Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About rob_gibson
rob_gibson
Path Finder
Member since:
06-25-2014
03-06-2026
Community Statistics
| Posts | 50 |
| Solutions | 1 |
| Karma Given | 11 |
| Karma Received | 3 |
| Member Since | 06-25-2014 |
Activity Feed
- Posted Re: rex help - extracting string between quotes on Splunk Search. 03-06-2026 12:20 PM
- Karma Re: rex help - extracting string between quotes for richgalloway. 03-06-2026 12:20 PM
- Karma Re: rex help - extracting string between quotes for ITWhisperer. 03-06-2026 12:19 PM
- Posted Re: rex help - extracting string between quotes on Splunk Search. 03-06-2026 10:56 AM
- Posted Re: rex help - extracting string between quotes on Splunk Search. 03-06-2026 10:29 AM
- Posted rex help - extracting string between quotes on Splunk Search. 03-06-2026 06:13 AM
- Got Karma for Re: Why is a value appearing twice in a table but only occurs once in the event data?. 10-31-2024 06:03 PM
- Posted Re: What are the blacklist/config options to stop events from being transferred across the network to the Indexer on Getting Data In. 04-17-2024 06:43 AM
- Posted Re: What are the blacklist/config options to stop events from being transferred across the network to the Indexer on Getting Data In. 04-12-2024 12:05 PM
- Karma Re: What are the blacklist/config options to stop events from being transferred across the network to the Indexer for PickleRick. 04-12-2024 11:53 AM
- Karma Re: What are the blacklist/config options to stop events from being transferred across the network to the Indexer for PickleRick. 04-12-2024 11:47 AM
- Karma Re: What are the blacklist/config options to stop events from being transferred across the network to the Indexer for VatsalJagani. 04-12-2024 11:06 AM
- Posted What are the blacklist/config options to stop events from being transferred across the network to the Indexer on Getting Data In. 04-12-2024 09:47 AM
- Posted Re: How to get data into Splunk without a universal forwarder on Deployment Architecture. 03-27-2024 05:53 AM
- Posted How to get data into Splunk without a universal forwarder on Deployment Architecture. 03-26-2024 12:17 PM
- Posted Re: Can not communicate with task server, please check your settings. on All Apps and Add-ons. 02-28-2024 09:09 AM
- Karma Re: Can not communicate with task server, please check your settings. for dhirendra761. 02-28-2024 09:09 AM
- Karma Why am I unable to edit permissions to a dashboard I created? for pavanae. 06-05-2020 12:48 AM
- Karma Re: Why is a value appearing twice in a table but only occurs once in the event data? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: Trying to extract the value of a field which occurs twice in one event. Regex maybe? for scottrunyon. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-06-2026
12:20 PM
I think you are right about JSON. I will chase that down. Thank you for taking the time to respond. Much appreciated!
... View more
03-06-2026
10:56 AM
Ok. The events are JSON. I have 74 results to my search that I am trying to extract values from. The value I am trying to extract is from a blob sort of field that splunk is not extracting/identifying as a field. Here is what I have tried and when I finish with "|table message" I get zero results. This is done at search time. 1. ""(<?m>.+)"" 2. \"\w+\W+(?<message>[\s\w]+)\" 3. field=_raw "\"\w+\W+(?<message>[\s\w]+)\"" 4. |rex field=message "\"(?<message>[\s\w]+)\"" 5. |rex field=_raw "\"message\":\"(?<msg>.*?)\"" 6. | rex “message\”:\”(?<message>[\”]+)”
... View more
03-06-2026
10:29 AM
I've tried quite a number of extractions but nothing works. I'm basically grabbing at straws at this point.
... View more
03-06-2026
06:13 AM
I have a LogStash feed coming in, with events containing a string following this example; "message":"Transfer end logged" I need a rex to capture the string "Transfer end logged" (without quotes) Can anyone suggest a rex command please?
