cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
prasant
Explorer
Member since: ‎07-20-2021
‎03-03-2023
Community Statistics
Posts 12
Solutions 1
Karma Given 6
Karma Received 0
Member Since ‎07-20-2021
Activity Feed
View All

Re: How to search values in the lookup file?

by in Splunk Search
‎01-26-2023 08:50 PM
‎01-26-2023 08:50 PM
Thanks..not sure why I keep getting error.. this works though   | search [ | inputlookup sample.csv | fields data]|lookup sample.csv data local=true . This returned all the other fields from csv file to the 'interesting fields' sidebar. ... View more

Re: search values in the lookup file

by in Splunk Search
‎01-26-2023 07:16 PM
‎01-26-2023 07:16 PM
Thanks but getting Streamed search execute failed because: Error in 'lookup' command: Could not construct lookup error, This works though  | search [ | inputlookup sample.csv | fields data]| but how can I add the other corresponding columns from csv file along with the other fields from the event? ... View more

How to search values in the lookup file?

by in Splunk Search
‎01-26-2023 05:26 PM
‎01-26-2023 05:26 PM
I have sample.csv file with about 30000 rows with columns: sample data data  value1    value2 5600012345    abc  xxx 7890012345    fsfs rwrr I have below query     index="b2c" |rex field=path1.path2.details "code=\'(?<data>[^\n\r\']{10})"     I can see the extracted 'data' field in the fields list. I want to  query  'data' column values in the csv file and return table with the data and other fields from the event and csv file. how to use inputlookup or lookup command to search the extracted field? Thanks for the help in advance ... View more
Labels

Re: Rex command

by in Dashboards & Visualizations
‎11-08-2021 03:53 PM
‎11-08-2021 03:53 PM
Thanks,,, I used below "\"status\":\"(?<contactStatus>[^\n\r\"]*)\",\"birthDate\"", it also worked. ... View more

Rex command

by in Dashboards & Visualizations
‎11-07-2021 07:47 PM
‎11-07-2021 07:47 PM
Need help to extract value between 2 fields eg: below "status":"Active", "birthDate":"xxxx-03-06", I am trying below rex field=details "\"status\"\:\"(?<contactStatus>[^\n\r\",]+)*\"birthDate\"" NOTE: there is another status field, so I am trying to use this option, as I know "birthDate " follows "status" field. Thanks for you help in advance ... View more
Labels

Re: coalesce values of Outsearch and Subsearch

by in Splunk Search
‎08-08-2021 05:01 PM
‎08-08-2021 05:01 PM
@ITWhisperer  Thanks it worked, I was thinking of using rex and combine the indexes in one search. ... View more

Re: coalesce values of Outsearch and Subsearch

by in Splunk Search
‎08-07-2021 08:17 PM
‎08-07-2021 08:17 PM
Hi, @ITWhisperer  thanks for u r response, but your solution doesnt seem to work, I am using join( real time) so I can get the values of the subsearch as column, against the join condition. i.e common identifier is correlation ID. Outer Search A,  Contact Column x Subsearch B, Contact Column y  Join condition correlationId final stats/table should have combined result of column x and y along with all the other columns from Search A and Search B. The reason I want to combine the values is that, sometime Column x or Column Y will have the value. thanks      ... View more

coalesce values of Outsearch and Subsearch

by in Splunk Search
‎08-06-2021 08:35 PM
‎08-06-2021 08:35 PM
Hi Splunk experts, I have below usecase and using below query     index=Index1 app_name IN ("customer","contact") | rex field=msg.message.details "\"accountUuid\":\"(?<SFaccountUUID>[^\n\r\"]+)" | rex field=msg.message.details "\"contactId\":\"(?<SFcontactUUID>[^\n\r\"]+)" |rex field=msg.details "\'customerCode\'\=\'(?<cac>[^\n\r\']{10})\'" | rename msg.correlationId AS correlationId | stats latest(SFcontactUUID) as contactUUID,latest(SFaccountUUID) as accountUUID,values(msg.tag.Status) as QStatus,values(msg.tag.errorMessage) as Q_errorMessage,values(msg.tag.errorCode) as Q_errorCode by correlationId | join type=left correlationId [search index=index2 app_name="contact1" |rename msg.message.header.correlationId AS correlationId |stats values(msg.message.header.Status) AS DStatus,values(msg.message.header.eventName) AS eventName,values(msg.message.header.errorMessage) as D_errorMessage,values(msg.message.header.errorCode) as D_errorCode by correlationId] The common identifier between the 2 searches is the correlationId. Below is sample result   correlationId contactUUID accountUUID Q_errorMessage Q_errorCode D_errorCode D_errorMessage ab861125-6cd7-493b-999f-ef9b2edd8315023758601   C0DABCC1-EFC8-11eb-A67A-005056B89B42 null null 201 null null { "ContactUUID": "b020c98a-43f5-d6b3-e983-45ffddf52a73"} Is it possible to coalesce the value of highlighted in red from subsearch into the ContactUUID field in the outersearch?I am expecting this value either in outer or subsearch and so how can I solve it?  ... View more
Labels

