About prasant

prasant · ‎12-13-2023

thanks, it helped .

prasant · ‎12-07-2023

How to display timechart for specific time period for specific business days. Eg: index="someindex" |dedup eventid| timechart count(_raw) by eventName span=60m for monday,tuesday, wednesday, thursday, friday during 6pm - 8pm. Or for specific dates .How can achieve this? thanks in advance

prasant · ‎01-26-2023

Thanks..not sure why I keep getting error.. this works though | search [ | inputlookup sample.csv | fields data]|lookup sample.csv data local=true . This returned all the other fields from csv file to the 'interesting fields' sidebar.

prasant · ‎01-26-2023

Thanks but getting Streamed search execute failed because: Error in 'lookup' command: Could not construct lookup error, This works though | search [ | inputlookup sample.csv | fields data]| but how can I add the other corresponding columns from csv file along with the other fields from the event?

prasant · ‎01-26-2023

I have sample.csv file with about 30000 rows with columns: sample data data value1 value2 5600012345 abc xxx 7890012345 fsfs rwrr I have below query index="b2c" |rex field=path1.path2.details "code=\'(?<data>[^\n\r\']{10})" I can see the extracted 'data' field in the fields list. I want to query 'data' column values in the csv file and return table with the data and other fields from the event and csv file. how to use inputlookup or lookup command to search the extracted field? Thanks for the help in advance

prasant · ‎11-08-2021

Thanks,,, I used below "\"status\":\"(?<contactStatus>[^\n\r\"]*)\",\"birthDate\"", it also worked.

prasant · ‎11-07-2021

Need help to extract value between 2 fields eg: below "status":"Active", "birthDate":"xxxx-03-06", I am trying below rex field=details "\"status\"\:\"(?<contactStatus>[^\n\r\",]+)*\"birthDate\"" NOTE: there is another status field, so I am trying to use this option, as I know "birthDate " follows "status" field. Thanks for you help in advance

prasant · ‎08-08-2021

@ITWhisperer Thanks it worked, I was thinking of using rex and combine the indexes in one search.

prasant · ‎08-07-2021

Hi, @ITWhisperer thanks for u r response, but your solution doesnt seem to work, I am using join( real time) so I can get the values of the subsearch as column, against the join condition. i.e common identifier is correlation ID. Outer Search A, Contact Column x Subsearch B, Contact Column y Join condition correlationId final stats/table should have combined result of column x and y along with all the other columns from Search A and Search B. The reason I want to combine the values is that, sometime Column x or Column Y will have the value. thanks

prasant · ‎08-06-2021

Hi Splunk experts, I have below usecase and using below query index=Index1 app_name IN ("customer","contact") | rex field=msg.message.details "\"accountUuid\":\"(?<SFaccountUUID>[^\n\r\"]+)" | rex field=msg.message.details "\"contactId\":\"(?<SFcontactUUID>[^\n\r\"]+)" |rex field=msg.details "\'customerCode\'\=\'(?<cac>[^\n\r\']{10})\'" | rename msg.correlationId AS correlationId | stats latest(SFcontactUUID) as contactUUID,latest(SFaccountUUID) as accountUUID,values(msg.tag.Status) as QStatus,values(msg.tag.errorMessage) as Q_errorMessage,values(msg.tag.errorCode) as Q_errorCode by correlationId | join type=left correlationId [search index=index2 app_name="contact1" |rename msg.message.header.correlationId AS correlationId |stats values(msg.message.header.Status) AS DStatus,values(msg.message.header.eventName) AS eventName,values(msg.message.header.errorMessage) as D_errorMessage,values(msg.message.header.errorCode) as D_errorCode by correlationId] The common identifier between the 2 searches is the correlationId. Below is sample result correlationId contactUUID accountUUID Q_errorMessage Q_errorCode D_errorCode D_errorMessage ab861125-6cd7-493b-999f-ef9b2edd8315023758601 C0DABCC1-EFC8-11eb-A67A-005056B89B42 null null 201 null null { "ContactUUID": "b020c98a-43f5-d6b3-e983-45ffddf52a73"} Is it possible to coalesce the value of highlighted in red from subsearch into the ContactUUID field in the outersearch?I am expecting this value either in outer or subsearch and so how can I solve it?

prasant · ‎07-21-2021

Thanks a lot @kamlesh_vaghela now I am able to get the important fields with kvdelim and pairdelim to parse the required key value pairs.