... View more
Labels
- Labels:
-
rex
04-17-2024
06:43 AM
I apologize for being vague. Was just trying to stick to the point. The source (LogStash) cloud server is CentOS and we have zero access or control beyond the initial setup happening over the next few days. We are not permitted to install ANY software on this server as it is externally hosted and is locked down. I plan to try and force the issue of a UF install, but I expect to be unsuccessful. In which case, LogStash is all we have. My entire environment is 60-70 UF's to an on-prem Indexer. I have no LogStash or HEC experience. I have a bad feeling about this...
... View more
04-12-2024
12:05 PM
What I can say is I have nowhere near your understanding of Splunk operations. I do appreciate your input. I am taking my limited understanding of our wholly-UF-to-Indexer environment, and applying what I know to solve the issue of reducing cloud-to-on-prem traffic over the WAN link from our new SaaS solution. I keep a very low daily transfer rate (and licensing rate) in our on-prem environment by blacklisting noise, and whitelisting the key events we want to track. I have no rights on the source machines, and I cannot install a UF, or anything for that matter. LogStash is the only option provided - which I assume requires HEC to receive the logs. I have read that HEC supports white/black listing - which is where my question came from.
... View more
04-12-2024
09:47 AM
I have a cloud-based server sending events to the Indexer over my WAN link via Http Event Collector (HEC). We have limited bandwidth on the WAN link. I want to limit (blacklist) a number of event codes and reduce the transfer of log data over the WAN. Q: Does a blacklist on inputs.conf for the HEC filter the events at the indexer, or does it stop those event from being transferred at the source? Q: If I install a Universal Forwarder, am I able to stop the blacklisted events from being sent across the WAN?
... View more
Labels
03-27-2024
05:53 AM
Does the HEC support allow/deny for specific event types? We have a LOT of data that we do not want to capture/forward from the cloud.
... View more
03-26-2024
12:17 PM
I have an on-prem splunk enterprise installation, consisting exclusively of Universal forwarders and a single Indexer. We now have a cloud-hosted environment, that it restricted, as it is hosted by an external company. They do not allow us to install any software (but their own) on the servers. Is there any way to get data into my Indexer, without a forwarder? Without a forwarder, am I able to apply allow/deny lists to events?
... View more
Labels
- Labels:
-
universal forwarder
02-28-2024
09:09 AM
Thanks so much!
... View more
03-16-2018
12:14 PM
For the certificate verify issue, these steps are helpful
https://answers.splunk.com/answers/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certificates-and-authentication.html
And when you create the certs and complete the openssl "questionaire" make sure the common name/FQDN is different for the root cert and the server cert. It will not work is you use the same value for both. (even if the value is blank)
... View more
11-23-2017
11:58 AM
I found a successful solution to this issue. Basically the dbxquery contains primarily SQL query language and did not respond properly to common splunk search language. In short, you really need to make this work with SQL language (not my forte).
In the DB Connect 3.1.1 app, Data Lab>SQL Explorer you can input your SQL code until you get the results you want, and it spits out the Splunk search string on the right, where you can "open in search". This provides the working search string.
Also, saving as a real-time alert would not work, so I set it up on a 30 minute cron schedule, which is */30 * * * * , and the search string looks back 31 mins from NOW to catch the desired events.
| dbxquery query="SELECT * FROM \"SQLCrypto\".\"dbo\".\"ProcessLog\" WHERE [Message] LIKE '%![IsSuccess!]:False%' ESCAPE '!') AND [Created] BETWEEN DATEADD(MINUTE,-31,GETDATE()) AND GETDATE() ORDER BY [Id] DESC " connection="SQL"
... View more
11-22-2017
08:03 AM
I'm guessing this is not a common issue for DB Connect users? I cannot find any details on why dbxquery returns every matching event and ignores the search time restraint (eg; last hour, last day, etc)
... View more
11-03-2017
07:25 AM
That did not work syntactically (Splunk complained), however this statement was accepted;
| where timefield >= (sysdate - 30) | where Message like "%[IsSuccess]:False%"
However, zero results were produced. I have a matching "False" event on Oct 11th, 2017 that fails to show with the "sysdate" parameter.