Re: json field extraction

by in Splunk Search
‎07-21-2021 05:25 AM
‎07-21-2021 05:25 AM
Thanks a lot @kamlesh_vaghela  now I am able to get the important fields with kvdelim and pairdelim to parse the required key value pairs.  ... View more

Re: json field extraction

by in Splunk Search
‎07-20-2021 03:43 AM
‎07-20-2021 03:43 AM
Hi Kamlesh, Appriciate your prompt response. Hope below format helps, this is sample format, the structure is pretty much same as our actual event. Thanks { [-] cf_app_id: test123 cf_app_name: test event_type: LogMessage job_index: ebcf8d13 message_type: OUT msg: { [-] level: INFO logger: UpdateContact message: { [-] details: Data{SystemId='null', language='English', parentSourceSystemAction='null', contactId='cf4cae75-28b3', status='Active', birthDate='1991-01-15', eventAction='Create', Accounts=[CustomerAccounts{ Case='000899', accountid='4DA4F29E', contactRelationship=ContactRelationship{expiryDate='', contactType='owner', endDate=''}}],workContact=WorkContact{faxNumber='null', mobileNumber='null', emailAddress='null', phoneNumber='null'},homeContact=HomeContact{faxNumber='null', mobileNumber='null', emailAddress='', phoneNumber='null'},businessAddress=null,personalAddress=[PersonalAddress{addressId='9205', locality='PARK', internationalPostCode='null', internationalState='null', additionalInfo='null', isPrimary='Y', streetNumberStart='null', addressType='null', status='CO', streetNumberStartSuffix='null', postalCode='765', streetNumberEnd='null', streetName='null', country='null', streetNumberEndSuffix='null', streetType='null', state='null', subAddress=SubAddress{buildingName='null', numberStart='null', addressLines=[MIL PDE,], details=[Details{value='null', detailType='null'}, Details{value='null', detailType='null'}]}}],identification=Identification{driverLicense=DriverLicense{state='null', number='null'}}} header: { [-] correlationId: 707000J-52f6-10df-00f3-f859-1c5ed entityId: cf75-2b3-cb38-cef-a72ad88 entityName: test errorCode: null errorMessage: null eventName: testevent processName: process1 processStatus: SUCCESS serviceName: testservice serviceType: Dispatch } } timestamp: 2021-07-20 } origin: rep timestamp: 1626764261880766200 } ... View more

json field extraction

by in Splunk Search
‎07-20-2021 03:12 AM
‎07-20-2021 03:12 AM
Hi Splunk Experts, Below is a sample event, I have below spath msg.message.details, I am trying to extract certain  fields from the details datapath. How can I extract 'msg.message.details' into fields?, I am still a newbie and learning on the go in splunk world, I am guessing to use rex, but is there a way using spath? Our index has structured other json paths eg:y has other spath eg:msg.message.header.correlationId, etc,  { [-] cf_app_id: test123 cf_app_name: test event_type: LogMessage job_index: ebcf8d13 message_type: OUT msg: { [-] level: INFO logger: UpdateContact message: { [-] details: Data{SystemId='null', language='English', parentSourceSystemAction='null', contactId='cf4cae75-28b3', status='Active', birthDate='1991-01-15', eventAction='Create', Accounts=[CustomerAccounts{ Case='000899', accountid='4DA4F29E', contactRelationship=ContactRelationship{expiryDate='', contactType='owner', endDate=''}}],workContact=WorkContact{faxNumber='null', mobileNumber='null', emailAddress='null', phoneNumber='null'},homeContact=HomeContact{faxNumber='null', mobileNumber='null', emailAddress='', phoneNumber='null'},businessAddress=null,personalAddress=[PersonalAddress{addressId='9205', locality='PARK', internationalPostCode='null', internationalState='null', additionalInfo='null', isPrimary='Y', streetNumberStart='null', addressType='null', status='CO', streetNumberStartSuffix='null', postalCode='765', streetNumberEnd='null', streetName='null', country='null', streetNumberEndSuffix='null', streetType='null', state='null', subAddress=SubAddress{buildingName='null', numberStart='null', addressLines=[MIL PDE,], details=[Details{value='null', detailType='null'}, Details{value='null', detailType='null'}]}}],idv=Identification{doc=License{state='null', number='null'}}} header: { [-] correlationId: 707000J-52f6-10df-00f3-f859-1c5ed entityId: cf75-2b3-cb38-cef-a72ad88 entityName: test errorCode: null errorMessage: null eventName: testevent processName: process1 processStatus: SUCCESS serviceName: testservice serviceType: Dispatch } } timestamp: 2021-07-20 } origin: rep timestamp: 1626764261880766200 } Any help is much appreciated. Thanks ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-03-2023 12:03 AM
Karma given to