prasant · ‎07-20-2021

Hi Kamlesh, Appriciate your prompt response. Hope below format helps, this is sample format, the structure is pretty much same as our actual event. Thanks { [-] cf_app_id: test123 cf_app_name: test event_type: LogMessage job_index: ebcf8d13 message_type: OUT msg: { [-] level: INFO logger: UpdateContact message: { [-] details: Data{SystemId='null', language='English', parentSourceSystemAction='null', contactId='cf4cae75-28b3', status='Active', birthDate='1991-01-15', eventAction='Create', Accounts=[CustomerAccounts{ Case='000899', accountid='4DA4F29E', contactRelationship=ContactRelationship{expiryDate='', contactType='owner', endDate=''}}],workContact=WorkContact{faxNumber='null', mobileNumber='null', emailAddress='null', phoneNumber='null'},homeContact=HomeContact{faxNumber='null', mobileNumber='null', emailAddress='', phoneNumber='null'},businessAddress=null,personalAddress=[PersonalAddress{addressId='9205', locality='PARK', internationalPostCode='null', internationalState='null', additionalInfo='null', isPrimary='Y', streetNumberStart='null', addressType='null', status='CO', streetNumberStartSuffix='null', postalCode='765', streetNumberEnd='null', streetName='null', country='null', streetNumberEndSuffix='null', streetType='null', state='null', subAddress=SubAddress{buildingName='null', numberStart='null', addressLines=[MIL PDE,], details=[Details{value='null', detailType='null'}, Details{value='null', detailType='null'}]}}],identification=Identification{driverLicense=DriverLicense{state='null', number='null'}}} header: { [-] correlationId: 707000J-52f6-10df-00f3-f859-1c5ed entityId: cf75-2b3-cb38-cef-a72ad88 entityName: test errorCode: null errorMessage: null eventName: testevent processName: process1 processStatus: SUCCESS serviceName: testservice serviceType: Dispatch } } timestamp: 2021-07-20 } origin: rep timestamp: 1626764261880766200 }

prasant · ‎07-20-2021

Hi Splunk Experts, Below is a sample event, I have below spath msg.message.details, I am trying to extract certain fields from the details datapath. How can I extract 'msg.message.details' into fields?, I am still a newbie and learning on the go in splunk world, I am guessing to use rex, but is there a way using spath? Our index has structured other json paths eg:y has other spath eg:msg.message.header.correlationId, etc, { [-] cf_app_id: test123 cf_app_name: test event_type: LogMessage job_index: ebcf8d13 message_type: OUT msg: { [-] level: INFO logger: UpdateContact message: { [-] details: Data{SystemId='null', language='English', parentSourceSystemAction='null', contactId='cf4cae75-28b3', status='Active', birthDate='1991-01-15', eventAction='Create', Accounts=[CustomerAccounts{ Case='000899', accountid='4DA4F29E', contactRelationship=ContactRelationship{expiryDate='', contactType='owner', endDate=''}}],workContact=WorkContact{faxNumber='null', mobileNumber='null', emailAddress='null', phoneNumber='null'},homeContact=HomeContact{faxNumber='null', mobileNumber='null', emailAddress='', phoneNumber='null'},businessAddress=null,personalAddress=[PersonalAddress{addressId='9205', locality='PARK', internationalPostCode='null', internationalState='null', additionalInfo='null', isPrimary='Y', streetNumberStart='null', addressType='null', status='CO', streetNumberStartSuffix='null', postalCode='765', streetNumberEnd='null', streetName='null', country='null', streetNumberEndSuffix='null', streetType='null', state='null', subAddress=SubAddress{buildingName='null', numberStart='null', addressLines=[MIL PDE,], details=[Details{value='null', detailType='null'}, Details{value='null', detailType='null'}]}}],idv=Identification{doc=License{state='null', number='null'}}} header: { [-] correlationId: 707000J-52f6-10df-00f3-f859-1c5ed entityId: cf75-2b3-cb38-cef-a72ad88 entityName: test errorCode: null errorMessage: null eventName: testevent processName: process1 processStatus: SUCCESS serviceName: testservice serviceType: Dispatch } } timestamp: 2021-07-20 } origin: rep timestamp: 1626764261880766200 } Any help is much appreciated. Thanks

Posts	14
Solutions	1
Karma Given	8
Karma Received	0
Member Since	‎07-20-2021

Online Status	Offline
Date Last Visited	‎06-19-2025 08:07 PM

Dashboard timechart

How to search values in the lookup file?

Rex command

coalesce values of Outsearch and Subsearch

json field extraction

Re: Dashboard timechart

Dashboard timechart

Re: How to search values in the lookup file?

Re: search values in the lookup file

How to search values in the lookup file?

Re: Rex command

Rex command

Re: coalesce values of Outsearch and Subsearch

Re: coalesce values of Outsearch and Subsearch

coalesce values of Outsearch and Subsearch

Re: json field extraction

Re: json field extraction

json field extraction

Are you a member of the Splunk Community?