... View more
11-02-2017
08:34 AM
I just setup DB Connect for the first time. I'm having trouble wrapping my head around how it operates. Every other input I have is from a Universal Forwarder - (I understand how they work.) DB Connect does not appear to use time/date stamps in the same way as a UF input.
For example, I can create a SQL query within the DB Connect DataLab that returns the results I want. However, using dbxquery in a search string for a span over the past 24 hours, returns 3 year old events!
| dbxquery connection=SQL query="SELECT * FROM SQLCrypto"."dbo"."ProcessLog" | where Message like "%[IsSuccess]:False%"
Can anyone suggest how I can rein in my results to actually include only events in the past 24 hours?
Ultimately, I am looking to create an alert which triggers once an hour for %[IsSuccess]:False% events.
... View more
06-29-2017
11:30 AM
1 Karma
That's close enough for an "Accept" woodcock!
My search didn't like the "*" you added, and I'm unclear of the function.
What I did was;
| search (object_name:table1 OR object_name:table2) AND (statement:alter OR statement:create OR statement:delete OR statement:drop OR statement:exec OR statement:insert OR statement:select OR statement:update)
The resulting table included only the hits, which is exactly what I wanted. It created a conditional alert. Bravo!
Many thanks
... View more
06-29-2017
10:38 AM
Thank you for your reply.
The rex command I am running does return the value I want, so I'm not sure why you say it is faulty. What I'm unclear on is how to use it as a condition.
I did not get any results using the example you provided, sorry.
... View more
06-29-2017
10:35 AM
My laptop has been out of commission for a while, apologies for the delay in responding.
To clarify, I need an alert that is triggered for ANY of those statement: conditions, but only where object_name:table1 or table2.
I tried your suggestions but got zero results (where I know that 4 exist within the search time frame.)
... View more
06-21-2017
08:32 AM
I think I'm close on this, but I'm missing something;
I have events forwarding to my indexer from MS SQL Audit via WinEventLog:Application. A number of fields are not being automatically extracted, so I'm relying on rex to pull out the values I need for an alert. There is a large, multi-line field called "Message" which contains all the values I need. Within "Message" are other values like object_name, database_name, user_name, etc. I have no trouble pulling the values I need into a search and creating a table, but I'm not clear how to use a rex-returned value as a condition to trigger an alert.
The alert is only required if object_name:table1 or object_name:table2. Also if the "statement value is alter or create or delete, etc.
Partial Search String (outputs values to a table - not shown)
index=SQLAUDIT ComputerName=SERVER12 | search Message statement:alter OR statement:create OR statement:delete OR statement:drop OR statement:exec OR statement:insert OR statement:select OR statement:update | eval "Date - Time"=strftime(_time,"%F - %T") | rex "object_name:(?<TableID>.*)" | rex "statement:(?<AlertType>.+?)[\r]" | rex "database_name:(?<DBN>.*)"
Data Sample
Message=Audit event: event_time:2017-06-14 12:58:53.7376885
sequence_number:1
action_id:SL
succeeded:true
permission_bitmask:1
is_column_permission:true
session_id:79
server_principal_id:2
database_principal_id:0
target_server_principal_id:0
target_database_principal_id:0
object_id:1201906778
class_type:U
session_server_principal_name:DOMAIN\USER1234
server_principal_name:DOMAIN\USER1234
server_principal_sid:010500000000000567890093a2a241345661e2f43170a32821c0000
database_principal_name:public
target_server_principal_name:
target_server_principal_sid:
target_database_principal_name:
server_instance_name:SERVER12\DBMSSQL
database_name:DB_NAME1
schema_name:db19
object_name:table_1
statement:select top 100 a.* , b.*
from tableClosed a,
table_1 b
where a.flngAccountKey = b.flngAccountKey
and a.fstrCaseType = 'TRPHD'
... View more
05-24-2017
07:52 AM
Hey I got it to work!
