Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About im_bharath
im_bharath
Path Finder
Member since:
07-21-2022
03-06-2026
Community Statistics
| Posts | 25 |
| Solutions | 1 |
| Karma Given | 14 |
| Karma Received | 0 |
| Member Since | 07-21-2022 |
Activity Feed
- Posted Splunk Universal Forwarder 9.2.5 on Splunk Search. 02-04-2026 02:34 AM
- Posted Re: Adding emails to Trusted group on Alerting. 01-02-2024 02:12 AM
- Posted Adding emails to Trusted group on Alerting. 12-21-2023 07:31 AM
- Posted How to send syslog using rsyslog over TCP encrypted with TLS? on Getting Data In. 04-10-2023 04:09 AM
- Tagged How to send syslog using rsyslog over TCP encrypted with TLS? on Getting Data In. 04-10-2023 04:09 AM
- Tagged How to send syslog using rsyslog over TCP encrypted with TLS? on Getting Data In. 04-10-2023 04:09 AM
- Tagged How to send syslog using rsyslog over TCP encrypted with TLS? on Getting Data In. 04-10-2023 04:09 AM
- Tagged How to send syslog using rsyslog over TCP encrypted with TLS? on Getting Data In. 04-10-2023 04:09 AM
- Tagged How to send syslog using rsyslog over TCP encrypted with TLS? on Getting Data In. 04-10-2023 04:09 AM
- Karma Re: How to merge multiple eval's into a single using if (match)? for ITWhisperer. 04-10-2023 03:58 AM
- Posted Re: How to merge multiple eval's into a single using if (match)? on Security. 03-14-2023 02:39 AM
- Karma Re: merge multiple eval's into a single using if (match), for ITWhisperer. 03-13-2023 02:05 AM
- Posted Re: How to merge multiple eval's into a single using if (match)? on Security. 03-13-2023 02:04 AM
- Posted Re: merge multiple eval's into a single using if (match), on Security. 02-27-2023 01:25 AM
- Posted Re: merge multiple eval's into a single using if (match), on Security. 02-20-2023 05:02 AM
- Posted How to merge multiple eval's into a single using if (match)? on Security. 02-20-2023 03:21 AM
- Tagged How to merge multiple eval's into a single using if (match)? on Security. 02-20-2023 03:21 AM
- Tagged How to merge multiple eval's into a single using if (match)? on Security. 02-20-2023 03:21 AM
- Tagged How to merge multiple eval's into a single using if (match)? on Security. 02-20-2023 03:21 AM
- Tagged How to merge multiple eval's into a single using if (match)? on Security. 02-20-2023 03:21 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-04-2026
02:34 AM
Is Splunk Universal Forwader 9.2.5 supports to Windows Server 2025 ? Pls confirm. am seeing below in search community but one of my colleague is installed in Windows Server 2025. Splunk Universal Forwarder 9.2.5 does not support Windows Server 2025. The compatibility matrix indicates that Universal Forwarder versions are supported for a limited time, and it is essential to check the latest compatibility information on the Splunk support portal for the most accurate and updated details. Looking forward your response. Thanks in advance..!
... View more
- Tags:
- UF 9.2.5
Labels
- Labels:
-
other
01-02-2024
02:12 AM
Okay Thanks for the suggestions.. i will reach out to our exchange team and see if they can provide a solution and will post the outcome here. Thanks.
... View more
12-21-2023
07:31 AM
Hello All, Currently we have setup the use case to send the emails whenever a condition is satisfied and an alert is fired up. My concern is whenever the email is received we are receiving the address in the FROM field as "abc.xyz+untrusted@jkl.com", and we think that some mail boxes are not getting these emails from the specific untrusted email address, please correct me if i am misunderstood. Also, is there a way to add this "abc.xyz@jkl.com" to the trusted email group or something like that? or is there a different way to get the actual email address instead of the +untrusted email whenever an email is sent out from splunk. Hope this makes sense. Thanks,
... View more
Labels
- Labels:
-
alert action
-
alert condition
-
email
04-10-2023
04:09 AM
Hello All,
Currently a certain application is sending the data to splunk via syslog method(rsyslog) using TCP, so now the application team want to try and send the data using the syslog (rsyslog) over TCP with TLS encryption,
Can any one please help me how this can be achieved, and it would be really awesome if anybody can provide leads on any splunk documentation or links available for reference.
Thanks.
... View more
Labels
- Labels:
-
data
-
heavy forwarder
-
inputs.conf
03-14-2023
02:39 AM
Hey @ITWhisperer , I understand there is only so much you can do without the access to data, but really appreciate your help since it was the starting point for me.. i mean with your suggestion i tried different things and finally was able to get the solution. Thank you..!!
