Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About im_bharath
im_bharath
Path Finder
Member since:
07-21-2022
04-24-2023
Community Statistics
| Posts | 20 |
| Solutions | 1 |
| Karma Given | 14 |
| Karma Received | 0 |
| Member Since | 07-21-2022 |
Activity Feed
- Posted How to send syslog using rsyslog over TCP encrypted with TLS? on Getting Data In. 04-10-2023 04:09 AM
- Tagged How to send syslog using rsyslog over TCP encrypted with TLS? on Getting Data In. 04-10-2023 04:09 AM
- Tagged How to send syslog using rsyslog over TCP encrypted with TLS? on Getting Data In. 04-10-2023 04:09 AM
- Tagged How to send syslog using rsyslog over TCP encrypted with TLS? on Getting Data In. 04-10-2023 04:09 AM
- Tagged How to send syslog using rsyslog over TCP encrypted with TLS? on Getting Data In. 04-10-2023 04:09 AM
- Tagged How to send syslog using rsyslog over TCP encrypted with TLS? on Getting Data In. 04-10-2023 04:09 AM
- Karma Re: How to merge multiple eval's into a single using if (match)? for ITWhisperer. 04-10-2023 03:58 AM
- Posted Re: How to merge multiple eval's into a single using if (match)? on Security. 03-14-2023 02:39 AM
- Karma Re: merge multiple eval's into a single using if (match), for ITWhisperer. 03-13-2023 02:05 AM
- Posted Re: How to merge multiple eval's into a single using if (match)? on Security. 03-13-2023 02:04 AM
- Posted Re: merge multiple eval's into a single using if (match), on Security. 02-27-2023 01:25 AM
- Posted Re: merge multiple eval's into a single using if (match), on Security. 02-20-2023 05:02 AM
- Posted How to merge multiple eval's into a single using if (match)? on Security. 02-20-2023 03:21 AM
- Tagged How to merge multiple eval's into a single using if (match)? on Security. 02-20-2023 03:21 AM
- Tagged How to merge multiple eval's into a single using if (match)? on Security. 02-20-2023 03:21 AM
- Tagged How to merge multiple eval's into a single using if (match)? on Security. 02-20-2023 03:21 AM
- Tagged How to merge multiple eval's into a single using if (match)? on Security. 02-20-2023 03:21 AM
- Posted Re: Remove duplicate values only in one column out of four columns. on Splunk Search. 11-22-2022 01:34 AM
- Karma Re: Remove duplicate values only in one column out of four columns. for kamlesh_vaghela. 11-22-2022 01:34 AM
- Posted Re: Remove duplicate values only in one column out of four columns. on Splunk Search. 11-21-2022 05:17 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-10-2023
04:09 AM
Hello All,
Currently a certain application is sending the data to splunk via syslog method(rsyslog) using TCP, so now the application team want to try and send the data using the syslog (rsyslog) over TCP with TLS encryption,
Can any one please help me how this can be achieved, and it would be really awesome if anybody can provide leads on any splunk documentation or links available for reference.
Thanks.
... View more
Labels
- Labels:
-
data
-
heavy forwarder
-
inputs.conf
-
other
03-14-2023
02:39 AM
Hey @ITWhisperer , I understand there is only so much you can do without the access to data, but really appreciate your help since it was the starting point for me.. i mean with your suggestion i tried different things and finally was able to get the solution. Thank you..!!
... View more
03-13-2023
02:04 AM
Hey @ITWhisperer Thanks you for the solution you have proposed for my question, however i was able to get only two types also i have used the below query and i was able to see the 5 types under the "LOGTYPE" index="your_index" sourcetype="yoursourcetype" | eval logtype = case(match(_raw, ".*?LTS.*?CID.*?Expo"),"browser", match(_raw, ".*?LTS.*?Cust.*?SID.*?InReason"),"useractivity", match(_raw, ".*?LTS.*?Cust.*?SID.*?STp"),"appconnector", match(_raw, "[^\{]+\{\"LTS\"\:\s+\"[^\,]+\,\"Cust\"\:\s+\"[^\,]+\,\"Username\"\:\s+[^\,]+\,\"SID\"\:\s+\"[^\,]+"),"userstatus", match(_raw, "[^\{]+\{\"MT\"\:\s+\"[^\,]+\,\"CT\"\:\"[^\,]+\,\"MB\"\:[^\,]+"),"adminlogs")
... View more
02-27-2023
01:25 AM
Hello @ITWhisperer , I tried using the SPL you have given me (OfCourse modified accordingly) and i could get the values for two types of the entries... so I plan to test this using the sample data including all types of the events... and will let you know if it works or not.
... View more
02-20-2023
05:02 AM
hi @ITWhisperer , I did use the case(), but i am getting an error "Error in 'eval' command: The expression is malformed. Expected )." eval logtype = case(('browser',".*?LTS.*?CID.*?Expo"),('adminlogs',".*?MT.*?CT.*?MB"),('useractivity',"*?LTS.*?Cust.*?SID.*?InReason"),('appconnector',".*?LTS.*?Cust.*?SID.*?STp"),('userstatus',".*?LTS.*?Cust.*?Uname.*?SessionID")), Don't have a clue as to what I missed here.
