Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About michaelrosello
michaelrosello
Path Finder
Member since:
08-09-2017
07-06-2020
Community Statistics
| Posts | 60 |
| Solutions | 0 |
| Karma Given | 7 |
| Karma Received | 10 |
| Member Since | 08-09-2017 |
Activity Feed
- Got Karma for Re: How can i convert negative values to positiv. 02-03-2025 02:02 AM
- Karma Re: field value is being extracted as fieldname in regex for thomasroulet. 06-05-2020 12:50 AM
- Got Karma for Re: How can i convert negative values to positiv. 06-05-2020 12:50 AM
- Got Karma for Re: How can i convert negative values to positiv. 06-05-2020 12:50 AM
- Got Karma for Re: How can i convert negative values to positiv. 06-05-2020 12:50 AM
- Karma Re: Compute last two columns with dynamic table for nryabykh. 06-05-2020 12:49 AM
- Karma Re: Jquery datepicker in splunk for niketn. 06-05-2020 12:49 AM
- Karma Re: How to change the Y-axis label on a chart overlay? for niketn. 06-05-2020 12:49 AM
- Karma Re: How to change the Y-axis label on a chart overlay? for niketn. 06-05-2020 12:49 AM
- Karma Re: How to change the Y-axis label on a chart overlay? for niketn. 06-05-2020 12:49 AM
- Karma Re: Change Modal Value of Chart for niketn. 06-05-2020 12:49 AM
- Got Karma for customize stacked column chart order. 06-05-2020 12:49 AM
- Got Karma for mvexpand multiple fields. 06-05-2020 12:49 AM
- Got Karma for Display Duration, Start Time, End Time in chart visualization. 06-05-2020 12:49 AM
- Got Karma for Re: How to use other values if the token is undefined in a dashboard?. 06-05-2020 12:49 AM
- Posted Re: How can i convert negative values to positiv on Knowledge Management. 09-05-2019 04:53 AM
- Posted Re: Extracting XML value with <> using regex on Splunk Search. 07-23-2019 03:32 AM
- Posted Re: Extracting XML value with <> using regex on Splunk Search. 07-23-2019 12:11 AM
- Posted Extracting XML value with <> using regex on Splunk Search. 07-21-2019 11:15 PM
- Tagged Extracting XML value with <> using regex on Splunk Search. 07-21-2019 11:15 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-05-2019
04:53 AM
4 Karma
| eval mynum=abs(mynum)
... View more
07-23-2019
03:32 AM
Here is the complete event, I also update the question with my props and transforms.
https://regex101.com/r/Pr0Xag/6
... View more
07-23-2019
12:11 AM
I've tried this and It is working in regex101 but not in Splunk, I suspect because of too many steps?
... View more
07-21-2019
11:15 PM
I need to create a regex to match the fieldname for first match and fieldvalue for the second match.
Issue happens when the field value contains "<" and ">" in the value using the regex I created. example below.
<Recommendation><![CDATA[<p><ul><li>Remove all backup files, binary archives, alternate versions of files, and test files from the web document root of production servers.</li><li>Amend your deployment policy to include the removal of these file types by an administrator.</li></ul></p>]]></Recommendation>
I am currently using this regex to get the desired result. providing the regex and sample data I am dealing with. https://regex101.com/r/Pr0Xag/2
this is currently the regex I am using.
<([^>]+)>([^<]*)<\/\1>
transforms.conf
[xml-extr11]
REGEX = <([^>]+)>([^<]*)<\/\1>
FORMAT = $1::$2
MV_ADD = true
REPEAT_MATCH = true
[setnull]
REGEX = <VulnSummary>
DEST_KEY = queue
FORMAT = nullQueue
props.conf
[nexpose_appspider]
TRANSFORMS-null= setnull
BREAK_ONLY_BEFORE = <Vuln>
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TIME_PREFIX = <ScanDate>
MAX_TIMESTAMP_LOOKAHEAD = 19
TRUNCATE = 0
disabled = false
pulldown_type = true
REPORT-xmlext11 = xml-extr11
KV_MODE = none
MAX_EVENTS = 400
... View more
07-18-2019
05:10 AM
I am trying to extract xml fields using regex but I am encourtering this issue for this specific tags, It is working with other tags. I have tested my regex in regex101 and it is working properly. https://regex101.com/r/ivJjTE/1
In this example below, CrawlTraffic is being extracted properly, but CrawlTraffic value is also being extracted as a new field with "" as a value.
props.conf
[nexpose_appspider]
TRANSFORMS-null= setnull
BREAK_ONLY_BEFORE = <Vuln>
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TIME_PREFIX = <ScanDate>
MAX_TIMESTAMP_LOOKAHEAD = 19
TRUNCATE = 0
disabled = false
pulldown_type = true
REPORT-xmlext11 = xml-extr11
transforms.conf
[xml-extr11]
REGEX = <([^>]+)>([^<]*)<\/\1>
FORMAT = $1::$2
MV_ADD = true
REPEAT_MATCH = true
[setnull]
REGEX = <VulnSummary>
DEST_KEY = queue
FORMAT = nullQueue
... View more
05-16-2019
12:01 AM
I am trying to make a field extraction from xml data and but I am having a problem with special ascii characters being captures as well.
what is the best approach to exclude this characters?