... View more
03-13-2023
02:04 AM
Hey @ITWhisperer Thanks you for the solution you have proposed for my question, however i was able to get only two types also i have used the below query and i was able to see the 5 types under the "LOGTYPE" index="your_index" sourcetype="yoursourcetype" | eval logtype = case(match(_raw, ".*?LTS.*?CID.*?Expo"),"browser", match(_raw, ".*?LTS.*?Cust.*?SID.*?InReason"),"useractivity", match(_raw, ".*?LTS.*?Cust.*?SID.*?STp"),"appconnector", match(_raw, "[^\{]+\{\"LTS\"\:\s+\"[^\,]+\,\"Cust\"\:\s+\"[^\,]+\,\"Username\"\:\s+[^\,]+\,\"SID\"\:\s+\"[^\,]+"),"userstatus", match(_raw, "[^\{]+\{\"MT\"\:\s+\"[^\,]+\,\"CT\"\:\"[^\,]+\,\"MB\"\:[^\,]+"),"adminlogs")
... View more
02-27-2023
01:25 AM
Hello @ITWhisperer , I tried using the SPL you have given me (OfCourse modified accordingly) and i could get the values for two types of the entries... so I plan to test this using the sample data including all types of the events... and will let you know if it works or not.
... View more
02-20-2023
05:02 AM
hi @ITWhisperer , I did use the case(), but i am getting an error "Error in 'eval' command: The expression is malformed. Expected )." eval logtype = case(('browser',".*?LTS.*?CID.*?Expo"),('adminlogs',".*?MT.*?CT.*?MB"),('useractivity',"*?LTS.*?Cust.*?SID.*?InReason"),('appconnector',".*?LTS.*?Cust.*?SID.*?STp"),('userstatus',".*?LTS.*?Cust.*?Uname.*?SessionID")), Don't have a clue as to what I missed here.
... View more
02-20-2023
03:21 AM
Hello everyone,
i have this below SPL i am using,
index=abcde* | eval logtype = if(match(_raw,".*?LTStamp.*?ConnID.*?Exp"),"browser"," ") | eval logtype = if(match(_raw,".*?MT.*?CTime.*?MBy"),"admin"," ") | eval logtype = if(match(_raw,".*?LTStamp.*?Customer.*?SID.*?InReason"),"useractivity"," ") | eval logtype = if(match(_raw,".*?LTStamp.*?Cust.*?SID.*?SessType"),"appconnector"," ") | eval logtype = if(match(_raw,".*?LTStamp.*?Customer.*?Uname.*?SID"),"userstatus"," "),
When I am using this in a search the new field "logtype" is created but the field value is just empty with count and also it is only taking the first eval statement and omitting the rest.
If I use only 1 eval statement like for example 3rd eval statement "| eval logtype = if(match(_raw,".*?LTStamp.*?Customer.*?SID.*?InReason"),"useractivity"," ")" it is giving me a value "useractivity" against the newly created "logtype" field.
Now,
my question is how I can join all these different eval statements into a single "eval" statement using the condition that i have used in the SPL above,
[eval logtype = if(match,(regex), "X"," ")]
Note: the regexes (.*?LTStamp.*?ConnID.*?Exp) used in the match condition is hardcoded from the events we received into Splunk.
or can we use any other condition such as CASE. LIKE etc., so, that I can get all these field values (browser, adminlogs, useractivity, appconnector and userstatus) under the "logtype" field like i mentioned below.
logtype
Values count %
browser xx xx%
adminlogs xx xx%
useractivity xx xx%
appconnector xx xx%
userstatus xx xx%
Hope the above question makes sense, any help on this will be much appreciated.
Thanks...!!!
... View more
11-22-2022
01:34 AM
Hey @kamlesh_vaghela , I have tried below SPL query as suggested by you, | multikv forceheader=1
| table column1 column2 column3 column4
| rename comment as "upto this is sample data"
| streamstats count by column1 column2 column4
| eval column1=if(count==1,column1,""), column2=if(count==1,column2,""),column4=if(count==1,column4,"")
|fields - count so i got below result similar to the other post, but we were getting the multiple values for column3 like 1,1,2,3,3,3,3,4,5,5,5,6,6, instead of 1,2,3,4,5,6 So i have added the "dedup column3" to your search and it removed the duplicate results. Thank you for the solution.
... View more
11-21-2022
05:17 AM
Hey @kamlesh_vaghela, I will try and let you know if this works as well or not..
... View more
11-21-2022
05:16 AM
Hey @gcusello, That worked.. thanks a lot.
... View more
11-21-2022
04:36 AM
Hello All,
When using the "stats count by column1, column2, column3, column4"
I get the below result
Existing table :
column1
column2
column3
column4
XXXXXXXX
YYYYY
A
123
XXXXXXXX
YYYYY
B
123
XXXXXXXX
YYYYY
C
123
XXXXXXXX
YYYYY
D
123
XXXXXXXX
YYYYY
E
123
Where as I need this result :
column1
column2
column3
column4
XXXXXXXX
YYYYY
A
123
B
C
D
E
Could somebody please help me with the query?
