Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About pchintha
pchintha
Engager
Member since:
10-31-2021
04-12-2022
Community Statistics
| Posts | 22 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 10-31-2021 |
Activity Feed
- Posted Re: Fields Extraction from raw events with regex on Splunk Enterprise. 04-11-2022 08:04 PM
- Posted Re: Fields Extraction from raw events with regex on Splunk Enterprise. 04-11-2022 12:33 AM
- Posted Re: Fields Extraction from raw events with regex on Splunk Enterprise. 04-08-2022 07:44 AM
- Posted Re: Fields Extraction from raw events with regex on Splunk Enterprise. 04-08-2022 06:53 AM
- Posted Re: Fields Extraction from raw events with regex on Splunk Enterprise. 04-08-2022 06:24 AM
- Posted Re: Fields Extraction from raw events with regex on Splunk Enterprise. 04-06-2022 09:47 PM
- Tagged Re: Fields Extraction from raw events with regex on Splunk Enterprise. 04-06-2022 09:47 PM
- Posted Re: Fields Extraction from raw events with regex on Splunk Enterprise. 04-06-2022 09:28 PM
- Posted How to Extract Fields from raw events with regex on Splunk Enterprise. 04-06-2022 07:20 PM
- Posted Re: Need Regex to extract the fields on Splunk Enterprise. 03-24-2022 04:53 AM
- Posted Re: How to create regex to extract the fields on Splunk Enterprise. 03-24-2022 03:09 AM
- Posted Re: How to create regex to extract the fields on Splunk Enterprise. 03-24-2022 01:33 AM
- Posted Re: Need Regex to extract the fields on Splunk Enterprise. 03-23-2022 07:24 PM
- Tagged Re: Need Regex to extract the fields on Splunk Enterprise. 03-23-2022 07:24 PM
- Posted How to create regex to extract the fields on Splunk Enterprise. 03-23-2022 07:22 PM
- Posted Re: SSL certificate checker issue on Security. 02-14-2022 04:22 AM
- Posted Re: SSL certificate checker issue on Security. 02-14-2022 03:39 AM
- Posted Re: SSL certificate checker issue on Security. 02-14-2022 01:32 AM
- Posted SSL certificate checker issue: How to see all SSL Certificates in the current search? on Security. 02-13-2022 05:57 PM
- Posted Regex Extraction for Field on Splunk Enterprise. 12-27-2021 07:49 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-11-2022
08:04 PM
Hi, please update for this
... View more
04-11-2022
12:33 AM
Hi Sorry for late responding, as you said i did same its working in the props.conf and transforms.conf but except the Server field in the logs, can you please share the extract field for the Server for transforms.conf
... View more
04-08-2022
07:44 AM
Any update by chance
... View more
04-08-2022
06:53 AM
1) please share more sample raw events 04-08-2022 06:31 Server: O85XDC7, Userid: PKDPRW8, Alias: o34xda3pkspaw8, Return Code: 400, Password Len: 8, Host: hello1625.winki.com, Execution ID: ccms, Directory: /usr/local/scripts, Program: CoWXatrix.jar, Elapsed Time: 0, Bypass Cache: false, Type: Unix, Version: 2.0 04-08-2022 06:31 Server: O87XDC0, Userid: TOWDHU1, Alias: o73xda3sppklxl, Return Code: 400, Password Len: 25, Host: hello1625.winki.com, Execution ID: ccms, Directory: /usr/local/scripts, Program: CoWXatrix.jar, Elapsed Time: 0, Bypass Cache: false, Type: Unix, Version: 2.0 04-08-2022 06:31 Server: O85XDC7, Userid: PKDPRW8, Alias: o34xda3pkspaw8, Return Code: 400, Password Len: 8, Host: hello1625.winki.com, Execution ID: ccms, Directory: /usr/local/scripts, Program: CoWXatrix.jar, Elapsed Time: 0, Bypass Cache: false, Type: Unix, Version: 2.0 2) share the props and transforms that you have wrote We tried in all different ways but no luck props.conf [ssc_cloakware] REPORT-extractions = extractions transforms.conf [extractions] DELIMS = ",", ":" #SOURCE_KEY = _raw #REGEX = \s([^\:]+)\:\s+([^\,]+) #FORMAT = $1::$2 #MV_ADD = true #REPEAT_MATCH = true #CLEAN_KEYS = false 3) where did you write the props and transforms? In Search Head Deployer 4) have you restarted splunk instance after updating props and transforms ? Yes, we restarted if any changes done we do always restart and bundle push as well Actually this is we are taking sample events from Prod and uploading in UAT there we are trying. And index we created in indexer for this custom app
... View more
04-08-2022
06:24 AM
Hi as you provided this is not working for me, and the regex 101 link which you provided its on working only on that not in Splunk query. And the transforms.conf and props.conf is also not working.