This is what the data looks like and when I try to capture "Process Name" using regex below.
index=main | rex field=_raw "Process Name\:(?<process_name>.+)Permissions\W
this is the result I am getting for process_name field
\tC:\Windows\System32\svchost.exe\n\n
... View more
03-15-2019
05:18 AM
You are correct with the potential issue with the checkpoints
... View more
03-15-2019
03:42 AM
Is it possible to deploy Splunk dbconnect app through deployment server?
I am facing an issue where splunk dbconnect app is installed in one of secured server(no copy/paste option). So it is a challenge to make changes because I need to type all the queries when creating an input.
Also there is no issue in connecting Deployment server and HF were db connect is installed.
... View more
10-11-2018
06:47 PM
i have a dropdown that has some duplicate values, but I don't want to remove them.
Is there a way to remove the error "Duplicate values causing conflict" in the dropdown?
... View more
10-04-2018
01:23 AM
I have a data that comes from Splunk DB Connect in batch, this comes multiple times a day, But I only want to use latest batch.
This is what the data looks like. given this example the latest is the 10/04/18 10:19
Snapshot_date timestamp someotherfieldstocalculate
10/04/18 10/04/18 1:30
10/04/18 10/04/18 1:30
10/04/18 10/04/18 1:30
10/04/18 10/04/18 5:49
10/04/18 10/04/18 5:49
10/04/18 10/04/18 5:49
10/04/18 10/04/18 10:19
10/04/18 10/04/18 10:19
10/04/18 10/04/18 10:19
I was able to get the result using eventstats comamnd below but by using that the search runs slower than without filtering. is there other way to filter this early or without using event stats that will improve the overall search time. my normal search takes 5secs but when I add the eventstats command and filtering it takes 15seconds.
| base search
| eventstats max(time_stamp) as latest_timestamp
| where time_stamp = latest_timestamp
... View more
09-27-2018
03:21 AM
I want to use field value as column name.
... View more
09-27-2018
03:01 AM
So I have a field day_Today=Friday
Now I want to use the value of day_Today as a field in my table
| table Date value(day_Today)
the result of this should be
| table Date Friday
... View more
09-25-2018
10:16 PM
I'm on Splunk 4.0. Is there a way to export a table a pdf?
Maybe add a button to my dashboard which will download a pdf which contains my table panel?
... View more
09-18-2018
10:18 PM
I was using Custom Decorations from the Splunk Dashboard Examples.
Is there a way to implement a progress bar when I change a value in my filter, because what happens is there is no indicator that the search is still loading, It will just update the value once the search is done.
... View more
08-28-2018
06:19 AM
Hmm I tried typing it manual IN(20, 30).
weirdly enough when I search index=myindex eventtype=AIOPS_COE_REPORT I still get the same error.
But when I search for just the index. i can see an eventtpe in my interesting field with the correct eventtype value which is the AIOPS_COE_REPORT
I also tried clicking it to add it to search, then I get again the same error.
... View more
08-26-2018
08:01 AM
@kamlesh_vaghela Hi, I've updated my question with the configuration.
... View more
08-26-2018
07:24 AM
Why do I get this error when using eventtype?
This is the eventtype configuration and I also tried running that search and it works fine.
... View more
08-21-2018
09:40 PM
The reason is I'm trying to make it look like a horizontal traffic light. there would be no null value as we can always use the fillnull function.
| have provided the query, there would be three values with different fieldname
... View more
08-20-2018
04:50 AM
I'm trying to create a single column with status indicator for three different values from my table. just like the Table Icon Set in the Splunk Dashboard Example App.
Looking at this example of what output i'm trying
I have one column for rangemap with three different values
my data would look like this.
index=_internal
| stats count by sourcetype,source,host
| eval count2 = count*1.5
| eval count3=count*1.6
... View more
08-17-2018
10:00 AM
I have this data set of data coming in multiple times a day.
I want to select all the latest timestamp and the latest timestamp of second to last date.
On this example below I want to get all of data with timestamp of 2018-08-14 07:53:53.0(latest today) and 2018-08-14 07:53:53.0(latest second to last date)
Note that ingestion is not consistent and there might be days where no data will come in.
