cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
drogo
Explorer
Member since: ‎03-18-2023
3 weeks ago
Community Statistics
Posts 9
Solutions 0
Karma Given 9
Karma Received 0
Member Since ‎03-18-2023
Activity Feed
View All

Re: Split square bracket expression

by in Splunk Search
‎08-28-2023 07:32 AM
‎08-28-2023 07:32 AM
@hanks @richgalloway this help ... View more

Re: Split square bracket expression

by in Splunk Search
‎08-28-2023 07:31 AM
‎08-28-2023 07:31 AM
Thanks @ITWhisperer  ... View more

Split square bracket expression: How to separate o...

by in Splunk Search
‎08-28-2023 05:27 AM
‎08-28-2023 05:27 AM
Hi, I want to separate out below fields in table format. Raw = Namespace [com.sampple.ne.vas.events], ServiceName [flp-eg-cg], Version [0.0.1], isActive [true], AppliationType [EVENT] Query I am using = | eval Namespace=mvindex(split(mvindex(split(_raw, "Namespace "),1),"],"),1) | eval ServiceName=mvindex(split(mvindex(split(_raw,"ServiceName "),1),"],"),0) | eval Version=mvindex(split(mvindex(split(_raw,"Version "),1),"],"),0) | stats latest(Namespace) as Namespace latest(ServiceName) as ServiceName latest(Version) as Version by host | sort -Version Expected result Host AppName ServiceName Version                   ... View more
Labels

How to create Alert query when date in field is le...

by in Splunk Search
‎08-09-2023 01:49 AM
‎08-09-2023 01:49 AM
Hi Team, I am setting up an alert on Splunk where my data is in below format.  I am writing a query where it returns those row only where CertExpiry is in15 days. Basically alert should trigger if cert is getting expired in next 15days. Component  Server CertExpiry Zone.jar sample September 13, 2023 9:49:49 AM CDT   ... View more
Labels

Re: How to extract fields from txt format

by in Splunk Search
‎03-27-2023 11:41 PM
‎03-27-2023 11:41 PM
Hi @gcusello, I got the solution, thanks for your help! https://regex101.com/r/aPEZ6B/1  ... View more

Re: How to extract fields from txt format

by in Splunk Search
‎03-27-2023 11:16 PM
‎03-27-2023 11:16 PM
Thanks gcusello, this really helps. I am getting values which are prior to , in messages but messages are having thousands of count and those in below pattern. How can I get whole value. Update value on below page. https://regex101.com/r/aPEZ6B/1 Sample - 2023-03-21 04:14:13.859, queue_name:stream-AccountProfile, messages: 16,2303, bytes: 13 KiB, actCusumers: 4, numSubjects: 1 2023-03-21 04:14:13.859, queue_name:stream-SampleProfile, messages: 3,522, bytes: 2.4 MiB, actCusumers: 4, numSubjects: 1 ... View more

How to extract fields from txt format?

by in Splunk Search
‎03-22-2023 01:34 AM
‎03-22-2023 01:34 AM
Hello, I want to extract fiends from below log format. Can someone please help. Log format - 2023-03-21 04:14:13.859, queue_name:stream-AccountProfile, messages: 16, bytes: 13 KiB, actCusumers: 4, numSubjects: 1 2023-03-21 04:14:13.859, queue_name:stream-SampleProfile, messages: 3,522, bytes: 2.4 MiB, actCusumers: 4, numSubjects: 1 Fields I want to extract are queue name, messages, actCusumers, numSubjects.  I am using below eval commands but looks like I am not getting all logs, also getting duplicate events. I am want to extract only latest ones. Query -  | eval ArrayAttrib=split(_raw,",") | eval numSubjects=mvindex(split(mvindex(ArrayAttrib,-1) ,": "),1) | eval actConsumers=mvindex(split(mvindex(ArrayAttrib,-2) ,": "),1) | eval bytes=mvindex(split(mvindex(ArrayAttrib,-3) ,": "),1) | eval messages=mvindex(split(mvindex(ArrayAttrib,-4) ,": "),1) | eval stream=mvindex(split(mvindex(ArrayAttrib,-5) ,":"),1) | eval dtm=strftime(_time,"%Y-%m-%d %H:%M") | stats max(dtm) by stream numSubjects actConsumers bytes messages | fields "stream", "messages", "actConsumers", "numSubjects", "max(dtm)" | dedup "messages" | dedup "stream" | sort "stream"           ... View more
Labels

Re: Splunk query to extract key value pair

by in Splunk Search
‎03-19-2023 01:16 AM
‎03-19-2023 01:16 AM
Thanks @gcusello, the main problem I am seeing that on splunk logs. The json file is not showing in one line. Each attribute is on individual line and Splunk is considering each line as separate log. See below example. I am looking to pull config.name field, similarly others.   ... View more

Splunk search to extract key value pair?

by in Splunk Search
‎03-18-2023 01:43 AM
‎03-18-2023 01:43 AM
Hi, I have injected NATS stream details in json format to the splunk and it look below. Wanted to extract key value pair from it. Any help is appreciated. Thanks in advance! looking to extract values of below key - messages bytes first_seq first_ts last_seq last_ts consumer_count   JSON format -   {   "config": {     "name": "test-validation-stream",     "subjects": [       "test.\u003e"     ],     "retention": "limits",     "max_consumers": -1,     "max_msgs_per_subject": -1,     "max_msgs": 10000,     "max_bytes": 104857600,     "max_age": 3600000000000,     "max_msg_size": 10485760,     "storage": "file",     "discard": "old",     "num_replicas": 3,     "duplicate_window": 120000000000,     "sealed": false,     "deny_delete": false,     "deny_purge": false,     "allow_rollup_hdrs": false,     "allow_direct": false,     "mirror_direct": false   },   "created": "2023-02-14T19:26:42.663470573Z",   "state": {     "messages": 0,     "bytes": 0,     "first_seq": 39482101,     "first_ts": "1970-01-01T00:00:00Z",     "last_seq": 39482100,     "last_ts": "2023-03-18T03:10:35.6728279Z",     "consumer_count": 105   },   "cluster": {     "name": "cluster",     "leader": "server0.mastercard.int",     "replicas": [       {         "name": "server1",         "current": true,         "active": 387623412       },       {         "name": "server2",         "current": true,         "active": 387434624       }     ]   } } ... View more
Contact Me
Online Status
Offline
Date Last Visited
3 weeks ago
Karma given to