I found this error Error in 'rex' command: The regex 'fields=_raw' does not extract anything. It should specify at least one named group. Format: (?...).. what does it exactly mean ... View more

Error in 'rex' command: Encountered the following error while compiling the regex '(?)\w+\s\d+\s\w+\s\d+)$': Regex: unmatched parentheses I found out that error . Is that something i'm i missing in that query ?? ... View more

Hi index=sftp USER=gradydftsftpdata SESSION_ID=* | rex field=_raw "(?)\w+\s\d+\s\w+\s\d+)$" | fields USER, SESSION_ID,USER_IP,date_hour,_time | dedup SESSION_ID,USER_IP | join type=left max=2 SESSION_ID [search index=sftp SESSION_ID=* date_hour=* ACTION="open" OR ACTION="close"| rex field=_raw "(?)\w+\s\d+\s\w+\s\d+)$" | fields SESSION_ID, FILE_NAME, _time, USER_IP, ACTION] | rex field=_raw "(?)\w+\s\d+\s\w+\s\d+)$"| table FILE_NAME,USER, SESSION_ID,USER_IP,date_hour,_time,ACTION Is this the correct way to join the regular expression?? ... View more

Thanks for you response. I have a query in which i want to add a regular expression where it can display the events with bytes read 0 written 317555. So i need a regular expression which i can add it to this query index=sftp USER=gradydftsftpdata SESSION_ID=* | table USER, SESSION_ID,USER_IP,date_hour,_time | dedup SESSION_ID,USER_IP| join type=left max=2 SESSION_ID [search index=sftp SESSION_ID=* date_hour=* ACTION="open" OR ACTION="close" | table SESSION_ID, FILE_NAME, _time, USER_IP, ACTION] | table FILE_NAME,USER, SESSION_ID,USER_IP,date_hour,_time,ACTION. Wih this query i get the content that i needed. But along with that content i need to display any session_id that content bytes read 0 written 317555 in it. ... View more

It works somesoni. Can I know what's the best practice for splunk quries. Can you suggest me any kind of documentation or something like that ... View more

when i replace it with the above one it displays all the closed content. I think the files which having the filename need to be verified. ... View more

Hi Somesoni2, I got that query executed . But [search index=sftp SESSION_ID=* date_hour=* ACTION != session. I edited ACTION !=session to ACTION = open or close i mean one at a time and i'm able to get the exact output what i'm expecting for. But where can i initialize if i want to see open and close together in that query. ... View more

USER SESSION_ID USER_IP date_hour gradydftsftpdata 20716 10 gradydftsftpdata 15931 9 gradydftsftpdata 11034 8 gradydftsftpdata 6597 7 gradydftsftpdata 2127 6 gradydftsftpdata 28354 5 gradydftsftpdata 23974 4 gradydftsftpdata 19498 3 gradydftsftpdata 14957 2 This is the result for the first query FILE_NAME _time USER_IP ACTION /datafeed/EL/xyz_EL_201705136.txt 2017-01-27 03:15:04 close /datafeed/EL/xyz_EL_201705136.txt 2017-01-27 03:15:04 open This is the output for the second query. when i use this query index=sftp USER=gradydftsftpdata SESSION_ID=* | join sftp[search index=sftp SESSION_ID=* date_hour=* ACTION != session | table FILE_NAME, _time, USER_IP, ACTION] | table FILE_NAME,USER, SESSION_ID,USER_IP,date_hour,_time,ACTION | dedup SESSION_ID,USER_IP I get the output as FILE_NAME USER SESSION_ID USER_IP date_hour _time ACTION /datafeed/ gradydftsftpdata 20716 10 2017-01-30 10:15:05 forced /datafeed/ gradydftsftpdata 15931 9 2017-01-30 09:15:03 forced What result i'm looking for is , when we enter the above query I need to get the ACTION as closed and open for particular FILE_NAME as we got in query 2 ... View more

Thank you for your quick reply koshyk. What i'm trying to do is when i give input as index=sftp USER=gradydftsftp and it give output as Jan 27 10:15:01 wmcloudsftp internal-sftp[9055]: session closed for local user gradydftsftpdata. Jan 27 09:15:03 wmcloudsftp internal-sftp[4534]: session closed for local user gradydftsftpdata So my question is how can i create a dashboard with a query which displays file name ,uploadby,uploadtime,download,downloadby and download time. Filename is something like (9055) uploadby is gradydftsftp uploadtime is 09:15:03 ... View more