Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About tay
tay
Explorer
Member since:
03-25-2024
09-04-2024
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 03-25-2024 |
Activity Feed
- Posted Re: JSON parsing issue and bad timestamp recognition on Splunk Enterprise. 09-02-2024 11:40 PM
- Posted Re: JSON parsing issue and bad timestamp recognition on Splunk Enterprise. 09-02-2024 02:37 AM
- Posted Re: JSON parsing issue and bad timestamp recognition on Splunk Enterprise. 09-01-2024 11:08 PM
- Posted Re: JSON parsing issue and bad timestamp recognition on Splunk Enterprise. 08-29-2024 11:38 PM
- Posted Re: JSON parsing issue and bad timestamp recognition on Splunk Enterprise. 08-29-2024 03:56 AM
- Posted JSON parsing issue and bad timestamp recognition on Splunk Enterprise. 08-29-2024 03:01 AM
- Posted Re: retrieve indexes from splunk.log on Getting Data In. 03-26-2024 01:07 AM
- Karma Re: retrieve indexes from splunk.log for richgalloway. 03-26-2024 01:05 AM
- Posted Re: retrieve indexes from splunk.log on Getting Data In. 03-25-2024 07:16 AM
- Posted Re: retrieve indexes from splunk.log on Getting Data In. 03-25-2024 06:52 AM
- Posted retrieve indexes from splunk.log on Getting Data In. 03-25-2024 06:07 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
09-02-2024
11:40 PM
Find the solution, host work as an HF. As my data is cooked once so it takes the parsing configuration of this HF, i need to create an HF seperately for this kind of host
... View more
09-02-2024
02:37 AM
Thank you so much for your anwser. It's pretty clear 😀 I'm going to change my conf now.
... View more
09-01-2024
11:08 PM
Hi PickleRick, If I understand correctly, I either do all the parsing on the UF, or I remove everything from the UF and move the parsing to the indexer (IDX)?
... View more
08-29-2024
11:38 PM
Hi, this error is normal the script catch errors. All values are good. The thing is, when i ingest these logs, and I set TIME_PREFIX, I have 2 values for timestamp just for one log not the others whereas they have the same JSON format ...
... View more
08-29-2024
03:56 AM
event without issue " btoolTag = btool_validate_strptime" [
{
"bad_strptime": "%d.%m.%Y %H:%M:%S,%3",
"conf_file": "props.conf",
"stanza": "lb:logs",
"attribute": "TIME_FORMAT",
"btoolTag": "btool_validate_strptime",
"timestamp": "2024-08-29T06:00:04",
"host": "blabla_hostname"
},
{
"bad_strptime": "%y-%m-%d %H:%M:%S%",
"conf_file": "props.conf",
"stanza": "iislogs",
"attribute": "TIME_FORMAT",
"btoolTag": "btool_validate_strptime",
"timestamp": "2024-08-29T06:00:04",
"host": "blabla_hostname"
}
] affected event " btoolTag = btool_validate_regex" [
{
"bad_regex": "(?i)id_618_(?<eventfield_1>\\\\w*).*i_Media=MEDIA_(?<eventfield_2>\\\\w*).*i_Dnbits=(?<eventfield_3\\\\w*).*cs_PERString=(?<eventfield_4>\\\\w*)",
"conf_file": "props.conf",
"stanza": "fansfms:aaio",
"attribute": "EXTRACT-AoIP_message1",
"reason": "syntax error in subpattern name (missing terminator?)",
"btoolTag": "btool_validate_regex",
"timestamp": "2024-08-29T09:47:46",
"host": "blabla_hostname"
},
{
"bad_regex": "([\\i\\\\fr\\n]+---splunk-admon-end-of-event---\\r\\n[\\r\\n]*)",
"conf_file": "props.conf",
"stanza": "source::(....(config|conf|cfg|inii|cfg|emacs|ini|license|lng|plist|presets|properties|props|vim|wsdl))",
"attribute": "LINE_BREAKER",
"reason": "unrecognized character follows \\",
"btoolTag": "btool_validate_regex",
"timestamp": "2024-08-29T09:47:46",
"host": "blabla_hostname"
}
]
... View more
08-29-2024
03:01 AM
Hello Splunkers, I have 7 files in JSON format ( the JSON format is the same for each files) , so i applied one parsing for all * On UF * [source::/opt/splunk/etc/apps/app_name/result/*.json]
INDEXED_EXTRACTIONS=json
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+) *On IDX* [sourcetype_name]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
TIME_PREFIX=\"timestamp\"\:\s\"
MAX_TIMESTAMP_LOOKAHEAD=19
TIME_FORMAT=%Y-%m-%dT%H:%M:%S
TRUNCATE=999999 *on Search Head* [sourcetype_name]
KV_MODE=none Parsing works for all files except one Here is an excerpt, timestamp with none value Can you help me on this ?
... View more
Labels
- Labels:
-
configuration
-
troubleshooting
03-25-2024
07:16 AM
so if I do a "join" with your query, the correct index will be associated with the sourcetype?
... View more
03-25-2024
06:52 AM
This is precisely my problem, I have to start from this command and therefore retrieve the index elsewhere... but then what happens if the indexes have sourcetype names in common?
... View more
03-25-2024
06:07 AM
Hello splunk community, I have this query but I would also like to retrieve the index to which the sourcetype belongs
index=_internal splunk_server=* source=*splunkd.log* sourcetype=splunkd
(component=AggregatorMiningProcessor OR component=LineBreakingProcessor OR component=DateParserVerbose OR component=MetricSchemaProcessor OR component=MetricsProcessor) (log_level=WARN OR log_level=ERROR OR log_level=FATAL)
| rex field=event_message "\d*\|(?<st>[\w\d:-]*)\|\d*"
| eval data_sourcetype=coalesce(data_sourcetype, st)
| rename data_sourcetype as sourcetype
| table sourcetype event_message component thread_name _time _raw
| stats first(event_message) as event_message by sourcetype component
any ideas ? thx in advance
... View more
Labels
- Labels:
-
index
-
sourcetype
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-04-2024
03:01 AM
|
