Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About rczone
rczone
Path Finder
Member since:
11-19-2019
09-01-2021
Community Statistics
| Posts | 18 |
| Solutions | 0 |
| Karma Given | 8 |
| Karma Received | 1 |
| Member Since | 11-19-2019 |
Activity Feed
- Posted Re: How to use mvindex to break json file with multiple values on Splunk Search. 09-01-2021 11:57 AM
- Karma Re: How to use mvindex to break json file with multiple values for kamlesh_vaghela. 09-01-2021 11:56 AM
- Posted Re: How to use mvindex to break json file with multiple values on Splunk Search. 08-31-2021 06:44 AM
- Posted Re: How to use mvindex to break json file with multiple values on Splunk Search. 08-30-2021 12:49 PM
- Posted How to use mvindex to break json file with multiple values on Splunk Search. 08-30-2021 12:48 PM
- Tagged How to use mvindex to break json file with multiple values on Splunk Search. 08-30-2021 12:48 PM
- Tagged How to use mvindex to break json file with multiple values on Splunk Search. 08-30-2021 12:48 PM
- Tagged How to use mvindex to break json file with multiple values on Splunk Search. 08-30-2021 12:48 PM
- Tagged How to use mvindex to break json file with multiple values on Splunk Search. 08-30-2021 12:48 PM
- Posted Re: JSON Fields Extraction using REX on Splunk Search. 08-26-2021 07:02 PM
- Posted JSON Fields Extraction using REX on Splunk Search. 08-26-2021 02:43 PM
- Tagged JSON Fields Extraction using REX on Splunk Search. 08-26-2021 02:43 PM
- Tagged JSON Fields Extraction using REX on Splunk Search. 08-26-2021 02:43 PM
- Tagged JSON Fields Extraction using REX on Splunk Search. 08-26-2021 02:43 PM
- Tagged JSON Fields Extraction using REX on Splunk Search. 08-26-2021 02:43 PM
- Karma Re: Rex fields from a log fle for somesoni2. 06-05-2020 12:51 AM
- Karma Re: Rex fields from a log fle for manjunathmeti. 06-05-2020 12:51 AM
- Karma Re: Rex fields from a log fle for vnravikumar. 06-05-2020 12:51 AM
- Karma Re: Trim braces from a token variable-Dynamic dashboards for woodcock. 06-05-2020 12:50 AM
- Karma Re: Splunk Rex: Extracting fields of a string into a Column for mayurr98. 06-05-2020 12:50 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
09-01-2021
11:57 AM
@kamlesh_vaghela Thankyou so much it worked most of the part for me its truncating job_names with count 1 if the job_names is duplicate here is my sample json file -- XYZ job_names has 2 records i it ,with count 2 and count 1 respectively in this case XYZ is only displayed once in output but i have to get 2 rows for XYZ {"results_appcodes": [{"count": 2, "app_code": "XYZ", "group": "", "instance": "PQ1", "job_names": ["XYZ#cmd#johntest1", "XYZ#cmd#remetest"]}, {"count": 2, "app_code": "ZZZ", "group": "ABC1234", "instance": "PQ1", "job_names": ["ZZZ#ADM#cmd#pac", "ZZZ#cmd#GET_APP_CODE"]}, {"count": 1, "app_code": "XYZ", "group": "", "instance": "PQ1", "job_names": ["XYZ#cmd#mila3098"]}, {"count": 192, "app_code": "GKU", "group": "CAD45678", "instance": "PQ1", "job_names": ["ZZZ#cmd#test123"] ,["ZZZ#cmd#test890"], ["ZZZ#cmd#gola456"], ["ZZZ#cmd#test9990"] }}
... View more
08-31-2021
06:44 AM
Thankyou...but im looking to split the values individually as i need them to use further in my query...with jso spath split we cant use the values as individually
... View more
08-30-2021
12:49 PM
@ITWhisperer any inputs @kamlesh_vaghela
... View more
08-30-2021
12:48 PM
