×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
bpenny
Explorer
Member since: ‎10-13-2023
3 weeks ago
Community Statistics
Posts 6
Solutions 1
Karma Given 1
Karma Received 2
Member Since ‎10-13-2023
Activity Feed
View All

Re: REST query via console vs API showing differen...

by in Splunk Search
3 weeks ago
2 Karma
3 weeks ago
2 Karma
Turns out this was user error due to not parsing the results properly. ... View more

REST query via console vs API showing different re...

by in Splunk Search
3 weeks ago
3 weeks ago
Executive overview: We're using Splunk Cloud (Victoria Experience), and we're in the process of spinning up a new instance for FedRAMP purposes. One thing I'm trying to do is streamline migrating of some of our custom sourcetypes from the existing environment to the new one. I'm able to perform a search via the console that returns a record containing all the details of a given sourcetype (This particular sourcetype has a few dozen EVAL-*, FIELDALIAS-*, and LOOKUP-* settings, so it's a pretty complex one.): | rest /services/configs/conf-props | search title="sfdc:logfile"   If I try the above search via a POST to /services/search/v2/jobs/export (or the /servicesNS equivalent with either - wildcards or an explicit user & app) I don't get any of those EVAL-* etc. settings. The authentication token I'm using for the search was created by an admin user, and I've tried using that same admin user on the /servicesNS  requests. Why am I only getting partial results via the API? ... View more
Labels

Re: Applying an inputlookup across a list of value...

by in Splunk Search
‎04-09-2025 06:32 AM
‎04-09-2025 06:32 AM
Thanks, @livehybrid, this is very close to what I need. What I ultimately want though, is to make these automatic lookups. We actually have about ten different ones that we need to apply to this particular sourcetype. I just can't seem to figure out how to add something like msg.message_set{}.type to an automatic lookup and have it work. ... View more

Applying an inputlookup across a list of values

by in Splunk Search
‎04-08-2025 08:11 AM
‎04-08-2025 08:11 AM
We have a use case where some JSON being ingested into Splunk contains a list of values like this: "message_set": [ { "type": 9 }, { "type": 22 }, { "type": 15 }, ... ], That list has an arbitrary length, so it could contain anywhere from one up to around 30 "type" values. Splunk is parsing the JSON just fine, so these fields can be referenced as "message_info.message_set{}.type" in searches. I'd like to set up an inputlookup that maps these numerical values to more descriptive text. Is there a way to apply an inputlookup across an entire list of arbitrary size like this, or would I need to explicitly add an inputlookup definition for each individual index in the list? I'd ultimately like to add these as LOOKUP settings in the sourcetype for this data so that they're automatically applied for all searches. ... View more
Labels

Re: Timestamp confusion in JSON data loaded via a ...

by in Getting Data In
‎10-13-2023 08:45 AM
‎10-13-2023 08:45 AM
As a followup, I tried using the following timestamp settings instead. This regex matches on the JSON up to the record.time.timestamp field, and in Settings -> Add Data it also correctly sets the _time field for all my test data: TIME_PREFIX = \"time\":\s*{.*\"timestamp\":\s TIME_FORMAT = %s.%6N This also fails to properly parse the data when ingested through the Universal Forwarder ... View more

Timestamp confusion in JSON data loaded via a Univ...

by in Getting Data In
‎10-13-2023 07:36 AM
‎10-13-2023 07:36 AM
We are using Splunk Cloud 9.0.2303.201 and have version 9.0.4 of the Splunk Universal Forwarder installed on a RHEL 7.9 server. The UF is configured to monitor a log file that outputs JSON in this format:   {"text": "Ending run - duration 0:00:00.249782\n", "record": {"elapsed": {"repr": "0:00:00.264696", "seconds": 0.264696}, "exception": null, "extra": {"run_id": "b20xlqbi", "action": "status"}, "file": {"name": "alb-handler.py", "path": "scripts/alb-handler.py"}, "function": "exit_handler", "level": {"icon": "", "name": "INFO", "no": 20}, "line": 79, "message": "Ending run - duration 0:00:00.249782", "module": "alb-handler", "name": "__main__", "process": {"id": 28342, "name": "MainProcess"}, "thread": {"id": 140068303431488, "name": "MainThread"}, "time": {"repr": "2023-10-13 10:09:54.452713-04:00", "timestamp": 1697206194.452713}}}   Long story short, it seems that Splunk is getting confused by the multiple fields in the JSON that look like timestamps. The timestamp that should be used is the very last field in the JSON. I first set up a custom sourcetype that's a clone of the _json sourcetype by manually inputting some of these records via Settings -> Add Data.  Using that tool I was able to get Splunk to recognize the correct timestamp via the following settings:   TIMESTAMP_FIELDS = record.time.timestamp TIME_FORMAT = %s.%6N     When I load the above record by hand via Settings -> Add Data and use my custom sourcetype with the above fields then Splunk shows the _time field is being set properly,  so in this case it's 10/13/23 10:09:54.452 AM. The exact same record, when loaded through the Universal Forwarder, appears to be ignoring the TIMESTAMP_FIELDS parameter. It ends up with a date/time of 10/13/23 12:00:00.249 AM, which indicates that it's trying to extract the date/time from the "text" field at the very beginning of the JSON (the string "duration 0:00:00.249782"). The inputs.conf on the Universal Forwarder is quite simple:   [monitor:///app/appman/logs/combined_log.json] sourcetype = python-loguru index = test disabled = 0     Why is the date/time parsing working properly when I manually load these logs via the UI but not when being imported via the Universal Forwarder? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
3 weeks ago
Karma from
View All
Karma given to
View All