×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
stevegadd
Explorer
Member since: ‎12-29-2017
‎12-02-2021
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎12-29-2017
Activity Feed
View All

Re: Can you help me with an issue with a dashboard...

by in Dashboards & Visualizations
‎04-01-2019 12:09 PM
‎04-01-2019 12:09 PM
Thanks. That did it ... View more

Can you help me configure my props.conf to parse o...

by in Getting Data In
‎11-20-2018 10:51 AM
1 Karma
‎11-20-2018 10:51 AM
1 Karma
I have the following coming in via an XML file. Most of the attributes parse just fine using the default parser, but I cannot figure out what i need to put into a props.conf file to parse out all of the applications that are coming over. I am new to Splunk, so any suggestions would be greatly appreciated. `<computer>` `<name>ACC1582</name>` `<udid>0D935CF2-ECFD-5A04-8303-34B6564EC820</udid>` `<id>291</id>` `<Computer_Name>ACC1582</Computer_Name>` `<JAMF_Binary_Version>10.8.0-t1539715549</JAMF_Binary_Version>` `<Last_Check_in>2018-11-20 18:18:08</Last_Check_in>` `<Make>Apple</Make>` `<Model>15-inch Retina MacBook Pro (Mid 2012)</Model>` `<Serial_Number>C02J362MDKQ5</Serial_Number>` `<FileVault_Status>1/2</FileVault_Status>` `<Operating_System>Mac OS X 10.10.5</Operating_System>` `<Operating_System_Build>14F2511</Operating_System_Build>` `<Operating_System_Name>Mac OS X</Operating_System_Name>` `<Operating_System_Version>10.10.5</Operating_System_Version>` `<Service_Pack/>` `<Applications>` `<Application>` `<Application_Title>8x8 - Virtual Office.app</Application_Title>` `<Application_Version>5.4.0.19776</Application_Version>` `</Application>` `<Application>` `<Application_Title>Adium.app</Application_Title>` `<Application_Version>1.3.10</Application_Version>` `</Application>` `</Applications>` `</computer>` ... View more

Re: Using form input to search for multiple token ...

by in Dashboards & Visualizations
‎12-29-2017 07:43 AM
‎12-29-2017 07:43 AM
if you know dropdown format, you can achieve this in search like: (Let's say there is a space between) index=foo.. | eval mval=$token$| rex field=mval "^(?<firstname>\w+)\s(?<lastname>\w+)$" | search (user=mval OR user=firstname.".".lastname Having 'user=' in first pipe next to index would be more optimized. However, it would require some tweaking in Dashboard XML or Macro. Macro: you need to create a macro that takes only one parameter (your token), and returns a string like: (user="fname lname" OR user=fname.lname) Ex: [| makeresults | eval mval=$param$ | rex field=mval "^(?<fname>\w+)\s(?<lname>\w+)$" | eval search = "(user=".fname," ".lname." OR user=".fname.".".lname.")" | return $search] Then you can call it in your search as: index=foo 'mymacro($token$)' XML: I couldn't think of a way now using 'change' or 'set' tags. however, I am sure there are ways. I am sure somesoni will explain this part 🙂 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎12-02-2021 03:57 PM
Karma from
View All