Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About jordilazo
jordilazo
Explorer
Member since:
09-14-2022
02-23-2023
Community Statistics
| Posts | 12 |
| Solutions | 0 |
| Karma Given | 4 |
| Karma Received | 0 |
| Member Since | 09-14-2022 |
Activity Feed
- Posted Re: How to insert data correctly with collect command (include fields and values)? on Splunk Enterprise. 10-11-2022 02:18 AM
- Karma Re: How to insert data correctly with collect command (include fields and values)? for johnhuang. 10-11-2022 02:16 AM
- Posted How to insert data correctly with collect command (include fields and values)? on Splunk Enterprise. 10-10-2022 05:45 AM
- Posted Re: How to prevent Splunk from creating a new field and value in an event given that a field contains the symbol "e on Splunk Enterprise. 10-03-2022 12:23 AM
- Karma Re: How to escape equal signs (=) in key value data? for woodcock. 10-03-2022 12:23 AM
- Posted Re: How to escape equal signs (=) in key value data? on Splunk Search. 09-29-2022 11:42 PM
- Karma How to escape equal signs (=) in key value data? for helge. 09-29-2022 11:35 PM
- Posted Re: How to prevent Splunk from creating a new field and value in an event given that a field contains the symbol "e on Splunk Enterprise. 09-29-2022 08:42 AM
- Posted Re: How to prevent Splunk from creating a new field and value in an event given that a field contains the symbol "e on Splunk Enterprise. 09-29-2022 06:13 AM
- Posted Re: How to prevent splunk from creating a new field and value in an event given that a field contains the symbol "e on Splunk Enterprise. 09-29-2022 01:45 AM
- Posted How to prevent Splunk from creating a new field and value in an event given that a field contains the symbol "equal"? on Splunk Enterprise. 09-28-2022 12:49 PM
- Posted Re: Insert custom field and value to splunk on Splunk Enterprise. 09-28-2022 06:44 AM
- Posted Re: Insert custom field and value to splunk on Splunk Enterprise. 09-28-2022 05:59 AM
- Karma Can splunk index same data into one index but different sourcetypes?? for sivaranjiniG. 09-28-2022 04:56 AM
- Posted How do I Insert custom field and value to splunk? on Splunk Enterprise. 09-28-2022 04:39 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
10-11-2022
02:18 AM
Thank you. That was what was missing
... View more
10-10-2022
05:45 AM
Hi,
I'm pretty new to splunk and I have a question.
I am trying to send information from one index to another with the "collect" command.
The problem is that when I send the events to the new index the field and value do not appear as in the old index (they disappear).
I am using this sentence:
index = legacy sourcetype = old_legacy | collect index= mew_legacy
But in the new index i'm not receiving the FIELD->VALUE .
... View more
Labels
- Labels:
-
development
-
using Splunk Enterprise
10-03-2022
12:23 AM
This solution works but it wasn't exactly what I wanted. In this post this person asked the same and its looks like there is no solution. How to escape equal signs (=) in key value data? - Splunk Community
... View more
09-29-2022
11:42 PM
Hi Woodcock, I'm having the same problem that HELGE mentioned. I have created my own KV_MODE as you gave in the solution but I still get the same error. Can you confirm that even if I have created my own KV_MODE IT IS NOT POSSIBLE to skip the equal symbol (=)? (Splunk keeps creating different fields whenever it finds an = inside the value).
... View more
09-29-2022
08:42 AM
Hi Chaker, I think it is working but the problem is that I have another event that contains double quotes" inside the value. Here is an example: mail_reviewcomment="Comentario:ÑC<2KLAZR=@Q"&"\A" So splunk is getting confused again. How can I modify the REGEX so splunk will process the field?
