Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About kisfoldik
kisfoldik
Explorer
Member since:
06-28-2017
06-05-2020
Community Statistics
| Posts | 9 |
| Solutions | 1 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 06-28-2017 |
Activity Feed
- Karma Re: Hi! I would like to create a field extraction of a multi-valued field. for javiergn. 06-05-2020 12:48 AM
- Posted Re: Connection time delta of a replication session, filter source and destination by connection id on Splunk Search. 07-05-2017 02:56 AM
- Posted Connection time delta of a replication session, filter source and destination by connection id on Splunk Search. 07-04-2017 01:30 AM
- Tagged Connection time delta of a replication session, filter source and destination by connection id on Splunk Search. 07-04-2017 01:30 AM
- Posted Re: Hi! I would like to create a field extraction of a multi-valued field. on Splunk Search. 06-30-2017 06:24 AM
- Posted Re: Hi! I would like to create a field extraction of a multi-valued field. on Splunk Search. 06-30-2017 06:09 AM
- Posted Re: Hi! I would like to create a field extraction of a multi-valued field. on Splunk Search. 06-29-2017 02:12 AM
- Posted Re: Hi! I would like to create a field extraction of a multi-valued field. on Splunk Search. 06-29-2017 01:30 AM
- Posted Re: Hi! I would like to create a field extraction of a multi-valued field. on Splunk Search. 06-28-2017 08:56 AM
- Posted Re: Hi! I would like to create a field extraction of a multi-valued field. on Splunk Search. 06-28-2017 08:22 AM
- Posted Hi! I would like to create a field extraction of a multi-valued field. on Splunk Search. 06-28-2017 04:46 AM
- Tagged Hi! I would like to create a field extraction of a multi-valued field. on Splunk Search. 06-28-2017 04:46 AM
- Tagged Hi! I would like to create a field extraction of a multi-valued field. on Splunk Search. 06-28-2017 04:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
07-05-2017
02:56 AM
index=log-3155-prod* eventtype=fwdldap-all-prod-hosts sourcetype="ldap-infra:access" laas_appId="ldap-infra/prod/ldap_FWD_PROD"
| eval timeFromBIND=if(match(_raw,".BIND."),_time,NULL)
| eventstats first(timeFromBIND) as timeFromBIND by conn
| eval diff=_time-timeFromBIND
| rex field=_raw "from (?.) to (?.)"
| stats first(_time) as connTime first(timeFromBIND) as timeFromBIND first(diff) as diff by source destination conn
| fields - diff - conn - timeFromBIND | rename connTime to connTime_in_sec | sort - connTime_in_sec
--------the source-destination is fine with this command, but doesn't give the time I need plus the format is weird.. ..any idea?
... View more
07-04-2017
01:30 AM
Hi! I would like to create a chart for connection time delta of a replication session, filter source and destination by connection id.
The basic search is :
index=log-3155-prod* eventtype=fwdldap-all-prod-hosts sourcetype="ldap-infra:access" laas_appId="ldap-infra/prod/ldap_FWD_PROD" "cn=replication manager"
One example connection is "conn=478597"
[04/Jul/2017:04:00:03 -0400] conn=478597 op=-1 msgId=-1 - closed.
[04/Jul/2017:04:00:03 -0400] conn=478597 op=8 msgId=-1 - closing from 10.99.67.108:57901 - U1 - Connection closed by unbind client -
[04/Jul/2017:04:00:03 -0400] conn=478597 op=8 msgId=9 - UNBIND
[04/Jul/2017:03:55:02 -0400] conn=478597 op=7 msgId=8 - RESULT err=0 tag=120 nentries=0 etime=0.001000
[04/Jul/2017:03:55:02 -0400] conn=478597 op=7 msgId=8 - EXT oid="1.3.6.1.4.1.42.2.27.9.6.6"
[04/Jul/2017:03:55:02 -0400] conn=478597 op=6 msgId=7 - RESULT err=0 tag=120 nentries=0 etime=0.001000
[04/Jul/2017:03:55:02 -0400] conn=478597 op=6 msgId=7 - EXT oid="1.3.6.1.4.1.42.2.27.9.6.1"
[04/Jul/2017:03:54:04 -0400] conn=478597 op=5 msgId=6 - RESULT err=0 tag=120 nentries=0 etime=0.000000
[04/Jul/2017:03:54:04 -0400] conn=478597 op=5 msgId=6 - EXT oid="1.3.6.1.4.1.42.2.27.9.6.6"
[04/Jul/2017:03:54:04 -0400] conn=478597 op=4 msgId=5 - RESULT err=0 tag=120 nentries=0 etime=0.000000
[04/Jul/2017:03:54:04 -0400] conn=478597 op=4 msgId=5 - EXT oid="1.3.6.1.4.1.42.2.27.9.6.1"
[04/Jul/2017:03:50:57 -0400] conn=478597 op=3 msgId=4 - RESULT err=0 tag=120 nentries=0 etime=0.001000
[04/Jul/2017:03:50:57 -0400] conn=478597 op=3 msgId=4 - EXT oid="1.3.6.1.4.1.42.2.27.9.6.6"
[04/Jul/2017:03:50:57 -0400] conn=478597 op=2 msgId=3 - RESULT err=0 tag=120 nentries=0 etime=0.001000
[04/Jul/2017:03:50:57 -0400] conn=478597 op=2 msgId=3 - EXT oid="1.3.6.1.4.1.42.2.27.9.6.1"
[04/Jul/2017:03:50:57 -0400] conn=478597 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0.001000
[04/Jul/2017:03:50:57 -0400] conn=478597 op=1 msgId=2 - SRCH base="" scope=0 filter="(objectclass=*)" attrs="supportedcontrol supportedextension moddnenabledsuffixes"
[04/Jul/2017:03:50:57 -0400] conn=478597 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.001000 dn="cn=replication manager,cn=replication,cn=config"
[04/Jul/2017:03:50:57 -0400] conn=478597 op=0 msgId=1 - BIND dn="cn=replication manager,cn=replication,cn=config" method=128 version=3
[04/Jul/2017:03:50:57 -0400] conn=478597 op=-1 msgId=-1 - fd=78 slot=78 LDAP connection from 10.99.67.108:57901 to 10.98.68.160
expected output.
