Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About lumpymilk
lumpymilk
Explorer
Member since:
02-03-2017
01-27-2021
Community Statistics
| Posts | 8 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 02-03-2017 |
Activity Feed
- Got Karma for How to override default for INDEXED_EXTRACTIONS?. 02-24-2022 09:55 AM
- Posted Re: earliest and latest information in custom python search command on Splunk Search. 01-27-2021 10:02 AM
- Posted Re: get earliest time from timepicker in custom commands on Splunk Enterprise. 01-27-2021 09:41 AM
- Posted How to override default for INDEXED_EXTRACTIONS? on Getting Data In. 08-11-2020 04:43 PM
- Tagged How to override default for INDEXED_EXTRACTIONS? on Getting Data In. 08-11-2020 04:43 PM
- Posted Re: Change output location of splunk diag? on Monitoring Splunk. 08-24-2018 01:58 PM
- Posted Is it necessary to set LINE_BREAKER, TIME_FORMAT, TIME_PREFIX in props.conf for Splunk DB Connect sources? on All Apps and Add-ons. 06-02-2017 11:51 AM
- Tagged Is it necessary to set LINE_BREAKER, TIME_FORMAT, TIME_PREFIX in props.conf for Splunk DB Connect sources? on All Apps and Add-ons. 06-02-2017 11:51 AM
- Tagged Is it necessary to set LINE_BREAKER, TIME_FORMAT, TIME_PREFIX in props.conf for Splunk DB Connect sources? on All Apps and Add-ons. 06-02-2017 11:51 AM
- Tagged Is it necessary to set LINE_BREAKER, TIME_FORMAT, TIME_PREFIX in props.conf for Splunk DB Connect sources? on All Apps and Add-ons. 06-02-2017 11:51 AM
- Posted Re: Why does my regular expression ignore escaped double quotes in value? on Splunk Search. 02-03-2017 11:44 AM
- Posted Re: Why does my regular expression ignore escaped double quotes in value? on Splunk Search. 02-03-2017 09:47 AM
- Posted Why does my regular expression ignore escaped double quotes in value? on Splunk Search. 02-03-2017 09:14 AM
- Tagged Why does my regular expression ignore escaped double quotes in value? on Splunk Search. 02-03-2017 09:14 AM
- Tagged Why does my regular expression ignore escaped double quotes in value? on Splunk Search. 02-03-2017 09:14 AM
- Tagged Why does my regular expression ignore escaped double quotes in value? on Splunk Search. 02-03-2017 09:14 AM
- Tagged Why does my regular expression ignore escaped double quotes in value? on Splunk Search. 02-03-2017 09:14 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 |
01-27-2021
10:02 AM
For the sake of anyone searching and finding this, these return a float that matches time picker when I try them. I just wish I could find inheritable or nested Option() types so I can borrow those with their existing validation. earliest = self.search_results_info.api_et latest = self.search_results_info.api_lt
... View more
01-27-2021
09:41 AM
From what I can tell, these look like the right attributes. They show up with a float so you may have to convert them depending on what you're using it for. earliest = self.search_results_info.api_et latest = self.search_results_info.api_lt I'd like to know how to create an Option() that uses the same validator as what search uses. LMK if you find that.
... View more
08-11-2020
04:43 PM
1 Karma
According to documentation here, under the title "Clear a setting": https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Howtoeditaconfigurationfile
A configuration setting that appears in default can be overridden by an empty setting in local. This often works for things like FIELDALIAS, EVAL, EXTRACT, REPORT and others except I notice it does NOT work for the INDEXED_EXTRACTIONS setting. It looks like the routine that validates this setting will choke if one of the known-good values is not present. So then, if a vendor set INDEXED_EXTRACTIONS=json in their add-on, I might try and set INDEXED_EXTRACTIONS= in the local/props.conf for that same sourcetype, hoping to instead do my JSON on a select few json nodes.
If I did try that, and as Splunk has documented it, then I would find the file would no longer be read in at all. Instead I'd find the following in splunkd.log: ERROR IndexedExtractionsConfig - Invalid value='' for parameter='INDEXED_EXTRACTIONS'.
and that would be followed by:
ERROR TailReader - Ignoring path="/myvendorApp/logs/filename.log" due to: Invalid indexed extractions configuration - see prior error messages
If anyone knows how to make this work for INDEXED_EXTRACTIONS, please let me know.
... View more
Labels
- Labels:
-
props.conf
08-24-2018
01:58 PM
It's probably worth mentioning since it was difficult to find. There is an option to write the diag to stdout as an uncompressed tar. From there you can do what you like. This is useful if you don't have space on the remote server.
this will send the diag as uncmpressed tar to stdout, then pass that through gzip prior to passing the gzipped output back through your ssh session and redirecting to a local gzipped copy. Note, the pipe needs to be escaped if you want to gzip prior to data transferring across the network.
ssh user@remoteserver $SPLUNK_HOME/bin/splunk diag --stdout | gzip > mydiag.tgz
If you just want to put the file into /tmp or /var then you can do this...
$SPLUNK_HOME/splunk diag --stdout | gzip > /tmp/mydiag.tgz
... View more
06-02-2017
11:51 AM
According to Best Practices for App building , we should at minimum set:
TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, TIME_FORMAT, LINE_BREAKER, SHOULD_LINEMERGE, TRUNCATE, KV_MODE
So normally for a sourcetype, I would set these basic configurations in props.conf to help Splunk parse data during indexing. I'm wondering if this is even necessary when I'm using a Splunk DB Connect 2 or Splunk DB Connect 3 add-on to load the data. It seems that we already set these when we are creating the db input.
... View more
02-03-2017
11:44 AM
Can someone explain how to handle the \" characters in a capture group when my field boundaries are double quotes? That's what I really need. It seems like splunk is having a problem when I escape the backslash and double quotes in my regex. Other regex tools are able to handle things like \"(?(\\"|[^\"])?)\" or \"(?(?:(\\"|[^\"]))?)\" just fine... but splunk errors on it.
... View more
02-03-2017
09:47 AM
Let me clarify a little. It is in fact a little more complicated than I originally stated.
The data is in w3c format. "(?.*)" would match but with the data looking like this ...
"data" "data" "data" data data data "http://www.mydomain.com/request.pl?clientData=someVar:\"this is the important data\"" "other data" "more data"
\"(?[^\"]*?)\"\s\"(?[^\"]*?)\"\s\"(?[^\"]*?)\"\s(?\S*?)\s(?\S*?)\s(?\S*?)\s\"(?.*)\"
matches more than the request data.
... View more
02-03-2017
09:14 AM
When extracting the request or cookie from httpd logs I'm having problems capturing an entire request when the request contains an escaped double quote. The reason appears to be in the handling of this sequence \" by Splunk.
For example if the request field of the log contains this data ...
"http://www.mydomain.com/request.pl?clientData=someVar:\"this is the important data\""
Then a regular expression for \"(?[^\"]*?)\" will capture http://www.mydomain.com/request.pl?clientData=someVar:\
If I try \"(?(?:(\x5c\x22|[^\"]))*?)\" then the search fails with an error saying "Please check log"... no details.
If I try \"(?(?:(\x5c\x21|[^\"]))*?)\" then the search completes with no error. Too bad \x21 isn't what I'm looking for.
If I try \"(?(?:(\x5c.|[^\"]))*?)\" in the hopes that ANY character preceded by a backslash will match then I get an error again.
The simple question is how would one capture data between double quotes where the data may contain escaped double quotes?
... View more
