Hi, So i have below base query : | inputlookup abc.csv where DECOMMISSIONED=N | fields DATABASE DB_VERSION APP_NAME ACTIVE_DC HOST_NAME DB_ROLE COMPLIANCE_FLAG PII PCI SOX | rename DATABASE as Database | join type=left Database [| metadata type=hosts index=data | fields host, lastTime, totalCount | eval Database=Upper(host)| search totalCount&gt;1 | stats max(lastTime) as lastTime, last(totalCount) as totalCount by Database | eval age=round((now()-lastTime)/3600,1) | eval Status=case( lastTime&gt;(now()-(3600*2)),"Low", lastTime&lt;(now()-(3600*2+1)) AND lastTime&gt;(now()-(3600*8)) ,"Medium", lastTime&lt;(now()-(3600*8+1)) AND lastTime&gt;(now()-(3600*24)),"High", 1=1,"Critical") | convert ctime(lastTime) timeformat="%d-%m-%Y %H:%M:%S" | eval Reference="SPL"] | rex mode=sed field=HOST_NAME "s/\..*$//g" | fields Database Reference DB_VERSION APP_NAME ACTIVE_DC HOST_NAME Status DB_ROLE COMPLIANCE_FLAG | fillnull value=Missing Status | fillnull value=Null Now i need to add field let say Privacy with PII PCI and SOX as filter but i don't need the value of these fields to be come as filter in Privacy filed and reflect same in summary tab  <row> <panel> <table> <title>Summary</title> <search base="base"> <query>| search APP_NAME="$application$" Database="$database$" HOST_NAME="$host$" DB_VERSION="$version$" Status="$status$" COMPLIANCE_FLAG="$compliance$" Privacy="$privacyFilter$" | eval StatusSort=case(Status="Missing","1",Status="Critical","2",Status="High","3",Status="Medium","4",Status="Low","5") | sort StatusSort | table APP_NAME Database HOST_NAME DB_VERSION ACTIVE_DC Status DB_ROLE COMPLIANCE_FLAG PII PCI SOX | rename APP_NAME as Application, DB_VERSION as Version, ACTIVE_DC as DC, HOST_NAME as HOST</query> </search> <option name="count">10</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">true</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="number" field="FileSize"> <option name="precision">0</option> </format> <format type="color" field="Status"> <colorPalette type="map">{"Missing":#DC4E41,"Critical":#F1813F,"High":#F8BE34,"Medium":#62B3B2,"Low":#53A051}</colorPalette> </format> </table> </panel> </row> </form>   can someone help how i can get i added this panel <!-- New Privacy Filter Panel --> <input type="multiselect" token="privacyFilter" searchWhenChanged="true"> <label>Privacy</label> <choice value="*">All</choice> <choice value="PII">PII</choice> <choice value="PCI">PCI</choice> <choice value="SOX">SOX</choice> <fieldForLabel>Privacy</fieldForLabel> <fieldForValue>Privacy</fieldForValue> <default>*</default> <initialValue>*</initialValue> </input> </fieldset> and this <row> <panel> <table> <title>Summary</title> <search base="base"> <query>| search APP_NAME="$application$" Database="$database$" HOST_NAME="$host$" DB_VERSION="$version$" Status="$status$" COMPLIANCE_FLAG="$compliance$" Privacy="$privacyFilter$" | eval StatusSort=case(Status="Missing","1",Status="Critical","2",Status="High","3",Status="Medium","4",Status="Low","5") | sort StatusSort | table APP_NAME Database HOST_NAME DB_VERSION ACTIVE_DC Status DB_ROLE COMPLIANCE_FLAG PII PCI SOX | rename APP_NAME as Application, DB_VERSION as Version, ACTIVE_DC as DC, HOST_NAME as HOST</query> </search> <option name="count">10</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">true</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="number" field="FileSize"> <option name="precision">0</option> </format> <format type="color" field="Status"> <colorPalette type="map">{"Missing":#DC4E41,"Critical":#F1813F,"High":#F8BE34,"Medium":#62B3B2,"Low":#53A051}</colorPalette> </format> </table> </panel> </row> </form>   but getting no result found  ... View more

Hi all, I am setting dashboard and alert where we are trying to alert if there is missing hosts in splunk for more than 24 hours . I am using below query but getting malformed error when running in search although on dashboard its giving result.   | inputlookup data.csv where DECOMMISSIONED=N SUB_ENVIRONMENT!=TEST | fields ACTIVE_DC APP_NAME DATABASE HOST_NAME APP_NAME DB_VERSION DB_ROLE SUB_ENVIRONMENT | eval Reference=ABC | rename HOST_NAME as host | join type=left host [ search index=dbecx source="*audit*" | stats count as SPLEvents latest(_time) as LastSeen by host | eval age=round((now()-LastSeen)/3600,1) | eval Status=case( LastSeen&gt;(now()-(3600*2)),"Low", LastSeen&lt;(now()-(3600*2+1)) AND LastSeen&gt;(now()-(3600*8)) ,"Medium", LastSeen&lt;(now()-(3600*8+1)) AND LastSeen&gt;(now()-(3600*24)),"High", 1=1,"Critical") | convert ctime(LastSeen) timeformat="%d-%m-%Y %H:%M:%S" | eval Reference="SPL"] | fields DB_VERSION DATABASE APP_NAME ACTIVE_DC host Status SPLEvents | rex mode=sed field=host "s/\..*$//g" | fillnull value=Missing Status | fillnull value=Null   Can someone help here ... View more

