This may not be the best place to ask given my issue isn't technically Splunk related, but hopefully I can get some help from people smarter than me anyway.   (?i)(?P<scheme>(?:http|ftp|hxxp)s?(?:://|-3A__|%3A%2F%2F))?(?:%[\da-f][\da-f])?(?P<domain>(?:[\p{L}\d\-–]+(?:\.|\[\.\]))+[\p{L}]{2,})(@|%40)?(?:\b| |[[:punct:]]|$) The above regex is a template I'm working from(lol, I'm not nearly good enough to write this). While it's not too hard to read and see how it works, in a nut shell, it matches on the domain of a URL and nothing else. It does this by first looking for the optional beginning 'https://' and storing that in the 'scheme' group. Following that, it parses the following domain.  For example, the URL 'https://community.splunk.com/t5/forums/postpage/board-id/splunk-search' would match 'community.splunk.com'   My issue is that the way it looks for domains following the 'scheme' group requires it use a TLD(.com, .net, etc). Unfortunately, internal services used by my company don't use a TLD, and this causes the regex not to catch them. I need to change this so it can do this.   I want to modify the regex expression above to detect on URLs like: 'https://mysite/resources/rules/123456' wherein the domain would be 'mysite'. I've attempted to do so, but with my limited understanding of how regex really works, my attempts lead to too many matches as shown below. (?i)(?P<scheme>(?:http|ftp|hxxp)s?(?::\/\/|-3A__|%3A%2F%2F))?(?:%[\da-f][\da-f])?(?P<domain>((?:[\p{L}\d\-–]+(?:\.|\[\.\]))+)?[\p{L}]{2,})(@|%40)?(?:\b| |[[:punct:]]|$) I tried to throw in an extra non-capturing group within the named 'domain' ground and make the entire first half of the 'domain' group optional, but it leads to matches beyond the domain. Thank you to whomever may be able to assist. This doesn't feel like it should be such a difficult thing, but it's been vexing me for hours. ... View more

Hopefully I've only got a small problem this time, but I've had no luck fixing it despite hours of trying. All I'm trying to do is convert a string time field to unix using strptime. This is my time field: Ended: 0d1h55m0s   I've been trying to convert it to unix using the following command: | eval time_sec = strptime('Time', "Ended: %dd%Hh%Mm%Ss")   For clarity, this is the full search: | inputlookup metrics.csv | eval occurred=strftime(strptime(occurred,"%a, %d %b %Y %T %Z"), "%F %T %Z") | eval closed=strftime(strptime(closed,"%a, %d %b %Y %T %Z"), "%F %T %Z") | eval time_sec = strptime('Time', "Ended: %dd%Hh%Mm") | where strptime(occurred, "%F %T") >= strptime("2025-05-01 00:00:00", "%F %T") AND (isnull(closeReason) OR closeReason="Resolved") | fillnull value=Resolved closeReason   The example time I've posted above 0d1h55m0s should ideally convert to 6900(seconds). ... View more

I've been smashing my head against this issue for the past few hours. I need to check a multivalue field to see if it contains the "N/A" *and* any value that isn't "N/A". If this is true, I need to filter whatever "N/A" exist within the field and return the remaining non-N/A values as a multivalue field. ... View more

