Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About jmillpps
jmillpps
New Member
Member since:
01-13-2017
06-05-2020
Community Statistics
| Posts | 4 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 01-13-2017 |
Activity Feed
- Posted How can I correlate results from two separate searches? on Splunk Search. 10-04-2017 11:35 AM
- Tagged How can I correlate results from two separate searches? on Splunk Search. 10-04-2017 11:35 AM
- Tagged How can I correlate results from two separate searches? on Splunk Search. 10-04-2017 11:35 AM
- Tagged How can I correlate results from two separate searches? on Splunk Search. 10-04-2017 11:35 AM
- Posted Re: What is the best approach for a search time extraction of JSON formatted data within syslog event value? on Getting Data In. 01-15-2017 09:31 AM
- Posted Re: What is the best approach for a search time extraction of JSON formatted data within syslog event value? on Getting Data In. 01-14-2017 08:30 PM
- Posted What is the best approach for a search time extraction of JSON formatted data within syslog event value? on Getting Data In. 01-13-2017 11:59 AM
- Tagged What is the best approach for a search time extraction of JSON formatted data within syslog event value? on Getting Data In. 01-13-2017 11:59 AM
- Tagged What is the best approach for a search time extraction of JSON formatted data within syslog event value? on Getting Data In. 01-13-2017 11:59 AM
- Tagged What is the best approach for a search time extraction of JSON formatted data within syslog event value? on Getting Data In. 01-13-2017 11:59 AM
- Tagged What is the best approach for a search time extraction of JSON formatted data within syslog event value? on Getting Data In. 01-13-2017 11:59 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
10-04-2017
11:35 AM
I have syslog formatted events that correlate together based on one value, and a search that will pull a single line of those events:
s=1js832fc event=A somedata=9sdsh
s=1js832fc event=B someotherdata=3s2jd
s=1js832fc event=C someotherotherdata=12s93d
s=1js832fc event=D someotherotherotherdata=32s8d2 mid=2jhsd9asdhjs9s2hn2u
s=28s72d event=A somedata=8sd6d
s=28s72d event=B someotherdata=27sh2d
s=28s72d event=C someotherotherdata=28s7s2
s=28s72d event=D someotherotherotherdata=2s73hd mid=2jhsd9asdhjs9s2hn2u
The search to be performed is to pull events matching 'mid' value: 2jhsd9asdhjs9s2hn2u
This search results in the following events found:
s=1js832fc event=D someotherotherotherdata=32s8d2 mid=2jhsd9asdhjs9s2hn2u
s=28s72d event=D someotherotherotherdata=2s73hd mid=2jhsd9asdhjs9s2hn2u
I would like to search for all events relating to the two 's' values found (1js832fc and 28s72d) from the initial search by 'mid' (2jhsd9asdhjs9s2hn2u).
I am finding it difficult to perform a search based on values found in a search, and sub-searches seem to be limited to the events that were found within the search, instead of searching back through the entire index? The result I would like is a search that initially searches for 'mid', and then searches back through the index for events that match the found events 's' value, and the end result would be all of the events above:
s=1js832fc event=A somedata=9sdsh
s=1js832fc event=B someotherdata=3s2jd
s=1js832fc event=C someotherotherdata=12s93d
s=1js832fc event=D someotherotherotherdata=32s8d2 mid=2jhsd9asdhjs9s2hn2u
s=28s72d event=A somedata=8sd6d
s=28s72d event=B someotherdata=27sh2d
s=28s72d event=C someotherotherdata=28s7s2
s=28s72d event=D someotherotherotherdata=2s73hd mid=2jhsd9asdhjs9s2hn2u
Is this possible?
... View more
01-15-2017
09:31 AM
Problem solved! Thank you for your help somesoni2! Working like a charm now
... View more
01-14-2017
08:30 PM
I think I see the issue here, and it's slightly unrelated to the question asked. The answer provided is definitely the best answer and was the path I was running down before to no avail before. Good answer though, and the following document pages were a great read as well:
http://docs.splunk.com/Documentation/Splunk/6.5.1/Knowledge/Managefieldtransforms
http://docs.splunk.com/Documentation/Splunk/6.5.1/Knowledge/Exampleconfigurationsusingfieldtransforms
So, the real issue here is that it appears that this must be added to the props/transforms conf files located under the users search app's local directory:
/opt/splunk/etc/users/admin/search/local/
The purpose of the extraction is having it exist inside the install-able TA and that the extracted fields would already exist for the enduser and not require the user to append them anywhere themselves. Adding directly to the TA's default directory's props/transforms conf files has no percieved effect when attempting to use the 'search' app in splunk:
/opt/splunk/etc/apps/TA_vendor_product/default/
Is this a limitation for bare-bones TA's when searching for data pulled through it's modular input, or is what I am attempting to do not the right way about going to implement this type of capability? The end result I'm searching for is being able to use the search app in splunk to search for extracted fields like this, but not having to add any custom user transforms/props configuration file edits. I'd like all of these customizations to reside inside of the bare-bones TA, so that it is as simple to install and seamless for the end user as possible to get it to ingest data, and search for the underlying fields within it.
... View more
01-13-2017
11:59 AM
I have a data source I am pulling syslog data from (a modular input). The data returned from this API is syslog formatted, however one of the fields within the syslog data contains a JSON formatted object within it. I am wondering what the best approach would be to start enabling default search-time extraction of the data held within this field:
<38>1 2017-01-13T17:31:46Z - VENDORHERE - EVENTYPEHERE [USERHERE@PIDHERE ... threatsInfoMap="[{\"threatID\":\"...\", \"threatType\":\"...\", \"classification\":\"...\", \"threatUrl\":\"...\", \"threatTime\":\"...\", \"threat\":\"...\", \"campaignID\":\"...\"},{\"threatID\":\"...\", \"threatType\":\"...\", \"classification\":\"...\", \"threatUrl\":\"...\", \"threatTime\":\"...\", \"threat\":\"...\", \"campaignID\":\"...\"}]" ...]
The ... 's are obviously redaction's of the data. The 'threatsInfoMap' field is the field containing JSON formatted data within the syslog data however. It is basically an array, that can contain no/single/many individual threats. Expanded out (and the escaped quote marks removed):
[
{
"threatID":"...",
"threatType":"...",
"classification":"...",
"threatUrl":"...",
"threatTime":"...",
"threat":"...",
"campaignID":"..."
},
{
"threatID":"...",
"threatType":"...",
"classification":"...",
"threatUrl":"...",
"threatTime":"...",
"threat":"...",
"campaignID":"..."
}
]
I would like to make these fields default searchable in the TA (add-on / app) that I am developing, however I am finding it difficult to be able to extract multiple values for the same field name using regexes. Can someone please point me in the right direction or suggestions so that I should begin to explore adding this type of search time extraction and ingestion of these values?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
