Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About praddasg
praddasg
Path Finder
Member since:
02-10-2020
03-03-2021
Community Statistics
| Posts | 45 |
| Solutions | 0 |
| Karma Given | 13 |
| Karma Received | 0 |
| Member Since | 02-10-2020 |
Activity Feed
- Karma Re: Regex for richgalloway. 03-03-2021 10:12 AM
- Posted Re: Regex on Splunk Enterprise. 03-03-2021 08:11 AM
- Posted Re: Regex on Splunk Enterprise. 03-03-2021 08:06 AM
- Karma Re: Regex for richgalloway. 03-03-2021 07:53 AM
- Karma Re: Regex for richgalloway. 03-03-2021 07:45 AM
- Posted Re: Regex on Splunk Enterprise. 03-03-2021 06:47 AM
- Posted Regex on Splunk Enterprise. 03-02-2021 03:43 PM
- Karma Re: How to calculate percentage of data which has two different values between these two values for manjunathmeti. 06-05-2020 12:51 AM
- Karma Re: How to calculate percentage of data which has two different values between these two values for manjunathmeti. 06-05-2020 12:51 AM
- Karma Re: Trying to remove certain strings in a aggregated operation for jpolvino. 06-05-2020 12:51 AM
- Karma Re: Why using regex to remove a particular field is not working? for vnravikumar. 06-05-2020 12:51 AM
- Karma Re: Why using regex to remove a particular field is not working? for mydog8it. 06-05-2020 12:51 AM
- Karma Re: Schedule alert with different cron condition for manjunathmeti. 06-05-2020 12:51 AM
- Karma Re: Alert not getting triggered with cron schedule for manjunathmeti. 06-05-2020 12:51 AM
- Karma Re: Alert not getting triggered with cron schedule for skoelpin. 06-05-2020 12:51 AM
- Karma Re: Is it possible to configure more than 1 cron for one alert? for woodcock. 06-05-2020 12:51 AM
- Posted Re: Raw data only parsing the first instance on Splunk Search. 03-30-2020 06:34 PM
- Posted Re: Raw data only parsing the first instance on Splunk Search. 03-28-2020 05:50 PM
- Posted Re: Raw data only parsing the first instance on Splunk Search. 03-28-2020 04:16 PM
- Posted Re: Raw data only parsing the first instance on Splunk Search. 03-28-2020 07:22 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-03-2021
08:11 AM
oh one more thing, the content between "=" and "request" could be any number of character or number and can have multiple spaces as well
... View more
03-03-2021
08:06 AM
@richgalloway the text trying to match here is anything after "=", until "request" so the complete text here is message=abc ef x request-id
... View more
03-03-2021
06:47 AM
Hello @richgalloway Thank you for taking the time and explaining. I really appreciate the time you vested in explaining this. Interestingly this one works | rex field=_raw message="(?<message>.*).request" So does the | rex field=_raw "message="(?<message>.*).request"" but not the "message=\\\"(?<message>.*).request\\\"" when I say work, I mean it is giving the desired result and by not working I mean not giving the desired result. Although in none of the cases there wasn't any syntax error. The one with the escaped quotation mark only gives the result until before the spaces i.e. if it is "message=abc efg request-id", it only prints "abc". Does this have anything to do with the Splunk version? 2. Regarding The sequence .* ("dot-star") means "everything from here on" - I am assuming this regex and nothing to do with Splunk itself. So I tried to use this concept in a sublime text editor to see what happens. I used message=Error translating Grubhub webhook order: The location for this order cannot be found request-id and tried to replace message=.* with let's say new. I found the entire thing got wiped out and replaced with new. I was expecting something like message=new. I even tried message="(?.*).request", "message="(?.*).request"", but no changes happened. Is it because Splunk uses some different regex logic than sublime text editor? 3. I am still confused about the use of quotation mark, I tried using the website which you mentioned, but it confused me more lol.
... View more
03-02-2021
03:43 PM
Hello All, I am not so familiar with regex, but looking at some old query have been able to build one for my need. I am looking for help to understand how this is working in terms of regular expression and Splunk rex syntax So the regex I am using is | rex field=_raw message="(?<message>.*).request" for the message=abc ff request-id where I am trying to extract anything after "=" until "request-id". There could be spaces as well I think "<message>" here is the field name I want to denote The wild card character "*" within the braces indicate everything after "message=" But I don't understand The use of "?". Is this part of the syntax of splunk regex or signifying anything and everything after "message=" i.e. working along with "*" What is the use of braces here? is this indicating the section I am trying to parse? The dot "." after "<message>". Is this splunk syntax? The dot "." after braces. Is this denoting/delimiting/indicating the string which is present after the parsing section The most confusing part is the use of quotes. What would be regex if it is like "message abc ff request-id" and I want to parse anything between message and request
... View more
Labels
- Labels:
-
using Splunk Enterprise
03-30-2020
06:34 PM
Hi @to4kawa
can you please explain a bit more when you say the query is wrong? What I meant above is in the complete query I am not using search instead using where
service
| where not reason like "%P%"
|table status, reason
... View more
03-28-2020
07:22 AM
Hi @richgalloway the raw data is like service: mnp, o=123, X1=[A(status=X, reason=Y), A(status=Z, reason=Y), A(status=xyz, reason=abc)]
and my <search criteria> is service
... View more
03-26-2020
08:10 PM
Hello All,
I have a data like this
X1=[A(status=X, reason=Y), A(status=Z, reason=Y), A(status=xyz, reason=abc)]
Now when I am using the query <search criteria> | table status, reason it is giving values "X" and "Y"
1. Trying to understand why it is not considering the values Z & Y and xyz & abc
2. If I have to get the result of values Z & Y and xyz & abc how to retrieve?
... View more
03-06-2020
09:30 AM
Hello @gcusello
Can you help me with the syntax if i want to use date_wday and date_hour
... View more
03-06-2020
08:45 AM
Is it possible to configure more than 1 cron for one alert? some thing like */2 9-11,11-13 * * 1-4,5-1 , i think the answer is no but wanted reconfirm. The reason i want to know is because alert condition is same but the triggering times will differ based upon day and hours
... View more
- Tags:
- splunk-enterprise
Labels
- Labels:
-
alert condition
-
cron
03-06-2020
08:43 AM
It seems the splunk integration was broken because I did not include some text in the message section. All sorted and thanks for your help
... View more
03-06-2020
07:22 AM
although I am using earliest but i still changed the time range from alert configuration to 2 mins (earlier it was 12 hours) still no luck
... View more
03-06-2020
06:03 AM
Hello All,
I have configured an alert with earliest=-24h and head 3000 and i can see from search there are lot of results are populating but I am no alerts are getting generated. Alert threshold is greater than 2 and results populating are 77
I have integrated the alert with splunk. At first I thought it might the integration is broken but I am verifying from here activity->triggered alerts but i do not see anything
https://share.getcloudapp.com/kpuYKLmd
I am not sure if this due to the cron and other settings, so here it is
https://share.getcloudapp.com/o0uD6gyX
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-03-2021
01:33 PM
|
Karma given to