Source ----------------------destination---------------connection_time
10.99.67.108:57901------10.98.68.160---------------9.46 s
Your help is really appreciated!
... View more
- Tags:
- delta
06-30-2017
06:24 AM
Bull's eye! Great! Thanks!
... View more
06-30-2017
06:09 AM
This works great with that static data you have put after the | eval raw = .... but is it possible to use the data which is filtered out from logs with the / index=log-3155-prod* eventtype=fwdldap-all-prod-hosts sourcetype="ldap-infra:access" laas_appId="ldap-infra/prod/ldap_FWD_PROD" "SRCH base=" /-command?
Also goes to the hosts..hosts is recognized as interesting filed..so I also need it not as static data given by me. Your answer is really appreciated! Thank you very much in advance!
... View more
06-29-2017
02:12 AM
expected output with chart command
cn uid mailaddress sn office
host1 564 444 56 77 2222
host2 57 565 11 676 44
host3 569 66 45 565 33
... View more
06-29-2017
01:30 AM
..here is another example:
---search command:
index=log-3155-prod* eventtype=fwdldap-all-prod-hosts sourcetype="ldap-infra:access" laas_appId="ldap-infra/prod/ldap_FWD_PROD" "SRCH base="
---result:
[29/Jun/2017:03:28:37 -0400] conn=16035519 op=32155 msgId=32156 - SRCH base="msfwid=1281620,ou=people,o=company" scope=0 filter="(objectclass=)" attrs=ALL
[29/Jun/2017:03:28:37 -0400] conn=16047221 op=54 msgId=55 - SRCH base="msfwid=785323,ou=people,o=company" scope=2 filter="(objectclass=msperson)" attrs="personaltitle givenname msmiddleinitial sn cn mail telephonenumber employeenumber uid msfwid businesscategory departmentnumber title building floor"
[29/Jun/2017:03:28:37 -0400] conn=16035519 op=32154 msgId=32155 - SRCH base="msfwid=1487082,ou=people,o=company" scope=0 filter="(objectclass=)" attrs=ALL
[29/Jun/2017:03:28:37 -0400] conn=16047221 op=53 msgId=54 - SRCH base="msfwid=1260584,ou=people,o=company" scope=2 filter="(objectclass=msperson)" attrs="personaltitle givenname msmiddleinitial sn cn mail telephonenumber employeenumber uid msfwid businesscategory departmentnumber title building floor"
[29/Jun/2017:03:28:37 -0400] conn=16047226 op=102 msgId=55603 - SRCH base="msfwid=1421236,ou=people,o=company" scope=2 filter="(objectclass=msperson)" attrs="personaltitle givenname msmiddleinitial sn cn mail telephonenumber employeenumber uid msfwid businesscategory departmentnumber title building floor"
----field extraction:
(?=[^a]*(?:attrs=|a.*attrs=))^(?:[^"\n]*"){5}(?P<"attrib_extraction">[^"]+)
"attrib_extraction" -needed to added in this way even if inserted as code example...so please ignore the " " here.
Thanks
... View more
06-28-2017
08:56 AM
Thank you! I have tried all the versions but in the end I got the attrs truncated.. 😞
I will try to be more specific..this is the filed extrcation..it works:
(?=[^a](?:attrs=|a.*attrs=))^(?:[^"\n]"){5}(?P[^"]+)
"search commad"..."SRCH base=" | chart count by attrib_extraction ---gives the same without the commands you have posted.:
attrib_extraction count
* 69994
* aci 120
* modifytimestamp 312
1.1 76545
1.1 uid cn objectclass 3
assistant l cn mail maildrop personaltitle secretary title uid workertype 24
attributetypes objectclasses ditcontentrules 90
...so the extracted character line is handled as one..what I would need, is to count every attribute separately. If the user / program does a search for 20 attribute than after the atrrs="
20 attribute will be listed. But it might be a * if they want to have all attribute of the object(s). I hope that was more clear now. Thank you for your help! Best regards! Károly
... View more
06-28-2017
08:22 AM
Thanks, but the problem is that we have got more then 400 kind of attributes..not only this 4 what you see in the example line. It can be * as well if the LDAP search is for to get back any attribute of the object which mathches as well or it can be anything else like attrs="memberurl uniquemember objectclass uid cn" or attrs="uid cn" etc.
... View more
06-28-2017
04:46 AM
This is a typical relevant line from logs:
[28/Jun/2017:07:26:04 -0400] conn=9354 op=7 msgId=8 - SRCH base="o=company" scope=2 filter="(&(|(objectclass=mailgroup)(objectclass=person)(objectclass=alias))(!(objectclass=moderatedgroup))(mailalternateaddress=owner-john.doe@company.com))" attrs="cn uid mailaddress uniquemember"
The "attrs=" is the required text and the "cn uid mailaddress uniquemember" -attributes would need to be extracted separetly..the space is the delimiter between them. With the wizard I only able to select one of them. But I need to count them one by one .... | chart count by host,attrib_extraction
Thanks!
... View more
- Tags:
- extraction
- multivalue
