×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
nolejj
Explorer
Member since: ‎04-20-2022
‎09-28-2023
Community Statistics
Posts 6
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎04-20-2022
Activity Feed
View All

Re: Tableau System Logs

by in Getting Data In
‎09-27-2023 08:18 AM
‎09-27-2023 08:18 AM
Another unique field to extract is the Operation performed: \:\s+[A-Z]+\s+(?<Operation>[*\s]+) You can test on a report with: | rex field=_raw "\:\s+[A-Z]+\s+(?<Operation>[*\s]+)" You can use the operation event results to narrow down on the type events you want to search. For the event message portion, you can use: (?ms)([A-Z].*\s-\s+(?<Message>.*) You can test on a report with: | rex field=_raw "(?ms)([A-Z].*\s-\s+(?<Message>.*)" (?ms) is used to display multiple lines of a message. Example would be Java messages.   Thanks, Joe ... View more

Re: Customize Length of Value with an added Prefix

by in Splunk Search
‎04-25-2022 11:22 AM
‎04-25-2022 11:22 AM
Thank you. Short and nice. 🙂 ... View more

Re: How would I extract fields from raw data conta...

by SplunkTrust in Splunk Search
‎04-21-2022 03:31 PM
1 Karma
‎04-21-2022 03:31 PM
1 Karma
Run them as separate rex commands | rex "user_id:\[\d+\]\s\"(?<user_id>[^\"]+)" | rex "NAME:\[\d+\]\s\"(?<NAME>[^\"]+)" | rex "Car:\[\d+\]\s\"(?<Car>[^\"]+)" ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎09-28-2023 07:17 PM
Karma given to
View All