Good day,   I'm hoping someone smarter than me can help me figure this out. In the search below, I'm trying to correlate a set of events from two different indexes. IndexA has network switch connection logs, and IndexB has dhcp hostname mappings. I want to combine the information from both. IndexA has a unique SessionID value that I'm using to differeniate individual connection attempts, and I want to have my stats table summarize by this field only so I can see informatino per a connection attempt. Index B does not have this field, however. For reference, in the narrow time range I'm working within, there are only two SessionID's for the same MAC/IP address pair. Likewise, there's only a single set of unique DHCP logs. This was done deliberately by unplugging/plugging a computer into the network twice to generate two connection attempts while keeping the same DHCP information. Because the SessionID field is not in the second index, I ran the first stats command summarize my events on the two fields the two indexes did share: the MAC and IP Address. With the individual events now gone and everything summarized, I ran the second stats command to then summarize by the Session_ID. This does work except for one flaw. As stated above, there are only two Session_ID's contained within two events, each with their own _time field. Because I use the values() function of stats, both timestamps are printed as a multi-value field in each row of the stats table, and you're not able to tell which timestamp belongs to which Session_ID. I've tried different permutations of things, such as using mvexpand between the stats command to split the time_indexA(I'm not interested in charting the time for events from indexB) field back into individual events. I've also tried summarizing by time in the first stats command alongside the MAC/IP address. I attempted using eventstats as well, but it's not a command I'm very familiar with, so that didn't work either. And finally, when I do manage to make some progress with correlating each timestamp to its own event, so far, I've alwasy lost the hostname field from indexB as a byproduct. I've attached a picture of the table when run in case my explanation is subpar.   (index=indexA) OR (index=indexB) | rex field=text "AuditSessionID (?<SessionID>\w+)" | rex field=pair "session-id=(?<SessionID>\w+)" | eval time_{index}=strftime(_time,"%F %T") | eval ip_add=coalesce(IP_Address, assigned_ip), mac_add=coalesce(upper(src_mac), upper(mac)) | eval auth=case(CODE=45040, "True", true(), "False") | stats values(host_name) as hostname values(networkSwitch) as Switch values(switchPort) as Port values(auth) as Auth values(SessionID) as Session_ID values(time_indexA) as time by mac_add, ip_add | stats values(time) as time values(hostname) as hostname values(Switch) as Switch values(Port) as Port values(Auth) as Auth values(ip_add) as IP_Address values(mac_add) as MAC_Address by Session_ID   ... View more

Good day,   I'm having an issue with an email dashboard I'm attempting to create in Splunk. This dashboard filters on the various email headers fields such as sender, recipient, subject, etc. One of these fields is the attachments field. The issue is that there is *alwasy* a sender, recipient, and subject....but not all emails have attachments nor do I always want to filter by it. In the dashboard, I'm using a text field with a default value of '*' . The problem with this is shown in the extract below.     index=email source=/var/email_0.log attachments=$file$ OR sha256=$hash$       This search will find all emails with attachments, but filter emails without any. However, what if I want search an email just by its subject while ignoring attachments? I'd love to be able to change the dashboard so that filtering by these fields could be turned on and off, but I haven't found a way to do that. I thought I could use isnotnull(attachments) inside a case() or if() function to test if the field exists, but those expressions don't appear to work in the base search. Does anyone have any insight into how I could change the search(or dashboard) so that I'm not always filtering by attachments? Perhaps by changing the default values? Or perhaps the regex command? ... View more

As per the subject, I'm attempting to convert a rex expression in my search into a proper field extraction using the Field Extractor so I can drop the rex and use the field in my base search directly. The rex expression works perfectly but requires the use of max_match=0 in order to get all the results. Unless I'm mistaken(which is very posible), I don't have that option available in the Field Extractor, and because of that, the regex only picks up one value instead of multiple. I've tested the regex on regex101, and it works fine there, grabbing all the values properly. It's just in the Field Extractor that it isn't grabbing stuff. The rex expression itself does use a specific field rather than just running on _raw, but the search does work when running on _raw(I verified) The rex expression is placed below followed by the regex itself.     rex field=AttachmentDetails max_match=0 "(?:'(?<attachments>.*?)'.*?'fileHash': '(?<sha256>\w+)'}.*?\{.*?\}\}[,\}]\s?)"         (?:'(?<attachments>.*?)'.*?'fileHash': '(?<sha256>\w+)'}.*?\{.*?\}\}[,\}]\s?)         Below, I've placed some test data you can use on regex101 to verify the expression above. It captures both fields on the site, but just not in Splunk, and I can't tell why. Perhaps I've misunderstood how grouping works in regex. orci eget eros faucibus tincidunt. Duis leo. Sed fringilla mauris sit amet nibh. Donec sodales sagittis magna. Sed consequat, leo eget bibendum sodales, augue velit cursus nunc, {'NotSecrets!!.txt': 'fileHash': 'a3b9adaee5b83973e8789edd7b04b95f25412c764c8ff29d0c63abf25b772646'}, {}}, 'Secrets!!.txt': 'fileHash': 'c092a4db704b9c6f61d6a221b8f0ea5f719e7f674f66fede01a522563687d24b'}, {}}} orci eget eros faucibus tincidunt. Duis leo. Sed fringilla mauris sit amet nibh. Donec sodales sagittis magna. Sed consequat, leo eget bibendum sodales, augue velit cursus nunc, ... View more