":"ab5d27b4c-71a4f77323b0","groups":["system:serviceaccounts","system:serviceaccounts:eji","system:authenticated"]},"sourceIPs":["10.0.0.0"],"userAgent":"eji-provisioner/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"endpoints","namespace":"edd","name":"dds.com-aws-edds","uid":"44ad8-899f-fbc1f4befb2f","apiVersion":"v1","resourceVersion":"8852157"},"responseStatus":{"metadata":{},"code":200}} Need to extract user:{username:.....} user part alone need to write once regex to extarct all the values inside user object..like user.username, user.uid, user.groups
... View more
- Tags:
- regex
11-21-2021
07:49 AM
Here is the solution.. Referred these, https://community.splunk.com/t5/Getting-Data-In/Extract-JSON-data-within-the-logs-JSON-mixed-with-unstructured/td-p/195292 https://community.splunk.com/t5/Splunk-Search/Problem-with-using-SOURCE-KEY/m-p/40116 Props.conf [json_no_timestamp] REPORT-json = report-json,report-json-kv KV_MODE = none INDEXED_EXTRACTIONS = json LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true disabled = false pulldown_type = true transforms.conf [report-json] SOURCE_KEY = message REGEX = (?P<json2>{.+) # Manually extract JSON key-value [report-json-kv] REGEX = \"(\w+)\":[\s]*\"([^\,\}\"]+) FORMAT = $1::$2 SOURCE_KEY = json2
... View more
11-21-2021
04:00 AM
we used spath in the query but its making the query heavy. thats the reason why trying to do it in the index time. All the available solution helps in extraction if whole event i json. but couldnt find anything to extract a fields from another field.
... View more
11-17-2021
12:56 AM
I have a field message which have values has json format need to extract all the values in the json. { [-]
guessedService: ejj
logGroup: /aws/ejj/cluster
logStream: kube-apt-15444d2f8c4b216a9cb69ac
message:{"kind":"Event","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/jej/endpoints/eji.com-aws-eji","verb":"update","user":{"username":"system:serviceaccount:efs:efs-provisioner","uid":"ab5d27b4c-71a4f77323b0","groups":["system:serviceaccounts","system:serviceaccounts:eji","system:authenticated"]},"sourceIPs":["10.0.0.0"],"userAgent":"eji-provisioner/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"endpoints","namespace":"edd","name":"dds.com-aws-edds","uid":"44ad8-899f-fbc1f4befb2f","apiVersion":"v1","resourceVersion":"8852157"},"responseStatus":{"metadata":{},"code":200}} here from message field need to extract kind, stage, requestURI... and these fields inside json are dynamic(it can be more in other event). need help in extracting these fields in index time using props and transforms Thanks
... View more
- Tags:
- indextime extraction
Labels
- Labels:
-
props.conf
-
transforms.conf
09-19-2021
08:18 AM
I have logs with same _time(msg field) like below type=CWD msg=audit(1631697722.980:2773): cwd="/"
type=PATH msg=audit(1631697722.980:2773): item=0 name="/bin/bash" inode=12593039
type=PATH msg=audit(1631697722.980:2773): item=1 ouid=0 ogid=0 rdev=00:00
type=PROCTITLE msg=audit(1631697722.980:2773): proctitle=2F62696E2F626E2F6C6F67726F74617E66 While indexing i want events to be grouped by _time (taking above example, instead of having 4 events i want one single events with all the type). I used SHOULD_LINEMERGE = true but its not working Please someone help me with this..
... View more
12-17-2020
05:55 AM
Is it possible to use props and transforms in UF?
... View more
12-17-2020
05:10 AM
I have a file with full of logs from different sources. But i want to monitor only logs from a particular network device(cisco-ise). Please help me do it using props here in the example wherever <ise-hostname> those has to be monitored(means before going to indexer it should extract ise logs Oct 6 03:44:01 <hostname> rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1294" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Oct 6 03:44:02 <hostname> rhsmd: This system is registered to RHN Classic.
Oct 6 03:44:06 <ise-hostname> <hostname>: Dropping Primary discovery request from AP - limit for maximum APs supported 30 reached
Oct 6 03:40:16 <ise-hostname> CISE_Failed_Attempts 1 0 2019-10-06 03:40:16.968 +05:30 NOTICE Failed-Attempt: RADIUS Accounting-Request dropped, ConfigVersionId=62, Device IP Address=<ip-address>, Device Port=<PORT>, DestinationIPAddress=<ip-address>, DestinationPort=<PORT>, Protocol=Radius, User-Name=ppp, Acct-Status-Type=Start, Acct-Session Id=sfaksdaksf, Event-Ti
mestamp=1569504083, AcsSessionID=<hostname>/asdasd, FailureReason=11007 Could not locate Network Device , Step=333, Step=55, Step=22, Step=11, #44
Oct 6 03:44:09 <hostname>: MOBILESTATION_NOT_FOUND: Could not find the mobile sadas in internal database
Oct 6 03:40:26 <ise-hostname> CISE_Failed_Attempts 1 0 2019-10-06 03:40:26.180 +05:30 NOTICE Failed-Attempt: RADIUS Accounting-Request dropped, ConfigVersionId=62, Device IP Address=<ip-address>, Device Port=<port>, DestinationIPAddress=<ip-address>, DestinationPort=<port>, Protocol=Radius, User-Name=wipro, Acct-Status-Type=Start, Acct-Session-Id=sdfsdfs, Event-Timestamp=1569504083, AcsSessionID=dfsdf, FailureReason=33 Could not locate Network Device , Step=343, Step=231, Step=55, Step=11, #44
... View more
Labels
12-15-2020
06:48 PM
I have a Bluecoat device i want to monitor that device logs using UF. after have opened port from bluecoat to a relay server(Windows server with UF installed). But Data is not getting forwarded to Indexer..Please let me know if forwarding logs from network devices through tcp port using Splunk UF is possible.. If thats possible please suggest me some way to troubleshoot this issue(from Splunk UF data is not sent to Indexer)
... View more
Labels
- Labels:
-
universal forwarder
11-24-2020
01:39 AM
i need to find daily indexing volume but without using any internal indexes..
... View more
- Tags:
- search query
Labels
- Labels:
-
search head
11-03-2020
10:20 PM
Okay. Thanks for your response. I have multiple monitor stanzas in my inputs conf file..So you are saying this mistake i made in one stanza will not affect other stanzas..data will still sent to indexer?
... View more
11-02-2020
08:00 PM
Hello, i have a windows machine(Windows Version 10) which is configured to send data to a indexer. but data is not sent to indexer. while checking splunkd log, i see a warning WARN IniFile - C:\Program Files\SplunkUniversalForwarder\etc\apps\<app_name>\local\inputs.conf, line 1: Cannot parse into key-value pair: ?#################################### there is this as issue in inputs conf which is corrected now. but could it be the issue which blocks the UF to send data to indexer?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
2 weeks ago
|
Karma given to
