Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About gvmorley
gvmorley
Contributor
Member since:
10-03-2012
06-08-2021
Community Statistics
| Posts | 86 |
| Solutions | 16 |
| Karma Given | 5 |
| Karma Received | 41 |
| Member Since | 10-03-2012 |
Activity Feed
- Got Karma for Change & Condition within From Text Inputs. 01-28-2022 08:07 AM
- Got Karma for Re: Regex field != expression not matching. 08-30-2021 08:31 AM
- Got Karma for Fortigate TA Config Queries. 01-13-2021 07:12 AM
- Got Karma for Re: Regex field != expression not matching. 06-25-2020 10:01 AM
- Karma Re: Change & Condition within From Text Inputs for jeffland. 06-05-2020 12:48 AM
- Karma Re: Why are my multi-line events getting broken in the middle of a string? for tmarrazzo. 06-05-2020 12:48 AM
- Karma Re: rex command help for jkat54. 06-05-2020 12:48 AM
- Karma Re: Using IF with multiple conditions for woodcock. 06-05-2020 12:48 AM
- Got Karma for Re: How do I use a regular expression to extract all 22 entries of a Message field in a multiline JSON data?. 06-05-2020 12:48 AM
- Got Karma for Re: How do I use a regular expression to extract all 22 entries of a Message field in a multiline JSON data?. 06-05-2020 12:48 AM
- Got Karma for Re: How do I use a regular expression to extract all 22 entries of a Message field in a multiline JSON data?. 06-05-2020 12:48 AM
- Got Karma for Re: Is it possible to run Splunk Light with 2 indexers and a search head?. 06-05-2020 12:48 AM
- Got Karma for Re: Tried DELIMS, REPORT but cannot get neither working. 06-05-2020 12:48 AM
- Got Karma for Re: Tried DELIMS, REPORT but cannot get neither working. 06-05-2020 12:48 AM
- Got Karma for Re: How to extract particular value using regular expression?. 06-05-2020 12:48 AM
- Got Karma for Re: How to sort my table columns?. 06-05-2020 12:48 AM
- Got Karma for Re: How do I create a table from 3 different lookup table and get the data to line up?. 06-05-2020 12:48 AM
- Got Karma for Re: DateTime Convertion. 06-05-2020 12:48 AM
- Got Karma for Re: DateTime Convertion. 06-05-2020 12:48 AM
- Got Karma for Re: Unpivot multi-value fields. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 3 | |||
| 0 | |||
| 6 | |||
| 0 | |||
| 1 |
03-20-2019
08:28 PM
Thanks for the quick response. And thanks again for supporting Splunk (and Splunkers) with your TA. It's greatly appreciated. G.
... View more
03-20-2019
01:34 AM
1 Karma
This is one for the folks at Fortigate regarding their TA.
I had a couple of queries on the latest version (1.6.0), specifically around the transforms.conf
Looking at the force_sourcetype_fgt_traffic stanza:
[force_sourcetype_fgt_traffic]
DEST_KEY = MetaData:Sourcetype
REGEX = devid=\"?F[G|W|6K].+type=\"?traffic
FORMAT = sourcetype::fgt_traffic
I'm 99% sure that you can't do alternation inside a character class. So [G|W|6K] actually means any character from the set GW6K or the literal | .
Was the intention that it should actually be (?:G|W|6K) , which would be a non-capturing group of either G , W or 6K ?
Secondly, you might want to reconsider the structure of these a bit. Taking that same stanza as above, it would actually match a utm event like this:
date=2019-03-15 time=05:12:28 logver=52 timestamp=1552626748 tz="UTC+0" devname="example-dev" devid="FG600C9999999999" logid="12345" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" vd="root" appid=12345 user="" srcip=10.1.1.1 srcport=64224 srcintf="INTERNAL" dstip=8.8.8.8 dstport=80 dstintf="EXTERNAL" proto=6 service="HTTP" policyid=42 sessionid=158758809 applist="standard" appcat="Web.Others" app="HTTP.BROWSER" action="pass" hostname="test.example.com" url="/net/WebService.aspx?type=traffic&Password=fred8" msg="Web.Others: HTTP.BROWSER," apprisk="medium"
It's the first of the force transforms tried against fgt_log . So even though the event has type="utm" , it matches later in the event due to data in the url field. So the result would be that this event would be sourcetype=fgt_traffic . Now, as the remaining force transforms continue to be applied, it would probably then match the force_utm one later and then get set to that. 🙂 But it would probably be better to get it set correctly once.
One approach might be to combine your 3 force stanzas into one. So look to do this:
default/props.conf
[fgt_log]
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt
default/transforms.conf
[force_sourcetype_fgt]
SOURCE_KEY = _raw
DEST_KEY = MetaData:Sourcetype
REGEX = devid=\"?F(?:G|W|6K).+type="?(traffic|utm|event)
FORMAT = sourcetype::fgt_$1
You also get the advantage that Splunk only has to try the one stanza / regex per event, as opposed to three.
Finally, although it's a bit beyond the scope here, so may also want to look to anchor the regex and consider some backtracking control.
This proved more performant for a lot of my testing:
[force_sourcetype_fgt]
SOURCE_KEY = _raw
DEST_KEY = MetaData:Sourcetype
REGEX = ^.+?\sdevid=(*COMMIT)\"?F(?:G|W|6K).+?\stype=(*COMMIT)\"?(traffic|utm|event)
FORMAT = sourcetype::fgt_$1
The (*COMMIT) is a way of saying, "It you get this far in the match, but fail later, don't backtrack past this".
