×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
castle1126
Communicator
Member since: ‎05-28-2010
‎06-05-2020
Community Statistics
Posts 53
Solutions 0
Karma Given 10
Karma Received 20
Member Since ‎05-28-2010
Activity Feed
Topics I've Started
View All

Re: Revisiting REGEX to extract domain name from a...

by in Splunk Search
2 weeks ago
1 Karma
2 weeks ago
1 Karma
I know this is a very old post but here's a simple solution via spl at search time. Just split using "." and then use mvindex to extract the components. | eval host=mvindex(split(fqdn, "."),0) | eval domain=mvindex(split(fqdn, "."),1) | eval org_type=mvindex(split(fqdn, "."),2) | eval country=mvindex(split(fqdn, "."),3) Hope someone finds this useful Cheers   ... View more

Re: Question about daisy chaining two indexers tog...

by Splunk Employee in Getting Data In
‎06-20-2011 01:16 PM
‎06-20-2011 01:16 PM
Well, you're not going to have an exact copy if you do this, and there's no easy way to get them synced back up, but you can set dropEventsOnQueueFull and maxQueueSize in outputs.conf to control how much and how long the primary indexer holds and waits for the secondary. ... View more

Re: How do I search for the = character?

by in Splunk Search
‎05-24-2011 10:22 AM
‎05-24-2011 10:22 AM
I just tried this too. No luck, nothing returned. ... View more

Re: How to build a transaction from multiple, some...

by in Splunk Search
‎09-15-2013 11:22 PM
‎09-15-2013 11:22 PM
Does the 3rd index have ip? If so, what happens when you try to build a transaction on ip and user_name? ... View more

Re: Difficult SMTP log search. Help!

by in Splunk Search
‎01-12-2011 05:54 PM
‎01-12-2011 05:54 PM
Hey gkanapathy, could you make your comment an answer so I could vote for it answering my question? ... View more

Re: SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no ce...

by Splunk Employee in Security
‎01-26-2012 02:12 PM
1 Karma
‎01-26-2012 02:12 PM
1 Karma
I would suggest a review of the procedure detailed in this tutorial to set up splunk-2-splunk communication using SSL certificates signed by a 3rd party certificate authority. The troubleshooting section might help you to pinpoint where the issue with your current configuration is. ... View more

Re: Can I add text to return value of eval/case?

by Splunk Employee in Splunk Search
‎02-11-2011 06:52 AM
2 Karma
‎02-11-2011 06:52 AM
2 Karma
You can concatenate your strings right in the case statement. Assuming your EVAL expression is correct, you could do it like this to get the address as you wish: ... | eval changed = case(NOT address="-", "Address changed to " + address, NOT city="-", city, NOT state="-", state) ... View more

Re: issue with transactions

by in Splunk Search
‎12-03-2010 06:09 PM
‎12-03-2010 06:09 PM
Thanks much! Doing the search that way worked very nicely... ... View more

Re: Custom view - pie chart not showing all data

by in Dashboards & Visualizations
‎05-30-2015 09:48 AM
‎05-30-2015 09:48 AM
Hi Type is it a name of a field in your data ? If no try to use the following search by replacing Type field by _raw field LookupQuery - Count by _raw ... View more

Re: Am I bumping into limits issue with subsearch ...

by in Splunk Search
‎12-01-2010 06:40 PM
‎12-01-2010 06:40 PM
Nick, I've tried using the search that you added to your updated answer, but still no luck. I do not get the information required. Any other ideas? ... View more

Re: Set hostname correctly for SYSLOG input coming...

by in Getting Data In
‎11-04-2010 03:44 PM
‎11-04-2010 03:44 PM
To test with I added the PROPS and TRANSFORMS to my Forwarder (not running light forwarder) and the host field did change correctly. Thanks for this information it was very helpful! ... View more

Re: Logs ingested via sinkhole are not receiving t...

by Splunk Employee in Getting Data In
‎11-02-2010 05:39 PM
‎11-02-2010 05:39 PM
Yes, unless you were to, for example, disable AUTO_HEADER for the csv sourcetype. The AUTO_HEADER behavior is designed around storing the names of the fields in a sourctype, and 'learned' is the app that came to exist around storing generated sourcetypes for other purposes. ... View more

Re: distributed search issue - duplicate licenses

by in Installation
‎10-28-2010 08:28 PM
‎10-28-2010 08:28 PM
That was it! I thought I had changed licenses prior to setting up distributed searches but didn't. Thanks! ... View more

Re: Multi line log issue

by in Getting Data In
‎10-26-2010 03:14 PM
‎10-26-2010 03:14 PM
Hey SoutheringtonP, I changed the client from running LightForwarder to Forwarder. Your change to the props.conf worked perfect! Thanks for the insight!! ... View more

Re: Monitoring files within the C:\Program Files (...

by in Getting Data In
‎10-25-2010 03:27 PM
‎10-25-2010 03:27 PM
Please accept the answer that helped you out, so this question can be closed out. Thanks ... View more

Re: Error moving warm buckets to new server

by Splunk Employee in Deployment Architecture
‎11-17-2010 07:04 AM
1 Karma
‎11-17-2010 07:04 AM
1 Karma
I believe only the warm and cold dbs need to have unique ids. ... View more

Re: Search for percent symbol in log entries

by in Splunk Search
‎09-14-2010 06:03 PM
‎09-14-2010 06:03 PM
Thanks! This worked great! ... View more

Re: GeoIP app not working correctly

by in Splunk Search
‎08-25-2010 09:46 PM
‎08-25-2010 09:46 PM
hi @castle1126 - instead of adding a new answer (like you'd do on a traditional forum), on Splunk Answers you'll want to add a comment on the correct answer and "accept" it by clicking the checkmark. Thanks! ... View more

Re: Trying to extract field, from a CSV extracted ...

by Splunk Employee in Splunk Search
‎07-28-2010 04:23 AM
1 Karma
‎07-28-2010 04:23 AM
1 Karma
I had a similar case just today. Try the following props.conf: [weblogs] KV_MODE = none REPORT-extracts = csv_extract protocol_extract Let me know how it goes, .gz ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:02 AM
Karma from
Karma given to