Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About bhargavi
bhargavi
Path Finder
Member since:
11-08-2021
12-04-2025
Community Statistics
| Posts | 25 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 3 |
| Member Since | 11-08-2021 |
Activity Feed
- Posted Re: Splunk Connect for Syslog (SC4S) suddenly stopped working and cannot start (full story with solution) on Reporting. 01-30-2025 09:29 AM
- Posted How to implement rlog.sh/ausearch utility for an audit.log of different format on Getting Data In. 03-18-2022 06:29 AM
- Got Karma for Re: Can you have 3 fields within a chart. 11-24-2021 04:13 PM
- Got Karma for Re: nullQueue question - Palo Logs. 11-19-2021 08:42 AM
- Posted Re: Need help with Regex on Splunk Search. 11-18-2021 11:55 AM
- Posted Re: How to filter out lines that start with # on Getting Data In. 11-17-2021 09:42 PM
- Posted Re: Splunk universal forwarder on Getting Data In. 11-17-2021 09:33 PM
- Posted Re: Need help with Regex on Splunk Search. 11-17-2021 09:20 PM
- Posted Need help with Regex on Splunk Search. 11-17-2021 11:49 AM
- Got Karma for Re: splunk integration on ocp. 11-16-2021 07:10 AM
- Posted Re: Rex field on Splunk Enterprise. 11-15-2021 08:54 AM
- Posted Re: Can you have 3 fields within a chart on Splunk Search. 11-15-2021 05:32 AM
- Posted Re: Query for Extraction of URL data in splunk on Alerting. 11-14-2021 11:44 PM
- Posted Re: Splunk stopped indexing on index="main" on Getting Data In. 11-14-2021 11:28 PM
- Posted Re: HOW TO GET FULL NAME USING REGEX FROM RAW DATA on Splunk Search. 11-14-2021 10:39 PM
- Posted Re: Route events to different indexes based on hostname on Getting Data In. 11-14-2021 08:59 PM
- Posted Re: nullQueue question - Palo Logs on Getting Data In. 11-13-2021 06:36 AM
- Posted Re: splunk integration on ocp on Splunk Search. 11-13-2021 06:20 AM
- Posted Re: Match Common Values from Multiline Fields from Different Indexes on Splunk Search. 11-13-2021 05:23 AM
- Posted Re: stanza's for props.conf on Getting Data In. 11-13-2021 03:02 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
I forgot to mention that you also need to comment out the line in the systemd unit file that reaches out to github because the failure of that line causes the whole startup to fail.
... View more
12-24-2022
03:57 AM
Regarding the chart. Is there a possibility to hide or remove a column in the column chart based on nullvalue. (The space created visually) ? As of now it is created spaces to 3 bars, thus its only displaying the value of given instance.
... View more
03-18-2022
06:29 AM
Hi all,
Please help with the below. I am using rlog.sh (inbuilt script) provided by Splunk in TA-unix package , to apply ausearch utility for linux audit logs.
SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seekfile_model_prod
AUDIT_FILE=/opt/splunklogs_app/audit_prod/audit.log
if [ -e $SEEK_FILE ] ; then
SEEK=`head -1 $SEEK_FILE`
else
SEEK=0
echo "0" > $SEEK_FILE
fi
FILE_LINES=`wc -l $AUDIT_FILE | cut -d " " -f 1`
if [ $FILE_LINES -lt $SEEK ] ; then
# audit file has wrapped
SEEK=0
fi
awk -v START=$SEEK -v OUTPUT=$SEEK_FILE 'NR>START { print } END { print NR > OUTPUT }' $AUDIT_FILE | tee $TEE_DEST | /sbin/ausearch -i 2>/dev/null | grep -v "^----"
This inbuilt script is converting default format of linux audit logs by applying ausearch utility. example below: Log input : type=TTY msg=audit(1647315634.249:442): tty pid=2962 uid=0 auid=1001 ses=1368 major=136 minor=0 comm="bash" data=7669202F6574632F727375737F7F79730963090D Log output after using rlog.sh type=TTY msg=audit(03/15/2022 14:40:34.791:2962): tty pid=2962 uid=root auid=root ses=1368 major=136 minor=0 comm="bash" data=7669202F6574632F727375737F7F79730963090D
Now I have audit.log being generated in a different format.. like below.. My audit.log: (custom audit.log format) IP: 10.200.30.40 | <158>Mar 11 16:10:24 xxx-yyy-zzz AuditLog type=SYSCALL msg=audit(1646979024.027:1697): arch=c000003e syscall=4 success=yes exit=0 a0=7f1304042410 a1=7f13092f66a0 a2=7f13092f66a0 a3=0 items=1 ppid=1 pid=2270 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="in:imfile" exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null) Hostname=10.200.30.40
(default audit.log format) type=USER_TTY msg=audit(1646592289.268:441): pid=2962 uid=0 auid=1001 ses=1368 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 data=73797374656D63746C2073746174757320727379736C6F67 Hostname=xxx so basically I will have logs of both default audit log format and this custom format being logged in audit.log. When I apply the rlog.sh/ausearch utility to this log, only logs with default audit.log type are being converted with ausearch utility and sent to output and indexed, the other logs are not even being sent to output. Please help.