So the regex above is saying, "Going from the start of the line ( ^ ), look for any character 1 or more times (lazily). When you find devid= , then we know we're in the right place. If our F(?:G|W|6K) doesn't match, then don't go back and try to find it anywhere else. Once we got to devid= we were committed - there's no going back now..."
Basically, it's a handy way to stop the regex being tried later in the event. But I'm not regex guru, so do some testing and see how it works. It just proved useful for us in our environment.
The main one is really to see if you need to fix-up the alternation in the character class and possibly combine the stanzas in a future TA release.
... View more
06-12-2018
12:24 AM
Hi all,
Would anyone be able to elaborate on what these settings mean in user-prefs.conf
[general]
render_version_messages =
checked_new_maintenance_version =
checked_new_version =
new_maintenance_version =
new_version =
They are not documented in the online Splunk Docs: https://docs.splunk.com/Documentation/Splunk/latest/Admin/User-prefsconf
And they're not in the spec file in: $SPLUNK_HOME/etc/system/README/
I'd would be good to know if setting:
[general]
render_version_messages = 0
Would disable the display of the 'New version available' in the Messages drop-down:
But in general, it would be good to have these settings documented. 😉
... View more
- Tags:
- doc
05-11-2017
11:56 PM
HI,
Doh. I feel like a bit of an idiot... After re-downloading multiple times and getting nowhere, I cleared my Browser Cache.
Yeah, that fixed it.
Appologies to the Splunk folks!
... View more
05-05-2017
01:19 AM
One for the Splunk folks...
I was keen to check out the updates to the 6.x Dashboard Examples App today, as version 6.6.0 was released.
But it looks like there are a couple of issues... A number of the dashboard xml files are either missing, or incorrectly referenced from the Examples (contents.xml) page.
Here's a screenshot:
Taking the 'Drilldown Single Value' link as an example. The linking URL is: /simple_xml_examples/simple_drilldown_single
A quick look in the ../default/data/ui/views directory shows that this is missing. Heres a snippet:
├── simple_display_controls_example.xml
├── simple_drilldown_no_action.xml
├── simple_drilldown_to_custom_url.xml
├── simple_drilldown_to_dashboard.xml
├── simple_drilldown_to_report.xml
├── simple_drilldown_to_search.xml
├── simple_drilldown_to_tokens.xml
├── simple_environment_tokens.xml
Might be one to check out before too many people download the updated app.
Looking forward to version 6.6.1
Thanks.
... View more
04-18-2017
01:41 PM
1 Karma
Hi,
You should just be able to do a positive lookahead and an empty capture group. So:
[ofx]
SHOULD_LINEMERGE = False
LINE_BREAKER = (?m)(?=^Event logged at {[\d;]+})()
I did a quick test and it looked fairly successful:
Hopefully this gets you closer to what you're looking for.
... View more
04-18-2017
12:54 PM
Hi,
Absolutely. You simply need to specifiy the earliest_time and latest_time as their epoch values.
So for your example, you could do something like this in your times.conf :
[my_custom_time]
label = January 1st 2017
earliest_time = 1483228800
latest_time = 1483315199
If you want to work out epoch times, there are many online tools which you could use.
Or, Splunk can always help you. Here's an example search, which you could change as required:
| makeresults
| fields - _time
| eval t1="01/01/2017:00:00:00", t2="01/01/2017:23:59:59"
| eval t1_epoch=strptime(t1,"%d/%m/%Y:%H:%M:%S"), t2_epoch=strptime(t2,"%d/%m/%Y:%H:%M:%S")
I hope this helps.
... View more
04-18-2017
12:37 PM
1 Karma
Hi,
Have a go with this for your props.conf
[qpbatch]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3Q
MAX_TIMESTAMP_LOOKAHEAD = 23
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE_TIME = True
TRUNCATE = 10000
This way you're telling Splunk that the timestamp starts at the beginning of lines and the exact format to look for.
I did a quick test and got this:
See if that helps you get closer to a solution.
... View more
03-22-2017
11:39 PM
Hi,
Sorry for the delayed reply.
If you've got it working for 1 IP, then that's a great start.
My guess it that you may need to amend your search slightly with regards to where you are using the token.
Assuming you select a single IP in your dropdown (for example 1.1.1.1), your eval becomes:
| eval TrueClientIP=1.1.1.1
But if you have an 'All' label, with the value '*', then this mean your eval becomes:
| eval TrueClientIP=*
Since '*' is not an IP address, it's not going to work with the iplocation command.
Perhaps you could use the token in the initial search string. So something like:
sourcetype=iis_dominos_online_adv CookieData="\"UNKNOWN\"" RedirectTo="\"UNKNOWN\"" TrueClientIP=$PublicIP_tkn$
This would then return the single result (assuming the IP from your dropdown is unique), or return multiple results if you select 'All/*'.
See if that gets you a bit closer to what you're looking for.
... View more
03-14-2017
09:20 AM
Hi,
I'm pleased to hear that you've got a workaround.
But you should still be able to get the EXTRACTs working; there's nothing wrong with your approach.
As such, it might be worth raising a Support Case with Splunk to try and get to the bottom of what's going on.
Just incase there is a bug, or something else is happening within your setup. You don't want to come across it down the line!
... View more
03-13-2017
10:56 PM
Hi,
Looks like the logging format for these events is a bit of a pain!
