×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
newrose
Explorer
Member since: ‎05-13-2020
‎05-17-2023
Community Statistics
Posts 7
Solutions 1
Karma Given 12
Karma Received 1
Member Since ‎05-13-2020
Activity Feed
View All

Re: Why am I receiving ModuleNotFoundError with cu...

by in Splunk Search
‎05-17-2023 01:57 PM
‎05-17-2023 01:57 PM
I appreciate your help. I didn't provide all the detais about the script, and actually was missing another file inside the bin folder. I'll be using a custom app to keep the search app folder clean. ... View more

Re: Why am I receiving ModuleNotFoundError with cu...

by in Splunk Search
‎05-17-2023 01:53 PM
1 Karma
‎05-17-2023 01:53 PM
1 Karma
That was my bad. The import is actually calling another file, the gib_detect_train.py, and was required inside the bin folder as well. And I will be following the @richgalloway advice of storing the files in a custom app. ... View more

Re: Why am I receiving ModuleNotFoundError with cu...

by in Splunk Search
‎05-17-2023 01:30 PM
‎05-17-2023 01:30 PM
I have this same .py file both in my home directory and inside /opt/splunk/etc/apps/search/bin. Should I create a lib folder inside the search app to store the .py file? Shouldn't the binaries be stored inside a bin folder? ... View more

Why am I receiving ModuleNotFoundError with custom...

by in Splunk Search
‎05-17-2023 12:32 PM
‎05-17-2023 12:32 PM
I'm trying to use a Python script with a custom module for a external lookup on Splunk. When running /opt/splunk/bin/splunk cmd python /opt/splunk/etc/apps/search/bin/gib_detect.py to test the script I get the following error:   Traceback (most recent call last): File "/opt/splunk/etc/apps/search/bin/gib_detect.py", line 18, in <module> import gib_detect_train ModuleNotFoundError: No module named 'gib_detect_train'   But when running the same script outside Splunk folders with /opt/splunk/bin/splunk cmd python /home/myuser/gib_detect.py It works as intended. What I am doing wrong? ... View more
Labels

Re: Search not returning results

by in Splunk Search
‎04-07-2022 03:32 PM
‎04-07-2022 03:32 PM
If I correctly understood your logic, it isn't exactly how Splunk is interpreting your query, although the selected events will probably be the same. Your base search, index=* host="storelog*" "store license for " will extract all events which have the "store license for " string, including the single whitespace. Then it will run the rex over all the selected commands, and the regex will try the match starting from the beginning of the event, not from where you stopped from the previous command. To overcome the newline issue, check if it is possible given your dataset to run something like this: index=* host="storelog*" "store license for Store 123456" | rex field=_raw "\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d{3}\s(?P<errortext>.*)path" | stats count by errortext  The "Store 123456" was moved to the main search, and the regex will try to match starting from the timestamp. Also you should probably look over this data input parameters, as the raw events doesn't look to have the right boundaries from what you showed here. ... View more

Re: Search not returning results

by in Splunk Search
‎04-07-2022 01:59 PM
‎04-07-2022 01:59 PM
The regex will not work considering the sample events you provided. If the event starts with the timestamp and is single lined maybe you should try this regex: | rex field=_raw "\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d{3}\s(?P<errortext>.*)path"   ... View more

Re: Search not returning results

by in Splunk Search
‎04-07-2022 01:06 PM
‎04-07-2022 01:06 PM
Is the  errortext  field created by the rex command being populated correctly? One possible explanation could be that the regex is not matching the text in the events. You can execute the search again without the stats command and see if the  errortext  field is present for the desired events. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎05-17-2023 06:18 PM
Karma from
View All
Karma given to