Thanks,
... View more
10-25-2022
09:24 AM
Hey @richgalloway , As you suggested, i can add the "Extract" option in the existing default sourcetype(database:internal), but since it is a distributed environment there are multiple apps which have been integrated to Splunk using the DBCONNECT and are using the same default sourcetype, So, add the "EXTRACT" attribute will it not affect the other apps ? Is my understanding correct? Is there a way that we can apply this EXTRACT attribute for a specific application? Thanks,
... View more
10-25-2022
01:11 AM
Hello All,
we have a default database:internal sourcetype for a application using DBConnect to send data to Splunk and I want to extract couple of fields from the incoming data from splunk side,
So, I was wondering If I use a custom sourcetype(database:internal:xxxx:zzzz), should I use(extract) the attributes from the data,
"EXTRACT-xxxx = xxxx" in the props.conf or will the intended fields be extracted by default when we change to custom sourcetype?
Any explanation would be really appreciated.
Thanks.
... View more
Labels
- Labels:
-
props.conf
-
sourcetype
10-25-2022
12:46 AM
hey @isoutamo, before I could see in the splunkd*.log like you suggested, the issue was resolved I mean to say that I was able to login to the splunkweb, however they were some errors, I will take a look at them and (probably post here) once I log back in. I will keep you posted.
... View more
10-20-2022
07:40 AM
500 internal server error
Oops.
The server encountered an unexpected condition which prevented it from fulfilling the request. Click here to return to Splunk homepage.
I have installed Splunk instance on the Ubuntu (WSL), and had some issues while starting the splunk so i followed the steps suggested by @naisanza (https://community.splunk.com/t5/Getting-Data-In/Why-am-I-getting-quot-homePath-opt-splunk-var-lib-splunk-audit/m-p/220231/highlight/false#M43245), this was fixed,
And still my Splunkweb was not up and running so i have followed steps suggested by @fearofcasanova in the post(https://community.splunk.com/t5/Installation/splunk-installation-is-failing-to-generate-cert-pem/m-p/405406/highlight/false#M5445) the issue was fixed
And i tried to login to splunk web link "https://<ip.o.o.o>:8000" and when i entered the credentials it was giving me the above 500 error.
Can somebody help me out in fixing this issue, thanks in advance.
... View more
Labels
- Labels:
-
Linux
-
search head
-
splunkd
10-20-2022
07:24 AM
Hey @fearofcasanova , Thanks for the answer, this worked like a charm and now my splunkweb is up and running. Thanks,
... View more
10-20-2022
07:17 AM
Hey @naisanza, I installed the splunk on the Ubuntu (WSL) and encountered the same issue and i have tried the option you have provided and it worked.. Thank you very much.
... View more
10-17-2022
06:59 AM
Hey All, I have the 3 types of events coming from the same source(see below) with different codes such as TS01, US03 and VS05 respectively, 1) ABC:0|Application|ABCD|I2.0|TS01|Logging Change|Medium| eventId=4xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com....... 2) ABC:0|Application|ABCD|I2.0|US03|Logging Update|Medium| eventId=5xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com 3) ABC:0|Application|ABCD|I2.0|VS05|Logging Revert|Medium| eventId=6xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com So, in the event(1) I want to rename the src_user as dest_user and shost as dhost without the same fields in the other 2 types of events. In the "Props.conf" I can add below, FIELDALIAS-src_host = src_host AS dest_host FIELDALIAS-shost = shost AS dhost but the issue is that if I use the above in props.conf the changes will get applied across all the event codes, so, my question is if there is a way to achieve this for only the specific code lets say, "TS01". Any help on this will be much appreciated. Thanks.
... View more
Labels
- Labels:
-
configuration
-
development
10-11-2022
05:23 AM
Thank you very much @richgalloway
... View more
10-11-2022
05:06 AM
Hey @richgalloway thank you for the response. So when i say "point these indexes 5 indexes to global index", I want the application to send the data in to this newly created "index_global" instead of these 5 indexes.
... View more
10-10-2022
04:02 AM
Hello All,
We are currently getting data from an application into these 5 indexes(index1, index2, index3, index4, index5.. ) from different locations around the world. And I want to try and create a new index called "index_global" and point all these 5 indexes to this global index so that all the data can be available under a single index.
Hope this makes sense.
I would really like to understand, how i can achieve this. Any help on this would be really appreciated.
Thanks and cheers.
... View more
Labels
- Labels:
-
administration
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-06-2026
07:10 AM
|
Karma given to
