×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
lbruhns
Explorer
Member since: ‎11-06-2020
‎04-28-2022
Community Statistics
Posts 7
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎11-06-2020
Activity Feed
View All

Re: How to raise the alert for sourcetype=netstat

by in Getting Data In
‎12-02-2021 11:59 AM
‎12-02-2021 11:59 AM
came here for same question   ... View more

Re: AD FS Audit Logs (ADFS Audit) XML issues

by in All Apps and Add-ons
‎04-09-2021 01:06 PM
‎04-09-2021 01:06 PM
I have an admin on demand ticket open for this right now, did you ever get resolution? ... View more

Re: Unable to send data to multiple indexes using ...

by in Splunk Enterprise
‎04-02-2021 11:50 AM
‎04-02-2021 11:50 AM
info on this seems sparse i have a similar challenge with k8s coing over hec, i'd like to be able to have more htan one index per token but how does it route? ... View more

Re: dynamic eval statement from a template contain...

by in Splunk Search
‎03-09-2021 01:51 PM
‎03-09-2021 01:51 PM
This Worked great using  rex field=@mt max_match=0 "{(?<replacement_fields>[^}]+)" | eval message='@mt' | foreach * [ | eval message=coalesce(replace(message, "{".mvindex(replacement_fields, mvfind(replacement_fields, "<<FIELD>>"))."}", '<<FIELD>>'), message) ]   (?<!\{){(?!\{)(?<replacement_fields>[^}]+) this regex managed the escaped brackets   now i'll try to somehow make this part of the sourcetype, more likely i'll make a macro. the lookup table solution is not desireable, with the template in the log it gives the developers complete control to change the message to meet their needs without having to have a process for adding or appending templates ... View more

dynamic eval statement from a template contained i...

by in Splunk Search
‎03-05-2021 10:09 AM
‎03-05-2021 10:09 AM
i have application logs which contain a message template in a json field (@mt) to convert other json fields into a human readable message. The content of that field will look like {RequestProtocol} {RequestMethod} {RequestPath} responded {StatusCode}. the text in the {} corresponds to the keys in key value pairs in the rest of the json i made this eval eval message="\"".replace(replace(spath(_raw, "@mt"),"{", "\"."),"}",".\"")."\"" this returns message="".RequestProtocol." ".RequestMethod." ".RequestPath." responded ".StatusCode."" it dispays the key names rather than the values in that same search i have  eval test=" ".RequestProtocol." ".RequestMethod." ".RequestPath." responded ".StatusCode."" that returns test=HTTP/1.1 POST /path/to/thing responded 202 this returns the values.  how can i create an eval that forms the message from the template? i would love to make this part of the sourcetype  ... View more
Labels

Re: Manage SC4S config with Deployment Server

by in Splunk Dev
‎11-06-2020 02:01 PM
‎11-06-2020 02:01 PM
it does reach to the dep server through the UF installed on it the same one that sends all the OS logs for the server its installed on. I am thinking a script that builds the env file the same way splunk builds the conf files from all the apps into one conf. I was hoping someone in the community had done it if not maybe I'll give it a shot. ... View more

Manage SC4S config with Deployment Server

by in Splunk Dev
‎11-06-2020 01:44 PM
‎11-06-2020 01:44 PM
we have a SC4S server for both prod and dev environments and would like to use the deployment server to manage the SC4S Configs like environment files and metadata.csv is this possible? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎04-28-2022 05:36 PM
Karma given to
View All