I'm not 100% sure your:
(?<_KEY_1>\w+)(:\s)(?<_VAL_1>[a-zA-Z0-9\\]+)(U|E)
Is going to work for you? What if one of the values you're trying to capture (like a Username), ends in a U or and E?
I also noticed that the Keys in the 'Event Data' are different in the two event samples. You're also going to want to cater for this and the associated spaces. The default Splunk Key/Value extractor is only going to get you:
Profile=iOS
Whereas you probably want:
Profile=iOS Visual Privacy Webclip
Ultimately you may just need to keep refining your regex(s) until you cater for 100% of your data. I get that this is pretty dull...
And whilst I'd always go with the 'keep it simple' wherever possible, you may end up with something slightly more complex.
For example, I don't like it, but this below works for both of your sample data events:
| makeresults
| eval _raw="Mar 9 13:52:33 10.0.2.24 March 09 19:52:33 AirWatch AirWatch Syslog Details are as follows Event Type: ConsoleEvent: DeviceDataModfiedUser: domain\JoeUserEvent Source: ServerEvent Module: DashboardEvent Category: DeviceEvent Data: Device=User iPhone iOS 10.2.1 X0XX;DeviceData=OwnerGroup;LoginSessionID=xx1xxx0xxxxx"
| append
[| makeresults
| eval _raw="Mar 9 13:52:32 10.0.2.24 March 09 19:52:32 AirWatch AirWatch Syslog Details are as follows Event Type: DeviceEvent: RemoveProfileRequestedUser: sysadminEvent Source: ServerEvent Module: DashboardEvent Category: CommandEvent Data: Profile=iOS Visual Privacy Webcli"]
| fields - _time
| rex "Event\sType:\s(?<EventType>[^\s]+)Event:\s(?<Event>[^\s]+)User:\s(?<User>[^\s]+)Event\sSource:\s(?<EventSource>[^\s]+)Event\sModule:\s(?<EventModule>[^\s]+)Event\sCategory:\s(?<EventCategory>[^\s]+)Event\sData:\s(?<EventData>(?:(?:Device=(?<Device>[^;\r\n]+);?)|(?:DeviceData=(?<DeviceData>[^;\r\n]+);?)|(?:LoginSessionID=(?<LoginSessionID>[^;\r\n]+);?)|(?:Profile=(?<Profile>[^;\r\n]+);?))*)"
| table EventType Event User EventSource EventModule EventCategory EventData Device DeviceData LoginSessionID Profile
You can play and test with it here: https://regex101.com/r/GEpAOP/1/
I.e. You may need to expand the (?<EventData>) grouping to cater for different Keys in that section.
Good luck - I hope you find a much simpler way!
... View more
03-13-2017
09:03 PM
Great to hear that you got it working!
If you're happy that the question is resolved, just accept this as the answer, then it gets marked a 'done' when others are looking.
Happy Splunking!
... View more
03-12-2017
11:37 PM
1 Karma
Hi,
You could try using a combination of iplocation and geostats to generate a report.
Here's an example.
This first part is just to create a result to test with (you'd use the actual data from your search):
| makeresults
| fields - _time
| eval TrueClientIP="222.205.40.26"
You can then pipe the results to the iplocation command, which will lookup that latitude and longitude:
| iplocation TrueClientIP
Which returns:
Then pipe this to geostats with the aggregation function. So something like this:
| geostats count by TrueClientIP
If you then go to the Visualization tab and select the 'Cluster Map' chart, you should get something like this:
Have a go with those commands and see how you get on.
... View more
03-11-2017
06:35 PM
Hi,
One approach you could try is to rule out the 'unknown' characters problem by trying your extractions as rex commands first.
I tried this with:
| makeresults | fields - _time
| eval _raw="Mar 9 13:52:33 10.0.2.24 March 09 19:52:33 AirWatch AirWatch Syslog Details are as follows Event Type: ConsoleEvent: DeviceDataModfiedUser: domain\JoeUser Source: ServerEvent Module: DashboardEvent Category: DeviceEvent Data: Device=User iPhone iOS 10.2.1 X0XX;DeviceData=OwnerGroup;LoginSessionID=xx1xxx0xxxxx"
| rex "Device=(?P<Device>[^;]+);"
| rex "DeviceData=(?P<DeviceData>[^;]+);"
| rex "Event:\s+(?P<Event>\w+)User"
| rex "Category:\s+(?P<EventCategory>\w+)Event"
| rex "Module:\s+(?P<EventModule>\w+)Event"
| rex "Event\sType:\s+(?P<EventType>\w+)Event"
| rex "User:\s+(?P<User>[^\s]+)"
| rex "Source:\s+(?P<EventSource>\w+)Event"
A number of your regex statements were slightly off, so I've modified them. This now returns:
I'm not 100% sure it would be the cause, but I'd avoid using the 'space' character in the regex, especially when you put them in props.conf I always go with the \s just to be explicit.
For example. I've avoid this:
EXTRACT-EventType = Event Type:\s+(?P<EventType>\S+)Event
And go instead with:
EXTRACT-EventType = Event\sType:\s+(?P<EventType>\w+)Event
It should be fine, it's more just force of habit for me.
If the rex command work but then don't when you move them over to the props.conf file, you can check the config for that sourcetype with btool .