Hello All, So i have a field like below with JSON file {"results_appcodes": [{"count": 2, "app_code": "XYZ", "group": "", "instance": "PQ1", "job_names": ["XYZ#cmd#johntest1", "XYZ#cmd#remetest"]}, {"count": 2, "app_code": "ZZZ", "group": "ABC1234", "instance": "PQ1", "job_names": ["ZZZ#ADM#cmd#pac", "ZZZ#cmd#GET_APP_CODE"]}, {"count": 1, "app_code": "ZZZ", "group": "", "instance": "PQ1", "job_names": ["ZZZ#cmd#mila3098"]}, {"count": 192, "app_code": "GKU", "group": "CAD45678", "instance": "PQ1", "job_names": ["ZZZ#cmd#test123"] ,["ZZZ#cmd#test890"], ["ZZZ#cmd#gola456"], ["ZZZ#cmd#test9990"] }} Im using below query to break down the JSON file above All the fields count,app_code, group, instance are getting as expected but for job_names im unable to break down and that particular attrbute has a list of jobs underneath it Im looking for a query to get jobnames also <<mysearch>>| spath input=results|rename unique_appcodes{}.* as * | eval x = mvzip(count,mvzip(app_code,mvzip(group,mvzip(instance,mvzip(instance,job_names))))) | mvexpand x | eval x = split(x, ",")| eval job_count=mvindex(x,0), app_code = mvindex(x,1) ,group=mvindex(x,2), instance = mvindex(x,3),job_names = mvindex(x,4) |table app_code job_count group instance job_names Expected output app_code count group instance job_names
XYZ 2 PQ1 XYZ#cmd#johntest1,XYZ#cmd#remetest
ZZZ 2 ABC1234 PQ2 ZZZ#ADM#cmd#pac,ZZZ#cmd#GET_APP_CODE
... View more
Labels
- Labels:
-
field extraction
-
regex
-
rex
-
subsearch
-
table
08-26-2021
07:02 PM
@ITWhisperer Appreciate the response yes the solution is exactly im looking at...but the field values changes every time in the log so i cant hardcode them so i have to use either field name for rex or _raw to get the values of "unique_appcodes" again im using index=bwwm splunk_server_group=AWS sourcetype="app.log" | rex field=_raw (?msi)(?<json_field>\{\"unique_appcodes\"[\s\S]+\}$) So how can modify to use to |makeresults Please suggest Sample logsnippet--we will have different attributes each time so cant hardcode appcode: ABC
aws_acctid: 123456789
aws_appshortname: beem
aws_region: us-east-1b
cwmessage: 2021-08-26 17:14:10 araeapp INFO MRC: Unique AppCodes Report requested.
2021-08-26 17:14:10 araeapp INFO MRC_ARAE_I_042: (local) requesting uniq_appcodes report for KKA
2021-08-26 17:14:10 araeapp INFO {"unique_appcodes": [{"count": 2, "app_code": "XYZ", "group": "", "instance": "KKA"}, {"count": 2, "app_code": "QQQ", "group": "TSR05441", "instance": "KKA"}, {"count": 1, "app_code": "QQQ", "group": "", "instance": "KKA"}, {"count": 192, "app_code": "PPP", "group": "TSR05560", "instance": "KKA"}, {"count": 12, "app_code": "PPP", "group": "", "instance": "KKA"}, {"count": 12, "app_code": "GM9", "group": "TSR06083", "instance": "KKA"}, {"count": 139, "app_code": "ZZZ", "group": "TSR06103", "instance": "KKA"}, {"count": 6, "app_code": "GNA", "group": "TSR06085", "instance": "KKA"}, {"count": 803, "app_code": "SSS", "group": "MXXX0718", "instance": "KKA"}, {"count": 3, "app_code": "SSS", "group": "", "instance": "KKA"}]}
... View more
08-26-2021
02:43 PM
Hello, I have a requirement where i need to extract part of JSON code from splunk log and assign that field to spath for further results My regex is working in regex101 but not in splunk below is log snippet --looking to grab the JSON code starting from {"unique_appcodes to end of line..i have shown the expected output below in the post cwmessage: 2021-08-26 17:14:10 araeapp INFO MRC: Unique AppCodes Report requested.