1 2018-08-10 19:58:24.0
2 2018-08-11 01:14:43.0
3 2018-08-11 03:22:09.0
4 2018-08-11 06:28:03.0
5 2018-08-11 08:01:30.0
6 2018-08-11 09:08:25.0
7 2018-08-12 03:21:44.0
8 2018-08-12 23:52:02.0
9 2018-08-14 00:39:34.0
10 2018-08-14 03:09:33.0
11 2018-08-14 06:21:39.0
12 2018-08-14 07:53:53.0
... View more
08-16-2018
03:42 AM
So our current set up is the Splunk DBConnect is installed in one of our indexers. So i put my props and transforms in the indexer instance.
I'm trying to change the source field using the data from the query, So far I have successfully done this by copying one of the raw events from splunk then tried indexing it with the sourcetype that i configured.
But I when create an input in the dbconnect and applying that sourcetype, the source is not overriden.
the props/transforms work in my local when i upload the sample data below
props
[coe]
TRANSFORMS-get_source = get_source
transforms
[get_source]
REGEX = SNPSHOT_DTTM="(?<capture1>\d+)-(?<capture2>\d+)-(?<capture3>\d+)\s(?<capture4>\d+):(?<capture5>\d+):\d+.\d",\smetric_period="(?<capture6>\w+)",\scurrent_or_prior="(?<capture7>\w+)"
DEST_KEY = MetaData:Source
FORMAT = source::coe_$6_$7_$1$2$3$4$5
sample data
2018-08-14 04:58:25.000, SNPSHOT_DTTM="2018-08-14 04:58:25.0", metric_period="lcd", current_or_prior="current", OWNRSHP_ID="10", BTLR_SETL_BRANCH_NO="0000086023", LCD_BEG_DT="2018-07-10", LCD_END_DT="2018-07-10", LCD_QTY_RAW="0.00000", LCD_QTY_SPC="0.00000", LCD_QTY_KEQ="0.00000", LCD_OFF_INV_DISC="0.00000", LCD_OFF_INV_CTM_DISC="0.00000", LCD_OFF_INV_CMA_DISC="0.00000", LCD_ON_INV_DISC="0.00000", LCD_ON_INV_CTM_DISC="0.00000", LCD_ON_INV_CMA_DISC="0.00000", RECV_FILE_NAME="INVCCE_8602320180126.CMP", RECV_TIME_STAMP="2018-03-09 10:14:17.28", RECV_BAL_FLAG="B", RECV_CMPLT_FLAG="C"
... View more
08-01-2018
06:20 PM
So far this what I came up to. I was able to add a new row but I can only add the word count and the value is not displaying.
Average :30
Count:
require([
'underscore',
'jquery',
'splunkjs/mvc',
'splunkjs/mvc/searchmanager',
'splunkjs/mvc/simplexml/ready!'
], function (_, $, mvc, SearchManager) {
// get the search manager
var search = splunkjs.mvc.Components.getInstance("line");
// get its results
var myResults = search.data("results");
var resultArray = [];
myResults.on("data", function() {
resultArray = myResults.data().rows;
});
// add info when opening tooltip (delegate event listening)
$(document).on("mouseover", "#chart g.highcharts-series-group > g.highcharts-series-hover", function(){
// get title to compare which series of the chart we're looking at
setTimeout(function(){
var title = $(".highcharts-tooltip tbody tr:nth-child(1) td:nth-child(2)").text();
// select right row
var Count = "";
for (var i = 0; i < resultArray.length; i++){
if (title == resultArray[i][0]){
Count = resultArray[i][5];
break;
}
}
// add (or change) the date shown in the tooltip
var text = '<tr class="unique"><td style="text-align: left; color: #cccccc; max-width: 663.9180019451253px;">Count</td><td style="text-align: right; color: #ffffff; max-width: 572.0819980548747px;">';
if ($("table.highcharts-tooltip > tbody").find("tr.unique").length == 0) {
$("table.highcharts-tooltip > tbody").append(text+Count+'</td></tr>');
} else {
$("table.highcharts-tooltip > tbody > tr.unique").replaceWith(text+Count+'</td></tr>');
}
// re-calculate the size of the black box behind the text
var height = $("table.highcharts-tooltip").height();
var width = $("table.highcharts-tooltip").width();
var node = $("g.highcharts-tooltip")[0];
var bbox = node.getBBox();
var w = width / bbox.width;
var h = height / bbox.height;
var scalex = w*1.15, scaley = h*1.15;
var scalestr = scalex + ',' + scaley;
var regex = /(\w+\(\d+\,\d+\))/; // one way to make sure we only add scale once
node.setAttribute('transform',regex.exec(node.getAttribute("transform"))[0]+'scale('+scalestr+')');
}, 15);
});
});
... View more
07-31-2018
05:58 PM
Thanks. I did that, but based on my testing. it works on 6.6 but not on 7.0, It seem it has to do with how the css class is being reference
... View more
07-31-2018
01:58 AM
@niketnilay I've updated my question with sample query and data in table. I also think @jeffland answer doesn't work on 7.x version
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-06-2020
08:57 AM
|
