Activity Feed
- Got Karma for Re: new indexer not showing in Monitoring console. 10-02-2023 08:12 PM
- Got Karma for Changing the Ulimits for openfiles. 12-13-2022 06:45 AM
- Got Karma for Why is Distributed Management Console (DMC) not displaying accurate DISK usage values?. 01-05-2022 12:42 AM
- Got Karma for Re: Knowledge Objects with "No owner" ownership.. 12-27-2021 07:55 AM
- Got Karma for Knowledge Objects with "No owner" ownership.. 12-27-2021 07:55 AM
- Posted Re: Automatic client deletion in deployment server (similar to manual "delete record" option). on Deployment Architecture. 09-20-2021 04:17 PM
- Posted Re: Splunk rest curl query fails to execute on the successive attempts with the session key authorization on Splunk Search. 07-29-2021 05:08 PM
- Karma Splunk rest curl query fails to execute on the successive attempts with the session key authorization for sathishraja92. 07-29-2021 05:08 PM
- Got Karma for Double field extraction for the JSON data. 04-02-2021 06:48 AM
- Posted Re: Splunk Cloud Gateway setup on All Apps and Add-ons. 10-06-2020 11:27 AM
- Posted Re: Splunk Cloud Gateway setup on All Apps and Add-ons. 10-06-2020 11:07 AM
- Posted Re: Problem with upgrade on Splunk Cloud Gateway to version 1.12.4 - drone_mode_subscription_modular_input on All Apps and Add-ons. 10-04-2020 04:23 PM
- Posted Re: Splunk Cloud Gateway setup on All Apps and Add-ons. 10-04-2020 04:23 PM
- Posted Re: .csv file input indexed and available in splunk but the data is invisible on Getting Data In. 09-16-2020 05:02 PM
- Posted Re: Data PArsing json on Getting Data In. 08-27-2020 03:48 PM
- Karma Re: Data PArsing json for to4kawa. 08-27-2020 12:34 PM
- Posted Re: Data PArsing json on Getting Data In. 08-27-2020 12:32 PM
- Posted Re: Data PArsing json on Getting Data In. 08-26-2020 10:11 AM
- Posted Data PArsing json on Getting Data In. 08-25-2020 04:29 PM
- Posted field extractions transforms on Getting Data In. 07-16-2020 11:32 AM
09-20-2021
04:17 PM
I am looking for a solution too, but in the meanwhile you can do a restart of the deployment server, which clears the old records.
07-29-2021
05:08 PM
Even I am facing the same issue. Were you able to figure out anything?
10-06-2020
11:27 AM
pip install future
I cannot install this because I see that pip is not installed on the hosts and I don't have root access to the host.
10-06-2020
11:07 AM
Traceback (most recent call last):
  File "etc/apps/splunk_app_cloudgateway/bin/drone_mode_subscription_modular_input.py", line 23, in <module>
    from spacebridgeapp.logging import setup_logging
  File "/opt/splunk/etc/apps/splunk_app_cloudgateway/bin/spacebridgeapp/logging/__init__.py", line 1, in <module>
    from spacebridgeapp.logging.spacebridge_logging import setup_logging
  File "/opt/splunk/etc/apps/splunk_app_cloudgateway/bin/spacebridgeapp/logging/spacebridge_logging.py", line 7, in <module>
    from spacebridgeapp.logging import setup_logging as itoa_logger
  File "/opt/splunk/etc/apps/splunk_app_cloudgateway/bin/spacebridgeapp/logging/setup_logging.py", line 3, in <module>
    from builtins import object
ImportError: No module named builtins
I am getting the above error. Do you know how to solve it? @casingc_splunk Thanks,
10-04-2020
04:23 PM
@casingc_splunk, please check.
10-04-2020
04:23 PM
Unable to initialize modular input "drone_mode_subscription_modular_input" defined inside the app "splunk_app_cloudgateway": Introspecting scheme=drone_mode_subscription_modular_input: script running failed (exited with code 1)
What about this message? How do I resolve it? @casingc_splunk
09-16-2020
05:02 PM
Too many events (100K) with the same timestamp: incrementing timestamps 1 second(s) into the future to insure retrievability
Even I am having the same error, but my data does not have a timestamp in the event, so I kept it at DATETIME_CONFIG=CURRENT. How do I overcome this error?
08-27-2020
03:48 PM
Thanks @to4kawa, I was stuck at the (.) part. What does (.) mean in regex, and how did you manage to figure it out? Do we always need to capture something in the LINE_BREAKER before we write the regex? Thanks, Nawaz.
08-27-2020
12:32 PM
Yes, the SPL seems fine. But in reality, each event contains 50 different certificate tags and comes to 4096 lines per event. The main drawback is that if we do spath and mvexpand, the raw events view would be the same and confusing, i.e. every event would have 4096 lines instead of just one certificate. And if we do spath and mvexpand on many events where each event has 50 different certificates, it would take a lot of time and be unclear. That's why I was preferring to break the events at props level, so that each certificate would go to its own event and the raw events view would be easy to work with. Anyway, thanks for the SPL; you deserve points.
08-26-2020
10:11 AM
Hi @to4kawa, it didn't work. I want two separate events like this. I tried LINE_BREAKER and BREAK_ONLY_BEFORE in props.conf to parse the data into individual events, but it still didn't work. I was able to use regex101 to find a regex to break the event and applied the same regex in Splunk, but it's not taking it:
{
"NotAfter": "2020-09-06T15:34:22-07:00",
"NotBefore": "2019-09-07T15:34:22-07:00",
"allowedOperations": [
"certificate_show",
"certificate_der_download"
],
}, {
"NotAfter": "2020-10-07T10:51:40-07:00",
"NotBefore": "2019-10-08T10:51:40-07:00",
"allowedOperations": [
"certificates_show"
],
}
Thanks, Nawaz
08-25-2020
04:29 PM
I am trying to parse JSON data in Splunk. This is the example data:
{
"certificates": [
{
"NotAfter": "2020-09-06T15:34:22-07:00",
"NotBefore": "2019-09-07T15:34:22-07:00",
"allowedOperations": [
"certificate_show",
"certificate_der_download"
],
},
{
"NotAfter": "2020-10-07T10:51:40-07:00",
"NotBefore": "2019-10-08T10:51:40-07:00",
"allowedOperations": [
"certificates_show"
],
}
I want only the data between the tags before "NotAfter" in separate events, and the top part has to be ignored. I have tried regex101 to identify the breaking patterns; it works there but not in Splunk. Can you please guide? Thanks, Nawaz
Labels: JSON, props.conf, sourcetype
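An added example (not from the poster, nor Splunk's own code) that emulates the documented LINE_BREAKER rule on a constructed copy of the posted JSON: the text matched by the first capturing group is discarded, the previous event ends where the group starts and the next event starts where it ends. The breaker pattern is an assumption; note that the leading `{"certificates": [` header still becomes an event of its own, which only a separate nullQueue transform could drop.

```python
import re

# Constructed sample modelled on the posted data (trailing commas kept as posted).
RAW = """{
"certificates": [
{
"NotAfter": "2020-09-06T15:34:22-07:00",
"NotBefore": "2019-09-07T15:34:22-07:00",
"allowedOperations": [
"certificate_show",
"certificate_der_download"
],
},
{
"NotAfter": "2020-10-07T10:51:40-07:00",
"NotBefore": "2019-10-08T10:51:40-07:00",
"allowedOperations": [
"certificates_show"
],
}
"""

# Candidate LINE_BREAKER (assumption): group 1 swallows the separating comma,
# whitespace and the opening brace, so each new event starts at "NotAfter".
LINE_BREAKER = r'(,?\s*\{\s*)"NotAfter"'

def line_break(raw: str, pattern: str) -> list:
    """Emulate Splunk's LINE_BREAKER semantics (with SHOULD_LINEMERGE = false):
    the previous event ends at the start of group 1, the next event begins at
    the end of group 1, and the text inside group 1 is dropped."""
    events, start = [], 0
    for m in re.finditer(pattern, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.strip() for e in events if e.strip()]

def certificate_events(raw: str = RAW) -> list:
    # Event 0 is the array header; events 1 and 2 are one certificate each.
    return line_break(raw, LINE_BREAKER)

if __name__ == "__main__":
    for i, ev in enumerate(certificate_events()):
        print(f"--- event {i} ---\n{ev}")
```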
07-16-2020
11:32 AM
Hi, I am unable to figure out a regex that matches the key-value pairs of my data. I think the transforms.conf REGEX and FORMAT would help here. I am posting a sample event:
SAEGW-SGW10,sdfsd-sdfafsadf:1,sdafsdf:3,asdfsdf:3,dsfgdsfgretewq:0
It is just a FIELD_NAME:FIELD_VALUE pair; only the first word of the event does not have a value associated with it. I have tried this:
([^\:]+)\:([^\,]+)\,
but this is not 100% accurate. Looking for more accuracy. Thanks
Labels: props.conf, sourcetype, transforms.conf
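An added example (not from the poster or from Splunk) that runs the posted regex and an anchored alternative over a constructed copy of the sample event, emulating what transforms.conf does with REGEX, FORMAT = $1::$2 and REPEAT_MATCH = true. The alternative pattern and the helper names are assumptions.

```python
import re

# Constructed event modelled on the posted one: a bare leading token, then
# comma-separated NAME:VALUE pairs with no trailing comma.
SAMPLE = "SAEGW-SGW10,sdfsd-sdfafsadf:1,sdafsdf:3,asdfsdf:3,dsfgdsfgretewq:0"

# The regex from the post: greedy [^:]+ runs across the first comma, and the
# required trailing comma drops the last pair.
POSTED_RE = re.compile(r'([^\:]+)\:([^\,]+)\,')

# Assumed alternative: anchor each pair at the start of the event or at a comma,
# forbid commas and colons in the name, and do not require a trailing comma.
PAIR_RE = re.compile(r'(?:^|,)([^,:]+):([^,]*)')

def posted_pairs(event: str) -> dict:
    """What the posted regex extracts (one match per pair, like REPEAT_MATCH)."""
    return dict(POSTED_RE.findall(event))

def extract_pairs(event: str) -> dict:
    """Emulate REGEX = PAIR_RE with FORMAT = $1::$2 and REPEAT_MATCH = true:
    group 1 names the field, group 2 is its value."""
    return dict(PAIR_RE.findall(event))

def leading_token(event: str) -> str:
    """The first token has no value; it would need its own transform
    (e.g. FORMAT = node::$1 against ^([^,]+))."""
    return event.split(",", 1)[0]

if __name__ == "__main__":
    print("posted  :", posted_pairs(SAMPLE))
    print("anchored:", extract_pairs(SAMPLE))
    print("leading :", leading_token(SAMPLE))
```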
07-08-2020
12:44 PM
Hi,
I am using a batch input to ingest some huge files with single-line events that do not have a timestamp.
I have used the DATETIME_CONFIG = CURRENT config but found the following error:
WARN AggregatorMiningProcessor - Too many events (100K) with the same timestamp: incrementing timestamps 1 second(s) into the future to insure retrievability
Which is more effective, NONE or CURRENT, and what can be used in my case?
Thanks
Labels: props.conf
06-29-2020
10:30 AM
Hi, I have installed Splunk version 7.2.6 on some of the servers and I don't see the type dropdown on one of the servers in the field transformations page UI. Can you please let me know how to enable this dropdown? Thanks
06-23-2020
02:15 PM
Thanks for the reply, I see a bookmark button as well. If I bookmark a question, where can I find it in the profile?
06-23-2020
01:25 PM
Hi, I see that the Splunk Answers page was updated a few weeks ago. In the previous version, I used to save or favorite many questions that I was interested in. Where can I find those questions now? And also the questions that I have asked previously, where can I find those? Thanks
06-23-2020
01:19 PM
Hi, I know how to assign a dynamic sourcetype for events based on the source values. But I want to know whether it is possible to assign props.conf for the resulting sourcetype values. Thanks,
Labels: props.conf, sourcetype
04-28-2020
01:24 PM
So you mean we cannot perform search-time extractions again on already search-time extracted fields?
04-28-2020
01:24 PM
I figured out the issue here.
With SOURCE_KEY = list, the field list here is an already search-time extracted field. I am trying to apply one more search-time field extraction, or a search-time multivalue field extraction, to it, and so it could not work.
If I change to SOURCE_KEY = _raw, it works perfectly but does not solve my case, as I want the extraction to apply only to that field.
I did not change any other parameters in my settings shown in the question except for the SOURCE_KEY.
04-28-2020
01:20 PM
Thanks for the regex.
I figured out the issue here.
With SOURCE_KEY = list, the field list here is an already search-time extracted field. I am trying to apply one more search-time field extraction, or a search-time multivalue field extraction, to it, and so it could not work.
If I change to SOURCE_KEY = _raw, it works perfectly but does not solve my case, as I want the extraction to apply only to that field.
04-28-2020
01:20 PM
I figured out the issue here.
With SOURCE_KEY = list, the field list here is an already search-time extracted field. I am trying to apply one more search-time field extraction, or a search-time multivalue field extraction, to it, and so it could not work.
If I change to SOURCE_KEY = _raw, it works perfectly but does not solve my case, as I want the extraction to apply only to that field.
I did not change any other parameters in my settings shown in the question except for the SOURCE_KEY.
04-27-2020
04:57 PM
zsdfgdsgfgsdfg dfgkh sdfl;askgh a;sdfkghjak gah fkgakfgakgj ha;sdghkjasgh as;kgkahsjkghao[YOWERT [Y [OYTUWEH ASDGH IQHIWURHTGIWQUHO HEOW ROIouoasdfoutyet uertyuqewr tyouyqwrtuootptypowreqyturwet wqrtu8 sdfgsdfg sdfg w['aE QWE[T QWETJHTJKERHWTERHWKTH EJRTHKJEWRHTUII auioprtywerryweuortyew c=IN IP4 10.33.22.11ghghfjgfhj ghjgjedkj wrktjyhoe oqw4u5yohwueirthywi hqiuehrtqtp[[qh erhtjqehrtueqhrtuiqwyhtkjewhgiuhdefjkaslhguqirotuyqpuyt quywertuipyp y] oiq ytuoqerytu htuqerhuthuqeirhtuy4238[ ]2u5]r iuwifhdjgfhjrhgtu
=-+c=IN IP4 10.44.33.22+t334543 34q535asdtesdft
04-27-2020
04:35 PM
I can understand what you mean, but it does not affect anything. I use the same format for other field transforms as well in order to avoid confusion, and it works well.
04-21-2020
10:38 PM
Hi,
I would like to extract field values from the UI using the field transformations and field extractions from Settings.
I have added the field extraction and referenced it to use a field transform. I follow the same naming conventions for other normal field extractions with transforms, and it works well.
props.conf
[sourcetype]
REPORT-IP = REPORT-IP
transforms.conf
[REPORT-IP]
FORMAT = IP::$1
MV_ADD = 1
REGEX = c=IN IP4 (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
SOURCE_KEY = list
I have verified the regex and it captures well when checked in general; however, I don't see the required multivalue field in Splunk with the values extracted.
Is anything else missing?
Thanks
04-21-2020
01:32 PM
OK. But I made a change in the UI and I looked at the backend CLI, and the parameter was marked as 1 instead of true.