Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About rodneyjerome
rodneyjerome
Explorer
Member since:
10-26-2016
07-02-2021
Community Statistics
| Posts | 16 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 10-26-2016 |
Activity Feed
- Posted Email user and get response back on Splunk SOAR. 07-01-2021 11:01 AM
- Karma Re: Filter events while sending data from Heavy Forwarder to Indexer for gcusello. 02-19-2021 12:27 AM
- Posted Re: Filter events while sending data from Heavy Forwarder to Indexer on Getting Data In. 02-19-2021 12:26 AM
- Posted Filter events while sending data from Heavy Forwarder to Indexer on Getting Data In. 02-08-2021 10:26 PM
- Karma Re: How to use a $ in a form search? for aelliott. 06-05-2020 12:46 AM
- Posted Output value required while creating Splunk Version 1 Custom Command on Splunk Search. 07-17-2019 01:24 PM
- Tagged Output value required while creating Splunk Version 1 Custom Command on Splunk Search. 07-17-2019 01:24 PM
- Posted How to use Splunk to access an email client and index the details in CSV attachments? on Getting Data In. 01-19-2017 05:40 AM
- Tagged How to use Splunk to access an email client and index the details in CSV attachments? on Getting Data In. 01-19-2017 05:40 AM
- Tagged How to use Splunk to access an email client and index the details in CSV attachments? on Getting Data In. 01-19-2017 05:40 AM
- Tagged How to use Splunk to access an email client and index the details in CSV attachments? on Getting Data In. 01-19-2017 05:40 AM
- Tagged How to use Splunk to access an email client and index the details in CSV attachments? on Getting Data In. 01-19-2017 05:40 AM
- Posted Splunk DB Connect: How to configure VIP? on All Apps and Add-ons. 11-23-2016 09:16 PM
- Tagged Splunk DB Connect: How to configure VIP? on All Apps and Add-ons. 11-23-2016 09:16 PM
- Tagged Splunk DB Connect: How to configure VIP? on All Apps and Add-ons. 11-23-2016 09:16 PM
- Posted Re: After receiving "External search command 'jsonfields' returned error code 1", how to extract fields from a JSON input? on Splunk Search. 11-18-2016 03:25 AM
- Posted Re: Custom command for json event on Getting Data In. 11-18-2016 03:21 AM
- Posted Re: Custom command for json event on Getting Data In. 11-16-2016 11:08 PM
- Posted Re: Custom command for json event on Getting Data In. 11-16-2016 04:46 AM
- Posted Re: After receiving "External search command 'jsonfields' returned error code 1", how to extract fields from a JSON input? on Splunk Search. 11-16-2016 03:55 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-01-2021
11:01 AM
Hi, I am looking send an email to user with simple yes/no response which I can then use to handle the case. I know Palo Alto’s soar has some integrations to handle this. Do we have similar func in Splunk or any idea on how to implement them. Thanks in advance
... View more
Labels
- Labels:
-
using Phantom
02-19-2021
12:26 AM
Thanks. This worked great!
... View more
02-08-2021
10:26 PM
Hi, I have an HFW and indexer in my environment. I'm looking to filter certain events from the log source in HFW based on REGEX while indexing in the indexer. Please find below the config files. Not sure where I'm going wrong. props.conf [testing] TRANSFORMS-routing = conGroup inputs.conf [monitor:///var/logs] disabled = false index = main sourcetype =. testing host = HFW transforms.conf [conGroup] REGEX = ^(((?!i-)(?!sample)).)*$ DEST_KEY=_TCP_ROUTING FORMAT=test outputs.conf [tcpout] defaultGroup = nothing [tcpout:test] server = X.X.X.X:9997 Any help will be. much appreciated. Thanks in advance
... View more
Labels
- Labels:
-
heavy forwarder
07-17-2019
01:24 PM
hi,
I am trying to create a simple splunk custom command using Intersplunk. Its a simple code which displays the events as is. However im getting this error
A value for "output" is required
import json
import sys
import csv
import splunk.Intersplunk
json_events = splunk.Intersplunk.readResults(None, None, False)
splunk.Intersplunk.outputResults(json_events)
Could someone help on where I am going wrong
... View more
- Tags:
- custom-command
01-19-2017
05:40 AM
Hi,
I need to access an email client (Gmail or Outlook) and index the details in the CSV attachments.
Any suggestions are appreciated
Thanks in advance
... View more
11-23-2016
09:16 PM
Hi
I would like to connect to my VIP from Splunk DB connect. Any suggestions on how to configure them?