... View more
Labels
- Labels:
-
inputs.conf
-
Linux
-
monitor
-
universal forwarder
11-29-2021
11:31 AM
@richgalloway @manishchoudhary @bhargavi any idea why I have splunk search - index=cloud EventName: "Error Occurred" XChangeToSalesForce | rename message as "Message" _time as Time | table Time,Message When i search on splunk search, i get the below response 1637759064 Multiple Terms found for the same agency. Agency code: But when the email is sent, i get nothing on the message field . It is set as inline Time Message 1637759064
... View more
11-19-2021
07:56 AM
When I run the subsearch it doesn't take painfully long, but your advice is definitely noted and I'll likely proceed forward with the use of CSVs rather than JSON to improve speed/efficiency of the search result. Thank you again for all your help, I'll be sure to accept your answer as the solution for others who may have a similar issue down the road.
... View more
11-18-2021
12:51 PM
I'm not sure what else to suggest. That regex is about 20x more efficient than the original. If Splunk still isn't happy then perhaps you should consider using multiple REGEX attributes, one for each pipe in the current regex.
... View more
11-17-2021
09:42 PM
Hi @mlevsh Try this for preamble_regex. It works. PREAMBLE_REGEX=# If this helps, give thumbs-up 🙂 Happy Splunking!!
... View more
11-17-2021
09:33 PM
Hey, Try these troubleshooting steps. https://www.learnsplunk.com/splunk-forwarder-not-sending-data.html
... View more
11-16-2021
06:16 AM
Give this a try (avoided using dedup command as well, best practice) index="maxis_csaroam_index" source="/home/csaops/csaroam/*_MOS.csv"
| stats count by Description
| table Description
| rex field=Description "(?<Country>\S+)\s+(?<Node>\S+)"
... View more
11-15-2021
08:17 PM
You're right, my bad -- I inadvertently tested this on 8.1.x. Some other interesting observations: You can insert newlines at the end of each values and the UI will respect it (Wrap Results needs to be turned on). | rex field=desc_data mode=sed "s/$/\n/g" You can't, however, try to interact with the comma. It seems like the comma only exists in the UI. For example replacing comma with newline doesn't work. | rex field=desc_data mode=sed "s/\,/\n/g" Trying another character like "!" works: | rex field=desc_data mode=sed "s/\!/\\0\n/g"
... View more
11-15-2021
01:25 AM
Hi, If you search logs from the SH, the field "host" (Splunk default field) is the source host from which the event originated. Hope it helps
... View more
11-14-2021
11:44 PM
Hi @Noobsplunker , Would you want to extract any field containing URL details from your events? If yes, please post the sample events here and I can help in extraction.
... View more
11-14-2021
11:28 PM
Hi @lana0203 1. Can you check if logs are being generated on your VM/desktop after 08/11/2021. If there are no logs being generated, then your index will not have any data. 2. Are you seeing in splunkd logs if the logs are being watched? .. you would find log line as 'Adding Watch on path "... your log. 3. Is splunk running fine on your VM? You can try restarting splunkd on your VM and checked if logs are being pushed.
