Activity Feed
- Posted Re: Regex expression to extract fields on Splunk Search. 10-27-2021 02:28 PM
- Posted Re: Regex expression to extract fields on Splunk Search. 10-27-2021 02:08 PM
- Posted Re: Regex expression to extract fields on Splunk Search. 10-27-2021 12:46 PM
- Posted Regex expression to extract fields on Splunk Search. 10-27-2021 10:59 AM
- Karma Re: Search index using search values from database for HiroshiSatoh. 06-05-2020 12:46 AM
- Posted Re: How to update browsercaps file for TA-browscap? on All Apps and Add-ons. 07-17-2018 09:15 AM
- Posted Re: Search index using search values from database on Splunk Search. 09-13-2013 11:30 AM
- Posted Re: Search index using search values from database on Splunk Search. 09-13-2013 08:44 AM
- Posted Re: Search index using search values from database on Splunk Search. 09-13-2013 07:26 AM
- Posted Search index using search values from database on Splunk Search. 09-12-2013 12:23 PM
- Tagged Search index using search values from database on Splunk Search. 09-12-2013 12:23 PM
10-27-2021 02:28 PM
I was able to get this to work by changing `\w` to `\S`, like this: `Target\s+(?<Target>\S+)`. Thanks again for the help.
10-27-2021 02:08 PM
Really appreciate the help. That worked for those 2. I also need one for Target. I tried this: `Target\s+(?<Target>\w+)`, but with a value of this: `Target ABCDE\test.user`, I only get the `ABCDE`. How do I change the expression to get the entire `ABCDE\test.user`?
10-27-2021 12:46 PM
These are coming from Windows event logs. Some of the fields are in name-value pairs and extract on their own, but the last 4 fields are the ones I need expressions for. Here is an example of the entire message:

    10/27/2021 02:39:17 PM LogName=Application EventCode=16117 EventType=0 ComputerName=XXXXXXXXX002.xxxx.com User=NOT_TRANSLATED Sid=S-1-5-21-114000000-41296648-3127784425-637889 SidType=0 SourceName=AdminSvc Type=Information RecordNumber=1502524 Keywords=Audit Success, Classic TaskCategory=SetInfo OpCode=None Message=Action SetInfo ObjectType Computer AssistantAdmin xxxx\xxxxx Target xxxxx\xxxx-xxxx$ Domain Controller xxxxxx06 AccountDisabled
10-27-2021 10:59 AM
I have two fields below that show up in our log files. I used the Splunk tool to create the regex to extract the fields, and at first I thought it worked, until we had fields with different values that didn't extract. Is there a simple regex I can use to extract the ObjectType and Domain Controller fields in the example below? Values should never have a space, so we can end the value after the first space.

    ObjectType User Domain Controller TSTETCDRS001
Labels: field extraction, regex
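The extraction the regex thread above arrives at, as an added example that is not code from the original posts: it runs both the `\w+` and the `\S+` versions of the Target pattern against a constructed event modelled on the sample message (hostnames and account names are made-up placeholders, and the `extract_fields` / `target_with_word_class` helpers are this example's own), using Python's `(?P<name>...)` group syntax in place of the `(?<name>...)` form that Splunk's `rex` accepts.

```python
import re

# Constructed event modelled on the sample Windows Application log message
# in the thread; hostnames, SIDs and account names are made-up placeholders.
SAMPLE_EVENT = (
    "10/27/2021 02:39:17 PM LogName=Application EventCode=16117 EventType=0 "
    "ComputerName=EXAMPLEHOST002.example.com User=NOT_TRANSLATED "
    "SourceName=AdminSvc Type=Information TaskCategory=SetInfo OpCode=None "
    "Message=Action SetInfo ObjectType Computer AssistantAdmin CORP\\admin.user "
    "Target ABCDE\\test.user Domain Controller TSTETCDRS001 AccountDisabled"
)

# The trailing fields are "Label value" pairs separated by spaces, and the
# thread establishes that a value never contains a space, so \S+ (any run of
# non-whitespace) is the right quantifier.  Python spells a named group
# (?P<name>...); Splunk's rex takes the PCRE form (?<name>...).
FIELD_PATTERNS = {
    "ObjectType": re.compile(r"ObjectType\s+(?P<ObjectType>\S+)"),
    "Target": re.compile(r"Target\s+(?P<Target>\S+)"),
    "DomainController": re.compile(r"Domain Controller\s+(?P<DomainController>\S+)"),
}

# The first attempt from the thread, kept to show why it truncates: \w matches
# only letters, digits and underscore, so it stops at the backslash.
TARGET_WORD_ONLY = re.compile(r"Target\s+(?P<Target>\w+)")


def extract_fields(event: str) -> dict:
    """Return the named fields found in one event; missing fields are omitted."""
    found = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = pattern.search(event)
        if match:
            found[name] = match.group(name)
    return found


def target_with_word_class(event: str):
    """Target extracted with \\w+ , or None if the label is absent."""
    match = TARGET_WORD_ONLY.search(event)
    return match.group("Target") if match else None


if __name__ == "__main__":
    print(extract_fields(SAMPLE_EVENT))
    print("Target via \\w+ :", target_with_word_class(SAMPLE_EVENT))
```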
07-17-2018 09:15 AM
I tried updating the browscap file to the csv file from browscap.org, but I get the same error below. I can see the file format is different from the last one, but in TA-browscap ver 1.2 it says it was modified to accept the new format. Is there something else in settings I need to set so it knows it is the new format? I checked Splunk settings to make sure I am on ver 1.2 of TA-browscap.

    Script for lookup table 'browscap_lookup' returned with error code 1. Results may be incorrect.
09-13-2013 11:30 AM
Changing the AS to "query" fixed it. Everything is working as needed now.
09-13-2013 08:44 AM
I never tried the "blue 'i' icon". That is a very cool feature. It did help me figure out that the problem is not lowercase at all. My query not only returns the name but also returns the db column, like `empName="Joe"`. It appears it is only searching for a field called empName with Joe. This is fine for the first index, but in the second index the field is called firstName. When I change the dbquery to `Select empName as firstName....` it then finds it in the second query but not the first. What I really want to do is search every field in the index. Any ideas on how to get rid of the field name?
09-13-2013 07:26 AM
Thanks for the reply. All the column names are spelled correctly. To prove it was an upper/lowercase issue, I changed the name in my test database to all lower case, and it is then able to find it in the second index but not the one it was before. Again, this is only on a test database, so this will not work as a production solution.
09-12-2013 12:23 PM
I want to be able to do a search of an index with search parameters returned from a database lookup. An example would be a table like:

User Name | Employee ID
---|---
Jim | 1234
Joe | 2345

Then my search could either search the index for all names or be able to pass an employee ID to just return the one name. I would eventually want to create a view with a form where the user can either enter an Employee ID or * for all. I have installed DB Connect and can view the database and run queries, but I can't figure out how to get the lookup to work from a normal search command from my app. Can anyone tell me if this is possible and, if so, how it can be done or where I should start?
Update:

I was able to get this almost working using this search:

    index=* [ | dbquery "dbName" "SELECT empName FROM tblName where mail='joe.smith@gmail.com'"]

The problem I am now having is that the name is found in one of my indexes but not the other. The difference is that in one index the name is upper/lowercase just like the db, and it is found. In the other it is all lowercase, so it doesn't seem to find it. I have tried using `LOWER(empName)` inside the sql cmd and also `eval lower([.....])`, but neither returns any results. I know Splunk is supposed to be case insensitive, but I have found some posts that say that may not be true for some types of data. Anyone have any ideas how I can get this last piece to work?