Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About kepffr
kepffr
Explorer
Member since:
11-10-2020
11-16-2022
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 2 |
| Member Since | 11-10-2020 |
Activity Feed
- Got Karma for External python search - How do I resolve Error "Failed to parse transport header"?. 07-19-2023 01:12 AM
- Got Karma for Re: External python search - Error "Failed to parse transport header". 07-19-2023 01:12 AM
- Posted Re: External python search - Error "Failed to parse transport header" on Splunk Search. 06-17-2021 12:26 AM
- Posted External python search - How do I resolve Error "Failed to parse transport header"? on Splunk Search. 06-15-2021 01:02 AM
- Posted Re: Filtering data out with RegEx based on blacklist works only partially on Getting Data In. 01-28-2021 06:32 AM
- Posted Re: Filtering data out with RegEx based on blacklist works only partially on Getting Data In. 01-28-2021 12:26 AM
- Posted Re: Filtering data out with RegEx based on blacklist works only partially on Getting Data In. 01-27-2021 08:21 AM
- Posted Filtering data out with RegEx based on blacklist works only partially on Getting Data In. 01-25-2021 06:20 AM
Topics I've Started
06-17-2021
12:26 AM
1 Karma
Hi guys. Any ideas?
... View more
06-15-2021
01:02 AM
1 Karma
Hi guys, I'm trying to write a very simple external python search but it's just not working. I get the following error message in search_messages.log: 06-15-2021 09:44:22.543 +0200 ERROR SearchMessages - orig_component="script" app="search" sid="1623743052.198909" message_key="EXTERN:SCRIPT_NONZERO_RETURN" message=External search command 'pyTest' returned error code 1. Script output = "chunked 1.0,241,0\n{"inspector":{"messages":[["ERROR","RuntimeError at \"D:\\Splunk\\etc\\apps\\pyTest\\bin\\splunklib\\searchcommands\\search_command.py\", line 884 : Failed to parse transport header: b'splunkVersion:8.2.0\\n'"]]},"finished":true}". It says message_key="EXTERN:SCRIPT_NONZERO_RETURN" and "Failed to parse transport header". This is how I call the script in a splunk search: | makeresults 1 | eval something="just_a_value" | script pyTest or | script pyTest This is my commands.conf: [pyTest]
python.version = python3
chunked = true
filename = pyTest.py This is my code: #!/usr/bin/python3
import os, sys
sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "lib"))
import splunk.Intersplunk
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration
@Configuration()
class pyTest(StreamingCommand):
def stream(self, events):
for event in events:
event['nothing'] = 'world'
yield event
dispatch(pyTest, sys.argv, sys.stdin, sys.stdout, __name__) I have also tried to replace \r\n with \n in the code but that didn't help. What am I doing wrong here?
... View more
- Tags:
- error
Labels
- Labels:
-
other
01-28-2021
06:32 AM
Hi thanks for your response. The regex matches it, that's my problem.
... View more
01-28-2021
12:26 AM
Both, I want to execute both stanzas. Is that not possible?
... View more
01-27-2021
08:21 AM
Hi again. I've tried more things but nothing worked. I think my assumption that it works with less substrings is wrong, I cannot reproduce that anymore. Things I've tried: - Set MATCH_LIMIT to a higher value - Replaced the sourcetype in the stanza specified in props.conf with source::tcp:1422 - Included a named group in the regex, e.g: REGEX=(\t)hostname=(.*\.)?(?<site>amazon|ebay)\.(de|com|net) Data to test: 2021-01-27 16:55:42 action=Allowed event_id=6922469125184356358 protocol=SSL category=Corporate Marketing dest=1.1.1.1 http_referrer=None http_user_agent=XXXXXXX clientpublicIP=1.1.1 status=NA user=something.something@something.com url=ebayimg.ebay.com hostname=ebayimg.ebay.com clientIP=1.1.1 threatcategory=None threatname=None appname=XXX pagerisk=0 department=XXXX supercategory=XXXX appclass=File Share urlclass=XXXXX threatclass=None
bytes_out=2272 bytes_in=5100 props.conf [XXXXXX]
DATETIME_CONFIG = CURRENT
TZ = UTC
[source::tcp:1422]
TRANSFORMS-DeleteStuff = deleteAdvertisingTracking,deleteShopping transforms.conf [deleteAdvertisingTracking]
REGEX=(\t)hostname=.*(adnxs|doubleclick|adsafeprotected|pubmatic|xiti|smartadserver|lijit|ads\.yahoo|insurads)\.(com|net)
DEST_KEY = queue
FORMAT = nullQueue
[deleteShopping]
REGEX=(\t)hostname=(.*\.)?(amazon|ebay)\.(de|com|net|cn)
DEST_KEY = queue
FORMAT = nullQueue This is what the command "cmd btool transforms list deleteAds" says: CAN_OPTIMIZE = True CLEAN_KEYS = True DEFAULT_VALUE = DEPTH_LIMIT = 1000 DEST_KEY = queue FORMAT = nullQueue KEEP_EMPTY_VALS = False LOOKAHEAD = 4096 MATCH_LIMIT = 100000 MV_ADD = False REGEX = (\t)hostname=(.*\.)?(amazon|ebay)\.(de|com|net|cn) SOURCE_KEY = _raw WRITE_META = False
... View more
01-25-2021
06:20 AM
Hi guys! I want to filter data out on my forwarder by using Regular Expression in transforms.conf. The strange thing is, that it only works partially but my regex itself is or should be fine. transforms.conf [deleteAdvertisingTracking]
REGEX=(\t)hostname=.*(adnxs|doubleclick|adsafeprotected|pubmatic|xiti|smartadserver|lijit|ads\.yahoo|insurads)\.(com|net)
DEST_KEY = queue
FORMAT = nullQueue
[deleteShopping]
REGEX=(\t)hostname=.*(amazon|ebay)\.(com|net)
DEST_KEY = queue
FORMAT = nullQueue props.conf [STANZA_NAME]
TRANSFORMS-DeleteStuff = deleteAdvertisingTracking,deleteShopping The second Stanza named "deleteShopping" works just fine but not the first. I could observe that it stopped working with 3 or more substrings (e.g adnxs|doubleclick|adsafeprotected|pubmatic) in the regex. I've tried adding "LOOKAHEAD = 65535" but that didn't help. Of course I restarted the forwarder after the changes. Do you have any idea what's going wrong? I'm using Splunk v8.1.1.
... View more
Labels
- Labels:
-
heavy forwarder
-
transforms.conf
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-16-2022
11:08 AM
|