Hi all, I have to extract sourcetype as field in Dashboard. There are multiple sourcetype like  : oracle:audit:json, oracle:audit:json11,oracle:audit:json12,sourcetype=oracle:audit:sql11,sourcetype=oracle:audit:sql12 I have written regex : rex mode=sed field=sourcetype "s/oracle:audit:(.*)\d\d/\1/g" Its working fine for all the sourcetype :  oracle:audit:json11,oracle:audit:json12,sourcetype=oracle:audit:sql11,sourcetype=oracle:audit:sql12 But when the data is coming with oracle:audit:json, its not giving the result in Dashboard. Main search query is giving result. macros definition : definition = (sourcetype=oracle:audit:json OR sourcetype=oracle:audit:json11 OR sourcetype=oracle:audit:json12 OR sourcetype=oracle:audit:sysaud OR sourcetype=oracle:audit:sysaud11 OR sourcetype=oracle:audit:sysaud12 OR sourcetype=oracle:audit:sql11 OR sourcetype=oracle:audit:sql12) I have written macros also where i have passed all the sourcetype but getting no result or partial result in dashboard for sourcetype  oracle:audit:json   ... View more

index=mysql sourcetype=audit_log earliest=1 | rex field=source "\/home\/mysqld\/(?&lt;Database1&gt;.*)\/audit\/" | rex field=source "\/mydata\/log\/(?&lt;Database2&gt;.*)\/audit\/" | eval Database = coalesce(Database1,Database2) | fields - Database1,Database2 | rex field=USER "(?&lt;USER&gt;[^\[]+)" | rex mode=sed field=HOST "s/\.[a-z].*$//g" | eval TIMESTAMP=strptime(TIMESTAMP, "%Y-%m-%dT%H:%M:%S UTC") | where TIMESTAMP &gt; now()-3600*24*90 | eval TIMESTAMP=strftime(TIMESTAMP, "%Y-%m-%d") | eval COMMAND_CLASS=if(isnull(COMMAND_CLASS) OR COMMAND_CLASS="", "NA", COMMAND_CLASS) | eval HOST=if(isnull(HOST) OR HOST="", "NA", HOST) | eval IP=if(isnull(IP) OR IP="", "NA", IP) | eval Action=if(isnull(NAME) OR NAME="", "NA", NAME) | eval STATUS=if(isnull(STATUS) OR STATUS="", "NA", STATUS) | eval Query=if(isnull(SQLTEXT) OR SQLTEXT="", "NA", SQLTEXT) | eval USER=if(isnull(USER) OR USER="", "NA", USER) | stats count as Events by Database USER HOST IP COMMAND_CLASS Action STATUS Query TIMESTAMP | lookup mysql_databases.csv DATABASE as Database OUTPUT APP_NAME | eval APP_NAME=if(isnull(APP_NAME) OR APP_NAME="", "NA", APP_NAME)   and hence getting no output in search and reporting tab ... View more

Hi, Can it be possible to extract one common field if we have two sourcetypes and sourcepath is also different in them , index is same. Example : sourcetype : abc with source path : /home/mysqld/$DB_NAME/audit/audit.log sourcetype:xyz with sourcepath : /mydata/log/$DB_NAME/audit/audit.log I need to have DBname extracted is that possible to get it via regex if yes what it can be. Also if not can i make soucretype as one with 2 different sourcepath /home/mysqld/$DB_NAME/audit/audit.log and /mydata/log/$DB_NAME/audit/audit.log  and then extract DBname from it via regex?   ... View more

Hi , I have to get the below fields extracted from these three logs to create visulisation: Fields i am interested: Event_log type,originator_username,object,username,destination,bucket_name,time,type   I have written this regex to create parser but i am not getting all the fields while writing base serach: ^(?:[^ \n]* ){2}(?P<event_log>\w+\s+[a-z_-]+)(?:[^ \n]* ){2}\{"originator_username"\:(?P<originator_username>.[a-z]+")\,"object"\:(?<object>.[a-z]+)[^,\n]*,"extra"\:\{(?P<extra>.[a-z]+)":[^,\n]*(?:[^,\n]*,){6}"time"\:(?P<time>\w+),(?:[^,\n]*,){2}"type"\:(?<type>.[a-z_]+[a-z])"}   2022-01-23 10:19:47,140 WARNING event_log EventLog: {"originator_username":"abc","object":"cluster","extra":{"username":"admin"},"object_type":"cluster","originator_uid":0,"time":164287087,"throttled_event_count":1,"obj_uid":null,"type":"failed_authentication_attempt"} 2022-01-23 07:24:05,479 INFO event_log EventLog: {"originator_username":"abcef","object":"bdb:1","extra":{"destination":{"bucket_name":"dbabucket","type":"s3","subdir":"radar2","filename":""}},"object_type":"bdb","originator_uid":0,"time":164767765,"throttled_event_count":1,"obj_uid":"1","type":"backup_succeeded"} 2022-01-23 07:15:00,294 INFO event_log EventLog: {"originator_username":"adminstrator","object":"bdb:1","object_type":"bdb","originator_uid":0,"time":1642788100,"throttled_event_count":1,"obj_uid":"1","type":"backup_started"}   Can anyone help me what neededd to be fix in regex so i can get all the needed field extracted for base search. ... View more