About nmohammed

nmohammed · ‎03-01-2023

@mbachhav - did you get this done ? I am running into similar challenge and thinking best way of getting this from HF to SHC/Indexer

nmohammed · ‎10-28-2021

Try this - "Account\sName:\s(?P<account_name>.+)\sAccount Domain"

nmohammed · ‎10-26-2021

index=star env=prod | chart count(eval(time <100)) AS "<100ms", count(eval(time >100 AND time <200)) AS "<200ms", count(eval(time >200 AND time <300)) AS "<300ms" | stats count by time try that query and select pie chart under visualizations.

nmohammed · ‎10-26-2021

Can you share the exception with multiple Caused by : ? meanwhile, you can try this - base search | rex field=_raw "Caused by:\s*(?P<exception_cause>.*)"

nmohammed · ‎10-26-2021

@Sharzi try this to return records where DB is NOT "unknown" base_search [ inputlookup myLookup | fields TenantName, tenantId | where tenantId!="Unknown" AND TenantName=TenantName] | lookup myLookup tenantId TenantName output TenantName, tenantId, Region, DB | | table _time TenantName tenantId Region Status DB updated reply to correct spellings and missing fields

nmohammed · ‎10-21-2021

@gitingua can you share your search query that you're trying for this result ?

nmohammed · ‎10-21-2021

nmohammed · ‎10-21-2021

@Susha Is your forwarder sending disk space data and are you able to see any data in index=os ? breakdown the search query into individual parts and check index=os sourcetype=df host=de1secsplfwd002.dc-r.security.vodafone.com index=os sourcetype=df host=de1secsplfwd002.dc-r.security.vodafone.com | strcat host '@' Filesystem Host_FileSystem

nmohammed · ‎10-21-2021

@pavanae can you share your search query ? But you should be able to search the host like following - | inputlookup answers-571895.csv | where Host="*"

nmohammed · ‎10-21-2021

It should work, I tried it out with csv file you shared. It can either be permissions (but you're able to see contents of lookup using inputlookup). Check the fieldnames (case-sensitive) & also spell-check Try another way (replace with your filename) - | inputlookup answers-571716.csv | where failcode="g-ab" OR failcode="c-cd" OR failcode="d-dd"

nmohammed · ‎10-21-2021

are you able to see the contents of the lookup file created ? run the following command | inputlookup myfile.csv

nmohammed · ‎10-20-2021

file1.csv -- > csv based lookup file2.csv --> cidr based lookup (I've renamed "IP Address" field to ip_address) Add a new lookup definition, name it "file2" and select file2.csv Check on advanced options. In "Match type" type in "CIDR(ip_address)" . | inputlookup file1.csv | fields src_ip, username | lookup file2 "ip_address" as src_ip output ASN, Other

nmohammed · ‎10-20-2021

Hi @gitingua try this out, assuming you've these files uploaded as lookups | inputlookup file1.csv | appendcols [inputlookup file2.csv | fields ASN,Other ] | table username,src_ip,ASN,Other

nmohammed · ‎10-20-2021

@MikeB inputlookup can be used to fetch results. | inputlookup myfile.csv | where failcode IN ("g-ab", "c-cd", "d-dd")

nmohammed · ‎10-20-2021

@GRC Sample log events data will help to work further on your request.

nmohammed · ‎10-19-2021

@LIP can you share sample events and the search you're trying to run ?

nmohammed · ‎10-13-2021

Thanks @isoutamo But how do I search logs related the frozen buckets or purged data?

nmohammed · ‎10-12-2021

We know the amount of data ingested daily from the Splunk internal logs and the License dashboard, but we're trying to find if there's a way to find the amount of data purged on daily based on the our data retention policy. Appreciate any help on this.

nmohammed · ‎10-02-2019

hi @MuS, This is great. can this app be used on Search Head cluster without causing any issues ? Thanks

nmohammed · ‎08-21-2019

hi @lyndac I am in exact similar situation ? were you able to identify and make it working successfully with batch input. Just want to make sure, the file is completely indexed before deletion and newer files keep getting created in the directory with application requests, so they need to be monitored, forwarded and deleted. Thanks

Posts	134
Solutions	10
Karma Given	1
Karma Received	21
Member Since	‎03-02-2015

Online Status	Offline
Date Last Visited	‎03-01-2023 08:59 PM

Splunk query to find amount of data purged based o...

distsearch.conf is overridden after updating throu...

Regex in props.conf doesn't work

How do you mask values using SEDCMD in payload emi...

Why is tstats command with eval not working on a p...

How do you create an alert for different cron sch...

Help with Masking data

whitelist directories inputs.conf

How to blacklist events for a specific event code ...

Any way to pull data from a custom ServiceNow tab...

Re: How to replicate CSV(lookup) from heavy forwar...

Re: Extracting Account Name:

Re: How to split the call based on TimeTaken

Re: extract all "cause by"

Re: use lookup file inside if statement

Re: help to write the request correctly

Re: Monitoring sources - better way?

Re: forwarder disk space issue

Re: using wild card in a lookup column?

Re: How to display limited results from a field

Re: How to display limited results from a field

Re: Write a request

Re: Write a request

Re: How to display limited results from a field

Re: Extract Log Data

Re: Correlation alert with multiple events

Re: Splunk query to find amount of data purged bas...

Splunk query to find amount of data purged based o...

Re: How to embed several dashboards using iFrame?

Re: Does useACK=true in inputs.conf [batch://] sta...