Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About nuaraujo
nuaraujo
Path Finder
Member since:
12-22-2016
3 weeks ago
Community Statistics
| Posts | 21 |
| Solutions | 0 |
| Karma Given | 7 |
| Karma Received | 3 |
| Member Since | 12-22-2016 |
Activity Feed
- Posted Re: Convert seconds in days, hours and minutes on Splunk Search. 3 weeks ago
- Got Karma for Re: Splunk Scheduled PDF - Use token on mail subject. 12-22-2022 04:04 AM
- Got Karma for Re: Splunk Scheduled PDF - Use token on mail subject. 10-14-2020 05:35 AM
- Karma Re: Change _time before indexing for tiagofbmm. 06-05-2020 12:49 AM
- Karma Re: Splunk DB Connect: Error in 'dbxquery' command: Invalid message received for earlhelms. 06-05-2020 12:49 AM
- Karma Re: Splunk DB Connect: Error in 'dbxquery' command: Invalid message received for tmeader. 06-05-2020 12:49 AM
- Karma Re: How to remove "missing" forwarders from the Distributed Management Console? for hexx. 06-05-2020 12:48 AM
- Got Karma for Re: Splunk DB Connect: Why am I receive an Oracle connection error "error occurred at recursive SQL level 1 ORA-01882: timezone region not found"?. 06-05-2020 12:48 AM
- Karma Re: Why am I getting "Socket error communicating with splunkd" when I try to reload my deployment server to push out new configurations? for mookiie2005. 06-05-2020 12:47 AM
- Karma Re: Forwarder Management troubleshooting client errors for jlongworth. 06-05-2020 12:47 AM
- Karma Re: Does Splunk support excel imports for grimwiz. 06-05-2020 12:46 AM
- Posted Re: Mask password in XML at index time on Dashboards & Visualizations. 02-15-2019 08:24 AM
- Posted How do I make a search that displays all events in a lookup and alerts if any are missing? on Splunk Search. 12-12-2018 06:32 AM
- Tagged How do I make a search that displays all events in a lookup and alerts if any are missing? on Splunk Search. 12-12-2018 06:32 AM
- Posted Re: Can you help me build a regex to extract fields with different field delimiters? on Splunk Search. 10-29-2018 05:56 AM
- Posted Can you help me build a regex to extract fields with different field delimiters? on Splunk Search. 10-29-2018 04:11 AM
- Tagged Can you help me build a regex to extract fields with different field delimiters? on Splunk Search. 10-29-2018 04:11 AM
- Tagged Can you help me build a regex to extract fields with different field delimiters? on Splunk Search. 10-29-2018 04:11 AM
- Tagged Can you help me build a regex to extract fields with different field delimiters? on Splunk Search. 10-29-2018 04:11 AM
- Tagged Can you help me build a regex to extract fields with different field delimiters? on Splunk Search. 10-29-2018 04:11 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
3 weeks ago
Hi @gcusello , I used your logic, but with a small change in the function used. (floor instead or round). Would this make more sense to you? | eval duration=round((now() - last_seen),0)
| eval
days=if(duration>86400,floor(duration/86400),"0"),
hours=if(duration>3600,floor((duration-days*86400)/3600),"0"),
minutes=if(duration>60,floor((duration-days*86400-hours*3600)/60),"0"),
seconds=duration-days*86400-hours*3600-minutes*60
| eval Output=days.if(days>0," days ","").hours.if(hours>0," hours ","").minutes.if(minutes>0," minutes ","").seconds." seconds"
... View more
02-15-2019
08:24 AM
Hello guys,
your regex works really well if you don't use alphanumeric characters. Can you help me find a regex to use with a password that contains alphanumeric characters?
Thanks in advance.
... View more
12-12-2018
06:32 AM
Hello all,
I need your help with the following search:
I have a lookup file with a list of ids and account ID's
ID | Account_ID
AAA | 111
BBB | 222
CCC | 333
Every day, I have events that I can match with my lookup, using ID field.
DATE | ID
2018-12-10 | AAA
2018-12-10 | BBB
2018-12-10 | CCC
2018-12-11 | AAA
2018-12-11 | BBB
2018-12-11 | CCC (lets suppose this event is missing/does not exist)
2018-12-12 | AAA
2018-12-12 | BBB
2018-12-12 | CCC
What I want to see in my result is: all events from my lookup that has existing events in the search, per day. If any is missing, an error should be displayed.
Any idea about how can I achieve this?