... View more
04-06-2022
09:47 PM
@mayurr98 No i already saw i guess why its not taking up is there is a space before the Server field you can see the sample raw data below 04-07-2022 00:44 Server: bug, Userid: monika, Alias: bugmonika, Return Code: 400, Password Len: 16, Host: lhplc3216, Execution ID: oracle, Directory: /bug/lds/oracle/rdbms/dbh_7347285/dbs Program: bugeco.exe, Elapsed Time: 0, Bypass Cache: false, Type: Unix, Version: 2.0
... View more
- Tags:
- extractions
04-06-2022
09:28 PM
@mayurr98 So good thanks for the quick help, this is working for me. am getting the all fields separated from raw events except from Server and also need STANZA same thing need to fix this automatic in props.conf and transforms.conf in the app
... View more
04-06-2022
07:20 PM
Need to extract fields from the below raw data currently no fields automatically extracted.
Raw Event: Server: autoparts01, Userid: monika, Alias: autoparts01monika, Return Code: 400, Password Len: 32, Host: ELKSPL3212, Execution ID: autodr1, Directory: C:\windows\system32, Program: C:\windows\Sys64\dllhost.exe, Elapsed Time: 0, Bypass Cache: false, Type: Windows dll - 0, Version: 3.6
Output Sample: need regex and the fields are every separated by (,)
Server: autoparts01 to Server=autoparts01 Userid: monika to Userid=monika
... View more
Labels
- Labels:
-
using Splunk Enterprise
03-24-2022
03:09 AM
@venky1544 thanks for your help, but i need only the output is status=504 not to be like status=/504 url=wpad.example.com not to be like url=http://wpad.example.com Here we are separating the http:// only we are not checking the NONE things in the url field
... View more
03-24-2022
01:33 AM
@ITWhisperer i checked but its not matching anything and also after this work i need to add in props.conf this regex so based on this please share the regex this is not working at all for me.
... View more
03-23-2022
07:24 PM
@isoutamo hi i need your help for a regex to get the fields
... View more
- Tags:
- @
03-23-2022
07:22 PM
From the below Log: aoauwersdfx01a-mgt.example.com NewDecom: Info: 164807335647.901 0 10.200.111.06 NONE/504 0 GET http://wpad.example.com/wpad.dat - NONE/wpad.example.com
Need to extract the fields: Field 1: result=NON/504 change to status=504 Field 2: url=http://wpad.example.com/wpad.dat change to url=wpad.example.com
Need the regular expression for this.
... View more
Labels
- Labels:
-
other
02-14-2022
04:22 AM
This helps for me, from in this and expires is in GMT and the expTime is in EST guess so and we need all to know in EST only
... View more
02-13-2022
05:57 PM
Hi please help here
we are using below base search and we need to see all ssl certificates with days left in EST.
index=ssl_certs |rex field=_raw "[^'\n]*'expires=\"(?<expires>[^\\\'\"]+)"| stats c by host expires cert | eval time = strftime( strptime( expires , "%b %d %H:%M:%S %Y %Z" ), "%Y/%m/%d %H:%M:%S %Z")
need exact query for this we tried a lot actually. we are using ssl_checker app for this.