I left out the rex command and just used | eval Account_Name=mvindex(Account_Name,1) | in order to extract the second occurrence of the Account_Name field.
Many thanks Scott!!
... View more
05-24-2017
07:47 AM
Thanks Scott,
I'm getting errors trying to add this to my search. I think I'm missing something.
Error in 'rex' command: Encountered the following error while compiling the regex 'Account Name:\s+(?\w+\$?)': Regex: unrecognized character after (? or (?-
In your example is 'Account Name: a reference to my existing duplicate field, and Wanted_ID is a new name for the extracted field value?
... View more
05-18-2017
11:29 AM
I am hopeful someone has a suggestion for this reporting issue.
I have an event generated by Microsoft SQL Audit, which is being written to the Windows:Security log on the forwarder. I need to create a search string which captures the value of the 2nd "Account_Name" field, containing the value "userid". However, "Account_Name" field appears twice in each record. As the field name is not unique, my table is showing the value of both fields concatenated into one string.
Source Data Sample;
Subject:
Account Name: hostname1$
New Logon:
Account Name: userid
Table results displayed for "Account_Name";
hostname1$
userid
The following is sample event data (scrubbed);
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=hostname1.network.com
TaskCategory=Logon
OpCode=Info
RecordNumber=559165
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: hostname1$
Account Domain: MyDomain
Logon ID: 0x3E7
Logon Type: 10
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-606747145-790525478-839522115-29674
Account Name: userid
Account Domain: MySubDomain
Logon ID: 0x16ABZ9093
Logon GUID: {00000000-0000-0000-0000-000000000000}
... View more
10-24-2016
12:29 PM
Yes, specifically adding "| nomv statement |" corrected the issue.
... View more
10-21-2016
09:45 AM
2 Karma
Thank you! That put me on the right track. I used nomv to eliminate the multivalue.
index=* ComputerName="serverhostname" EventCode=33205 | nomv statement | table ComputerName, statement
... View more
10-21-2016
07:12 AM
I'm running a very simple search to draw a table. One of the values returned is appearing twice in the table, but only occurs once in the event data. Is this a bug?
Here is the search string;
index=* host=serverhostname EventCode=33205 | table ComputerName, statement
The result in the table is the value for 'statement' appears twice. I get two events returned, with two lines each but only the 'statement' value is doubled. All other fields are blank on the second line.
Here is the event data that is being queried;
10/17/2016 12:20:25 PM
LogName=Application
SourceName=MSSQL$OTPMSSQL
EventCode=33205
EventType=0
Type=Information
ComputerName=HOSTNAME.FQDN
TaskCategory=None
OpCode=None
RecordNumber=904492
Keywords=Audit Success, Classic
Message=Audit event: event_time:2016-10-17 16:20:24.1512330
sequence_number:1
action_id:AL
succeeded:true
permission_bitmask:0
is_column_permission:false
session_id:136
server_principal_id:276
database_principal_id:1
target_server_principal_id:0
target_database_principal_id:0
object_id:8
class_type:DB
session_server_principal_name:DOMAIN\USERID
server_principal_name:DOMAIN\USERID
server_principal_sid:010500000000000515000000093a2a2426761e2f43170a326b1e0000
database_principal_name:dbo
target_server_principal_name:
target_server_principal_sid:
target_database_principal_name:
server_instance_name:SERVERNAME\OTPMSSQL
database_name:DBA
schema_name:
object_name:DBA
statement:ALTER DATABASE [DBA] MODIFY FILE ( NAME = N'DBA_log', FILEGROWTH = 1048576KB )
additional_information:
.
Collapse
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-06-2026
06:12 AM
|
Karma given to