For example, if the sourcetype for your data was 'extract-test' you could run the command:
./splunk btool props list extract-test --debug
This will give you all of the props config for that sourcetype and which file the config is coming from. It would look a bit like this:
/Splunk/etc/system/local/props.conf [extract-test]
/Splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True
/Splunk/etc/system/default/props.conf AUTO_KV_JSON = true
/Splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE =
/Splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE_DATE = True
/Splunk/etc/system/default/props.conf CHARSET = UTF-8
/Splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml
/Splunk/etc/system/local/props.conf EXTRACT-Device = Device=(?P<Device>[^;]+);
/Splunk/etc/system/local/props.conf EXTRACT-DeviceData = DeviceData=(?P<DeviceData>[^;]+);
/Splunk/etc/system/local/props.conf EXTRACT-Event = Event:\s+(?P<Event>\w+)User
/Splunk/etc/system/local/props.conf EXTRACT-EventCategory = Category:\s+(?P<EventCategory>\w+)Event
/Splunk/etc/system/local/props.conf EXTRACT-EventModule = Module:\s+(?P<EventModule>\w+)Event
/Splunk/etc/system/local/props.conf EXTRACT-EventSource = Source:\s+(?P<EventSource>\w+)Event
/Splunk/etc/system/local/props.conf EXTRACT-EventType = Event\sType:\s+(?P<EventType>\w+)Event
/Splunk/etc/system/local/props.conf EXTRACT-User = User:\s+(?P<User>[^\s]+)
/Splunk/etc/system/default/props.conf HEADER_MODE =
/Splunk/etc/system/default/props.conf LEARN_MODEL = true
/Splunk/etc/system/default/props.conf LEARN_SOURCETYPE = true
/Splunk/etc/system/default/props.conf LINE_BREAKER_LOOKBEHIND = 100
/Splunk/etc/system/default/props.conf MATCH_LIMIT = 100000
/Splunk/etc/system/default/props.conf MAX_DAYS_AGO = 2000
/Splunk/etc/system/default/props.conf MAX_DAYS_HENCE = 2
/Splunk/etc/system/default/props.conf MAX_DIFF_SECS_AGO = 3600
/Splunk/etc/system/default/props.conf MAX_DIFF_SECS_HENCE = 604800
/Splunk/etc/system/default/props.conf MAX_EVENTS = 256
/Splunk/etc/system/default/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128
/Splunk/etc/system/default/props.conf MUST_BREAK_AFTER =
/Splunk/etc/system/default/props.conf MUST_NOT_BREAK_AFTER =
/Splunk/etc/system/default/props.conf MUST_NOT_BREAK_BEFORE =
/Splunk/etc/system/default/props.conf SEGMENTATION = indexing
/Splunk/etc/system/default/props.conf SEGMENTATION-all = full
/Splunk/etc/system/default/props.conf SEGMENTATION-inner = inner
/Splunk/etc/system/default/props.conf SEGMENTATION-outer = outer
/Splunk/etc/system/default/props.conf SEGMENTATION-raw = none
/Splunk/etc/system/default/props.conf SEGMENTATION-standard = standard
/Splunk/etc/system/default/props.conf SHOULD_LINEMERGE = True
/Splunk/etc/system/default/props.conf TRANSFORMS =
/Splunk/etc/system/default/props.conf TRUNCATE = 10000
/Splunk/etc/system/default/props.conf detect_trailing_nulls = false
/Splunk/etc/system/default/props.conf maxDist = 100
/Splunk/etc/system/default/props.conf priority =
/Splunk/etc/system/default/props.conf sourcetype =
Have a go with some of the tweaked regular expressions via rex first, then move them into props.conf , restart then check with btool and see where you're at.
Your approach is fine and should work, there's just going to be a small niggle tripping you up somewhere!
With the regex and props.conf above, I think I get the result you're looking for in my test:
... View more
03-10-2017
09:59 PM
Hi,
I'm not sure if I can give you the answer that you're looking for, but I might be able to point you in the direction of some places to look.
I think when posting your question, you didn't quite get all the formatting as code so it's a bit broken. No worries, we'll try to figure it out.
Some things to note:
You can't use <fieldset></fieldset> tags within the <drilldown></drilldown> Event Handler.
Check this out in the docs: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#drilldown
The <condition></condition> element works slightly differently in <drilldown></drilldown> . You can't use it with a match command.
Have a look here: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#Condition_.28drilldown.29
One strategy you could try would be to create an <input type="dropdown"></input> and populate it with a search that lists all of your HostNames
Then you could use <change></change> and <condition></condition> elements to create your Prefixhost token.
Alternatively, if you want to use the <table></table> and <drilldown></drilldown> approach, you could eval the correct Macro Name into the search.
Then when your users click on a row, you can take that Macro Name token and use it to create later searches.
Like this:
I know that this may not be exactly what you're looking for, but it might spark some ideas.
Finally, if you haven't come across it yet in your Splunk journey, check out the excellent 'Dashboard Examples App' on Splunkbase. Install it on a test system, and use it as a reference for what's possible. You can find it here: https://splunkbase.splunk.com/app/1603/
Best of luck.
