×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
miberecz
Loves-to-Learn
Member since: ‎11-16-2021
‎05-13-2022
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎11-16-2021
View All

How to extract token from HTTP header?

by in Splunk Search
‎05-13-2022 01:27 AM
‎05-13-2022 01:27 AM
Hello Everyone, I have a set of data with a lot of HTTP requests, where I want to extract only the tokens highlighted below.  header=Authorization=Basic MmQyXXXXXXXXNDVjOTlkNTJlM2M0ZjA1MzVjYTI4ZGZkMzJmNTBlMjk=     2022-05-13 10:07:07,772 INFO [io.undertow.request.dump] (default task-13778) ----------------------------REQUEST--------------------------- URI=/auth/realms/Public/protocol/openid-connect/token characterEncoding=null contentLength=29 contentType=[application/x-www-form-urlencoded;charset=UTF-8] header=Accept=application/json, application/x-www-form-urlencoded header=Cache-Control=no-cache header=Pragma=no-cache header=User-Agent=Java/11.0.4 header=Connection=keep-alive header=Authorization=Basic MmQyXXXXXNDVjOTlkNTJlM2M0ZjA1MzVjYTI4ZGZkMzJmNTBlMjk= header=Content-Type=application/x-www-form-urlencoded;charset=UTF-8 header=Content-Length=29     I tried with the Field Extractor wizard, but with no luck.  Can you please advise, how to achieve this?  ... View more
Labels

Re: Group events happened at the exact same time a...

by in Splunk Search
‎05-02-2022 07:36 AM
‎05-02-2022 07:36 AM
props.conf I cannot share. As I understand from the Openshift deployment, the data is ingested with 'collectord'  metadata:   annotations:     collectord.io/logs-index: someindex_prod_events     collectord.io/logs-output: 'splunk::prod'   but figuring this out, gave me an idea: https://www.outcoldsolutions.com/docs/monitoring-kubernetes/v5/annotations/#defining-event-pattern ... View more

Group events happened at the exact same time and s...

by in Splunk Search
‎05-02-2022 05:36 AM
‎05-02-2022 05:36 AM
Hello Everyone, I'm trying to analyze data from a jboss server, http request and respons dumps.   An "event" in the Jboss logs looks like this:    ============================================================== 2022-04-29 11:42:54,280 INFO [io.undertow.request.dump] (default task-25) ----------------------------REQUEST--------------------------- URI=/auth/realms/XXXX/protocol/openid-connect/token characterEncoding=null contentLength=105 contentType=[application/x-www-form-urlencoded] header=Accept=application/json header=Front-End-Https=On header=Connection=Keep-Alive header=X-Forwarded-Proto=https header=RequestID=XXXXX-e05b-4a83-8a0b-2e6daf84b039 header=X-Forwarded-For=xx.46.xx.242 header=Content-Type=application/x-www-form-urlencoded header=Content-Length=105 header=Host=XXX.YYY.ZZ locale=[] method=POST protocol=HTTP/1.1 queryString= remoteAddr=/xx.46.xx.242:0 remoteHost=xxx.webhost.xxxx.com scheme=https host=xxx.yyy.zz serverPort=8443 isSecure=true body= grant_type=client_credentials scope=XYZ client_id=0XXXea client_secret=3XXXXXXXXXX85a64ba80059e0143ee --------------------------RESPONSE-------------------------- contentLength=1373 contentType=application/json header=Cache-Control=no-store header=Set-Cookie=KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/XXXX/; Secure; HttpOnly header=X-XSS-Protection=1; mode=block header=Pragma=no-cache header=X-Frame-Options=ALLOW-FROM http://localhost:4200 header=Referrer-Policy=no-referrer header=Server-Timing=intid;desc=66e921155be4dfbd header=Date=Fri, 29 Apr 2022 09:41:39 GMT header=Connection=keep-alive header=Strict-Transport-Security=max-age=31536000; includeSubDomains header=X-Content-Type-Options=nosniff header=Content-Type=application/json header=Content-Length=1373 status=200  The problem I have, that this gets translated to 6-9 line of events by the time I see it in the Search:   This makes it really difficult to search for particular Requests. For example if I want filter Requests with a specific "scope=" field. Or without any.  I have no control over the forwarding of the data, so I have to make this work on the Search side. My idea so far is to group the events that happened in the same time, because every event corresponding one Request has the same timestamp. The closest I find about this is  | transaction maxspan=1s which is not accurate enough, I could have multiple events in a second.  Any better idea here?   If I overcome this, my next problem is how to search in the resulted list.  I cannot add the filters before the grouping like this: index=someindex_prod_events sourcetype=openshift_logs NOT "scope=xyz"| transaction maxspan=1s because the filter gets calculated first, then it gets grouped. My goal is the other way around. Any help would be appreciated !   ... View more
Labels

Re: Extract username with dash (-) Field from even...

by in Splunk Search
‎11-16-2021 08:11 AM
‎11-16-2021 08:11 AM
It was extracted automatically, and so far I trusted it until I realized its not complete. Now I believe I need a regex the gets everything  after the string USER and before the :  ... View more

Extract username with dash (-) Field from event

by in Splunk Search
‎11-16-2021 07:56 AM
‎11-16-2021 07:56 AM
Hello Everyone,   I'm trying to extract usernames from the logs of a proftpd. An event looks like this: 2021-11-16 16:17:43,866 HOST proftpd[28071] 10.10.10.10 (11.11.11.11[22.22.22.22]): USER ASD-ASDASD: Login successful.   Simple usernames (ASDFG) works fine, also usernames with _ like ASD_ASD. But as soon as the username contains - character, its only extract the first part ASD-ASDASD How do I circumvent this? How can I extract strings that contains - ?     ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎05-13-2022 10:34 PM