Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About sivaranjiniG
sivaranjiniG
Path Finder
Member since:
07-12-2016
2 weeks ago
Community Statistics
| Posts | 44 |
| Solutions | 2 |
| Karma Given | 13 |
| Karma Received | 5 |
| Member Since | 07-12-2016 |
Activity Feed
- Posted Re: append new row with few different values kv store on Knowledge Management. 2 weeks ago
- Posted Re: append new row with few different values kv store on Knowledge Management. 2 weeks ago
- Posted Re: append new row with few different values kv store on Knowledge Management. 2 weeks ago
- Posted How to append new row with few different values kv store? on Knowledge Management. 2 weeks ago
- Tagged How to append new row with few different values kv store? on Knowledge Management. 2 weeks ago
- Karma Re: mvexpand not working on lookup. for kamlesh_vaghela. 12-20-2022 09:13 PM
- Karma Re: How do you search, by day, for the first and the last user to log in and log off in a Windows event? for renjith_nair. 11-12-2022 08:50 PM
- Got Karma for Can splunk index same data into one index but different sourcetypes??. 09-28-2022 04:56 AM
- Posted Can splunk index same data into one index but different sourcetypes?? on Splunk Search. 09-28-2022 04:47 AM
- Tagged Can splunk index same data into one index but different sourcetypes?? on Splunk Search. 09-28-2022 04:47 AM
- Tagged Can splunk index same data into one index but different sourcetypes?? on Splunk Search. 09-28-2022 04:47 AM
- Got Karma for Splunk SPL Query to Sigma File Conversion. 04-20-2022 10:31 AM
- Posted What is the performance impact of custom command using python? on Splunk Search. 02-26-2022 01:57 AM
- Tagged What is the performance impact of custom command using python? on Splunk Search. 02-26-2022 01:57 AM
- Posted Why are multiline fields not parsed properly? on Getting Data In. 02-14-2022 01:22 AM
- Posted Field extraction using props and transforms on Building for the Splunk Platform. 12-14-2021 04:06 AM
- Tagged Field extraction using props and transforms on Building for the Splunk Platform. 12-14-2021 04:06 AM
- Tagged Field extraction using props and transforms on Building for the Splunk Platform. 12-14-2021 04:06 AM
- Posted Re: extract json inside another json object using regex on Building for the Splunk Platform. 12-14-2021 03:02 AM
- Posted extract json inside another json object using regex on Building for the Splunk Platform. 12-14-2021 02:25 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
2 weeks ago
Please read the my previous response fully...I have tried in both ways Anyways thanks for your response. I found a solution
... View more
2 weeks ago
Its KV store.. when i try to add a row its updating the existing row example, instead of this output i am getting name rating comment experience subject A 3 good 4 math B 4 very good 7 science A 5 Excellent 4 math this, name rating comment experience subject A 5 Excellent 4 math B 4 very good 7 science I tried these 2 solutions, I thought i dont have write access but i have i can update the file but not able to add a new row | inputlookup table_a
|search name="A" |eval rating=5 ,comment="Execellent" key=_key| outputlookup append=true key_field=key table_a
-----------------------------
| inputlookup table_a
|search name="A" |eval rating=5 ,comment="Execellent" | outputlookup append=true table_a
... View more
2 weeks ago
I tried it too.its not working should i enable anything or add any property while creating lookup file
... View more
2 weeks ago
Here is my kv store lookup
name
rating
comment
experience
subject
A
3
good
4
math
B
4
very good
7
science
now i want to append new row like this with different rating
name
rating
comment
experience
subject
A
3
good
4
math
B
4
very good
7
science
A
5
Excellent
4
math
i am trying to use
| inputlookup table_a
|search name="A" |eval rating=5 ,comment="Execellent" key=_key| outputlookup append=true key_field=key table_a
But this is not working..Please someone help me with this..