Here's the code for that example, which you could paste into a new Dashboard just to see what I mean
(You can ignore the search , that was just to create some data to work with):
<dashboard>
<label>Test - Table Drilldown</label>
<row>
<panel>
<title>My Data</title>
<table>
<search>
<query>
<![CDATA[| makeresults
| fields - _time
| eval HostName=mvappend("CH1234", "/1234", "ATC1234", "L1234", "1CP", "W1234")
| mvexpand HostName
| eval Time=strftime(time(),"%H:%M:%S %d/%m/%Y"), OtherTime=strftime(time()+121,"%H:%M:%S %d/%m/%Y")
| eval Environment=case(match(HostName,"^CH.*"),"US_Macro",match(HostName,"^/\d.*|^ATC.*|^L.*|^\dCP.*|^W.*"),"AD_Macro")
| table HostName Time OtherTime Environment
]]>
</query>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">true</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="my.click.name">$click.name$</set>
<set token="my.click.value">$click.value$</set>
<set token="my.click.name2">$click.name2$</set>
<set token="my.click.value2">$click.value2$</set>
<set token="my.row.hostname">$row.HostName$</set>
<set token="my.row.time">$row.Time$</set>
<set token="my.row.othertime">$row.OtherTime$</set>
<set token="my.row.environment">$row.Environment$</set>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<html>
<div>click.name = $my.click.name$</div>
<div>click.value = $my.click.value$</div>
<div>click.name2 = $my.click.name2$</div>
<div>click.value2 = $my.click.value2$</div>
<div>row.HostName = $my.row.hostname$</div>
<div>row.Time = $my.row.time$</div>
<div>row.OtherTime = $my.row.othertime$</div>
<h3>row.Environment = $my.row.environment$</h3>
<h3>Run this search: $my.row.environment$_Process($my.row.hostname$)</h3>
</html>
</panel>
</row>
</dashboard>
... View more
03-07-2017
06:42 PM
And finally,
This might be closer to what you want, but I'm pretty sure that it won't scale (if terms of configuration overhead) if you've got a lot of single panels.
You can set an eval / case statement in each single panel search to set the 'range'.
Again, this really is just a bit of a workaround to look at a different approach; probably not ideal for what you want.
But paste it into a blank dashboard and see if it helps:
<form>
<label>Test - Single Value 2</label>
<fieldset submitButton="false">
<input type="radio" searchWhenChanged="true" token="tok_level">
<label>Pick a Level to Display</label>
<choice value="all">All</choice>
<choice value="low">Healthy</choice>
<choice value="medium">Warning</choice>
<choice value="high">High</choice>
<default>All</default>
<change>
<condition match=" $value$ == $single_1_result$ ">
<set token="show_single_1">true</set>
<unset token="show_single_2"></unset>
<unset token="show_single_3"></unset>
</condition>
<condition match=" $value$ == $single_2_result$ ">
<set token="show_single_2">true</set>
<unset token="show_single_1"></unset>
<unset token="show_single_3"></unset>
</condition>
<condition match=" $value$ == $single_3_result$ ">
<set token="show_single_3">true</set>
<unset token="show_single_1"></unset>
<unset token="show_single_2"></unset>
</condition>
<condition match=" $value$ == "all" ">
<set token="show_single_1">true</set>
<set token="show_single_2">true</set>
<set token="show_single_3">true</set>
</condition>
<condition>
<unset token="show_single_1"></unset>
<unset token="show_single_2"></unset>
<unset token="show_single_3"></unset>
</condition>
</change>
</input>
</fieldset>
<row>
<panel>
<single id="single_1" depends="$show_single_1$">
<search>
<query>
<![CDATA[| makeresults
| eval test=30
| append [| makeresults
| eval test=1
| eval _time=_time-86400]
| timechart span=1d sum(test) as my_result
| eventstats latest(my_result) as latest
| eval level=case(latest<=30,"low",latest<=70,"medium",latest>=71,"high")]]>
</query>
<sampleRatio>1</sampleRatio>
<done>
<condition match=" $result.level$ == "low"">
<set token="single_1_result">low</set>
</condition>
<condition match=" $result.level$ == "medium"">
<set token="single_1_result">medium</set>
</condition>
<condition match=" $result.level$ == "high"">
<set token="single_1_result">high</set>
</condition>
</done>
</search>
<option name="colorBy">value</option>
<option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,30,70,100]</option>
<option name="useColors">1</option>
</single>
<single id="single_2" depends="$show_single_2$">
<search>
<query>
<![CDATA[| makeresults
| eval test=70
| append [| makeresults
| eval test=1
| eval _time=_time-86400]
| timechart span=1d sum(test) as my_result
| eventstats latest(my_result) as latest
| eval level=case(latest<=30,"low",latest<=70,"medium",latest>=71,"high")]]>
</query>
<sampleRatio>1</sampleRatio>
<done>
<condition match=" $result.level$ == "low"">
<set token="single_2_result">low</set>
</condition>
<condition match=" $result.level$ == "medium"">
<set token="single_2_result">medium</set>
</condition>
<condition match=" $result.level$ == "high"">
<set token="single_2_result">high</set>
</condition>
</done>
</search>
<option name="colorBy">value</option>
<option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,30,70,100]</option>
<option name="useColors">1</option>
</single>
<single id="single_3" depends="$show_single_3$">
<search>
<query>
<![CDATA[| makeresults
| eval test=101
| append [| makeresults
| eval test=1
| eval _time=_time-86400]
| timechart span=1d sum(test) as my_result
| eventstats latest(my_result) as latest
| eval level=case(latest<=30,"low",latest<=70,"medium",latest>=71,"high")]]>
</query>
<sampleRatio>1</sampleRatio>
<done>
<condition match=" $result.level$ == "low"">
<set token="single_3_result">low</set>
</condition>
<condition match=" $result.level$ == "medium"">
<set token="single_3_result">medium</set>
</condition>
<condition match=" $result.level$ == "high"">
<set token="single_3_result">high</set>
</condition>
</done>
</search>
<option name="colorBy">value</option>
<option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,30,70,100]</option>
<option name="useColors">1</option>
</single>
</panel>
</row>
<row>
<panel>
<title>Check Token for Condition</title>
<html>
<div>Token 'tok_level': $tok_level$</div>
<hr></hr>
<div>Token 'single_1_result': $single_1_result$</div>
<div>Token 'single_2_result': $single_2_result$</div>
<div>Token 'single_3_result': $single_3_result$</div>
<hr></hr>
<div>Token 'show_single_1': $show_single_1$</div>
<div>Token 'show_single_2': $show_single_2$</div>
<div>Token 'show_single_3': $show_single_3$</div>
</html>
</panel>
</row>
</form>
... View more
03-07-2017
03:57 PM
Ah,
OK, I think I'm with you now.
