I need to create a regex to match the fieldname for first match and fieldvalue for the second match. Issue happens when the field value contains "<" and ">" in the value using the regex I created. example below. <Recommendation><![CDATA[<p><ul><li>Remove all backup files, binary archives, alternate versions of files, and test files from the web document root of production servers.</li><li>Amend your deployment policy to include the removal of these file types by an administrator.</li></ul></p>]]></Recommendation> I am currently using this regex to get the desired result. providing the regex and sample data I am dealing with. https://regex101.com/r/Pr0Xag/2 this is currently the regex I am using. <([^>]+)>([^<]*)<\/\1> transforms.conf [xml-extr11] REGEX = <([^>]+)>([^<]*)<\/\1> FORMAT = $1::$2 MV_ADD = true REPEAT_MATCH = true [setnull] REGEX = <VulnSummary> DEST_KEY = queue FORMAT = nullQueue props.conf [nexpose_appspider] TRANSFORMS-null= setnull BREAK_ONLY_BEFORE = <Vuln> NO_BINARY_CHECK = true TIME_FORMAT = %Y-%m-%d %H:%M:%S TIME_PREFIX = <ScanDate> MAX_TIMESTAMP_LOOKAHEAD = 19 TRUNCATE = 0 disabled = false pulldown_type = true REPORT-xmlext11 = xml-extr11 KV_MODE = none MAX_EVENTS = 400 ... View more

I am trying to make a field extraction from xml data and but I am having a problem with special ascii characters being captures as well. what is the best approach to exclude this characters? This is what the data looks like and when I try to capture "Process Name" using regex below. index=main | rex field=_raw "Process Name\:(?<process_name>.+)Permissions\W this is the result I am getting for process_name field \tC:\Windows\System32\svchost.exe\n\n ... View more

Is it possible to deploy Splunk dbconnect app through deployment server? I am facing an issue where splunk dbconnect app is installed in one of secured server(no copy/paste option). So it is a challenge to make changes because I need to type all the queries when creating an input. Also there is no issue in connecting Deployment server and HF were db connect is installed. ... View more

i have a dropdown that has some duplicate values, but I don't want to remove them. Is there a way to remove the error "Duplicate values causing conflict" in the dropdown? ... View more

I have a data that comes from Splunk DB Connect in batch, this comes multiple times a day, But I only want to use latest batch. This is what the data looks like. given this example the latest is the 10/04/18 10:19 Snapshot_date timestamp someotherfieldstocalculate 10/04/18 10/04/18 1:30 10/04/18 10/04/18 1:30 10/04/18 10/04/18 1:30 10/04/18 10/04/18 5:49 10/04/18 10/04/18 5:49 10/04/18 10/04/18 5:49 10/04/18 10/04/18 10:19 10/04/18 10/04/18 10:19 10/04/18 10/04/18 10:19 I was able to get the result using eventstats comamnd below but by using that the search runs slower than without filtering. is there other way to filter this early or without using event stats that will improve the overall search time. my normal search takes 5secs but when I add the eventstats command and filtering it takes 15seconds. | base search | eventstats max(time_stamp) as latest_timestamp | where time_stamp = latest_timestamp ... View more

So I have a field day_Today=Friday Now I want to use the value of day_Today as a field in my table | table Date value(day_Today) the result of this should be | table Date Friday ... View more

I'm on Splunk 4.0. Is there a way to export a table a pdf? Maybe add a button to my dashboard which will download a pdf which contains my table panel? ... View more

I was using Custom Decorations from the Splunk Dashboard Examples. Is there a way to implement a progress bar when I change a value in my filter, because what happens is there is no indicator that the search is still loading, It will just update the value once the search is done. ... View more

Why do I get this error when using eventtype? This is the eventtype configuration and I also tried running that search and it works fine. ... View more

I'm trying to create a single column with status indicator for three different values from my table. just like the Table Icon Set in the Splunk Dashboard Example App. Looking at this example of what output i'm trying I have one column for rangemap with three different values my data would look like this. index=_internal | stats count by sourcetype,source,host | eval count2 = count*1.5 | eval count3=count*1.6 ... View more