I have the raw data below. How do I get the strings after the "action": and put all the results into a new field?
{"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002",xd":"859","action":"Exit"}
{"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295",xd":"f89","tile":"HeroTile","action":"page:http://first.com/roomV8.2/front.main/"}
{"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002",xd":"859","action":"Exit"}
{"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295",xd":"f89","tile":"HeroTile","action":"page:http://second.com/roomV8.2/front.main/"}
↧
Would you create rex or regex to extract a string and create a new field?
↧
Palo Alto - usage by category
We're collecting Palo Alto logs into Splunk and palo alto app dashboards are currently not enabled. I'd like to create a Splunk paloalto report that does site by site category and usage by category with no named users? Any sample queries that would helpful for my query development.
↧
↧
How do you turn this test string into a regular expression
Hello
How do you convert the following test string to a regular expression, if the test string contains spaces? Because the string "type" appears several time in the log, to differentiate the instance I need, I need "type" that's followed by a negative amount.
Test string:
"type"=>"fun_bucks", "amount"=>"-$
rex field=_raw type\"\=\>\"(?[^\"]+)\"\,\ \ \"amount\"\=\>\"\-\$
Example log text
"type"=>"fun_bucks", "amount"=>"-$21.00", "request_id_link"=>{"content"=>nil, "href"=>"https://ebc.cybersource.com/ebc/transactionsearch/TransactionSearchDetailsLoad.do?requestId="}, "status"=>"succeeded", "action"=>"refund", "convert_to_cash_url"=>nil}], "v2_return_service_enabled"=>true, "inventory_service_id"=>"voucher", "order_reversal_url"=>"/order_reversal/refund",
↧
how to download a heavy forwarder on my mac to test a use case ?
Any link please ?
↧
timediff based on non-sequential sequence IDs
I have a requirement wherein I have to find timedifference of 2 events. Below is an example on the event type:
Host Time SeqID Transaction
a 1:00:00 5 Start
b 1:30:00 7 Start
a 1:45:00 9 Complete
b 2:00:00 14 Complete
a 4:00:00 19 Start
c 4:30:00 23 Start
a 4:45:00 25 Complete
I need to calculate the timedifferences between 'Start' and 'Complete' for every Host using their SeqID.
To translate roughly, its like
concat(hostname,Time@Complete,SeqId@Complete) - concat(hostname,Time@Start,SeqID@Start)
But in the above calculation, i need to ensure the SeqID@Complete is the most numerically nearest one to the SeqID@Start.
Any thoughts / suggestions?
↧
↧
Mysterious Illogical Error - Trying to Forward - Parameter name: Path does not exist.
Hello Team,
I am trying to do a simple thing. I am trying to forward a log file to my remote Splunk indexer. I am using the command : `./splunk add monitor /path/to/log/file/appname.log`
This command has worked in the past. However I have been receiving the below error, Figure 1, for the last four hours and counting.
![Screenshot of the error actually occurring on my computer][1]
*Figure 1*: Add Monitor Error
I saw someone had a similar question but I did not see any helpful answers. I think this must be a permissions issue. Splunk does not have the same privileges as the normal user of the operating system. Can anyone point me in right direction?
Thank-you for reading this.
Regards,
rogue_carrot
[1]: /storage/temp/252082-pathdoesnotexist-6-27-2018-5-45-52-pm.png
↧
How to create a chart to show count of events by hour over days in a week?
Below is the search query i used in order to get a similar chart but the hours are not consecutive, as shown in the Legend's table on the right side. What i have in mind was to create a chart that displays the count of high severity events by hour in a day for a week and have the chart start on a Monday and ends on a Sunday instead of starting on the current day
I have went and search for various and multiple sources on how to solve this problem and tried using %w, earliest=+7d@w1, | bin span=1d, and so on in my queries in trying to create the desired chart
Thanks and looking forward to replies
![alt text][1]
[1]: /storage/temp/252084-hours-in-days-in-week.png
↧
Convert IP address to lat and long to use the Missile Map
Hi all, I'm using the Missile Map app in Splunk to visualize multiple connections from staring point to destination. But I have trouble converting my two fields `FromIPAddr` and `ToIPAddr`, which are in IP address format, to four required fields in Missile Map `start_lat| start_lon |end_lat |end_lon`
Missile Map reference:
[https://splunkbase.splunk.com/app/3511/#/details][1]
Does anyone know how to do that? Thanks!
[1]: https://splunkbase.splunk.com/app/3511/#/details
↧
why collect command not working ??
Hello everyone
I have a SH and two IDX
I run a search in SH and using "collect" command i push the results to a index=sql which is available in IDX1 and IDX2 (load balanced based upon the availability)
so it was pushing results until may28 and after that it stopped pushing
i ran the search separately still it doesnot push the results.
but it says "Successfully wrote file to '/opt/splunk/var/spool/splunk/63g3hs73g37sh_events.stash_new'."
so what is happening?
is there anyway i can see whether the data is getting push to IDX1 or IDX2
Thank you
↧
↧
how do I filter the error logs of that particular container?
