Activity Feed
- Posted Re: DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (50) characters of event on Getting Data In. 04-29-2021 12:14 PM
- Karma Re: DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (50) characters of event for richgalloway. 04-29-2021 12:14 PM
- Posted DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (50) characters of event on Getting Data In. 04-29-2021 08:10 AM
- Posted How to extract fields from database column using sql query on splunk db connect application. on Getting Data In. 01-18-2021 09:44 AM
- Posted Regex to extract multivalue and null values from the fields. on Getting Data In. 10-27-2020 07:09 AM
- Posted Getting error in rex command while running search for DB health check report. on Splunk Search. 09-02-2020 01:11 AM
04-29-2021 12:14 PM, Getting Data In: Re: DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (50) characters of event
Thank you!! I made changes to TIME_FORMAT and corrected MAX_TIMESTAMP_LOOKAHEAD to 30 instead of 50, and it worked.
04-29-2021 08:10 AM, Getting Data In: DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (50) characters of event
Hi All, I've deployed the props below to the Splunk SHC and IDX clusters, but the fields are not extracted in Splunk. There are WARN messages in the splunkd logs as follows:

DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (50) characters of event. Defaulting to timestamp of previous event (Thu Jan 21 14:02:33 2016).

Can you please help and let me know if I need to make any changes?

[props]
TIME_PREFIX=^
TIME_FORMAT=%d-%b-%Y %I.%M.%S.%6Q %p
MAX_TIMESTAMP_LOOKAHEAD=50
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
LINE_BREAKER=([\r\n])\d+\-\w+\-\d+\s+\d+\.\d+\.\d+\.\d+\s+\w+\s
EXTRACT-field1=regex
EXTRACT-field2=regex

Sample events:
29-APR-21 09.44.57.234427 AM ,TEST , 11,Login ,2098856,4
29-APR-21 09.44.56.234428 AM ,TEST , 12,Login ,2098856,4
Labels: field extraction
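To see what the warning in this post is about, here is a small Python emulation (an added example, not code from the post or from Splunk) of how TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD select and parse the timestamp in the sample events. It supports only the directives used in the post, and the two-digit-year variant `%y` is an assumed corrected format for comparison, since the post does not show which TIME_FORMAT change was made.

```python
import re
from datetime import datetime

# Constructed sample events, in the layout shown in the post.
EVENTS = [
    "29-APR-21 09.44.57.234427 AM ,TEST , 11,Login ,2098856,4",
    "29-APR-21 09.44.56.234428 AM ,TEST , 12,Login ,2098856,4",
]

# Splunk strptime directive -> (regex that locates its text, Python strptime directive).
# Only the directives in the post's TIME_FORMAT are covered; %6Q is Splunk's
# six-digit subsecond field, which Python spells %f.
DIRECTIVES = {
    "%d": (r"\d{1,2}", "%d"), "%b": (r"[A-Za-z]{3}", "%b"),
    "%Y": (r"\d{4}", "%Y"), "%y": (r"\d{2}", "%y"),
    "%I": (r"\d{1,2}", "%I"), "%M": (r"\d{2}", "%M"), "%S": (r"\d{2}", "%S"),
    "%6Q": (r"\d{6}", "%f"), "%p": (r"[AP]M", "%p"),
}


def parse_timestamp(event, time_format, lookahead, time_prefix=r"^"):
    """Emulate TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD for one event.

    Returns a datetime, or None when the format does not match at the start of
    the lookahead window (the situation the DateParserVerbose warning reports).
    """
    prefix = re.search(time_prefix, event)
    if not prefix:
        return None
    # Only this many characters after TIME_PREFIX are inspected for a timestamp.
    window = event[prefix.end(): prefix.end() + lookahead]
    pattern, py_format = "", ""
    for piece in re.split(r"(%6Q|%[a-zA-Z])", time_format):
        if piece in DIRECTIVES:
            pattern += DIRECTIVES[piece][0]
            py_format += DIRECTIVES[piece][1]
        else:  # literal separators such as "-", "." and " "
            pattern += re.escape(piece)
            py_format += piece
    found = re.match(pattern, window)
    if not found:
        return None
    return datetime.strptime(found.group(0), py_format)


if __name__ == "__main__":
    for fmt in ("%d-%b-%Y %I.%M.%S.%6Q %p", "%d-%b-%y %I.%M.%S.%6Q %p"):
        for lookahead in (50, 30, 20):
            print(fmt, lookahead, parse_timestamp(EVENTS[0], fmt, lookahead))
```

With the post's original format, the four-digit `%Y` never matches the two-digit year in the sample regardless of the lookahead; with the assumed `%y`, the 28-character timestamp fits in either a 30- or a 50-character window, and only a window shorter than the timestamp (20 here) makes the parse fail.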
01-18-2021 09:44 AM, Getting Data In: How to extract fields from database column using sql query on splunk db connect application.
Hi All, I kindly request your help to get fields extracted from a database column. I'm working on the Splunk DB Connect app. Can anyone please provide me a sample SQL query to extract subfields from the status field? For example, I would need something like msg=login failed, host and ip fields to be extracted from the unique database records below.

Sample database output with unique records from the Splunk DB Connect app:

Date  User  Input  Status
xxx   abc   123    login failed... host=xyz | ip=0.0.0.0 |
yyy   xyz   456    login successful
zzz   pqr   789    host=xyz | ip=0.0.0.0 |

Appreciate your help!!
Labels: field extraction
10-27-2020 07:09 AM, Getting Data In: Regex to extract multivalue and null values from the fields.
Hi Community, I would need your help in extracting multi-field values from the sample below. I have a regex below which is not helping me in extracting multi-field values; it's just extracting the first value from the log sample below. So could you help me in modifying the regex please? Thanks in advance.

Regex: \w+[\s+\-\:\w+]*=(?:[^\\,]+)*

e.g. the multivalue field is dhcp-parameter-request-list=1\, 22\, 3\, 4\, 77\, 55\, 99\, 200\,

Current result: dhcp-parameter-request-list=1 (Please note just 1 is extracted by my regex, but I would need the other values, i.e. 22, 3, 4, 77, 55, 77, 99 and 200, to get extracted as well)

Log source sample:
Oct 19 16:55:17 xxxxx33 xxx_profiler 000324 1 0 2020-10-19 16:55:17:108 +01:00 000628 80002 INFO Profiler: Profiler Endpoint Profiling event occured, configversionid=xxxx, Endpointcertainitymetric=50, EndpointIPAddress=xx.xx.xx.xxx, EndpointProperty=dhcp-class-identifier=xx.xxx.com\, Policyversion=000\, AuthenticationIdentityStore=Internal Endpoints\, lldpcachecapabilities=B\;T\, EndpointPolicyID=xxx-xxx-xxxxx\, LogicalProfile=xxx-xxx-xx\, xxx-xxxx-xxxx\, AuthenticationMethod=lookup\, FirstCollection=1518577\, CacheUpdateTime=10000\, IdentityAtoreGUID=\, StaticAssignment=false\, UserName=xxx\, NmapScanCpunt=0\, NetwrokDeviceName=xx.xx.xx.com\, DestIPAddress=xx.xx.xxx.xx\, AAA-Server=xxx\, MessageCode=000\, Device Type= Device Type#All Device Types\,PortalUser=\, AllowedProtocalMatchedRule=Wired_MM\, ciaddre=x.x.x.x\, BYODRegistration=Unknown\, Calling-Station-ID=xx-xx-xx-xx\, dhcp-requested-address=xx.xx.xx.xx\, FailureReason=-\, dhcp-parameter-request-list=1\, XX\, X\, X\, XX\, XX\, XX\, XXX\, PostureApplicable=Yes\, Description=Voice:XXX Phones Caanry Waref #VLAN:IPT-VOICE#TYPE:VOICE#SYNC:1.0\, phoneID=\, hostname=xxxx\, NAS-Port-Id=Gigabit Ethernet/x/xx\, location=location #all locations#\, uniquesubjectid=, EndpointSourceEvent=DNS Probe, EndpointIdentityGroup=xxx_Phones, ProfileServer=xx.xx.xx.xx,
Labels: field extraction
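As an added example (not from the post), here is a small Python parser for the EndpointProperty block in that log line, where properties are separated by backslash-escaped commas and a bare comma ends the block: a token containing `=` starts a new key, and a token without one continues the previous key's value list, which is how the multivalue dhcp-parameter-request-list is encoded. The sample line is a constructed, shortened version of the one in the post.

```python
import re

# Constructed sample, shortened from the profiler line in the post. Inside
# EndpointProperty=..., "\," separates properties; the first bare "," ends the block.
SAMPLE = (
    "Oct 19 16:55:17 xxxxx33 xxx_profiler 000324 1 0 2020-10-19 16:55:17:108 +01:00 "
    "000628 80002 INFO Profiler: Profiler Endpoint Profiling event occured, "
    "configversionid=xxxx, Endpointcertainitymetric=50, "
    "EndpointProperty=dhcp-class-identifier=xx.xxx.com\\, Policyversion=000\\, "
    "lldpcachecapabilities=B\\;T\\, Device Type= Device Type#All Device Types\\,PortalUser=\\, "
    "dhcp-parameter-request-list=1\\, 22\\, 3\\, 4\\, 77\\, 55\\, 99\\, 200\\, "
    "PostureApplicable=Yes\\, hostname=xxxx\\, uniquesubjectid=, "
    "EndpointSourceEvent=DNS Probe, ProfileServer=xx.xx.xx.xx,"
)

# Everything after "EndpointProperty=" up to the first comma NOT preceded by a backslash.
PROPERTY_BLOCK = re.compile(r"EndpointProperty=(.*?)(?<!\\),")


def parse_endpoint_properties(line: str) -> dict[str, list[str]]:
    """Return every property inside EndpointProperty=... as key -> list of values.

    Tokens are split on escaped commas. A token with '=' starts a new key; a
    token without one is appended to the previous key's value list, so a
    multivalue property like dhcp-parameter-request-list keeps all its values.
    An empty value (e.g. PortalUser=) yields an empty list rather than [""].
    """
    block = PROPERTY_BLOCK.search(line)
    if not block:
        return {}
    fields: dict[str, list[str]] = {}
    last_key = None
    for token in re.split(r"\\,\s*", block.group(1)):
        token = token.strip()
        if not token:
            continue
        if "=" in token:
            key, _, value = token.partition("=")
            last_key = key.strip()
            fields[last_key] = [value.strip()] if value.strip() else []
        elif last_key is not None:
            fields[last_key].append(token)
    return fields


if __name__ == "__main__":
    for key, values in parse_endpoint_properties(SAMPLE).items():
        print(f"{key} = {values}")
```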
09-02-2020 01:11 AM, Splunk Search: Getting error in rex command while running search for DB health check report.
Hello Splunkers,
I'm working on creating a DB health check report. The idea is to get the error info when there is a failed DB connection. When I try to run the search below in Splunk QA I get the error: Error in 'rex' command: Encountered the following error while compiling the regex '^(?<error>.*)\n?': Regex: syntax error in subpattern name (missing terminator).
Could you please help me resolve this issue? Thanks in advance.
index="_internal" sourcetype=dbx_job_metrics input_name=* connection="*"
| eval event_time=strftime(_time,"%m/%d/%y %H:%M:%S")
| join type=left connection [search index="_internal" sourcetype=dbx_server ERROR
| rex field=_raw "^(?<error>.*)\n?"
| rex field=error "/api/connections/(?<connection>[^/]+)"]
| stats latest(event_time) as event_time latest(host) as HF latest(connection) as connection latest(status) as status latest(error) as error by input_name
| sort - status
Tags: error