×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
wilcomply13
Explorer
Member since: ‎05-03-2021
‎01-28-2022
Community Statistics
Posts 13
Solutions 2
Karma Given 2
Karma Received 2
Member Since ‎05-03-2021
Activity Feed
View All

Re: Comparing Multivalue Fields

by in Splunk Search
‎09-16-2024 12:35 PM
1 Karma
‎09-16-2024 12:35 PM
1 Karma
Exactly what I needed and all I had to do was substitute my field names.  Worked like a charm.  Karma for you.  Thanks ! ... View more

Re: JSON nested field extraction

by SplunkTrust in Splunk Search
‎01-27-2022 02:26 AM
‎01-27-2022 02:26 AM
For structured data like JSON, I still prefer buildin SPL commands to custom regex so even badly formatted, but syntactically correct inputs do not ruin extraction.  The same idea can be implemented with spath, for example: | rex mode=sed "s/boolValue/value/g" ``` treat boolValue just like string value ``` | rex mode=sed "s/\"\"/\"()\"/g" ``` compensate for spath's lack of zero-length standin ``` | spath | rename events{}.parameters{}.* as field_* ``` johnhua's original code below ``` | eval _raw=mvjoin(mvzip(field_name, field_value, ":"),"|") | extract pairdelim="=|",kvdelim=":" A caveat with spath is that it doesn't have an option to provide a standin for zero-length string values, so I have to force a non-zero standin. ... View more

Re: Field extraction failing on ampersand

by in Getting Data In
‎01-10-2022 07:14 AM
‎01-10-2022 07:14 AM
Jan 10 15:08:21 host.domain.com 2022-01-10 15:07:38 reason=Allowed event_id=000000000000 protocol=HTTPS action=Allowed transactionsize=1111 responsesize=111 requestsize=1111 urlcategory=Custom URL Category serverip=8.8.8.8 clienttranstime=111 requestmethod=POST refererURL=www.google.com/ ClientIP=9.9.9.9 status=204 user=user@domain.com url=www.google.com/gen_204?atyp=csi&ei=rUvcYZ-iM5GV0PEPt9uH8As&s=web&st=13120&fid=2&t=fi&zx=1641827258879 ... View more

Re: Search Time Issue

by in Splunk Search
‎07-21-2021 11:42 AM
1 Karma
‎07-21-2021 11:42 AM
1 Karma
I looked at this so long I didn't think about the field name for time in the lookup.  I coalesced the base search and the lookup time fields and was able to resolve the issue | eval time = coalesce(_time, latestTime) | stats latest(time) as latestTime by...... ... View more

JSON Search Time Extractions Truncated

by in Splunk Search
‎06-21-2021 11:39 AM
‎06-21-2021 11:39 AM
I've been troubleshooting an issue with a search time field extractions of a JSON field being truncated at 4096 characters. I've done a fair bit of troubleshooting the issue with no real luck. Current props.conf: KV_MODE = JSON TRUNCATE = 0 Limits.conf is at the default so that doesn't appear to be an issue at the moment. I'm also able to run makeresults with a field with a character count of 8192 with no issue, so it doesn't appear to be a global limitation. Any insight as to why this is occurring would be greatly appreciated. ... View more
Labels

User query GET request malformed

by in Splunk Search
‎05-13-2021 07:17 AM
‎05-13-2021 07:17 AM
I have a single user that is being affected by a strange issue where they are able to search, however the event table returns no content: If this user submits a search the URL appears to be malformed: https://splunkinstance.site:8000/en-US/app/search/search?dispatch.sample_ratio=1&display.events.fields=%5B%22host%22%2C%22source%22%2C%22sourcetype%22%2C%22callerIpAddress%22%2C%22category%22%2C%22tag%22%2C%22tag%3A%3Aeventtype%22%2C%22ms_Mcs_AdmPwd%22%2C%22user_login%22%2C%22user_caps%22%2C%22object_type%22%2C%22object_name%22%2C%22hist_ip%22%2C%22signature%22%2C%22error%22%2C%22sender%22%2C%22mail%22%5D&display.events.list.wrap=1&display.events.maxLines=5&display.events.rowNumbers=0&display.events.table.wrap=1&display.events.type=list&display.general.type=events&display.page.search.mode=verbose&display.page.search.tab=events&display.prefs.events.count=10&workload_pool=&q=search%20index%3Dweb&earliest=-15m&latest=now&sid=1620911471.38537_9F0273CD-B076-4A00-B73C-8A9CFED6A82A   While if I issue the same search my URL: https://splunkinstance.site:8000/en-US/app/search/ search?earliest=-15m&latest=now&q=search%20index%3Dweb&display.page.search.mode=verbose&dispatch.sample_ratio=1&workload_pool=&sid=1620911758.72975_80C75F5F-836C-4502-ADC6-6F26EF89DE77   The users GET requests appear to be recalling an extensive field list even when a single index is searched: index=web | fields index     I've confirmed the issue with the user in different browsers, as well as that the user has correct permissions.  ... View more
Labels

Re: Issues with wildcard input stanza

by in Getting Data In
‎05-10-2021 12:04 PM
‎05-10-2021 12:04 PM
Unfortunately, I've no direct access to the endpoint. I've resolved the issue by putting in a secondary input stanza to account for the file path difference. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎01-28-2022 08:38 AM
Karma from
View All
Karma given to
View All