Thanks in advance
... View more
11-18-2016
03:25 AM
Answer is in this link.
https://answers.splunk.com/answers/474552/custom-command-for-json-event.html
... View more
11-18-2016
03:21 AM
That really helped. Apparently there were some errors in python scripts that I need to take care of. The logic works perfectly fine. Thanks.
... View more
11-16-2016
11:08 PM
Hi Flynt,
still no luck. When try executing the command it just gives me an error
External search command 'jsonfields' returned error code 1.
I think there's no problem with the JSON. When I tried to run in pycharm with the sample json event as a File. I got it without any errors
import json
import sys
import csv
json_event = open(r'C:\Users\rodney.jerome.samuel\Desktop\sample_json.json')
json_data = json.load(json_event)
fields = (json_data['Fields'])
extracted_fields = {}
for f in fields:
if not f['values']:
extracted_fields[f['Name']] = 'null'
elif 'value' not in f['values'][0]:
extracted_fields[f['Name']] = 'null'
else:
extracted_fields[f['Name']] = f['values'][0]['value']
print(extracted_fields)
This is the sample output i got as dictionary. So I don't think there is any problem with json event.
{'user-template-29': 'null', 'has-change': 'null', 'user-template-28': 'MPT', 'user-template-05': 'SF'}
... View more
11-16-2016
04:46 AM
It's not working. Below is my sample json input. I want the fields extracted
for example :
ut2: null
ut3:SF
VS:2
I need the python script for extracting the fields in such a way.
{
"Type": "defect",
"Fields": [
{
"values": [],
"Name": "ut2"
},
{
"values": [
{
"value": "SF"
}
],
"Name": "ut3"
},
{
"values": [
{
"value": "2"
}
],
"Name": "vs"
},
{
"values": [
{
"value": "N"
}
],
"Name": "attached"
},
{
"values": [
{
"value": "vh"
}
],
"Name": "pri"
},
],
}
I'm just getting the fields that are automatically extracted if I try your script. Not any change. Kindly help. I guess the json_events will have csv. Need to get _raw from that and then perform the json operations
any suggestions?
... View more
11-16-2016
03:55 AM
sure i will try that and get back to you
... View more
11-13-2016
10:40 PM
Hi,
I'm using the below line, while creating custom command for key value field extraction. My events are in json format. I would like to know the format in which the events are retrieved while the below line is given (string) or type of json_event.
json_events = splunk.Intersplunk.readResults(None, None, True)
I have also attached the entire script for your reference. I think I'm having problems while loading the json event
import json
import sys
import csv
import splunk.Intersplunk
(isgetinfo, sys.argv) = splunk.Intersplunk.isGetInfo(sys.argv)
json_events = splunk.Intersplunk.readResults(None, None, True)
for json_event in json_events:
json_data = json.load(json_event)
fields = (json_data['Fields'])
for f in fields:
if not f['values']:
json_event[f['Name']] = 'null'
elif 'value' not in f['values'][0]:
json_event[f['Name']] = 'null'
else:
json_event[f['Name']] = f['values'][0]['value']
splunk.Intersplunk.outputResults(json_events)
Thanks in advance
... View more
11-08-2016
11:28 PM
Try using custom commands. This is very useful
http://docs.splunk.com/Documentation/Splunk/6.5.0/Search/Writeasearchcommand
... View more
11-08-2016
07:48 AM
Hi,
I am trying to extract fields from a JSON input. I don't understand if I am making any mistake in getting the events or in output. Below is my python script:
import splunk.Intersplunk
json_events = splunk.Intersplunk.readResults(None, None, True)
for json_event in json_events:
json_data = json.load(json_event)
fields = (json_data['Fields'])
for f in fields:
if not f['values']:
json_event[f['Name']] = 'null'
elif 'value' not in f['values'][0]:
json_event[f['Name']] = 'null'
else:
json_event[f['Name']] = f['values'][0]['value']
splunk.Intersplunk.outputResults(json_events)
and the below snippet is a sample json event.
{
"Type": "defect",
"Fields": [
{
"values": [],
"Name": "ut2"
},
{
"values": [
{
"value": "SF"
}
],
"Name": "ut3"
},
{
"values": [
{
"value": "2"
}
],
"Name": "vs"
},
{
"values": [
{
"value": "N"
}
],
"Name": "attached"
},
{
"values": [
{
"value": "vh"
}
],
"Name": "pri"
},
],
}
I have stored them as dictionary (key, value pairs). I am getting error "External search command 'jsonfields' returned error code 1"
any suggestions?
Thanks in advance
... View more