So you're driving your single panel elements with timechart , so that you can get a timeline.
One option then, is to create another field in the search for these panels and use this in the conditional match, to set the panel depends token.
So something like this:
<search>
<query>| makeresults
| eval test=$tok_input$
| append [| makeresults
| eval test=1
| eval _time=_time-86400]
| timechart span=1d sum(test) as my_result
| eventstats latest(my_result) as latest</query>
<sampleRatio>1</sampleRatio>
<done>
<condition match=" $result.latest$ > 100">
<set token="show_panel">true</set>
</condition>
<condition>
<unset token="show_panel"></unset>
</condition>
</done>
</search>
Try that in the example above and see if it works for you. Then maybe adapt the logic to fit into your scenario.
... View more
03-06-2017
07:46 PM
Hi,
Rather than trying to use the range colour, could you not use the field/value which is driving the colour?
If you're search looked like this:
| makeresults
| fields - _time
| eval test=101
| stats sum(test) as my_result
You can access the value in the field my_result with $result.my_result$
In a condition block, you could use it like this to set a token for your depends panels:
<done>
<condition match=" $result.my_result$ > 100">
<set token="show_panel">true</set>
</condition>
<condition>
<unset token="show_panel"></unset>
</condition>
</done>
To see how that would look in a working example, you could paste this as source into a new Dashboard to play with:
<form>
<label>Test - Single Value</label>
<fieldset submitButton="false">
<input type="radio" token="tok_input" searchWhenChanged="true">
<label>Pick a number</label>
<choice value="10">10</choice>
<choice value="51">51</choice>
<choice value="101">101</choice>
<default>10</default>
</input>
</fieldset>
<row>
<panel>
<single>
<search>
<query>| makeresults
| fields - _time
| eval test=$tok_input$
| stats sum(test) as my_result</query>
<sampleRatio>1</sampleRatio>
<done>
<condition match=" $result.my_result$ > 100">
<set token="show_panel">true</set>
</condition>
<condition>
<unset token="show_panel"></unset>
</condition>
</done>
</search>
<option name="colorBy">value</option>
<option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,30,70,100]</option>
<option name="useColors">1</option>
</single>
</panel>
</row>
<row>
<panel>
<title>Check Token for Condition</title>
<html>
<p>Token 'show_panel': $show_panel$</p>
</html>
</panel>
</row>
<row>
<panel depends="$show_panel$">
<title>'Depends' Panel</title>
<html>
<h1>Only show me if result > 100</h1>
</html>
</panel>
</row>
</form>
I'm not sure if that's exactly what you want, but it may give you a few more ideas.
Example where value is <100 and colour is 'blue':
Example where value is >100 and colour is 'red'. The additional panel is now shown:
... View more
03-06-2017
07:10 PM
1 Karma
Hi,
To refresh some elements of the configuration, you can use the 'debug/refresh' link.
I.e. On your server go to: http://[splunk server hostname]:8000/debug/refresh
This should give you a little 'refresh' button.
Give this a go and see if it help.
... View more
03-06-2017
06:48 AM
Hi,
You could try:
| makeresults
| eval _raw="Mar 1 21:45:39 XDSauth: 1488433539 |ConnectorSession.setNextServiceName |next service name = WIN7-007"
| eval fld_key="3a4822"
| append
[| makeresults
| eval _raw="Mar 1 21:45:41 XDSauth: 1488433541 |ServiceHdlr.serviceTerminated |next service = WIN7-007"
| eval fld_key="3a4822"]
| append
[| makeresults
| eval _raw="Mar 1 21:47:05 XDSauth: 1488433625 |ServiceHdlr.serviceTerminated |next service = WIN7-007"
| eval fld_key="145c414"]
| fields - _time
| rex "^(?<orig_time>\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2})\s\w+:\s(?<epoch_time>\d+)\s\|(?<status>[^|]+)\s\|[^=]+=\s(?<user>.+)$"
| eval _time=epoch_time
| sort + _time
| eval user_key=user."-".fld_key
| dedup user_key
| sort - _time
| table user status epoch_time fld_key
| eval epoch_time=strftime(epoch_time,"%d-%m-%Y %H:%M:%S")
It will keep the earliest event where fld_key and user are the same. It's hard to tell without seeing the data, but if this is always the "ConnectorSession" event, then you should be OK.
You'll definitely need to test this against a much larger set of data, to make sure that the assumptions are correct.
... View more
03-05-2017
07:30 PM
1 Karma
Hi,
Not sure if this is exactly what you're looking for, but you could try using a transaction for this.
