Hi everyone, I’m currently working on extracting the webaclId field from AWS WAF logs and setting it as the host metadata in Splunk. However, I’ve been running into issues where the regex doesn’t seem to work, and Splunk throws the error:   Log Example: Below is an obfuscated example of an event from the logs I’m working with:     { "timestamp": 1733490000011, "formatVersion": 1, "webaclId": "arn:aws:wafv2:region:account-id:regional/webacl/webacl-name/resource-id", "action": "ALLOW", "httpRequest": { "clientIp": "192.0.2.1", "country": "XX", "headers": [ { "name": "Host", "value": "example.com" } ], "uri": "/v2.01/endpoint/path/resource", "httpMethod": "GET" } }    I want to extract the webacl-name from the webaclId field and set it as the host metadata in Splunk. For the above example, the desired host value should be: webacl-name Here’s my current Splunk configuration: inputs.conf: [monitor:///opt/splunk/etc/tes*.txt] disabled = false index = test sourcetype = aws:waf   props.conf:   [sourcetype::aws:waf] TRANSFORMS-set_host = extract_webacl_name   transforms.conf:   [extract_webacl_name] REGEX = \"webaclId\":\"[^:]+:[^:]+:[^:]+:[^:]+:[^:]+:regional\/webacl\/([^\/]+)\/ FORMAT = host::$1 DEST_KEY = MetaData:Host SOURCE_KEY = _raw     What I’ve Tried: I’ve validated the regex on external tools like regex101, and it works for the log structure. For example, the regex successfully extracts webacl-name from: "webaclId":"arn:aws:wafv2:region:account-id:regional/webacl/webacl-name/resource-id" Manual rex Testing in Splunk:   index=test sourcetype=aws:waf | rex field=_raw "\"webaclId\":\"[^:]+:[^:]+:[^:]+:[^:]+:[^:]+:regional\/webacl\/(?<webacl_name>[^\/]+)\/" | table _raw webacl_name     Questions: Does my transforms.conf configuration have any issues I might be missing? Is there an alternative or more efficient way to handle this extraction and rewrite the host field? Are there any known limitations or edge cases with using JSON data for MetaData:Host updates? I’d greatly appreciate any insights or suggestions. Thank you for your help! ... View more

Hello all, Can someone help me build a regex that may allow me to extract 3 different fields from events where all the fields are concatenated? Example of the event(everything in one line): Comment_type1|Code100|description of Code100|Comment_type1|Code101|description of Code101|Comment_type1|Code102|description of Code103|Comment_type2|Code201|description of Code201|Comment_type2|Code8000|description of Code8000|Comment_type2|Code8001|description of Code8001|Comment_type3|Code7001|description of Code7001|Comment_type3|Code9001|description of Code9001| What I would like to get: fieldA|fieldB|fieldC Comment_type1|Code100|description of Code100| Comment_type1|Code101|description of Code101| Comment_type1|Code102|description of Code103| Comment_type2|Code201|description of Code201| Comment_type2|Code8000|description of Code8000| Comment_type2|Code8001|description of Code8001| Comment_type3|Code7001|description of Code7001| Comment_type3|Code9001|description of Code9001| fieldA is always Comment_type1 OR Comment_type2 OR Comment_type3 fieldB its always a number with 3 or 4 digits fieldC is a text string Can someone help me with this? ... View more

Hello everyone I have a scheduled PDF delivery mail, where I want to manipulate the mail subject, using a mail token. Basically, I want to add the word SUCCESS or ERROR, to the mail subject. To achieve this, on my dashboard, I am using a global search, where I am creating a token, using the following code: <search id="get_status_token"> <query>my_search_here | eval fstatus=if(AAA==BBB AND CCC==DDD , "SUCCESS","ERROR") | fields fstatus</query> <earliest>-1d@d</earliest> <latest>@d</latest> <sampleRatio>1</sampleRatio> <done> <set token="fstatus">$result.fstatus$</set> </done> </search> On the EDIT PDF SCHEDULE menu, I adding the following code as Subject TEST $fstatus$ but the email does never display the value of the token in the subject. Can someone help me find what am I missing? NOTE: I am using the token in the email subject and not in the PDF. Thanks in advance ... View more