Thanks
... View more
Labels
- Labels:
-
kvstore
09-28-2022
04:47 AM
1 Karma
Hello, I have to index a log file in linux server in to one index but need to have two different sourcetype. Is it possible?? I tried but when compare index = audit_idx sourcetype = linux_audit and index =audit_idx sourcetype = linux_audit_mll , results are not same there are few logs missing in each. Want to know why its happening. Thanks in advance..
... View more
- Tags:
- index
- props
- transforms
Labels
- Labels:
-
other
02-26-2022
01:57 AM
Will custom command created using python reduce search performance
For example,
If i try to write alternate script for |spath command, comparing to spath will custom command reduce the search time or increase it??
... View more
Labels
- Labels:
-
other
02-14-2022
01:22 AM
I have below logs file i indexed with props below.
type=PROCTITLE msg=audit(02/08/2022 15:00:01.749:4321) : proctitle=xxxx
type=PATH msg=audit(02/08/2022 15:00:01.749:4321) : item=1 name=xxx mode=file,644
type=PATH msg=audit(02/08/2022 15:00:01.749:4321) : item=0 name=sfsdfds mode=file,644 ouid=root
type=CWD msg=audit(02/08/2022 15:00:01.749:4321) : cwd=/
type=SYSCALL msg=audit(02/08/2022 15:00:01.749:4321) : arch=x86_64 syscall=open success=yes exit=3 a0=dsfdsfds a1=dfsdf a2=sdfsdf a3=sdfsdf
----
type=CRED_ACQ msg=audit(02/08/2022 15:00:01.749:4322) : pid=30891
----
type=LOGIN msg=audit(02/08/2022 15:00:01.751:4323) : pid=30891
----
type=USER_ACCT msg=audit(02/08/2022 15:00:01.751:4324) : pid=30892
----
Props.conf
[src_type]
SHOULD_LINEMERGE = false
LINE_BREAKER = (----\s)
Its properly get indexed with line breaking but when i search for values(type) on search head its not giving all the values
for example, from the first event values(type) suppose to be multivalue field with
PROCTITLE, PATH, CWD, SYSCALL but it only has single value PROCTITLE
why type value is not properly getting extracted.
Am i missing something with props configuration???
Thanks for the help in advance )
... View more
Labels
- Labels:
-
indexer
-
props.conf
-
transforms.conf
12-14-2021
04:06 AM
Hello, { [-]
guessedService: ejj
logGroup: /aws/ejj/cluster
logStream: kube-apt-15444d2f8c4b216a9cb69ac
message:{"kind":"Event","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/jej/endpoints/eji.com-aws-eji","verb":"update","user":{"username":"system:serviceaccount:efs:efs-provisioner","uid":"ab5d27b4c-71a4f77323b0","groups":["system:serviceaccounts","system:serviceaccounts:eji","system:authenticated"]},"sourceIPs":["10.0.0.0"],"userAgent":"eji-provisioner/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"endpoints","namespace":"edd","name":"dds.com-aws-edds","uid":"44ad8-899f-fbc1f4befb2f","apiVersion":"v1","resourceVersion":"8852157"},"responseStatus":{"metadata":{},"code":200}} i already a below props and transforms to extract all the fields from message. Props.conf [json_no_new] REPORT-json = report-json,report-json-new KV_MODE = none INDEXED_EXTRACTIONS = json LINE_BREAKER = ^{ NO_BINARY_CHECK = true disabled = false pulldown_type = true Transforms.conf [report-json] SOURCE_KEY = message REGEX = (?P<json2>{.+) DEST_KEY = _raw [report-json-new] REGEX = \\*"([^"]+)\":[\s]*"*(\[.*?\]|\{.*?\}"*\}*|[^"]+|\d+),* FORMAT = $1::$2 SOURCE_KEY = json2 Now from the result i have below field with json value user = {"username":"system:serviceaccount:efs:efs-provisioner","uid":"ab5d27b4c-71a4f77323b0","groups":["system:serviceaccounts","system:serviceaccounts:eji","system:authenticated"]} again with props and transform i want to extract values from user field. Please some one let me know if thats possible Thanks
... View more
- Tags:
- props
- rex
- transforms
Labels
- Labels:
-
other
12-14-2021
03:02 AM