I have configured splunk with http event collector on docker, so I am storing the logs of all the container into splunk index
I am able to filter the logs of each container with tag name , but how do I filter the error logs of that particular container, thanks
↧
How to configure Splunk statistics table to display more than 100 rows
Hi all,
How to configure Splunk statistics table to display more than 100 rows? can this be achieved by editing a specific .conf, .js files?
Thanks in advance :)
↧
Extracting delimited values from a field with a dynamic length?
I have a field that contains column names delimited by spaces that I need to break out into separate fields for filtering purposes. The values are simply the column names, like shown below:
THIS_COLUMN THAT_COLUMN
I currently have an `mvexpand` solution in place which works but takes a huge amount of time to process through the duplicate events. I really want to parse the column names out into separate columns **in the same event** and pass them through a `foreach` statement, or something similar.
I've seen solutions that would work given a finite amount of column names but not for when the amount of values vary. Is there a structure I can apply to recognize the amount of columns and add them to the event. Here's my current search for reference:
base search | eval UID = _cd + index+splunk_server | eval singleColumns=split(column_name, " ") |mvexpand singleColumns | search NOT [|inputlookup Known_Bad_Columns | rename bad_columns as singleColumns ] | dedup UID | stats count by field1, field2 | sort by count desc
↧
How to split multiple lines in table to separate rows
I have some data from Tenable and I am trying to weed out the rows with multiple values into its own row.
![alt text][1]
[1]: /storage/temp/252085-capture1.png
A good example would be is the 4th row with 3 CVE-IDs (CVE-2003-1567, CVE-2004-2320, and CVE-2010-0386).
Instead, I would like to break it out to look like this:
CVE-2003-1567 Disable these methods. Refer to the plugin output for more information.
CVE-2004-2320 Disable these methods. Refer to the plugin output for more information.
CVE-2010-0386 Disable these methods. Refer to the plugin output for more information.
Any ideas?
Thanks
↧
↧
How to add "edit visualization" outside edit mode?
Hi, would like to ask how to add the "edit visualization" button outside edit mode? That way users can choose what visualization they'd want to see in a panel without having to click the edit to change visualization. Please see attached below.
![alt text][1]
![alt text][2]
[1]: /storage/temp/252091-v2.jpg
[2]: /storage/temp/252090-visual.jpg
↧
eval case match a fields value as a substring to other field
Hi All,
index="index1" sourcetype="SC1" OR sourcetype="SC2" | eval Ticket_Main5 = (Ticket,1,5)| eval Ticket_master = case(sourcetype="SC2" AND like(LINK_LIST, Ticket_Main5),SC2_Ticket,1=1,"NotFound")
For example Ticket= "Z1234B" and LINK_LIST is "C1234A001;Z1234A;Z1234B" and SC2_Ticket is "C1234A" . So I need to extract Ticket_Main5 first. Then check this field in another field LINK_LIST inside eval case. There are other arguments in eval case as well, which I removed here.
Or is there any other way, where I can check if a field value is a substring of other field value.
↧
How to assign value to a field which is not present in some of the events and compare that value with other values from other events where that field is present?
How to assign value to a field which is not present in some of the events and compare that value with other values from other events where that field is present?
I have events where field named "SSLProxyEngine" have values "ON" or "OFF" for some of the events but for some events that field is not present. I want to assign value "NONE" to SSlProxyEngine where the field is not present and then compare this value with othere events value.
How can I do that?
↧
Tried to edit the viz_editor_schema.js but nothing changed
Hi all,
I've edited the viz_editor_schema.js to change the maximum limit of rows displayed of a statistic table, I did some bumps, debug refresh and I even restarted my Splunk instance several times but nothing seems to work. How can I make this work? can someone help me with this.
path: C:\Program Files\Splunk\share\splunk\search_mrsparkle\exposed\js\views\shared\results_table\viz_editor_schema.js
Thanks in advance :)
↧
↧
How can a forwarder monitor a dynamic path?
How can a forwarder be setup to monitor files with a dynamic path?
For instance, I have a folder structure such as this:
`\\shared\tests\{DateTime.NOW}\logs\xxx_yyy_{DateTime.NOW}.xml`
`DateTime.NOW` represents the time which the xml file was generated. There will be multiple `{DateTime.NOW}` folders in the `\\shared\test` path.
I have tried some of the solutions stated here: https://answers.splunk.com/answers/33436/monitor-file-with-dynamic-directiory-name.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev
such as:
`\\shared\test\\logs\xxx*`
`\\shared\test...logs\xxx*`
`\\shared\test\...\logs\xxx*`
but they did not work.
Any help would be appreciated. Thanks!
↧
website monitoring inputs.conf file configuration
Trying to find out the inputs.conf configuration to add Website via directly editing the inputs.conf file for availability monitoring.
Please suggest with examples
-Thanks
↧
How to create tag cloud drilldown?
In the dashboard, I am created a tag cloud Visualization but the tag cloud Visualization "edit drilldown" is invalid.
how to make the drilldown function use directly?![alt text][1]
[1]: /storage/temp/252092-aaa.jpg
↧