This first bit of code is to simulate your data:
| makeresults
| eval _raw="Mar 1 21:45:39 XDSauth: 1488433539 |ConnectorSession.setNextServiceName |next service name = WIN7-007" | eval fld_key="3a4822"
| append [|makeresults | eval _raw="Mar 1 21:45:41 XDSauth: 1488433541 |ServiceHdlr.serviceTerminated |next service = WIN7-007" | eval fld_key="3a4822"]
| append [|makeresults | eval _raw="Mar 1 21:47:05 XDSauth: 1488433625 |ServiceHdlr.serviceTerminated |next service = WIN7-007" | eval fld_key="145c414"]
| fields - _time
| rex "^(?<org_time>\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2})\s\w+:\s(?<epoch_time>\d+)\s\|(?<status>[^|]+)\s\|[^=]+=\s(?<user>.+)$"
Which give us:
Note: Your example logs and subsequent results are slightly different with regards to time. I've used the data where all of the times are different, as I suspect this is more likely to be the case.
As we're going to use transaction, we need a _time field, so just eval this with:
| eval _time=epoch_time
We'll also want to sort the data by this _time field, so that transaction is consistent with regards to start and end.
| sort - _time
Next, use a transaction where you define the startswith and endswith parameters. We also want to keep all of the fields as multi-value fields, so use mvlist=t . Finally, we're saying that there will only be 2 events in each transaction and that the user and fld_key will how we do the grouping.
| transaction mvlist=t maxevents=2 startswith=eval(status == "ConnectorSession.setNextServiceName") endswith=eval(status == "ServiceHdlr.serviceTerminated") fld_key user
We only want the transactions. I.e. we don't want that 3rd event which you were looking to get rid of. So:
| where eventcount=2
Finally, we can use stats to get the results, format the times to be a bit more readable and drop the _time field as we don't need it:
| stats first(eval(mvsort(epoch_time))) as earliest last(eval(mvsort(epoch_time))) as latest values(duration) as duration values(status) as status by _time,user,fld_key
| eval earliest=strftime(earliest,"%d-%m-%Y %H:%M:%S"), latest=strftime(latest,"%d-%m-%Y %H:%M:%S")
| fields - _time
Which should then look like this:
Again, I'm not 100% sure this is what you're looking for, but it's another approach. Just be careful with the parameters for the transaction command, to ensure that it fits with your data.
Here's the whole thing, as it may be easier to copy and paste:
| makeresults
| eval _raw="Mar 1 21:45:39 XDSauth: 1488433539 |ConnectorSession.setNextServiceName |next service name = WIN7-007"
| eval fld_key="3a4822"
| append
[| makeresults
| eval _raw="Mar 1 21:45:41 XDSauth: 1488433541 |ServiceHdlr.serviceTerminated |next service = WIN7-007"
| eval fld_key="3a4822"]
| append
[| makeresults
| eval _raw="Mar 1 21:47:05 XDSauth: 1488433625 |ServiceHdlr.serviceTerminated |next service = WIN7-007"
| eval fld_key="145c414"]
| fields - _time
| rex "^(?<org_time>\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2})\s\w+:\s(?<epoch_time>\d+)\s\|(?<status>[^|]+)\s\|[^=]+=\s(?<user>.+)$"
| eval _time=epoch_time
| sort - _time
| transaction mvlist=t maxevents=2 startswith=eval(status == "ConnectorSession.setNextServiceName") endswith=eval(status == "ServiceHdlr.serviceTerminated") fld_key user
| where eventcount=2
| stats first(eval(mvsort(epoch_time))) as earliest last(eval(mvsort(epoch_time))) as latest values(duration) as duration values(status) as status by _time,user,fld_key
| eval earliest=strftime(earliest,"%d-%m-%Y %H:%M:%S"), latest=strftime(latest,"%d-%m-%Y %H:%M:%S")
| fields - _time
... View more
03-02-2017
05:59 PM
No worries. I'm pleased that it helped. Enjoy your Splunk journey!
(And if you're happy with the answer, just mark the question as 'answered' - as it helps the rest of the community know that this one is sorted.)
... View more
03-01-2017
11:25 PM
It's not pretty, but adding this at the end of the Search should fix-up the duplicate inverse problem:
| eval Checks=mvappend(sha256(Email1.Email1_Type.Email2.Email2_Type.email_id),sha256(Email2.Email2_Type.Email1.Email1_Type.email_id))
| mvexpand Checks
| dedup Checks
| dedup Email1,Email1_Type,Email2,Email2_Type,email_id
| fields - Checks
| sort + email_id,Email1,Email1_Type,Email2,Email2_Type
But worth trying with a bigger dataset to make sure that the whole thing scales enough for you.
... View more
03-01-2017
11:12 PM
1 Karma
Hi,
I'm not sure if this is the 'best' way, as it feels somewhat overly complicated, but I think I can achieve close to what you're looking for with the following...