... View more
11-14-2021
10:39 PM
Hi @hrs2019 Try this. | rex "Name=(?P<Name>\w+\,\s\w+)"
... View more
11-14-2021
08:59 PM
Hi @Abha111 , Will the host name parameter come inside the events as well? If yes. you can simply define a regex in transforms.conf to route it to specific index. Example below. props.conf [your_sourcetype] enter your props TRANSFORMS-routing=set_nonprod,setprod transforms.conf [set_nonprod] REGEX = abc-nprd* DEST_KEY = _MetaData:Index FORMAT = index_x [setprod] REGEX = abc-prd* DEST_KEY = _MetaData:Index FORMAT = index_y Try this. Let me know for any further questions. If this works, give thumbs-up 🙂 Happy Splunking!!
... View more
11-13-2021
06:36 AM
1 Karma
Hi @danielfurtaw , Nullqueue entry in transforms.conf looks fine. As far as I know, entry for TRANSFORMS- in the props.conf only matters. It executes from Right to Left. Order does not matter in the transforms.conf file. i.e. From the below entries, first pan_decryption is executed, then pan_globalprotect and so on. TRANSFORMS-sourcetype = pan_threat, pan_traffic, pan_system, pan_config, pan_hipmatch, pan_correlation, pan_userid, pan_globalprotect, pan_decryption So if you have the regexes ready for all the below transform segments.. you need to place pan_discard in the first. TRANSFORMS-sourcetype = pan_discard ,pan_threat, pan_traffic, pan_system, pan_config, pan_hipmatch, pan_correlation, pan_userid, pan_globalprotect, pan_decryption So after all the regexes are executed, pan_discard comes into picture and the remaining logs will be sent to nullQueue. Try the above and let me know . If its helps, please give an upvote 🙂 Happy Splunking 🙂
... View more
11-13-2021
06:20 AM
1 Karma
Hi @Roshni, If you wish to extract during search time, you can use "Rex" command in your search query to extract required fields. It is simple and easy to learn and fun as well :). Sharing here some of splunk docs link for your reference to read through. I have learnt regex from this site. - https://regexone.com/ Its pretty cool and lets us practice then and there. its pretty cool. Try here. Splunk docs link : https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Rex You can practice regex in https://regex101.com/. Regex cheat sheet : https://www.debuggex.com/cheatsheet/regex/pcre Happy Splunking ! 🙂
... View more
11-13-2021
02:49 AM
What results do you get? If there are no other configuration items pertaining to your sources (have you tried btool props list?) I'd say that you redirect all matching sources (do you match properly? Are you sure you shouldn't use "..." instead of "*"?) to nullqueue so the index rewriting is a bit pointless since all events should get discarded in the end.
... View more
11-12-2021
10:14 AM
This thread is more than 3 years old. To help ensure more people see it and offer solutions, you should post a new question.
... View more
11-12-2021
12:02 AM
Hi @woodcock @somesoni2 Could you please help me out here. I have a little different scenario here, but facing similar issue. We are integrating the json logs via HEC into Splunk Heavy Forwarder. I have tried the below configurations.I am applying the props for the source. In transforms, there are different regexes and I would want to route it to different indexes based on log files and route all the other files not required to a null queue. I would not be able to use FORMAT=indexqueue in transforms.conf as I cannot mention multiple indexes in inputs.conf .This is not working and no data is getting indexed. Kindly help. The configs are like below: PROPS.CONF -- [source::*model-app*] TRANSFORMS-segment=setnull,security_logs,application_logs,provisioning_logs TRANSFORMS.CONF -- [setnull] REGEX=class\"\:\"(.*?)\" DEST_KEY = queue FORMAT = nullQueue [security_logs] REGEX=(class\"\:\"(/var/log/cron|/var/log/audit/audit.log|/var/log/messages|/var/log/secure)\") DEST_KEY=_MetaData:Index FORMAT=model_sec WRITE_META=true LOOKAHEAD=40000 [application_logs] REGEX=(class\"\:\"(/var/log/application.log|/var/log/local*?.log)\") DEST_KEY=_MetaData:Index FORMAT=model_app WRITE_META=true LOOKAHEAD=40000 [provisioning_logs] REGEX=class\"\:\"(/opt/provgw-error_msg.log|/opt/provgw-bulkrequest.log|/opt/provgw/provgw-spml_command.log.*?)\" DEST_KEY=_MetaData:Index FORMAT=model_prov WRITE_META=true