Thanks for the reply, but i need to use props and transforms either index or search time extraction
... View more
- Tags:
- hanks
12-14-2021
02:25 AM
Hello I have this below data, { [-]
guessedService: ejj
logGroup: /aws/ejj/cluster
logStream: kube-apt-15444d2f8c4b216a9cb69ac
message:{"kind":"Event","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/jej/endpoints/eji.com-aws-eji","verb":"update","user":{"username":"system:serviceaccount:efs:efs-provisioner","uid":"ab5d27b4c-71a4f77323b0","groups":["system:serviceaccounts","system:serviceaccounts:eji","system:authenticated"]},"sourceIPs":["10.0.0.0"],"userAgent":"eji-provisioner/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"endpoints","namespace":"edd","name":"dds.com-aws-edds","uid":"44ad8-899f-fbc1f4befb2f","apiVersion":"v1","resourceVersion":"8852157"},"responseStatus":{"metadata":{},"code":200}} Need to extract user:{username:.....} user part alone need to write once regex to extarct all the values inside user object..like user.username, user.uid, user.groups
... View more
- Tags:
- regex
Labels
- Labels:
-
other
11-21-2021
07:49 AM
Here is the solution.. Referred these, https://community.splunk.com/t5/Getting-Data-In/Extract-JSON-data-within-the-logs-JSON-mixed-with-unstructured/td-p/195292 https://community.splunk.com/t5/Splunk-Search/Problem-with-using-SOURCE-KEY/m-p/40116 Props.conf [json_no_timestamp] REPORT-json = report-json,report-json-kv KV_MODE = none INDEXED_EXTRACTIONS = json LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true disabled = false pulldown_type = true transforms.conf [report-json] SOURCE_KEY = message REGEX = (?P<json2>{.+) # Manually extract JSON key-value [report-json-kv] REGEX = \"(\w+)\":[\s]*\"([^\,\}\"]+) FORMAT = $1::$2 SOURCE_KEY = json2
... View more
11-21-2021
04:00 AM
we used spath in the query but its making the query heavy. thats the reason why trying to do it in the index time. All the available solution helps in extraction if whole event i json. but couldnt find anything to extract a fields from another field.
... View more
11-17-2021
12:56 AM
I have a field message which have values has json format need to extract all the values in the json. { [-]
guessedService: ejj
logGroup: /aws/ejj/cluster
logStream: kube-apt-15444d2f8c4b216a9cb69ac
message:{"kind":"Event","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/jej/endpoints/eji.com-aws-eji","verb":"update","user":{"username":"system:serviceaccount:efs:efs-provisioner","uid":"ab5d27b4c-71a4f77323b0","groups":["system:serviceaccounts","system:serviceaccounts:eji","system:authenticated"]},"sourceIPs":["10.0.0.0"],"userAgent":"eji-provisioner/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"endpoints","namespace":"edd","name":"dds.com-aws-edds","uid":"44ad8-899f-fbc1f4befb2f","apiVersion":"v1","resourceVersion":"8852157"},"responseStatus":{"metadata":{},"code":200}} here from message field need to extract kind, stage, requestURI... and these fields inside json are dynamic(it can be more in other event). need help in extracting these fields in index time using props and transforms Thanks
... View more
- Tags:
- indextime extraction
Labels
- Labels:
-
props.conf
-
transforms.conf
09-19-2021
08:18 AM
I have logs with same _time(msg field) like below type=CWD msg=audit(1631697722.980:2773): cwd="/"
type=PATH msg=audit(1631697722.980:2773): item=0 name="/bin/bash" inode=12593039
type=PATH msg=audit(1631697722.980:2773): item=1 ouid=0 ogid=0 rdev=00:00
type=PROCTITLE msg=audit(1631697722.980:2773): proctitle=2F62696E2F626E2F6C6F67726F74617E66 While indexing i want events to be grouped by _time (taking above example, instead of having 4 events i want one single events with all the type). I used SHOULD_LINEMERGE = true but its not working Please someone help me with this..