2021-08-26 17:14:10 araeapp INFO MRC_ARAE_I_042: (local) requesting uniq_appcodes report for KKA
2021-08-26 17:14:10 araeapp INFO {"unique_appcodes": [{"count": 2, "app_code": "XYZ", "group": "", "instance": "KKA"}, {"count": 2, "app_code": "QQQ", "group": "TSR05441", "instance": "KKA"}, {"count": 1, "app_code": "QQQ", "group": "", "instance": "KKA"}, {"count": 192, "app_code": "PPP", "group": "TSR05560", "instance": "KKA"}, {"count": 12, "app_code": "PPP", "group": "", "instance": "KKA"}, {"count": 12, "app_code": "GM9", "group": "TSR06083", "instance": "KKA"}, {"count": 139, "app_code": "ZZZ", "group": "TSR06103", "instance": "KKA"}, {"count": 6, "app_code": "GNA", "group": "TSR06085", "instance": "KKA"}, {"count": 803, "app_code": "SSS", "group": "MXXX0718", "instance": "KKA"}, {"count": 3, "app_code": "SSS", "group": "", "instance": "KKA"}]} Rex using:
| rex field=_raw (?msi)(?<json_field>\{\"unique_appcodes\".+\}$) and this perfectly working in regex101.com which is extracting the below required part but when i use this in SPlunk its not giving any results im thinking its the spaces between the JSON attributes Please let me know your thoughts {"unique_appcodes": [{"count": 2, "app_code": "XYZ", "group": "", "instance": "KKA"}, {"count": 2, "app_code": "QQQ", "group": "TSR05441", "instance": "KKA"}, {"count": 1, "app_code": "QQQ", "group": "", "instance": "KKA"}, {"count": 192, "app_code": "PPP", "group": "TSR05560", "instance": "KKA"}, {"count": 12, "app_code": "PPP", "group": "", "instance": "KKA"}, {"count": 12, "app_code": "GM9", "group": "TSR06083", "instance": "KKA"}, {"count": 139, "app_code": "ZZZ", "group": "TSR06103", "instance": "KKA"}, {"count": 6, "app_code": "GNA", "group": "TSR06085", "instance": "KKA"}, {"count": 803, "app_code": "SSS", "group": "MXXX0718", "instance": "KKA"}, {"count": 3, "app_code": "SSS", "group": "", "instance": "KKA"}]}
... View more
Labels
- Labels:
-
field extraction
-
regex
-
rex
02-05-2020
10:14 AM
I have the log snippet below want to extract id and hostname into 2 different fields
for example in the expected output from below is
id host
rmk123 abc.bbb.com@hostname.com
rmc143 bdc.ab.cpm@hostname.com
[01/05/2020 13:06:21] BAUAJM_I_30031 Client [CA WAAE Auto:15515][5][abc@hostname.com:50019:12.304.593.10] [0x80c91100][02/05/2020 13:06:21.8474][0:rmk123@abc.bbb.com@hostname.com 0] API ID [34] execution started.
[01/05/2020 13:06:21] BAUAJM_I_30032 Client [CA WAAE Auto:15509][5][bdc.ab.cpm@hostname.com:12345:19.304.293.10] [0x28bbbfff][02/05/2020 13:06:21.6946][0:rmc143@bdc.ab.cpm@hostname.com 0] API ID [66] execution completed. Total time: 0.132519 seconds.
Please assist
... View more
12-23-2019
12:53 PM
Im creating link to different dashboards based on the application clicked on from the main form
So i have a token variable $sig.team$ which is basically selecting team from drop down
so now im linking to different dashboards based on the team selected,,,so i have defined a custom url with parameters like below:
/app/search/$sigteam$_Events_TEST?form.issuetype=$click.value$&form.time.earliest=$earliest$&form.time.latest=$latest$&form.sigteam=$sigteam$&form.host=*
One of the team defined has spaces : Test Team
so when you select this the $sig.team$ token value is Test Team (with space)
and the URL is resolving to
/app/search/Test%20%Team_Events_TEST?form.issuetype=$click.value$&form.time.earliest=$earliest$&form.time.latest=$latest$&form.sigteam=$sigteam$&form.host=*
But My backend Dashboard id wont accept spaces so i have created as TestTeam(with No spaces) but the URL is not resolving as it has no spaces
Is there any way that we can remove the space in the token $sig.team$ when only "Test Team" is selected in backend XML with eval and replace?
