It's been a while. If memory serves me well...I ended up creating a modular input using the Splunk Python SDK. https://dev.splunk.com/enterprise/docs/python/sdk-python/howtousesplunkpython/howtoworkwithusersroles/ ... View more

you could use append to join the data together. Then run your stats after you've combined them: | inputlookup SF_Week41.csv | eval src="sf_week_1" | append [|inputlookup SF.csv | eval src="sf"] ... View more

Two ideas... Use Tokens: You could have your search include the logic for determining where to send the alert. Then use this value via a token when you configure your alert. I have not tried this myself but I would be surprised if it didn't allow to tokenize the "TO" address. base search | eval send_to=case(wwwsite="mysite1.com","group1@asite.com",wwwsite="anothersite1.com",anothergroup@asite.com",1=1,"defaultgroup@asite.com") When you configure your alert you could look at using a token for the to value: $result.send_to$ Another option is to use the sendmail command and save your search. It won't behave exactly like a normal saved search configured with alert actions but you can achieve what what you're asking. It's been a while so you want to read the documentation here: https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Sendemail base search | eval send_to=case(wwwsite="mysite1.com","group1@asite.com",wwwsite="anothersite1.com",anothergroup@asite.com",1=1,"defaultgroup@asite.com") | sendmail to=send_to from="your@email.com" Suggestion: Use a lookup file For either method you may want to use a lookup file. This way you don't have to include all the details in each search. What you'd do is create a CSV file that matches your alert email addresses to whichever website they should get paired to. alert_email_to_domain.csv wwwsite,alert_email_address "asite1.com","alert_email1@asite.com" "asite2.com","alert2_email@asite.com" "asite3.com","alert3_email@asite.com" "asite4.com","alert4_email@asite.com" Then in your search you could use the lookup command to pull in the email address that matches the website. If the field in your logs that tells what the website is were "wwwsite" base search | lookup alert_email_to_domain.csv wwwsite OUTPUT alert_email_address Then you can use the field alert_email_address with either of the first two methods I explained. Either in a search that uses sendmail command or use it as a token in the alert configuration using $result.alert_email_address$ Please upvote and/or accept if you find my answer helpful. Good luck! ... View more

Not quite. Only the username is displayed in the raw event. I use INGEST_EVAL at index time to: Step 1: extract the user field (transforms.conf): [getusername] INGEST_EVAL = user = replace(_raw,"^(.*username:)(.*?)(\s.*)$","\2") Step 2: create a field called user_hash which is the md5 hash of the username from step 1 (transforms.conf): [userhash] INGEST_EVAL = user_hash = md5(user) Step 3: replace the occurrence of the username in _raw with the value of user_hash created from step 2 (transforms.conf): [replaceuserinraw] INGEST_EVAL = _raw = replace(_raw,user,user_hash) What I'm left with: a user field with actual username a user_hash field with hash value of username _raw has been modified before being indexed to replace the username with the hash What I need to figure out: - user_hash field should be available to all users - user field should only be available to special users with this privileged ... View more

Use INGEST_EVAL and cryptographic functions to create a hash at index time. ... View more

Splunk 6.6 introduced cryptographic functions md5() sha1() etc. You can encrypt fields at index time using these functions along with INGEST_EVAL. You can also use calculated fields in props.conf to encrypt fields at search time. But one can easily view the source of the log data to see unencrypted values if done at search time. See: https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/CryptographicFunctions ... View more