... View more
Labels
- Labels:
-
other
12-17-2020
05:55 AM
Is it possible to use props and transforms in UF?
... View more
12-17-2020
05:10 AM
I have a file with full of logs from different sources. But i want to monitor only logs from a particular network device(cisco-ise). Please help me do it using props here in the example wherever <ise-hostname> those has to be monitored(means before going to indexer it should extract ise logs Oct 6 03:44:01 <hostname> rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1294" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Oct 6 03:44:02 <hostname> rhsmd: This system is registered to RHN Classic.
Oct 6 03:44:06 <ise-hostname> <hostname>: Dropping Primary discovery request from AP - limit for maximum APs supported 30 reached
Oct 6 03:40:16 <ise-hostname> CISE_Failed_Attempts 1 0 2019-10-06 03:40:16.968 +05:30 NOTICE Failed-Attempt: RADIUS Accounting-Request dropped, ConfigVersionId=62, Device IP Address=<ip-address>, Device Port=<PORT>, DestinationIPAddress=<ip-address>, DestinationPort=<PORT>, Protocol=Radius, User-Name=ppp, Acct-Status-Type=Start, Acct-Session Id=sfaksdaksf, Event-Ti
mestamp=1569504083, AcsSessionID=<hostname>/asdasd, FailureReason=11007 Could not locate Network Device , Step=333, Step=55, Step=22, Step=11, #44
Oct 6 03:44:09 <hostname>: MOBILESTATION_NOT_FOUND: Could not find the mobile sadas in internal database
Oct 6 03:40:26 <ise-hostname> CISE_Failed_Attempts 1 0 2019-10-06 03:40:26.180 +05:30 NOTICE Failed-Attempt: RADIUS Accounting-Request dropped, ConfigVersionId=62, Device IP Address=<ip-address>, Device Port=<port>, DestinationIPAddress=<ip-address>, DestinationPort=<port>, Protocol=Radius, User-Name=wipro, Acct-Status-Type=Start, Acct-Session-Id=sdfsdfs, Event-Timestamp=1569504083, AcsSessionID=dfsdf, FailureReason=33 Could not locate Network Device , Step=343, Step=231, Step=55, Step=11, #44
... View more
Labels
12-15-2020
06:48 PM
I have a Bluecoat device i want to monitor that device logs using UF. after have opened port from bluecoat to a relay server(Windows server with UF installed). But Data is not getting forwarded to Indexer..Please let me know if forwarding logs from network devices through tcp port using Splunk UF is possible.. If thats possible please suggest me some way to troubleshoot this issue(from Splunk UF data is not sent to Indexer)
... View more
Labels
- Labels:
-
universal forwarder
11-24-2020
01:39 AM
i need to find daily indexing volume but without using any internal indexes..
... View more
- Tags:
- search query
Labels
- Labels:
-
search head
11-03-2020
10:20 PM
Okay. Thanks for your response. I have multiple monitor stanzas in my inputs conf file..So you are saying this mistake i made in one stanza will not affect other stanzas..data will still sent to indexer?
... View more
11-02-2020
08:00 PM
Hello, i have a windows machine(Windows Version 10) which is configured to send data to a indexer. but data is not sent to indexer. while checking splunkd log, i see a warning WARN IniFile - C:\Program Files\SplunkUniversalForwarder\etc\apps\<app_name>\local\inputs.conf, line 1: Cannot parse into key-value pair: ?#################################### there is this as issue in inputs conf which is corrected now. but could it be the issue which blocks the UF to send data to indexer?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
2 weeks ago
|
Karma given to