... View more
09-29-2022
06:13 AM
Hi Chaker, Unfortunately I have tried everything but Splunk keeps automatically creating a new field for the mail_reviewcomment field. Maybe the problem is in the input.conf? I run the script automatically. Here I leave my configuration: HF: inputs.conf
[script://script.py]
disabled = 0
index = jordi_emails
interval = 55 14 * * *
source = external
sourcetype = preproc props.conf
[preproc]
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true
TIME_PREFIX = timestamp=
MAX_TIMESTAMP_LOOKAHEAD = 10
CHARSET = UTF-8
KV_MODE = auto
TRANSFORMS-dynamic_sourcetype = dynamic_sourcetype
[test]
EXTRACT-mail_reviewcomment = mail_reviewcomment="(?<mail_reviewcomment>.+?)" transform.conf
[dynamic_sourcetype]
REGEX = sourcetype="(\w+)"
FORMAT = sourcetype::$1
DEST_KEY = MetaData:Sourcetype SH: Looks exactly the same like the props.conf in my HF (as you said).
... View more
09-29-2022
01:45 AM
Hi Chaker, My props looks like: [preproc] SHOULD_LINEMERGE = false NO_BINARY_CHECK = true TIME_PREFIX = timestamp= MAX_TIMESTAMP_LOOKAHEAD = 10 CHARSET = UTF-8 KV_MODE = auto TRANSFORMS-dynamic_sourcetype = dynamic_sourcetype EXTRACT-test = mail_reviewcomment="(?<mail_reviewcomment>.+?)" But is still not working. Any idea? should I introduce the events like CSV?
... View more
09-28-2022
12:49 PM
Hi, I have been able to enter the following data in splunk through key value with the following format: sourcetype="excel_page_10" mail_sender="jordi@jordilazo.com" mail_recipient="lazo@jordilazo.es" mail_date_ep="1635qqqqwe2160816.0" mail_nummails="1222asdasd.adasdqweqw" mail_level="0@qw....." mail_info="NO" mail_removal="NO" mail_area="Miami" mail_subject="RE: NMXWZFOG< >VSTI" mail_id="XXX-KKKK-NNNN-KNZI" mail_reviewcomment="Comentario:ÑC<AZR=@P""\a" As can be seen in the image, splunk has been able to correctly classify all the fields and value. However it has created a new field called AZR with the value @P. This is because it has detected an = inside the comment review value and created it. What do I have to modify in the props and transform so that it detects the entire reviewcomment field as 1 single value and includes the symbol =?
... View more
Labels
- Labels:
-
development
09-28-2022
06:44 AM
Sorry is the first time I am doing this. Could you explain it with more detail? Where should I add EXTRACT? as you said in the props.conf but exactly where and with what parameters?
... View more
09-28-2022
05:59 AM
Hi isoutamo, Thanks for your information!! Thanks to you I have been able to upload the data correctly except for a small error. In the field: mail_reviewcomment I have a = which makes splunk automatically create a new field for me without me asking it. Is there any way to be able to insert the = symbol to the splunk and at the same time not create a new field? Thank you.
... View more
09-28-2022
04:39 AM
Hi, Im dummy in Splunk and I have one doubt. Maybe you can help me. I want to insert in an index that I have created some data that I have obtained when executing a script in python, so the result of the script is the following:
sourcetype="script_emails" mail_sender="jordi@jordilazo.com" mail_recipient="jordilazo2@jordilazo.es" mail_date="10-10-2022" mail_subject="RE: NMXWZFOG< >VSTI" mail_reviewcomment="Comment:ÑC<AZR=@P"&"\A"
How do I configure the inputs, props and transform so that it is uploaded correctly in Splunk?
- Field - Value - Source - Sourcetype I have this:
inputs.conf
[script://"script.py"]
disabled = 0
index = python_emails
interval = 22 13 * * *
source = ????(I dont know what to insert here)
sourcetype = mytest
transform.conf
[test_sourcetype]
REGEX = sourcetype="(\w+)"
FORMAT = sourcetype::$1
DEST_KEY = MetaData:Sourcetype
[test_comment]
REGEX = mail_reviewcomment="(.+)"
FORMAT = mail_reviewcomment::$1
WRITE_META = true
props.conf
[mytest]
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true
TIME_PREFIX = timestamp=
MAX_TIMESTAMP_LOOKAHEAD = 10
CHARSET = UTF-8
KV_MODE = auto
TRANSFORMS-test_sourcetype = test_sourcetype,test_comment
Thanks for you help!
... View more
Labels
- Labels:
-
configuration
-
development
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-23-2023
08:15 AM
|
