×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
sabbas
Explorer
Member since: ‎06-03-2025
‎08-18-2025
Community Statistics
Posts 5
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎06-03-2025
Activity Feed
View All

Re: How to find highly recurring events

by in Splunk Search
‎08-18-2025 10:04 AM
‎08-18-2025 10:04 AM
So as an example, we have a log with this content Missing a resource in Resources for key <key>. Where <key> is a different value (several dozen options), the source, host, and sourcetypes are also different because we have 80+ hosts, 100+ sources, and several sourcetypes.  Logs for one particular key occur 5 million type. Another example of logs would be one that contains the content Ticket-XXXX: getAdmins and then has different hosts, sources, and sourcetypes. So we're looking for something that can get us the most frequent logs disregarding the source/host/sourcetype ... View more

How to find highly recurring events

by in Splunk Search
‎08-18-2025 08:35 AM
‎08-18-2025 08:35 AM
Hello! We use Splunk cloud platform for logging. We wanted to know how we can find highly recurring events. We have many different types of logs with some different values for the properties logged so creating a reg-ex for a search query isnt feasible. There are several types of these logs and we want to group similar logs together to get a count for which ones occur the most, and what the content of the logs look like. We tried using cluster in the search queries, but even with a low threshold of t=0.2 all the events end up with their own cluster label. Any suggestions? ... View more
Labels

Getting Ingestion data spanning 9 months

by in Splunk Search
‎08-18-2025 08:28 AM
‎08-18-2025 08:28 AM
Hi folks, We use Splunk Cloud Platform for our logging needs. We would like to know the following all for the last 9 months: 1- monthly number of ingestions 2- daily number of ingestions 3- monthly amount of ingestion in GB 4- daily amount of ingestion in GB Is there any built in way to get this information in Splunk cloud platform, or queries we can run to get the above info? Thank you! ... View more
Labels

How to apply role based filtering on Splunk Cloud ...

by in Splunk Search
‎06-04-2025 12:15 PM
‎06-04-2025 12:15 PM
Hello folks, We use Splunk cloud platform (managed by Splunk) for our logging system. We want to implement role based search filtering to mask JWT tokens and Emails in the logs for certain users. Ex.  Roles: User, RestrictedUser Both roles have access to the same index: main Users can query as normal, but if a RestrictedUser searches the logs then they should get the logs with the token and email data masked. Documentation/community posts/gemini recommended adding regex for filtering in transforms conf and updating some other conf files like so # transforms.conf [redact_jwt_searchtime] REGEX = (token=([A-Za-z0-9-]+\.[A-Za-z0-9-]+\.[A-Za-z0-9-_]+)) FORMAT = token=xxx.xxx.xxx SOURCE_KEY = _raw [redact_email_searchtime] REGEX = ([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}) FORMAT = xxx@xxx.xxx SOURCE_KEY = _raw # props.conf [*] TRANSFORMS-redact_for_search = redact_jwt_searchtime, redact_email_searchtime # authorize.conf [test_masked_data] srchFilter = search_filters = redact_for_search creating an app and uploading it on the cloud platform. Since the platform is managed by Splunk, I'm not sure if that would be sufficient or even work.   Anyone have suggestions on the best way to apply the role based search filters when on Splunk Cloud rather than on premise? ... View more
Labels

Role Based filtering to mask JWT tokens and Emails

by in Splunk Search
‎06-03-2025 07:45 AM
‎06-03-2025 07:45 AM
Hello folks, We use Splunk cloud platform for our logging system. I was trying to use the Search Filter under the Restrictions tab in Edit Role to add a filter which masks JWT tokens and emails in a search but keep running into an error with the litsearch command: unbalanced parenthesis. Regex used in the search filter: | eval _raw=replace(_raw, "token=([A-Za-z0-9-]+\.[A-Za-z0-9-]+\.[A-Za-z0-9-_]+)", "token=xxx.xxx.xxx") | eval _raw=replace(_raw, "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", "xxx@xxx.xxx") When a user with the role that has the restriction above tries to search for anything the job inspector shows that there are parenthesis around the literal search and the search filter above so it would look like this litsearch (<search terms> | eval _raw....) I tried changing the search filter to be  | rex mode=sed "s/token=([A-Za-z0-9-]+\.[A-Za-z0-9-]+\.[A-Za-z0-9-_]+)/token=xxx.xxx.xxx/g" to only replace the tokens but still run into the same issue. When previewing the filter the results work fine, but when doing an actual query with the user it will fail. Any suggestions to make the search filter simpler, or any other methods I could use for role based search filtering? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎08-18-2025 08:17 AM
Karma given to
View All