DATE | ID | ACCOUNT_ID |RESULT
2018-12-10 | AAA | OK
2018-12-10 | BBB | OK
2018-12-10 | CCC | OK
2018-12-11 | AAA | OK
2018-12-11 | BBB | OK
2018-12-11 | CCC | ERROR
2018-12-12 | AAA | OK
2018-12-12 | BBB | OK
2018-12-12 | CCC | OK
Thanks in advance for your help on this.
... View more
- Tags:
- splunk-enterprise
10-29-2018
05:56 AM
Thanks @harsmarvania57 . You are awesome.
... View more
10-29-2018
04:11 AM
Hello all,
Can someone help me build a regex that may allow me to extract 3 different fields from events where all the fields are concatenated?
Example of the event(everything in one line):
Comment_type1|Code100|description of Code100|Comment_type1|Code101|description of Code101|Comment_type1|Code102|description of Code103|Comment_type2|Code201|description of Code201|Comment_type2|Code8000|description of Code8000|Comment_type2|Code8001|description of Code8001|Comment_type3|Code7001|description of Code7001|Comment_type3|Code9001|description of Code9001|
What I would like to get:
fieldA|fieldB|fieldC
Comment_type1|Code100|description of Code100|
Comment_type1|Code101|description of Code101|
Comment_type1|Code102|description of Code103|
Comment_type2|Code201|description of Code201|
Comment_type2|Code8000|description of Code8000|
Comment_type2|Code8001|description of Code8001|
Comment_type3|Code7001|description of Code7001|
Comment_type3|Code9001|description of Code9001|
fieldA is always Comment_type1 OR Comment_type2 OR Comment_type3
fieldB its always a number with 3 or 4 digits
fieldC is a text string
Can someone help me with this?
... View more
Thanks @masonmorales for the quick reply, but since in this dashboard I have 3 different searches, this would require at least 3 mails.
... View more
04-10-2018
12:41 PM
Hello everyone
I have a scheduled PDF delivery mail, where I want to manipulate the mail subject, using a mail token. Basically, I want to add the word SUCCESS or ERROR, to the mail subject.
To achieve this, on my dashboard, I am using a global search, where I am creating a token, using the following code:
<search id="get_status_token">
<query>my_search_here
| eval fstatus=if(AAA==BBB AND CCC==DDD , "SUCCESS","ERROR")
| fields fstatus</query>
<earliest>-1d@d</earliest>
<latest>@d</latest>
<sampleRatio>1</sampleRatio>
<done>
<set token="fstatus">$result.fstatus$</set>
</done>
</search>
On the EDIT PDF SCHEDULE menu, I adding the following code as Subject
TEST $fstatus$
but the email does never display the value of the token in the subject.
Can someone help me find what am I missing?
NOTE: I am using the token in the email subject and not in the PDF.
Thanks in advance
... View more
- Tags:
- splunk-enterprise
04-05-2018
01:35 AM
Hello everyone,
were you able to find a solution, in order to display App logo and App name, on navigation menu?
Thanks in advance
... View more
03-27-2018
02:27 AM
Thank @p_gurav.
Your suggestion would already be a good solution. However, can you just help me getting 2 words for "operation"? In your suggestion, I am only getting one. Even so, BIG THANK YOU for your quick reply.
... View more
03-27-2018
02:05 AM
Hello all,
I need your help in order to get a regex that may extract fields from some messages.
Example 1
USER: user1 UPDATED CUSTOMER - 123456. Added new user. New user was added.
What I am looking at this message:
username: user1
operation: UPDATED CUSTOMER (always two words in uppercase)
customer_id: 123456 (always preceded by "-" and ending with ".") (not available in all messages)
comment: Added new user. New user was added
Example2
USER: user2 ADDED COUNTRY with identifier: Germany
What I am looking at this message:
username:user2
operation: ADDED COUNTRY (always two words in uppercase)
comment: with identifier: Germany (in this message I do not have customer_id field)
I am using the following REGEX that I far from being accurate. It works for the first use case but not for the second
... | rex field=message "^USER: (?P<username>.+?) (?P<operation>[A-Z].+?) - (?P<id>.+?)\. (?P<message>.*)"
What I am looking for a final result:
|username.... | operation...........................| id...............| message................................................|
|user1............|UPDATED CUSTOMER.....| 123456 ....| Added new user. New user was added |
|user2............|ADDED COUNTRY............| ..................| with identifier: Germany.........................|
Can someone help me, building a general regex, please?
... View more
03-13-2018
12:36 PM
@tiagofbmm, THANK YOU. It works.
Your suggestions makes total sense, because the _time is in seconds, even if it is shown as a normal date.
NOTE: Do you know how to mark your answer as "accepted answer"?
... View more
03-13-2018
11:56 AM
During Search Time, works really well. I already tested it before.