... View more
02-20-2023
03:21 AM
Hello everyone,
i have this below SPL i am using,
index=abcde* | eval logtype = if(match(_raw,".*?LTStamp.*?ConnID.*?Exp"),"browser"," ") | eval logtype = if(match(_raw,".*?MT.*?CTime.*?MBy"),"admin"," ") | eval logtype = if(match(_raw,".*?LTStamp.*?Customer.*?SID.*?InReason"),"useractivity"," ") | eval logtype = if(match(_raw,".*?LTStamp.*?Cust.*?SID.*?SessType"),"appconnector"," ") | eval logtype = if(match(_raw,".*?LTStamp.*?Customer.*?Uname.*?SID"),"userstatus"," "),
When I am using this in a search the new field "logtype" is created but the field value is just empty with count and also it is only taking the first eval statement and omitting the rest.
If I use only 1 eval statement like for example 3rd eval statement "| eval logtype = if(match(_raw,".*?LTStamp.*?Customer.*?SID.*?InReason"),"useractivity"," ")" it is giving me a value "useractivity" against the newly created "logtype" field.
Now,
my question is how I can join all these different eval statements into a single "eval" statement using the condition that i have used in the SPL above,
[eval logtype = if(match,(regex), "X"," ")]
Note: the regexes (.*?LTStamp.*?ConnID.*?Exp) used in the match condition is hardcoded from the events we received into Splunk.
or can we use any other condition such as CASE. LIKE etc., so, that I can get all these field values (browser, adminlogs, useractivity, appconnector and userstatus) under the "logtype" field like i mentioned below.
logtype
Values count %
browser xx xx%
adminlogs xx xx%
useractivity xx xx%
appconnector xx xx%
userstatus xx xx%
Hope the above question makes sense, any help on this will be much appreciated.
Thanks...!!!
... View more
Labels
- Labels:
-
other
11-22-2022
01:34 AM
Hey @kamlesh_vaghela , I have tried below SPL query as suggested by you, | multikv forceheader=1
| table column1 column2 column3 column4
| rename comment as "upto this is sample data"
| streamstats count by column1 column2 column4
| eval column1=if(count==1,column1,""), column2=if(count==1,column2,""),column4=if(count==1,column4,"")
|fields - count so i got below result similar to the other post, but we were getting the multiple values for column3 like 1,1,2,3,3,3,3,4,5,5,5,6,6, instead of 1,2,3,4,5,6 So i have added the "dedup column3" to your search and it removed the duplicate results. Thank you for the solution.
... View more
11-21-2022
05:17 AM
Hey @kamlesh_vaghela, I will try and let you know if this works as well or not..
... View more
11-21-2022
05:16 AM
Hey @gcusello, That worked.. thanks a lot.
... View more
11-21-2022
04:36 AM
Hello All,
When using the "stats count by column1, column2, column3, column4"
I get the below result
Existing table :
column1
column2
column3
column4
XXXXXXXX
YYYYY
A
123
XXXXXXXX
YYYYY
B
123
XXXXXXXX
YYYYY
C
123
XXXXXXXX
YYYYY
D
123
XXXXXXXX
YYYYY
E
123
Where as I need this result :
column1
column2
column3
column4
XXXXXXXX
YYYYY
A
123
B
C
D
E
Could somebody please help me with the query?
Thanks,
... View more
10-25-2022
09:24 AM
Hey @richgalloway , As you suggested, i can add the "Extract" option in the existing default sourcetype(database:internal), but since it is a distributed environment there are multiple apps which have been integrated to Splunk using the DBCONNECT and are using the same default sourcetype, So, add the "EXTRACT" attribute will it not affect the other apps ? Is my understanding correct? Is there a way that we can apply this EXTRACT attribute for a specific application? Thanks,
... View more
10-25-2022
01:11 AM
Hello All,
we have a default database:internal sourcetype for a application using DBConnect to send data to Splunk and I want to extract couple of fields from the incoming data from splunk side,
So, I was wondering If I use a custom sourcetype(database:internal:xxxx:zzzz), should I use(extract) the attributes from the data,
"EXTRACT-xxxx = xxxx" in the props.conf or will the intended fields be extracted by default when we change to custom sourcetype?
Any explanation would be really appreciated.
Thanks.
... View more
Labels
- Labels:
-
props.conf
-
sourcetype
10-25-2022
12:46 AM
hey @isoutamo, before I could see in the splunkd*.log like you suggested, the issue was resolved I mean to say that I was able to login to the splunkweb, however they were some errors, I will take a look at them and (probably post here) once I log back in. I will keep you posted.
... View more
10-20-2022
07:40 AM
500 internal server error
Oops.
The server encountered an unexpected condition which prevented it from fulfilling the request. Click here to return to Splunk homepage.
I have installed Splunk instance on the Ubuntu (WSL), and had some issues while starting the splunk so i followed the steps suggested by @naisanza (https://community.splunk.com/t5/Getting-Data-In/Why-am-I-getting-quot-homePath-opt-splunk-var-lib-splunk-audit/m-p/220231/highlight/false#M43245), this was fixed,
And still my Splunkweb was not up and running so i have followed steps suggested by @fearofcasanova in the post(https://community.splunk.com/t5/Installation/splunk-installation-is-failing-to-generate-cert-pem/m-p/405406/highlight/false#M5445) the issue was fixed
And i tried to login to splunk web link "https://<ip.o.o.o>:8000" and when i entered the credentials it was giving me the above 500 error.
Can somebody help me out in fixing this issue, thanks in advance.
... View more
Labels
- Labels:
-
Linux
-
search head
-
splunkd
10-20-2022
07:24 AM
Hey @fearofcasanova , Thanks for the answer, this worked like a charm and now my splunkweb is up and running. Thanks,
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-24-2023
03:44 PM
|
Karma given to