Need is we have to check if the selected team is " Test Team" then only delete the space and rename as TestTeam and assign to $sig.team$
Any feedback is welcome...Please suggest how to trim these braces in this scenario
Tried: But no luck
<eval token="sigteam">trim($supgrpemail$)</eval>
... View more
12-20-2019
12:27 PM
1 Karma
Im creating link to different dashboards based on the application clicked on from the main form
So i have a variable $sig.team$ which is basically selecting team with token prefix as ( and suffix as )as these are needed for my search queries
so now im linking to different dashboards based on the team selected,,,so i have defined a custom url with parameters like below:
/app/search/$sigteam$_Events_TESTl?form.issuetype=$click.value$&form.time.earliest=$earliest$&form.time.latest=$latest$&form.sigteam=$sigteam$&form.host=*
but when i click that the $sigteam$ resolving to (TESTAPP) instead of TESTAPP because of pre-fix and suffix like below:
/app/search/(TESTAPP)_Events_TESTl?form.issuetype=$click.value$&form.time.earliest=$earliest$&form.time.latest=$latest$&form.sigteam=$sigteam$&form.host=*
But i need the output URL as :
/app/search/TESTAPP_Events_TESTl?form.issuetype=$click.value$&form.time.earliest=$earliest$&form.time.latest=$latest$&form.sigteam=$sigteam$&form.host=*
Any feedback is welcome...Please suggest how to trim these braces in this scenario
... View more
11-20-2019
12:52 PM
index="m_data" sourcetype="uat:tables"
| fillnull value="Unknown"
| search SIG_TEAM_NAME IN ("" , "TESTAPP") ALERT_DESCRIPTION IN ("") ALERT_ID IN ("*") ALERT_SUPPORTGROUP IN ("TESTAPP")
| dedup ALERT_ID
| rex "KB_List\":\"(?[^\"]+)"
| table SIG_ID ALERT_ID SIG_ENVIRONMENT ALERT_HOSTNAME ALERT_INSTANCE KB_List ISSUE_TYPE ALERT_DESCRIPTION SIG_DESCRIPTION ALERT_STATUS ALERT_SUPPORTGROUP ALERT_FIRST_EVENT_TIME ALERT_LAST_EVENT_TIME
| sort ALERT_ID
|eval ISSUE_TYPE=case( match(ALERT_DESCRIPTION,"(FILE_test_file)") | ("For transaction Login . 3 out of 3 transactions failed%, ), "Global FIle Issue"
... View more
11-20-2019
12:36 PM
| eval ISSUE_TYPE=case( match(ALERT_DESCRIPTION,"(FILE_test_file)") | ("For transaction Login . 3 out of 3 transactions failed%, ), "Global FIle Issue"
@mayurr98
... View more
11-20-2019
11:47 AM
@mayurr98 Thankyou for the response...my idea is to shorten the query (cutdown the usage of multiple AND)
im getting what i want with multiple match functions
IS there anyway can i use those strings in a single 'like' or 'match' function?
like below:
case( match(ALERT_DESCRIPTION,"(FILE_test_file)") | ("For transaction Login . 3 out of 3 transactions failed%, ), "Global FIle Issue"
... View more
11-20-2019
11:15 AM
Hello All,
THis might be simple question but need some guidance here:
i'm using pattern match like below but not satisfied with using double match conditions
match(ALERT_DESCRIPTION,"(FILE_test_file)") AND match(ALERT_DESCRIPTION,"For transaction Login \. 3 out of 3 transactions failed") ), "Global FIle Issue"
Here ALERT_DESCRIPTION is a column in a table and Global FIle Issue is where the alert has to be named if the condition satisfied.
The description has the actual description of the error ..but im filtering the errors based on the issue so using match function here ..i want to use rex function inside match(or esle pls guide me how to check 2 strings patterns in single match function instead of multiple match functions
like this
match(ALERT_DESCRIPTION,"(rex <<magic goes here>)", "Global FIle Issue"
... View more
11-19-2019
01:04 PM
@mayurr98 | rex "KB_List\":\"(?[^\"]+)" | table KB_Listed this worked..thanks a ton
... View more
11-19-2019
12:59 PM
@mayurr98 returning none ...
| rex "KB_List\":\"(?[^\"]+)" | table KB_list
... View more
11-19-2019
12:53 PM
tried this also rex "KB_List":"(?[^\"]+)" | table KB but no use
... View more
11-19-2019
12:50 PM
Error in 'SearchParser': Mismatched ']'. @richgalloway
... View more
11-19-2019
12:06 PM
I'm a newbie to SPlunk REX trying to do some dashboards and need help in extracting fields of a particular variable
i read old articles in SPlunk old questions but couldn't figured it out..
Here in my case i want to extract only KB_List":"KB000119050,KB000119026,KB000119036" values to a column
Expected output: as a table
KB_Listed
KB000119050,KB000119026,KB000119036
i have tried:
| `rex field=_raw "KB_List\":\"(?<KB_List>[^\"])\""`
Message Snippet below:
svc_log_ERROR","Impact":4.0,"CategoryId":"94296c474f356a0009019ffd0210c738","hasKBList":"true","lastNumOfAlerts":1,"splunkURL":false,"impactedInstances":"","highestSeverity":"Minor","Source":"hsym-plyfss01","reqEmail":"true","AlertGroup":"TIBCOP","reqPage":"","KB_List":"KB000119050,KB000119026,KB000119036","reqTicket":"true","autoTicket":true,"SupportGroup":"TESTPP","Environment":"UAT","Urgency":4.0,"AssetId":"AST000000000159689","LiveSupportGroup":"TESTPP","sentPageTo":"TESTPP"},"Notification":{"":{"requestId":"532938335"}},""
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-01-2021
05:51 PM
|
Karma given to