At this stage, there are no stupid questions @tiagofbmm, but yes, I restarted my indexer and deleted the previous data in it. I guaranteed that the indexer was clean, before all my test.
https://ibb.co/gFHyec
link text
... View more
03-13-2018
11:26 AM
Thanks deepashri, but a TZ_ALIAS will not solve my issue because I the data is from the previous day. I really need to sum 86400 seconds to the _time field.
... View more
03-13-2018
11:08 AM
Thanks @tiagofbmm for the quick reply to my question.
The problem that I have in my data is that, this is a report file, generated daily, but with data from previous day.
In the example that I posted, the report, was generated on 2018/03/12.
"RH",2018/03/12 03:21:40 -0700,,"Z76LVNG7N"
The data (in the lines that start with SB), contains a field that splunk is using as timestamp
"SB","123456","Z76LVNG7N","3456789","","","T0006",2018/03/11 00:02:26 -0800,2018/03/11 00:02:26 -0800,"aa",234,"rud","ee",4,"eyt","S",,0,0,"dhl, bla, Postage, Ins:$0.00","","N","ShipSvc:First Class Package, blablabla, Postage, Ins:$0.00","","","","","","",,"","","","Express Checkout","01","02","","","","","","S","US"
In this example that I am sharing, I want to convert the date 2018/03/11 00:02:26 -0800 to 2018/03/12 00:02:26 -0800
I thought that using this eval in the props.conf of my indexer would change the value of _time, before the data is indexed.
Currently, after cleaning the index and reindex my data, nothing happens. I suspect that I may need to use a TRANSFORM instructions.
... View more
03-13-2018
10:30 AM
Hello all,
I need to sum 1 day(86400 seconds) to my _time, if the event(_raw) includes the string "SB". This needs to be done, before indexing data.
My data is like this:
"RH",2018/03/12 03:21:40 -0700,,"Z76LVNG7N"
"FH",01
"SH",2018/03/11 00:00:00 -0800,2018/03/11 23:59:59 -0700,"Z76LVNG99RA7N",""
"SB","123456","Z76LVNG7N","3456789","","","T0006",2018/03/11 00:02:26 -0800,2018/03/11 00:02:26 -0800,"aa",234,"rud","ee",4,"eyt","S",,0,0,"dhl, bla, Postage, Ins:$0.00","","N","ShipSvc:First Class Package, blablabla, Postage, Ins:$0.00","","","","","","",,"","","","Express Checkout","01","02","","","","","","S","US"
"SB","1234564","Z76LVNG7N","34567894","","","T0006",2018/03/11 00:03:26 -0600,2018/03/11 00:02:26 -0800,"aa",234,"rud","ee",4,"eyt","S",,0,0,"dhl, bla, Postage, Ins:$0.00","","N","ShipSvc:First Class Package, blablabla, Postage, Ins:$0.00","","","","","","",,"","","","Express Checkout","01","02","","","","","","S","US"
"FF",2
To achieve this, I am using EVAL-_time in props .conf
[mydata]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TRANSFORMS-sourcetype = metadata,events,discard
REPORT-report_timestamp = report_timestamp
category = Custom
disabled = false
pulldown_type = true
FIELD_HEADER_REGEX = ^\"(?:CH)\"
FIELD_DELIMITER = ,
*EVAL-_time = strftime(if(match(_raw,"SB"),_time+86400,_time),"%Y/%m/%d %H:%M:%S %z")*
Can someone help me understand what am I doing wrong?
NOTE: I tested this EVAL string during search time and it works well.
... View more
- Tags:
- indexing
01-19-2018
02:58 AM
Hello all, any update on this problem.
I have Splunk 7.0.1 running on Centos 6.6, with Splunk DB Connect. Any queries that I run always ends with Error in 'dbxquery' command: Invalid message received from external search command during setup, see search.log.
Thanks
... View more
09-20-2017
12:54 PM
Hello all,
1 - I created /opt/splunk/etc/apps/MyApp/appserver/static/dashboard.css with the exact content of the dashboad.css above
2 - I added script="dashboard.css" to my xml file. The first line is now like:
<form script="dashboard.css">
3 - I confirmed that the permissions in the folders and files are ok. I restarted Splunk.
Even so, I still have all the default options in the timepicker. Am I missing something?
Thanks in advance.
... View more
03-03-2017
10:27 AM
1 Karma
Thanks jcoates.
You post redirected me to the real problem. My DB version is 11.2.0.3.0 , and I was using ojdbc7.jar. I changed the driver to ojdbc6.jar, and it worked without issues.
Thank you for your help.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
3 weeks ago
|