This first bit of code is just to simulate your data:
| makeresults
| fields - _time
| eval Sender="xxx@gmail.com", Subject="something", Date="3/1/2017", ToRecipient="xxx@hotmail.com", CcRecipient="xxx@msn.com", BccRecipient="xxx@wa.com"
| eval CcRecipient=mvappend(CcRecipient,"xxx@yahoo.com","xxx@splunk.com")
| append
[| makeresults
| fields - _time
| eval Sender="yyy@gmail.com", Subject="something else", Date="3/1/2017", ToRecipient="yyy@hotmail.com", CcRecipient="yyy@msn.com", BccRecipient="yyy@wa.com"
| eval CcRecipient=mvappend(CcRecipient,"yyy@yahoo.com","yyy@splunk.com")]
This gives 2 results like this:
Next we need some sort of unique ID for each result. You may well have this in your original data, but if not, you can just hash some (or all) fields:
| eval email_id=sha256(Sender.Subject.Date)
Then we add the 'type' to the different address, so that when we manipulate these address later, we don't lose what track of what they were:
| rex max_match=0 mode=sed field=CcRecipient "s/(.*)/\1|Cc/g"
| rex max_match=0 mode=sed field=BccRecipient "s/(.*)/\1|Bcc/g"
| rex max_match=0 mode=sed field=ToRecipient "s/(.*)/\1|To/g"
| rex max_match=0 mode=sed field=Sender "s/(.*)/\1|Sender/g"
Next, put all of the addresses together into a single field and drop the other fields that we don't need:
| eval AllEmails=mvappend(ToRecipient,CcRecipient,BccRecipient,Sender)
| fields - ToRecipient,CcRecipient,BccRecipient,Sender,Date,Subject
Now we want to create a result for each individual email address. This is where the 'email_id' field is useful, so that we have an association between the addresses of individual emails:
| mvexpand AllEmails
And we can now create a 'Type' field to represent if the address was Sender,To,Cc or Bcc. And at the same time, tidy up the original fields:
| rex field=AllEmails "^[^|]+\|(?<Email_Type>(?:To|Cc|Bcc|Sender))"
| rex field=AllEmails mode=sed "s/([^|]+).*/\1/g"
At this point, you should now have a result for every single address.
Now the fun bit. Since you want to associate some data that you've already got, with itself, we can use an appendpipe and a bit of stats to 'duplicate' the results. At the same time, we rename a number of fields to Email2 and Email2_Type:
| appendpipe
[| stats list(AllEmails) AS Email2 list(Email_Type) AS Email2_Type list(email_id) AS email_id by AllEmails
| fields - AllEmails]
Now we use a selfjoin on the email_id to match results from the first part with the second part. Importantly we need to max=0 to ensure that there is an 'everything-to-everything' result:
| selfjoin max=0 email_id
Finally we rename some of the original fields to make more sense. And we filter out the results which didn't have a join, plus a bit of sorting:
| rename AllEmails AS Email1 Email_Type AS Email1_Type
| where isnotnull(Email2) AND Email1!=Email2
| sort + email_id,Email1,Email1_Type,Email2,Email2_Type
And finally, we should have the table which you were looking for:
At this point you can drop the email_id field as it's no longer needed.
IMPORTANT: There is still one problem with this. It doesn't yet deal with the 'inverse' duplication problem.
I.e. Where you have:
Email1 Email1_Type Email2 Email2_Type
yyy@gmail.com Sender yyy@hotmail.com To
yyy@hotmail.com To yyy@gmail.com Sender
Sorry - I ran out of time for that bit, but if I get a chance, I'll see if I can figure it out later!
Hope that helps.
Below is the full search, so it's easier to copy and paste:
| makeresults
| fields - _time
| eval Sender="xxx@gmail.com", Subject="something", Date="3/1/2017", ToRecipient="xxx@hotmail.com", CcRecipient="xxx@msn.com", BccRecipient="xxx@wa.com"
| eval CcRecipient=mvappend(CcRecipient,"xxx@yahoo.com","xxx@splunk.com")
| append
[| makeresults
| fields - _time
| eval Sender="yyy@gmail.com", Subject="something else", Date="3/1/2017", ToRecipient="yyy@hotmail.com", CcRecipient="yyy@msn.com", BccRecipient="yyy@wa.com"
| eval CcRecipient=mvappend(CcRecipient,"yyy@yahoo.com","yyy@splunk.com")]
| eval email_id=sha256(Sender.Subject.Date)
| rex max_match=0 mode=sed field=CcRecipient "s/(.*)/\1|Cc/g"
| rex max_match=0 mode=sed field=BccRecipient "s/(.*)/\1|Bcc/g"
| rex max_match=0 mode=sed field=ToRecipient "s/(.*)/\1|To/g"
| rex max_match=0 mode=sed field=Sender "s/(.*)/\1|Sender/g"
| eval AllEmails=mvappend(ToRecipient,CcRecipient,BccRecipient,Sender)
| fields - ToRecipient,CcRecipient,BccRecipient,Sender,Date,Subject
| mvexpand AllEmails
| rex field=AllEmails "^[^|]+\|(?<Email_Type>(?:To|Cc|Bcc|Sender))"
| rex field=AllEmails mode=sed "s/([^|]+).*/\1/g"
| appendpipe
[| stats list(AllEmails) AS Email2 list(Email_Type) AS Email2_Type list(email_id) AS email_id by AllEmails
| fields - AllEmails]
| selfjoin max=0 email_id
| rename AllEmails AS Email1 Email_Type AS Email1_Type
| where isnotnull(Email2) AND Email1!=Email2
| sort + email_id,Email1,Email1_Type,Email2,Email2_Type
... View more
02-27-2017
07:20 AM
Hi,
I put your original data from the question into a CSV for testing, then did:
| from inputlookup:"test-mvzip.csv"
| table TransID,ProductID,ProductPropertyB,ProductPropertyC,ProductPropertyD
| streamstats last(TransID) as TransID
Which produces the table:
You'd want to test it with your original data and Search. But I hope that helps.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-08-2021
01:07 AM
|
Karma from