Hello all, I need your help in order to get a regex that may extract fields from some messages. Example 1 USER: user1 UPDATED CUSTOMER - 123456. Added new user. New user was added. What I am looking at this message: username: user1 operation: UPDATED CUSTOMER (always two words in uppercase) customer_id: 123456 (always preceded by "-" and ending with ".") (not available in all messages) comment: Added new user. New user was added Example2 USER: user2 ADDED COUNTRY with identifier: Germany What I am looking at this message: username:user2 operation: ADDED COUNTRY (always two words in uppercase) comment: with identifier: Germany (in this message I do not have customer_id field) I am using the following REGEX that I far from being accurate. It works for the first use case but not for the second ... | rex field=message "^USER: (?P<username>.+?) (?P<operation>[A-Z].+?) - (?P<id>.+?)\. (?P<message>.*)" What I am looking for a final result: |username.... | operation...........................| id...............| message................................................| |user1............|UPDATED CUSTOMER.....| 123456 ....| Added new user. New user was added | |user2............|ADDED COUNTRY............| ..................| with identifier: Germany.........................| Can someone help me, building a general regex, please? ... View more

Hello all, I need to sum 1 day(86400 seconds) to my _time, if the event(_raw) includes the string "SB". This needs to be done, before indexing data. My data is like this: "RH",2018/03/12 03:21:40 -0700,,"Z76LVNG7N" "FH",01 "SH",2018/03/11 00:00:00 -0800,2018/03/11 23:59:59 -0700,"Z76LVNG99RA7N","" "SB","123456","Z76LVNG7N","3456789","","","T0006",2018/03/11 00:02:26 -0800,2018/03/11 00:02:26 -0800,"aa",234,"rud","ee",4,"eyt","S",,0,0,"dhl, bla, Postage, Ins:$0.00","","N","ShipSvc:First Class Package, blablabla, Postage, Ins:$0.00","","","","","","",,"","","","Express Checkout","01","02","","","","","","S","US" "SB","1234564","Z76LVNG7N","34567894","","","T0006",2018/03/11 00:03:26 -0600,2018/03/11 00:02:26 -0800,"aa",234,"rud","ee",4,"eyt","S",,0,0,"dhl, bla, Postage, Ins:$0.00","","N","ShipSvc:First Class Package, blablabla, Postage, Ins:$0.00","","","","","","",,"","","","Express Checkout","01","02","","","","","","S","US" "FF",2 To achieve this, I am using EVAL-_time in props .conf [mydata] DATETIME_CONFIG = NO_BINARY_CHECK = true SHOULD_LINEMERGE = false TRANSFORMS-sourcetype = metadata,events,discard REPORT-report_timestamp = report_timestamp category = Custom disabled = false pulldown_type = true FIELD_HEADER_REGEX = ^\"(?:CH)\" FIELD_DELIMITER = , *EVAL-_time = strftime(if(match(_raw,"SB"),_time+86400,_time),"%Y/%m/%d %H:%M:%S %z")* Can someone help me understand what am I doing wrong? NOTE: I tested this EVAL string during search time and it works well. ... View more

Hello all, I am using Splunk DB connect v3.0.1, and I am trying to connect to an Oracle database. I am using jdk1.8.0_121, as required, and in my JVM options(server.vmopts) I have -Duser.timezone="UTC" -Ddw.server.applicationConnectors[0].port=9998 When I go to Data Lab -> SQL Explorer, I am able to choose the Oracle connection, I can choose the Schema, and I can see the list of tables. However, when i click in one of the table names( select * from SCHEMA.TABLE_NAME) I always get the following error: java.sql.SQLException: ORA-00604: error occurred at recursive SQL level 1 ORA-01882: timezone region not found Can someone help me to solve this issue? Thanks in advance. ... View more