Hello, I'm trying to extract fields from an event, but am not up to par on my regex, and I can't seem to get this to work.  So these work in regex101, but not within the Splunk Field Extraction for some reason.  Within the event there is the following: "alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777," I need to create 3 fields from this: Host = FL-NS-VPX-INT-1 ServiceGroup = mobileapist Server = vnetapis003 When trying for Host with:  (?<="alias":")[^|]* It never finds it in Splunk.  Can't figure out why.   Extra credit: 🙂  Just kidding.  The last field I need, I can't get either with:   (?<="team","name":")[^"]* "team","name":"Monitoring_Admin"}], Here's the full event as well. INFO[2024-11-13T13:37:23.9114215-05:00] Message body: {"actionType":"custom","customerId":"3a1f4387-b87b-4a3a-a568-cc372a86d8e4","ownerDomain":"integration","ownerId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf","discardScriptResponse":true,"sendCallbackToStreamHub":false,"requestId":"18dcdb1b-14d6-4b10-ad62-3f73acaaef2a","action":"Close","productSource":"Opsgenie","customerDomain":"siteone","integrationName":"Opsgenie Edge Connector","integrationId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf","customerTransitioningOrConsolidated":false,"source":{"name":"","type":"system"},"type":"oec","receivedAt":1731523037863,"ownerId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf","params":{"type":"oec","alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","customerId":"3a1f4387-b87b-4a3a-a568-cc372a86d8e4","action":"Close","integrationId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf","integrationName":"Opsgenie Edge Connector","integrationType":"OEC","customerDomain":"siteone","alertDetails":{"Raw":"","Results Link":"https://hostname:8000/app/search/search?q=%7Cloadjob%20scheduler__td26605__search__RMD5e461b39d4ff19795_at_1731522600_38116%20%7C%20head%204%20%7C%20tail%201&earliest=0&latest=now","SuppressClosed":"True","TeamsDescription":"True"},"alertAlias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","receivedAt":1731523037863,"customerConsolidated":false,"customerTransitioningOrConsolidated":false,"productSource":"Opsgenie","source":{"name":"","type":"system"},"alert":{"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","id":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","type":"alert","message":"[Splunk] Load Balancer Member Status","tags":[],"tinyId":"14585","entity":"","alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","createdAt":1731522737697,"updatedAt":1731523038582000000,"username":"System","responders":[{"id":"f8c9079d-c7bb-4e58-ac83-359cb217a3b5","type":"team","name":"Monitoring_Admin"}],"teams":["f8c9079d-c7bb-4e58-ac83-359cb217a3b5"],"actions":[],"priority":"P3","oldPriority":"P3","source":"Splunk"},"entity":{"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","id":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","type":"alert","message":"[Splunk] Load Balancer Member Status","tags":[],"tinyId":"14585","entity":"","alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","createdAt":1731522737697,"updatedAt":1731523038582000000,"username":"System","responders":[{"id":"f8c9079d-c7bb-4e58-ac83-359cb217a3b5","type":"team","name":"Monitoring_Admin"}],"teams":["f8c9079d-c7bb-4e58-ac83-359cb217a3b5"],"actions":[],"priority":"P3","oldPriority":"P3","source":"Splunk"},"mappedActionDto":{"mappedAction":"postActionToOEC","extraField":""},"ownerId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf"},"integrationType":"OEC","alert":{"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","id":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","type":"alert","message":"[Splunk] Load Balancer Member Status","tags":[],"tinyId":"14585","entity":"","alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","createdAt":1731522737697,"updatedAt":1731523038582000000,"username":"System","responders":[{"id":"f8c9079d-c7bb-4e58-ac83-359cb217a3b5","type":"team","name":"Monitoring_Admin"}],"teams":["f8c9079d-c7bb-4e58-ac83-359cb217a3b5"],"actions":[],"priority":"P3","oldPriority":"P3","source":"Splunk"},"customerConsolidated":false,"customerId":"3a1f4387-b87b-4a3a-a568-cc372a86d8e4","action":"Close","mappedActionDto":{"mappedAction":"postActionToOEC","extraField":""},"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","alertAlias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","alertDetails":{"Raw":"","Results Link":"https://hostname:8000/app/search/search?q=%7Cloadjob%20scheduler__td26605__search__RMD5e461b39d4ff19795_at_1731522600_38116%20%7C%20head%204%20%7C%20tail%201&earliest=0&latest=now","SuppressClosed":"True","TeamsDescription":"True"},"entity":{"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","id":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","type":"alert","message":"[Splunk] Load Balancer Member Status","tags":[],"tinyId":"14585","entity":"","alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","createdAt":1731522737697,"updatedAt":1731523038582000000,"username":"System","responders":[{"id":"f8c9079d-c7bb-4e58-ac83-359cb217a3b5","type":"team","name":"Monitoring_Admin"}],"teams":["f8c9079d-c7bb-4e58-ac83-359cb217a3b5"],"actions":[],"priority":"P3","oldPriority":"P3","source":"Splunk"}} messageId=7546739e-2bab-414d-94b5-b0f205208932   Thank you for all the help on this one, Thanks, Tom     ... View more