... View more
Labels
- Labels:
-
authentication
-
SSL
12-27-2021
07:49 PM
Hi, From the below events i need to extract the field called "Event_Name" which is associated with "BeyondTrust_PBUL_ACCEPT_Event" from below 3 events Desired output: Event_Name(filed name)=BeyondTrust_PBUL_ACCEPT_Event(field value) Example Event 1: <86>Dec 22 ddppvc0729 pbmerd2.1.0-12: BeyondTrust_PBUL_ACCEPT_Event: Time_Zone='IST'; Request_Date='2021/1/27'; Request_Time='2:2:51'; Request_End_Date='2021/1/27'; Request_End_Time='22:1:51';Submit_User='spnt'; Submit_Host='wcpl.com'; Example Event 2: <83>Dec 22 ddpc0729 pbmerd21.1.0-12: [2658] 5105.1 failed to get ACK packet during a CMD_SWAPTTY_ONE_LINE sequence - read failure in receive acknowledgement Example Event 3: <38>Dec 22 ddppvc0729 root[25132]: [ID 7011 auth.info] CEF:0|BeyondTrust|PowerBroker|1.1.0-12|7011|PBEvent=Accept|4|act=Accept end=Dec 1 2021 1:11:40 shost=dc8 dvchost=dc8 suser=t8adsfk duser=root filePath=/opt/ cs1Label=Ticket cs1=Not_Applicable deviceExternalId=0a2adfersds9 fname=./SSB_Refresh_Pbrun_Local_Policy_Files.sh What i tried from regex extraction: Input: (?<Event_Name>\w{10}[a-zA-Z]+_[a-zA-Z]+_[a-zA-Z]+_[a-zA-Z]+) Output: matching 2 places from above 3 events
... View more
Labels
- Labels:
-
using Splunk Enterprise
11-15-2021
12:51 AM
@bhargavi we are having example 50 HF`s from these HF`s sending logs to Indexers right, so while searching in SH from which HF we are getting the logs for this do we can right some stanzas in props.conf to extract the HF`s field to find easily. What stanzas will help to get solution.
... View more
11-14-2021
10:21 PM
HI, I am having some logs comes with XML format for Privilaged Access Manager, i need to extract the fields by default like this Example: fields <level></level> <k>=<v> commandinitiatio =USER <success>false</success> success=false jan 9 09:04:56 1.30.124.24 1 2012-01-09T14:04:56+00:00 yahoota.com pam - metric DETAIL <Metric><type>getAccount</type><level>1</level><description><hashmap><k>commandInitiator</k><v>USER</v><k>commandName</k><v>getAccount</v><k>clientType</k><v>java</v><k>osarch</k><v>amd64</v><k>targetServerAlias</k><v>USR_LOCL_MARKETING_INTELLIGENCE_BATCH</v><k>nodeid</k><v><?xml version="1.0" encoding="utf-8" ?><nodeid><macaddr></macaddr><macaddr>:E0</macaddr><macaddr>A0:C:E0</macaddr><macaddr>:E0</macaddr><macaddr>1:E1</macaddr><macaddr>1:E3</macaddr><macaddr>:E2</macaddr><machineid>1E3</machineid><applicationtype>cspm</applicationtype></nodeid></v><k>enablefips</k><v>true</v><k>executionUID</k><v>bibatusr</v><k>version</k><v>4.5.3</v><k>scriptStat</k><v>/opt/ibm/bigintegrate/tools</v><k>scriptName</k><v>/home/infra/bibatusr/run_ds_job.sh</v><k>osversion</k><v>3.10.0-1127.el7.x86_64</v><k>digestLoginDate</k><k>applicationtype</k><v>cspm</v><k>getXMLIndicator</k><v>false</v></hashmap></description><errorCode>405</errorCode><userID>client</userID><success>false</success><originatingIPAddress>10.111.211.50</originatingIPAddress><originatingHostName>yahoota.com</originatingHostName><extensionType></extensionType></Metric> I need this as default when these type logs integrated to splunk its automatically extract fields when we set up in props.conf and trasforms.conf so here what is the stanzas we have to write under this.
... View more
Labels
- Labels:
-
configuration
11-11-2021
04:49 AM
Hi, We are having bunch of HFs in our environment from HFs we have confusion from which HF is getting the data, so to find easily we have to right stanza in props.conf in defaults/local. So based on this what is the stanza i can right Example fields: splunk_HF indextime
... View more
Labels
- Labels:
-
props.conf
11-01-2021
12:00 AM
Hello Team, In my org they installed the below certs in particular role, need to know by seeing below table which category it may comes to. Can anyone please explain how this. We are checking this link but not understand. About securing Splunk Enterprise with SSL - Splunk Documentation Role Cert Remarks Internal Heavy Forwarders /opt/splunk/etc/auth/myServerCertificate.pem /opt/splunk/etc/auth/rootCA.pem SH cluster Cluster Master DMZ HF DS ES SH Deployer HF Cluster IDX Cluster Monitoring Console ES SH Cluster /opt/splunk/etc/auth/webcerts/mySplunkWebCertificate.pem /opt/splunk/etc/auth/myServerCertificate.pem /opt/splunk/etc/auth/rootCA.pem
... View more
Labels
- Labels:
-
other
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-12-2022
09:39 PM
|
