cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Shariq
Explorer
Member since: ‎11-25-2020
‎10-30-2021
Community Statistics
Posts 7
Solutions 0
Karma Given 1
Karma Received 1
Member Since ‎11-25-2020
Activity Feed
View All

Re: Regex not working on splunk for the expression...

by in Splunk Search
‎10-29-2021 01:48 PM
‎10-29-2021 01:48 PM
single quote did not worked ... View more

Re: Regex not working on splunk for the expression...

by in Splunk Search
‎10-28-2021 02:20 PM
‎10-28-2021 02:20 PM
i did not try _raw earlier but when I did just now,it worked. but still, I am not clear why request-all-header is not working since I can see that this field is getting extracted properly without any rex. ... View more

Re: Regex not working on splunk for the expression...

by in Splunk Search
‎10-28-2021 02:05 PM
‎10-28-2021 02:05 PM
i even tried changing the variable name but no luck ... View more

Re: Regex not working on splunk for the expression...

by in Splunk Search
‎10-28-2021 02:00 PM
‎10-28-2021 02:00 PM
No , it is still not working in Splunk with real event. i can see the events but the query is not doing anything the make result is something I tried in all ways and it works with make result but not with the query with original event.   | makeresults | eval Request-all-Headers="Accept - */* Authorization - Bearer m6CsheaxrlMKIBH3vZ0EXk5G3rw6 Content-Type - application/json Host - api.ingrammicro.com IM-CorrelationID - 213.45245849 IM-CountryCode - TN IM-CustomerNumber - 44-999999 IM-SenderID - Global Reward Solutions simulateStatus - IM::SHIPPED X-Forwarded-For - 10.0.0.0X-Forwarded-Port - 123 X-Forwarded-Proto - https" | rex field=Request-all-Headers "IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})" | rex field=Request-all-Headers "IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})" | table Request-all-Headers country custno ... View more

Regex not working on splunk for the expression whi...

by in Splunk Search
‎10-28-2021 12:57 PM
‎10-28-2021 12:57 PM
i have data as below :     Request-all-Headers = Accept - */* Authorization - Bearer m6CsheaxrlMKIBH3vZ0EXk5G3rw6 Content-Type - application/json Host - api.ingrammicro.com IM-CorrelationID - 213.45245849 IM-CountryCode - TN IM-CustomerNumber - 44-999999 IM-SenderID - Global Reward Solutions simulateStatus - IM::SHIPPED X-Forwarded-For - 10.0.0.0X-Forwarded-Port - 123 X-Forwarded-Proto - https    and working rex below from regex 101  :   IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})\s+IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})   now when I tried the same with splunk. splunk is not able to extract the fields . my splunk query is below : index=test sourcetype="test" | rex field=Request-all-Headers "IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})" | rex field=Request-all-Headers "IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})" ... View more
Labels

Re: way to use case insensitive fields - Not Value

by in Splunk Search
‎11-25-2020 04:16 PM
‎11-25-2020 04:16 PM
eval coalesce worked well for me without changing the data at ingestion. thanks. ... View more

way to use case insensitive fields - Not Value

by in Splunk Search
‎11-25-2020 01:59 PM
1 Karma
‎11-25-2020 01:59 PM
1 Karma
Mydata is like below where the customerNumber can come like CustomerNumber or customernumber or CUSTOMERNUMBER AND isoCountryCode can come as IsoCountryCode, ISOCountryCode or any other combination.   Now during field extraction Splunk considers all these fields as seperate. though while writing query i want to consider all these fields as one. Environment = prod-dmz-usch01 | API = testapi| RequestURI = /test/v5/tesdt/10-12345?customerNumber=01-12345&isoCountryCode=US | ProxyRequestFlowName = testDetails-OpenAPIv3GetVerb.   My query is as below:   index=test sourcetype="testsamples" testapi "ProxyRequestFlowName = testDetails-OpenAPIv3GetVerb" | search isocountrycode=US OR isoCountryCode=US   -- this seems to be taking care of multiple values but it is not a good idea to write each field here, how to handle all scenario's ? | bucket _time span="24h" | chart count by customerNumber where count in top100 -- i am able to give only one value of customer number here , how can i handle all use cases ? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎10-30-2021 07:10 PM
Karma from
View All
Karma given to
View All