×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
MWAKburns
Engager
Member since: ‎05-08-2017
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 2
Member Since ‎05-08-2017
Activity Feed
View All

How to find the difference between time stamps in ...

by in Splunk Search
‎06-15-2017 01:11 PM
‎06-15-2017 01:11 PM
Hello! I am have a bunch of logs stating when a job has started and finished. I have been asked to find a way to tell how long the job took to run. I am having some trouble finding the best way to do this. Here the raw data of the logs: CONS02^NO> 18:01:09.489 18:01:10 EDTMFD FIN CONS02^NO> 18:01:09.089 18:01:10 FMMFD FIN CONS02^NO> 18:01:09.089 18:01:10 EDTMFD START CONS02^NO> 18:00:04.514 18:00:04 FTPFIL FIN CONS02^NO> 18:00:03.758 18:00:03 FTPST FIN CONS02^NO> 18:00:03.758 18:00:03 FTPFIL START CONS02^NO> 18:00:03.558 18:00:03 FTPST START CONS02^NO> 18:00:03.363 18:00:03 FMMFD START CONS02^NO> 17:55:03.753 17:55:03 FTPFIL FIN CONS02^NO> 17:55:03.186 17:55:03 FTPSTA FIN CONS02^NO> 17:55:03.186 17:55:03 FTPFIL START CONS02^NO> 17:55:02.986 17:55:02 FTPSTA START I have been stumped on how to make this work. I was thinking the goal output would be to combine the 2 matching job events (1 Job START and 1 Job FIN) and have the difference between the time stamps as a new field, but I am not sure if this is even possible. Any ideas would be helpful! ... View more

Re: How to mask sensitive data at index time?

by in Getting Data In
‎06-06-2017 10:34 AM
‎06-06-2017 10:34 AM
That worked! Thanks rjthibod! ... View more

How to mask sensitive data at index time?

by in Getting Data In
‎06-06-2017 09:44 AM
2 Karma
‎06-06-2017 09:44 AM
2 Karma
I am trying to mask PII data at index time. Here is an example of PII data I am trying to mask: RecipientSSNxxx-xx-4321RecipientSSN I am able to mask it at search time using this source= mysource | rex "(?RecipientSSN\d{3}\-\d{2}\-\d{4})" | rex field=RecipientSSN mode=sed "s/\d{3}-\d{2}/XXX-XX/g" However, I need it to masked at index time. I have tried the following in props.conf and transforms.conf (system\local for both): props.conf [nsb_message] TRANSFORMS-anonymize = ssn-anonymizer transforms.conf [ssn-anonymizer] regex = (\d{3}\-\d{2}\-)(\d{4}) FORMAT= $1XXX-XX-$2 DEST_KEY = _raw I have restarted Splunk, input new test files via index file monitors one-time, and the SSN is still not masked. Any help would be appreciated. I verified that the sourcetype does exist in the inputs.conf (system\local) as well. Any help or pointers would be greatly appreciated! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
View All