Activity Feed
- Posted Run makeresults command through REST API is giving error on Splunk Search. 07-06-2023 11:31 PM
- Tagged Run makeresults command through REST API is giving error on Splunk Search. 07-06-2023 11:31 PM
- Posted Re: Can you create/modify a lookup file via REST API? on Splunk Search. 06-06-2023 06:37 AM
- Posted How to avoid ExecProcessor rescheduling? on All Apps and Add-ons. 07-20-2022 12:32 PM
- Tagged How to avoid ExecProcessor rescheduling? on All Apps and Add-ons. 07-20-2022 12:32 PM
- Karma Re: How to create fields based on multivalue field of keys, and multivalue field of values for ITWhisperer. 06-14-2022 12:03 PM
- Posted How to create fields based on multivalue field of keys, and multivalue field of values on Splunk Search. 06-10-2022 07:41 AM
- Tagged How to create fields based on multivalue field of keys, and multivalue field of values on Splunk Search. 06-10-2022 07:41 AM
- Posted Re: How to convert _raw with encoded chars (not detected as string) into a readable string? on Splunk Search. 05-20-2022 11:29 AM
- Posted How to convert _raw with encoded chars (not detected as string) into a readable string? on Splunk Search. 05-20-2022 10:05 AM
- Tagged How to convert _raw with encoded chars (not detected as string) into a readable string? on Splunk Search. 05-20-2022 10:05 AM
07-06-2023 11:31 PM
I receive the following error while trying to execute a simple "makeresults" command by using a REST API call:
Used endpoint: https://localhost:8089/servicesNS/nobody/myapp/search/jobs
Search example: "| makeresults | eval name=\"denis\""
Error message: "Error in 'makeresults' command: This command must be the first command of a search."
"search": "search | makeresults | eval nombre=\"denis\""
I see that the API call changes my search, adding a "search" word before the search itself. How can I get rid of that?
Labels: search job inspector
06-06-2023 06:37 AM
It's a pretty old question, but I managed to create lookup CSV files using the REST API by running a search through the API. Let's suppose you need to create a lookup file inside "my_app", named "my_lookup.csv", with fields "myfield1,myfield2,myfield3". The curl might be something like this:
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/my_app/search/jobs --data-urlencode search="search | makeresults | eval field1=\"\",field2=\"\",field3=\"\" | table field1 field2 field3 | outputlookup my_lookup.csv create_context=app"
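For the two REST API posts above (the makeresults error and the outputlookup trick), here is an added Python example; it is not code from either post. It assumes the behaviour the first post ran into: splunkd accepts a `search` parameter that starts with `search` or with a pipe, and prepends `search` to anything else, which is what turns a bare `makeresults` into `search makeresults` and triggers the "must be the first command" error. The host, owner, app, token and lookup name are placeholders. It also shows the two checks a practitioner would want: an allow-list on any field or lookup name spliced into SPL (a name containing a pipe would otherwise append a command), and a bearer token over verified TLS instead of `-k` with basic auth.

```python
"""Build and (optionally) submit a Splunk search/jobs request.

Added example for the two REST API posts above; it is not code from
those posts. Assumptions: splunkd requires the `search` parameter to
start with `search` or a pipe and prepends `search` otherwise (which is
what produces "search | makeresults" and the makeresults error); the
host, owner, app, token and lookup name below are placeholders.
"""
import re
import urllib.request
from urllib.parse import quote, urlencode

# A string that already starts with a generating command or the search
# keyword is passed through untouched; anything else is a filter and
# gets the keyword prepended, mirroring splunkd.
STARTS_AS_SEARCH = re.compile(r"^\s*(\||search\b)")
# Identifiers spliced into SPL are kept to a strict allow-list so a field
# or lookup name coming from a request cannot smuggle in a pipe.
SAFE_FIELD = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
SAFE_LOOKUP = re.compile(r"^[A-Za-z0-9_-]+\.csv$")


def normalize_spl(spl: str) -> str:
    """Return the SPL string splunkd will accept for the `search` parameter."""
    spl = spl.strip()
    return spl if STARTS_AS_SEARCH.match(spl) else f"search {spl}"


def outputlookup_spl(lookup: str, fields: list[str]) -> str:
    """SPL that creates a CSV lookup with the given header (the second post's trick)."""
    if not SAFE_LOOKUP.match(lookup):
        raise ValueError(f"refusing lookup name {lookup!r}")
    bad = [f for f in fields if not SAFE_FIELD.match(f)]
    if bad or not fields:
        raise ValueError(f"refusing field names {bad!r}")
    evals = ", ".join(f'{f}=""' for f in fields)
    return (f"| makeresults | eval {evals} | table {' '.join(fields)} "
            f"| outputlookup {lookup} create_context=app")


def build_job_request(base_url: str, owner: str, app: str, spl: str,
                      exec_mode: str = "oneshot") -> tuple[str, str]:
    """Return (url, form-encoded body) for POST .../search/jobs."""
    url = f"{base_url.rstrip('/')}/servicesNS/{quote(owner)}/{quote(app)}/search/jobs"
    body = urlencode({"search": normalize_spl(spl),
                      "exec_mode": exec_mode,
                      "output_mode": "json"})
    return url, body


def submit(url: str, body: str, token: str, timeout: float = 30.0) -> bytes:
    """POST the job with a bearer token over verified TLS (no -k, no basic auth)."""
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # certificate is verified
        return resp.read()


if __name__ == "__main__":
    url, body = build_job_request("https://localhost:8089", "nobody", "myapp",
                                  '| makeresults | eval name="denis"')
    print(url)
    print(body)
    print(outputlookup_spl("my_lookup.csv", ["myfield1", "myfield2", "myfield3"]))
```

`submit()` is the only part that touches the network; everything else can be checked offline, which is how the body encoding (`%7C` for the leading pipe) can be confirmed before a request goes out.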
07-20-2022 12:32 PM
I've configured an inputs.conf to run a single .bat script:
[script://.\bin\scripts\prueba_py.bat]
disabled = 0
_TCP_ROUTING = splunkcloud_prod
index = ldcsap
sourcetype = _json
interval = 0-59/5 * * * *
My batch script prueba_py.bat just executes a python script called prueba_py.py:
@echo off
python.exe "C:\Program Files\SplunkUniversalForwarder\etc\apps\myapp\bin\scripts\prueba_py.py"
exit /b 0
And finally my python script only creates a dictionary, converts it to JSON and prints it:
import json
import sys

person = {"name": "Denis", "surname": "Soto", "age": "34"}
print(json.dumps(person))
sys.exit(0)
Given the inputs.conf stanza, it should be executed every 5 minutes, using the TCP_ROUTING and indexing the data to the "ldcsap" index. Well... that's not happening. I'm receiving the following INFO alert in splunkd.log, and I cannot find the error:
07-20-2022 16:30:00.033 -0300 INFO ExecProcessor [6652 ExecProcessor] - setting reschedule_ms=299967, for command="C:\Program Files\SplunkUniversalForwarder\etc\apps\myapp\bin\scripts\prueba_py.bat"
Labels: configuration
06-10-2022 07:41 AM
I have the following JSON event:
{
  "tags":
  [
    {"key":"Name","value":"Damian"},
    {"key":"Age","value":34},
    {"key":"Country","value":"Argentina"},
    {"key":"City","value":"Buenos Aires"}
  ]
}
I need to extract the corresponding fields in my event, with the key and value:
Name="Damian" Age="34" Country="Argentina" City="Buenos Aires"
This is what I tried:
| spath path=tags{}.key output=a_keys
| spath path=tags{}.value output=a_values
| eval {a_keys} = a_values
But the result of it is a multivalued field:
Name Age Country City = [ "Damian", "34", "Argentina", "Buenos Aires" ]
How can I create the correct fields?
Tags: json, multivalue, spath
Labels: eval
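As an added illustration of the transformation the post above asks for (not code from the post, and not Splunk's spath), here is a Python function that turns the key/value tag array into named fields. The sample event is the one from the post; how duplicate keys and non-string values are handled is this example's choice, made to mirror how Splunk fields behave: values are strings (34 becomes "34") and a repeated name becomes a multivalue field.

```python
"""Flatten a key/value tag array into named fields.

Added example for the "multivalue field of keys and values" post above;
not code from that post and not Splunk's spath. The sample event is the
one from the post; duplicate-key and non-string handling are this
example's choices.
"""
import json

# Sample event from the post.
EVENT = '''{
  "tags": [
    {"key": "Name", "value": "Damian"},
    {"key": "Age", "value": 34},
    {"key": "Country", "value": "Argentina"},
    {"key": "City", "value": "Buenos Aires"}
  ]
}'''


def flatten_tags(event, path="tags"):
    """Return {key: value} from event[path], a list of {"key":..,"value":..} objects.

    Values are stringified (34 -> "34"); a key that repeats collects its
    values into a list; entries without a "key" are skipped rather than
    raising, so one malformed tag does not drop the whole event.
    """
    data = json.loads(event) if isinstance(event, str) else event
    fields = {}
    for tag in data.get(path) or []:
        if not isinstance(tag, dict) or "key" not in tag:
            continue
        key = str(tag["key"])
        value = tag.get("value")
        value = "" if value is None else str(value)
        if key in fields:
            prev = fields[key]
            fields[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            fields[key] = value
    return fields


if __name__ == "__main__":
    print(flatten_tags(EVENT))
```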
05-20-2022
11:29 AM
Already tried, no success. It would work if the _raw field is recognized as string, but it is not. I've already tried "tostring(_raw)" also. Nothing changes
05-20-2022 10:05 AM
I have the following _raw field in my index:
_raw
Response Headers:
{\x27Date\x27: \x27Fri, 13 May 2022 02:59:34 GMT\x27, \x27Content-Type\x27: \x27application/json; charset=utf-8\x27}
So, I realized \x27 = '. But there is no way to convert that string into a human readable string, like this:
Response Headers:
{'Date': 'Fri, 13 May 2022 02:59:34 GMT', 'Content-Type': 'application/json; charset=utf-8'}
I tried with something like this, without success:
| eval myfield = replace(tostring(_raw),"x27","'")
Then I checked if the string contains "x27" and it turns out it is not being detected:
| eval exists=if(like(tostring(_raw), "%x27%"), "YES", "NO")
Is there a way to convert that weird string into a human readable string?
Labels: eval, field extraction
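The post above is about a logged Python dict repr whose quotes arrived as literal `\x27` sequences. As an added example (not code from the post), here is how to undo exactly those escapes in Python and then parse the repr without `eval()`. The sample event is constructed to match the post; the field names and the parsing approach are this example's. It also shows why the tempting `unicode_escape` round-trip is the wrong tool: it decodes every escape it knows and mangles any non-ASCII text already present in the line.

```python
"""Decode literal \\xNN escapes in a logged Python repr and parse it safely.

Added example for the "encoded chars in _raw" post above; not code from
that post. The sample event is constructed to match the post: a Python
dict repr whose quotes were written out as \\x27. Field names and the
parsing approach are this example's, not Splunk's.
"""
import ast
import re

# Constructed sample, modelled on the post's _raw.
RAW_EVENT = (
    "Response Headers:\n"
    r"{\x27Date\x27: \x27Fri, 13 May 2022 02:59:34 GMT\x27, "
    r"\x27Content-Type\x27: \x27application/json; charset=utf-8\x27}"
)

HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def unescape_hex(text: str) -> str:
    """Replace each literal \\xNN with the character it denotes, touching nothing else."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def unescape_naive(text: str) -> str:
    """The tempting one-liner: round-trip through the unicode_escape codec.

    It also decodes \\n, \\uXXXX and friends and, worse, reads the UTF-8
    bytes of any non-ASCII character as Latin-1, so "caf\u00e9" comes back
    as "caf\u00c3\u00a9". Kept here only to show the failure mode.
    """
    return text.encode("utf-8").decode("unicode_escape")


def headers_from_raw(raw: str) -> dict:
    """Return the headers dict from a 'Response Headers:' event.

    ast.literal_eval accepts literals only, so a crafted log line cannot
    run code the way eval() on the same string would.
    """
    decoded = unescape_hex(raw)
    _, _, body = decoded.partition("\n")
    headers = ast.literal_eval(body.strip())
    if not isinstance(headers, dict):
        raise ValueError("expected a dict literal after 'Response Headers:'")
    return headers


if __name__ == "__main__":
    print(unescape_hex(RAW_EVENT))
    print(headers_from_raw(RAW_EVENT)["Content-Type"])
```

`unescape_hex` leaves an incomplete sequence such as `\x2` untouched and never interprets `\n` or `\u`, so it cannot introduce line breaks or other characters into a field that did not already carry them.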
05-09-2022
05:47 AM
This is exactly what I needed. Now the output is in the correct order. Thanks!!
05-06-2022 08:16 AM
The problem is that the _time field is exactly the same between events, and there is no way to "sort" it in a logical way. I've created this search as an example:
| makeresults | eval _time=now(), broken_message="order, in only one event."
| append
    [ | makeresults | eval _time=now(), broken_message="ge it in the correct" ]
| append
    [ | makeresults | eval _time=now(), broken_message="events, and I need to mer" ]
| append
    [ | makeresults | eval _time=now(), broken_message="in multiple" ]
| append
    [ | makeresults | eval _time=now(), broken_message="is broken" ]
| append
    [ | makeresults | eval _time=now(), broken_message="This message" ]
This is the output:
_time                broken_message
2022-05-06 12:06:04  order, in only one event.
2022-05-06 12:06:04  ge it in the correct
2022-05-06 12:06:04  events, and I need to mer
2022-05-06 12:06:04  in multiple
2022-05-06 12:06:04  is broken
2022-05-06 12:06:04  This message
The way I found to merge the message is this:
| eventstats values(broken_message) as message by _time
| mvcombine delim="" message
| table message
And this is the result, with the wrong order:
message
This message events, and I need to mer ge it in the correct in multiple is broken order, in only one event.
The output of your suggested method is not exactly the same, but it is also disordered:
| sort _time
| eventstats list(broken_message) as message by _time
| mvcombine delim="" message
| table message
Note that I needed to add "mvcombine" in order to merge the "list" output into a single line. And here is the output:
message
order, in only one event. ge it in the correct events, and I need to mer in multiple is broken This message
So, there is no logical way to sort it in the correct way. That's why my first question was related to the PowerShell ERROR output in the _internal index. I suppose the same happens in every Splunk instance; it is not an isolated error. So, is this a known issue? And if so, is there a workaround for this?
05-03-2022 11:56 AM
Hello all,
We receive the "splunkd.log" from every Universal Forwarder into our "_internal" index. There are some events with log_level=ERROR that I need to analyze, some of them related to PowerShell script execution errors. The issue with these events is that the script outputs the error in several lines and the event is split into multiple events, all of them with the same "_time" (in the image below, the field "a_fechahora" is = _time).
I was able to merge the "a_mensaje" rows by "_time", but there are some issues with the order of the rows:
E.g. As you can see in green, the "Co" statement is incomplete, and it continues some lines below with "mmandNotFoundException". The same happens with "or if a pat" (...) "h was included". Is this a common / known issue? Is there any way to prevent these messed-up lines in PowerShell outputs?
Regards,
Tags: error, merge, powershell
Labels: eval
04-25-2022
04:46 AM
This is exactly what i needed. Thanks!
04-17-2022 05:45 PM
Let's suppose I have the following search:
| makeresults
| eval name="Denis", age=34
| append
    [| makeresults
     | eval name="Nazarena", age=28]
| append
    [| makeresults
     | eval name="Diego", age=10]
| append
    [| makeresults
     | eval name="Maria", age=43]
| search age > 30
| stats count by name
It outputs:
name   count
Denis  1
Maria  1
I need to get the number of times some name appears when its age is higher than 30, BUT I need to show the unmatched names (lower than 30) as "count = 0". Something like this:
name      count
Denis     1
Nazarena  0
Diego     0
Maria     1
What do I need to change in this search in order to achieve that?
Labels: stats
03-05-2022 09:26 PM
1 Karma
It was easier than I thought. The dedup would get the last event. As the source is a lookup and the field is not the default "_time", I just needed to sort by Sell_Date before. In my case, the sort on this field works properly (it was detected as a proper datetime field), so I don't need to strptime before sorting.
| inputlookup mylookup
| sort -Sell_Date
| dedup Name
03-05-2022 11:34 AM
Well, my question is not that intuitive, but I will deep dive here. Let's suppose I have this lookup:
Name   Product  Sell_Date
Denis  Bread    2022-02-21
Maria  Beer     2022-02-23
Denis  Water    2022-01-27
Denis  Cheese   2022-03-05
Maria  Beer     2021-12-12
I need to get the last "Sell_Date" grouping by "Name". In this case:
Name   Product  Sell_Date
Denis  Cheese   2022-03-05
Maria  Beer     2022-02-23
I know there is the "dedup" command, but it's not working because "Sell_Date" is not being considered as the "_time" field, because this is a lookup and not an index. I'm getting the wrong row as the dedup result. How can I get a custom dedup, specifying the field that should work as "_time"?
Labels: lookup
10-05-2021 08:44 AM
I have a search that I need to filter by a field, using another search. Normally, I would do this:
main_search where [subsearch | table field_filtered | format ]
It works like this:
main_search
for result in subsearch:
    field_filtered=result
In my case, I need to use each result of the subsearch as a filter, BUT as "contains" and not "equal to". I tried something like this, but it is not working:
main_search | where in (field_filtered,[subsearch])
How can I succeed at this?
Labels: field extraction, subsearch
08-06-2021 08:47 AM
I have an index called myindex:
NAME   AGE  CITY     COUNTRY    LEGAL AGE
Denis  17   London   UK         NO
Denis  18                       YES
Maria  17   Rosario  Argentina  NO
Maria  18                       YES
Nani   11   Paris    France     NO
This is a basic example. The case is that when LEGAL AGE=NO, there are several more fields available than when LEGAL AGE=YES. Notice that when LEGAL AGE=YES the fields "CITY" and "COUNTRY" don't exist at all. What I need to get is all the people in this index with all the information, EVEN if they are not of LEGAL AGE. I use a join for this:
index=myindex "LEGAL AGE"=NO
| join NAME
    [ search index=myindex "LEGAL AGE"=YES ]
The problem is that it only works if the subsearch returns something. In this example, it will work for Denis and Maria, but not for Nani. How can I make it work even if the subsearch returns nothing?
06-02-2021 05:01 AM
Hi Soutamo. Thanks for your response. I am populating the new index with a report that extracts and processes data from another existing index. My search/report looks like the following:
index=OldIndex
#SOME OTHER COMMANDS THAT WE NEED TO EXECUTE
| eval host = SomeOtherField
| fields + host, metric_label, metric_value
| collect index=NewIndex
The resulting event looks exactly as I need: only 3 fields, and the host field populated correctly. I've scheduled it to run every 5 minutes. But then, in "NewIndex" the data is being populated like "OldIndex": with the same fields and the "host" with the original value. What is the problem?
05-28-2021 08:04 AM
I have a report that is getting events from an existing index, processing the data and indexing it again to another custom index I've created. The original index has the "host" field populated with the indexer hostname. I need to replace this value with the value of another field. For that (and more) reason I've created a new index and a report, scheduled and configured it to populate the new index. The report shows the information exactly as I need. The problem is when the report is being indexed to the new index: the "host" field is being populated with the indexer as value (as in the original index), and the value that I need to be in the host field is in another field automatically created and named "orig_host". How can I fix that?
Labels: fields
02-26-2021
04:35 AM
[SOLVED]: I had to append the following parameters to the [Service] tag in the unit file (splunk.service): StartLimitInterval=30 StartLimitBurst=5 RestartSec=10 Now it's working correctly.
02-22-2021
07:53 AM
Indeed, we have /opt/splunk as a partition mount. Should we add something to the unit file in order to wait for partition's initialization? How can we do that?
02-22-2021 06:42 AM
Hello, we have a Splunk Enterprise version 8.0.5 configured in PRD; we have enabled boot-start with --systemd-managed 1 and specified the user splunk as the owner of the service. It keeps failing during boot with this error:
start request repeated too quickly for splunk.service
If I run "splunk start | restart | stop" it uses systemd to manage the process also (which is correct) and it works properly after boot. If I run "systemctl start splunk" after boot, the service starts OK. The problem is only during boot. Server information:
NAME="Oracle Linux Server"
VERSION="7.9"
journalctl logs say:
Failed at step EXEC spawning /opt/splunk/bin/splunk: No such file or directory
-- Subject: Process /opt/splunk/bin/splunk could not be executed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- The process /opt/splunk/bin/splunk could not be executed and failed.
--
-- The error number returned by this process is 2.
How can we fix it?
Labels: heavy forwarder, host, Linux, syslog
02-02-2021
07:06 AM
When you said "SHM" is it the Deployer, the Search Head Captain or the same SH with the issue?