I think I have the same issue. Basically the event is not recognized by splunk as valid json becuase of the string before your json object: "Mar 26 13:44:57 myserver java". You may also need to remove \" if these are what is in your _raw event text. The solution I ended up with was to have the application team modify the log format so the string of fields that starts before the json object was included within the json object itself so as to deliver valid json to splunk. Another option is use index time feature: ingest_eval: ingest_eval - Modify _raw at index time to remove or re-arrange _raw see: https://docs.splunk.com/Documentation/Splunk/7.2.6/Data/IngestEval props.conf [mysourcetype] TRANSFORMS = evalatindextime transforms.conf (remove string) [evalatindextime] ingest_eval = _raw=replace(_raw,"^(.*?)({.*)$))","\2") You could also use REPLACE() here to, instead of removing the text, capture parts of _raw and then compile each part in a way that produces valid JSON. [evalatindextime] ingest_eval = _raw=replace(_raw,"^([a-zA-Z]{3}\s\d{2}:\d{2}:\d{2})\s(.?)\s(.?)({)(.*)$","\4\"timestamp\":\"\1\",\"server\":\"\2\":\"type\":\"\3\",\5") another issue I had was my main event text was a json object nested inside the main json object. I'm using the Splunk http event collector & splunk java logging btw. The issue I had was the nested json object had "\ around values & fields and the object itself had quotes around it. I replace() the \" with " and removed the quotes around the nested object. replace(_raw,"\\\"","\"") finally I had to also remove the " around the nested json object. Here's what my bad events looked like: { "field":"value", "field2":"value2", "message":"12:50:43.222 Username Company address {\"nestedfield1\":\"nestedvalue1\",\"nestedfield3\",:\"nestedvalue3\" }" } Here's what my good event looks like after using REPLACE() { "field":"value", "field2":"value2", "message":{"timestamp":"12:50:43.222","username":"foo","company":"mycompany","address":"an address here","nestedfield1":"nestedvalue1","nestedfield2":"nestedvalue2","nestedfield3","nestedvalue3"} } Splunk parses out the top level fields/values fine (field1,field2,message). But the json object in message was not being parsed. After replacing "\ with " and removing the " around the the nested json object all worked as expected. ... View more

were you able to achieve this? ... View more

Adding some information in case others might find it helpful. For me this is what happens: In Splunk 7.2.4 for custom Splunk App: - there is no way from Splunk Web to update the password for a username already stored in passwords.conf without deleting passwords.conf - adding credentials in splunk web when you first setup the app works with no error and passwords.conf is created and creds are stored as expected - if you add credentials with a different username it throws the error but a new entry is added to the passwords.conf file - if you try to add creds w/ username that already exists in passwords.conf, it throws an error and no changes are made to passwords.conf It's not a big deal but my goal was to avoid having users to ever have to edit conf files. I wonder if I can write something into the app using python sdk to do the work. We'll see. ... View more

Did you ever figure this out? I'm having the same problem. ... View more

I know this is a bit old but here's how I authenticate with Basic HTTP Auth: import requests from requests.auth import HTTPBasicAuth username = "<user>" apikey = "<pass>" apiurl = "<theurlyouconnectto>" with requests.Session() as s: s.auth = (username,apikey) r = s.get(apiurl) ... View more

Yes thank you much. ... View more

Maybe your search is not correct. Can you post some sample event data? ... View more

I did it by adding this to the end of my search. your_single_val is changed to whatever field populates your singlevalue. | appendpipe [| stats count AS mycount] | EVAL your_single_val =IF(mycount==0,"NO EVENTS",your_single_val) | ... View more

This might work. Use rex command to match status values and create a single multivalue field. Then use eventstats to sum the values of your multivalue field. If the sum of status = 0, set a new_field to "OK". Otherwise, set new_field to "FAILURE". In the search below you can disregard the 'makeresults' and 'eval _raw =' commands. I just add those to generate an example event like yours that I can use. You want REX & EVENTSTATS | makeresults | EVAL _raw = "status=0 status=0 status=0" | REX max_match=0 field=_raw "status=(?P<status>[0-9])" | EVENTSTATS sum(status) AS status_sum | EVAL new_field=IF(status_sum==0,"OK","FAILURE") ... View more

Check that the user splunk runs under has permission to access the folders & log files you want to index. ... View more

Easy enough. Thanks! ... View more

Something else to consider is using postprocess search. This way your base search doesn't have to run every time someone chooses an option in the dropdown. See: http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Post-process_searches Here's the basic idea: dashboard loads and runs a base search that generates the full list of stats: | STATS count BY Service your input dropdown could access the values of 'Service' to dynamically populate your input options you'll need to still add a static value to cover the * (all) option your post process search, which dictates the values displayed on your dashboard, is simply: | SEARCH Service = $dropdown_value$ ... View more

do your search as: | STATS count BY Service | SEARCH Service = $dropdown_value$ So your drop down has an option for "ALL" who's value is: * When the user selects A: | STATS count BY Service | SEARCH Service = "A" When user selects ALL: | STATS count BY serivce | SEARCH service = * ... View more

worked perfectly thank you so much. ... View more

Yes, Z_f always stays the same. Only the number changes. So the number is what ties the fields together. I would like to see this look like this in a table with the group name as the column headers and the count value under neath like this: first_group_name second_group_name third_group_name fourth_group_name 32 49 100 49 ... View more