Hello, Sorry, still trying to get the hang of Search queries.   I am tasked with creating a table that displays a server name from one search, with a team name from another search that corresponds with the server name.  In example, 1st Search  index="netscaler | table servername Results in a table like: servername1 servername2   2nd Search index="main | table teamname Results in a table like teamname1 teamname2   I need to make 1 table that will display the corresponding teamname to the servername.  Like If servername = servername2, display teamname2 in the same table row. Does that make sense. 🙂  Let me know if any details are needed.  Not sure how to do this one. Thanks for any help, Tom ... View more

Hello everyone, I'm having an issue that I'm trying to understand and fix.  I have a Dashboard table that displays the last 24 hrs of events.  However, the event _time is always showing 11 min past the hour like:   Which these aren't the correct event times.  When I run the exact same search manually, I get the correct event times.   Does anyone know why this is occurring and how I can fix it? Thanks for any help on this one, much appreciated. Tom ... View more

Hello, I'm having a hard time trying to find what data source events from a search are originating from, the Search is: source="/var/www/html/PIM/var/log/webservices/*" I've looked thru the "Files % Directories" (Which I thought I would find it in there) and the rest of the Data Inputs, but can't seem to locate it anywhere. A side question 🙂  I tried creating a new Files % Directories Data Input by putting the full Linux path like below: //HostName/var/www/html/PIM/var/log/webservices/* But It says Path can't be empty.  I'm sure this is probably not how you format a Linux path, just couldn't find what I'm doing wrong. Thanks for any help at all, Newb       ... View more

Hello, Thank you for your help on this in advance,  I just need to create a field in Splunk Search that contains the value between 2 delimiters.    The delimiter is "?".  For example. Athena.siteone.com?suvathp001?443 What would be the regex to only extract suvathp001 Thanks again for your help, Tom     ... View more

Hello,  Is there a way to add 3rd party python modules to the add-on builder? I am trying to create a python script in the add-on builder, but looks like I need to use a module that is not included in the add-on builder. Thanks for any help on this. Tom   ... View more

Hello, I am struggling on figuring out how this request can be achieved.  I need to report on events from an API call in Splunk, However, the API call requires variables from another API call.  I have been testing with the Add-On Builder and can make the initial request.  I'm seeing the resulting events in Splunk Search, but I can't figure out how to create a secondary API call that could use the fields as variables in the secondary args or parameters fields. I was trying to use the API module, because I'm not fluent at all with scripting. Thanks for any help on this, it is greatly appreciated, Tom ... View more

Hello, Could anyone please tell me how I can disable SSL Verification for the Add-On Builder?  I can't figure out where the parameter is located at. Thank you for any help on this one, Tom   ... View more

Hello, I need help with increasing the default height of a Dashboard label.  I can't figure out how this can be done. Currently, when loading the Dashboard, the label and Description look like this: I can manually increase the Height to look like this:  But, i need it to be defaulted at this Height: If it's not possible, is there a way to add a static text box below the Label?   Here's the Source for the Label I currently have. <label>SiteOne Automated Health Check Clone</label> <description>test Infrastructure - +13 Press 1 for the Batch Processing Team Press 2 for the Security Team Press 3 for the Network Team Press 4 for the VOIP Team Press 5 for the Monitoring Team Press 6 for the Citrix Team Press 7 for the Server Team</description> <row> <panel>   Thanks for any help on this one, Tom   ... View more