... View more
11-12-2021
12:00 AM
Hi @niketn Could you please help me out here. I have a little different scenario. We are integrating the json logs via HEC into Splunk Heavy Forwarder. I have tried the below configurations.I am applying the props for the source. In transforms, there are different regexes and I would want to route it to different indexes based on log files and route all the other files not required to a null queue. I would not be able to use FORMAT=indexqueue in transforms.conf as I cannot mention multiple indexes in inputs.conf .This is not working and no data is getting indexed. Kindly help. The configs are like below: PROPS.CONF -- [source::*model-app*] TRANSFORMS-segment=setnull,security_logs,application_logs,provisioning_logs TRANSFORMS.CONF -- [setnull] REGEX=class\"\:\"(.*?)\" DEST_KEY = queue FORMAT = nullQueue [security_logs] REGEX=(class\"\:\"(/var/log/cron|/var/log/audit/audit.log|/var/log/messages|/var/log/secure)\") DEST_KEY=_MetaData:Index FORMAT=model_sec WRITE_META=true LOOKAHEAD=40000 [application_logs] REGEX=(class\"\:\"(/var/log/application.log|/var/log/local*?.log)\") DEST_KEY=_MetaData:Index FORMAT=model_app WRITE_META=true LOOKAHEAD=40000 [provisioning_logs] REGEX=class\"\:\"(/opt/provgw-error_msg.log|/opt/provgw-bulkrequest.log|/opt/provgw/provgw-spml_command.log.*?)\" DEST_KEY=_MetaData:Index FORMAT=model_prov WRITE_META=true
... View more
11-11-2021
11:59 PM
Hi @MuS Could you please help me out here. We are integrating the json logs via HEC into Splunk Heavy Forwarder. I have tried the below configurations.I am applying the props for the source. In transforms, there are different regexes and I would want to route it to different indexes based on log files and route all the other files not required to a null queue. I would not be able to use FORMAT=indexqueue in transforms.conf as I cannot mention multiple indexes in inputs.conf .This is not working and no data is getting indexed. Kindly help. The configs are like below: PROPS.CONF -- [source::*model-app*] TRANSFORMS-segment=setnull,security_logs,application_logs,provisioning_logs TRANSFORMS.CONF -- [setnull] REGEX=class\"\:\"(.*?)\" DEST_KEY = queue FORMAT = nullQueue [security_logs] REGEX=(class\"\:\"(/var/log/cron|/var/log/audit/audit.log|/var/log/messages|/var/log/secure)\") DEST_KEY=_MetaData:Index FORMAT=model_sec WRITE_META=true LOOKAHEAD=40000 [application_logs] REGEX=(class\"\:\"(/var/log/application.log|/var/log/local*?.log)\") DEST_KEY=_MetaData:Index FORMAT=model_app WRITE_META=true LOOKAHEAD=40000 [provisioning_logs] REGEX=class\"\:\"(/opt/provgw-error_msg.log|/opt/provgw-bulkrequest.log|/opt/provgw/provgw-spml_command.log.*?)\" DEST_KEY=_MetaData:Index FORMAT=model_prov WRITE_META=true
... View more
11-09-2021
02:47 AM
You seem to be doing the same mistake that the OP did, mixing nullQueueing with index-transformation in general. While there might be more clever ways to solve this HEC-wise or not sending the unwanted stuff in the first place, this should work as a general principle: Set queue = nullQueue for all events Set queue = indexQueue for those events you want to keep, i.e. regex matching file names for any file you want to keep (i.e. the ones in the regexes from the security, application or provisioning parts) Set _MetaData:Index = xxx (basically the existing stuff) Props.conf --- [blablah] TRANSFORMS-dostuff =setnullq, keepsome, setindexsec, setindexapp, setindexprov transforms.conf --- as before but with the addition: [keepsome] REGEX = insert your regex here DEST_KEY = queue FORMAT= indexQueue
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-04-2025
12:14 AM
|