Hello, I am in need of finding an add on that would allow me to email a Dashboard on a Schedule.  The out of the box PDF creation doesn't meet our requirements sad to say.  I have been trying several different add ons that may work out for us, but everyone seems to be either no longer able to use due to Splunk Enterprise not using Advanced XML or we receive an error. So far the best add on I found is "Smart PDF Exporter for Splunk"  But, when I try to schedule it, I get a JavaScript error due to a 404 error.  Does anyone know how to resolve this or any ideas on how else I can create a scheduled email with the contents of the Dashboard in the Body.  Doesn't matter what format, as long as we can see the Dashboard in the Body of the email. Thanks for any help on this one. Tom ... View more

Hello, I'm not sure how to achieve this, or if it's possible.  I have a Column that I am using as a Status indicator in a table.  This is working, but, I would love to remove the # being displayed.  Is there a way to either change the text color based on the same Threshold I am using to change the Cell color or maybe a way to just hide the values being displayed? Here's what I currently have in the Dashboard Source <format type="color" field="Monitor"> <colorPalette type="list">[#53A051,#DC4E41]</colorPalette> <scale type="threshold">1</scale> </format> <format type="color" field="Count"> <colorPalette type="list">[#53A051,#DC4E41]</colorPalette> <scale type="threshold">1</scale> </format> <drilldown>   Here's the column I am referring too.   Thank you for any help on this one, much appreciated Tom   ... View more

Hello everyone, I'm having a hard time figuring this out.  I have a Search where I have created a Transaction in order to only display the "Create" events in a table.  This worked, but, I had to add a joiner in order to display a field from another search.  Since I did this, only the events that have values in the joiner field I used is displayed. I need help with how can I still show all of the events from the Transaction even though they don't have values from the joiner I used. Here's the Search I have created.  (I'm still learning all of the Search possibilities, so it might be ugly 🙂 (integrationName="Opsgenie Edge Connector - Splunk" alert.message = "STORE*" alert.message = "STORE*", alert.message != "*Latency" alert.message != "*Loss" action != "AddNote") OR (sourcetype="snow:incident" dv_opened_by=OPSGenieIntegration) | transaction "alert.id", alert.message startswith=Create endswith=Close keepevicted=true | where closed_txn=0 | eval joiner=if(integrationName="Opsgenie Edge Connector - Splunk", alertAlias, x_86994_opsgenie_alert_alias) | stats values(*) as * by joiner | where alertAlias==x_86994_opsgenie_alert_alias | fields _time, alert.updatedAt, alert.message, alertAlias, alert.id, action, "alertDetails.Alert Details URL", _raw, closed_txn, _time, dv_number | eval Created=strftime(_time,"%m-%d-%Y %H:%M:%S") | rename alert.message AS "Branch" | rename "alertDetails.Alert Details URL" as "Source Link" | rename dv_number as Incident | table Created, Branch, "Source Link", Incident | sort by Created DESC   Thanks for any help on this one, Tom ... View more

Hello, I'm still in the learning process of Splunk searches and I have been tasked to create a table that contains only open transactions based off of "where closed_txn=0".  But also join a Service Now Incident # to the each row in the table.   I've been bumbling around, testing and failing on this one.  I've got it to a point where the table is only showing the open transactions, but it is being duplicated for every incident # for ServiceNow.  Below is the Search I am using, I've probably did this all wrong 🙂  integrationName="Opsgenie Edge Connector - Splunk", alert.message = "STORE*", alert.message != "*Latency" alert.message != "*Loss" action != "AddNote" | transaction "alert.id", alert.message startswith=Create endswith=Close keepevicted=true | table _time, alert.updatedAt, alert.message, alert.alias, alert.id, action, "alertDetails.Alert Details URL", _raw, closed_txn, _time | where closed_txn=0 | rename alert.message AS "Branch" | rename "alertDetails.Alert Details URL" as "Source Link" | eval Created=strftime(_time,"%m-%d-%Y %H:%M:%S") | fields Created, Branch, "Source Link" | sort by Created DESC | fields - _raw, _time | join s max=0 [ search (integrationName="Opsgenie Edge Connector - Splunk" alert.message = "STORE*") OR (sourcetype="snow:incident" dv_opened_by=OPSGenieIntegration) | eval joiner=if(integrationName="Opsgenie Edge Connector - Splunk", alertAlias, x_86994_opsgenie_alert_alias) | stats values(*) as * by joiner | where alertAlias=x_86994_opsgenie_alert_alias | rename dv_number as Incident | table alertAlias, Incident | fields alertAlias, Incident ] | table Created, Branch, "Source Link", Incident   Thanks for any help on this one, much appreciated. Tom   ... View more