This is in follow-up to https://answers.splunk.com/answers/578105/help-with-search-to-access-json-data.html#comment-577285
Please find the attached image for sample event.
The query provided by is returning: ABC.machine_cat:_attributes.ID.ABC.machine_cat
`<>`
_attributes.ID.ABC.machine_cat
`<>`
ABC.machine_cat
I want ABC.machine_cat : `<>`
Example: ABC.machine_cat : 01
![alt text][1]
[1]: /storage/temp/216684-123.png
Access JSON data
File not being read by Splunk in a directory while others are
Hi,
I have a directory which is defined in inputs.conf on a host (which has a UF running); the directory is:
/var/middleware/inventory/var
As per the logs (splunkd.log), the directory is now monitored:
10-04-2017 11:50:50.105 +0200 INFO TailingProcessor - Adding watch on path: /var/middleware/inventory/var.
In this directory there are nine different files, but only eight of them are read. They all have the same permissions, and the content format is also the same.
Does anyone know why the last file is not being read by Splunk? There is no log about it.
Thanks for your help.
In an index, one month's data has been uploaded twice.
Hi Experts,
I am now in a strange situation. We have an index into which we upload .csv files every month, and the previous month's data has been uploaded twice. Now Splunk is showing duplicate entries.
Can someone please suggest how can I get through this situation?
I want to remove duplicate entries for last month from index.
Thanks.
Regards,
Sud
What is the difference between 'Splunk Insights for AWS Cloud Monitoring' and the 'Splunk App for AWS'?
So I'm currently working with the Splunk App for AWS and came across this article by Splunk.
https://www.splunk.com/en_us/products/splunk-insights/aws-cloud-monitoring.html
It offers AWS cloud monitoring for a minimum of $4 a month but seems to reference the Splunk App for AWS, which so far has incurred no costs.
My question therefore is: is there a difference between the Splunk App for AWS and Splunk Insights for AWS Cloud Monitoring, and if so, what are those differences?
How can I customize my dashboard using CSS?
How can I hide the time option in the dashboard without using CSS, while it still functions in the background?
How does Splunk parse german Umlauts?
Hi everyone,
I've been confronted with the problem that the case-insensitive search command ```search``` differentiates between ö / Ö, ä / Ä and ü / Ü. My question now is: how exactly does Splunk parse German umlauts, and will it support case-insensitive searches for these characters in the near future?
I'm aware of the workaround using ```eval lower() / upper()```, so this question is not about solving the issue, but about understanding where it really originates.
Thanks in advance and best regards,
Bojan
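The distinction the question is circling is the difference between ASCII-only case folding (a byte-oriented `tolower()` that only maps A-Z, leaving every multi-byte UTF-8 character untouched) and full Unicode case folding. The following added example is not from the original post and makes no claim about Splunk's internal implementation; it shows how the two folding strategies behave on the same constructed events, and why a search term with a lowercase umlaut never hits an uppercase one under the ASCII-only strategy. The events, the `ascii_fold` and `unicode_fold` helpers and the `search` function are all assumptions made for the demonstration.

```python
import unicodedata
from typing import Callable, List


def ascii_fold(text: str) -> str:
    """Lower-case only A-Z, the way a byte-oriented tolower() over UTF-8 does.
    Every non-ASCII code point is left untouched, so 'Ö' does not become 'ö'."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in text)


def unicode_fold(text: str) -> str:
    """Full Unicode case folding. NFC first so that a precomposed 'ü' (U+00FC)
    and 'u' + combining diaeresis (U+0075 U+0308) compare equal; casefold()
    also maps 'ß' to 'ss', which lower() does not."""
    return unicodedata.normalize("NFC", text).casefold()


def search(term: str, events: List[str], fold: Callable[[str], str]) -> List[str]:
    """Substring search on folded text; the folding function decides what
    'case-insensitive' means. Returns matching events in original order."""
    folded_term = fold(term)
    return [e for e in events if folded_term in fold(e)]


# Constructed sample events (not from the original post).
EVENTS = [
    "login user=anna city=MÜNCHEN",        # upper-case precomposed Ü (U+00DC)
    "login user=bert city=München",        # mixed case, precomposed ü
    "login user=carl city=Munich",         # ASCII spelling, never a hit
    "login user=dora city=MU\u0308NCHEN",  # U + combining diaeresis (U+0308)
    "login user=emil street=Straße",       # ß folds to 'ss' under casefold()
]


def demo() -> dict:
    """Same term, two folding strategies: ASCII folding finds only the event
    that already has a lowercase ü; Unicode folding finds all three spellings."""
    return {
        "ascii": search("münchen", EVENTS, ascii_fold),
        "unicode": search("münchen", EVENTS, unicode_fold),
        "eszett": search("strasse", EVENTS, unicode_fold),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

The practical consequence for an analyst is that a detection rule keyed on a German hostname or user name can silently miss events depending on which spelling the log source emits; normalising the field at search time (the `lower()` workaround) only helps for characters that the platform's lowercasing actually maps, and does nothing for the decomposed form unless the data is normalised first.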
What is the correct method to consume symlinks?
Hi,
I'm attempting to consume MSSQL ERROR logs from 800+ systems with different log locations.
The current approach is to configure a common directory on the C drive, c:\mssql logs\, with up to 10 symlinks within it.
Each link corresponds to LOG folders of different MSSQL Instances.
C:\MSSQL LOGS\LOG1
C:\MSSQL LOGS\LOG2
C:\MSSQL LOGS\LOG3 ... etc
For example symlink LOG1 points to C:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Log
My current inputs.conf is not working; however, one that points to the actual path does.
I need two questions answered:
1. What is the correct method to consume symlinks?
2. Is there a better approach to deploy and consume MSSQL ERROR logs from a large number of systems?
Thanks
[monitor://C:\MSSQL LOGS\*] - Does not work
[monitor://C:\MSSQL LOGS\LOG4\*] - Does not work
inputs.conf
[monitor://C:\MSSQL LOGS\*]
followSymlink = true
recursive = true
index = stage_idx
sourcetype = mssql:errorlog
disabled = 0
Issue with an ELB dashboard -- added via Cloudwatch and ELB access logs
Hi
We have configured Splunk Enterprise on a single server with inputs for ELB. We use a classic ELB and have inputs for ELB via CloudWatch and via ELB access logs (SQS-based S3). The ELB dashboard panel for 'Requests by ELB' is blank. When looking at the search query, it highlights the last two pipes below as failing.
search (metric_dimensions!="*],*" aws_account_id="*" eventtype="aws_cloudwatch_elb_events" metric_dimensions="LoadBalancer*" metric_name=RequestCount region="" sourcetype="aws:cloudwatch" (index="default" OR index="main")) | rex field=metric_dimensions "([ ,]|^)LoadBalancer=\[app/(?<name>.*?)/" | lookup regions region | eval uniq_label=(((((name . " (") . account_id) . ", ") . location) . ")") | stats sum(Sum) as count by uniq_label | rename uniq_label as "ELB Name"
I have removed the value of RequestCount region "" for privacy, but everything else is how the search string looks. If we replace 'stats sum(Sum) as count by uniq_label | rename uniq_label as "ELB Name"' with 'stats sum(Sum) as count by metric_dimensions', it then displays the pie chart with a breakdown of each of our ELBs. However, if we then drill further into each ELB from the chart we get similar failures, so it looks like amending the search string for the dashboard is not an option without further breaking the drill-down areas. I think the issue lies somewhere around the 'eval uniq_label', as one of the messages shown when inspecting the search is 'verify that the fields expected by the report commands are present in the events', but I'm not sure how or where to check or change this.
For info, we have added the required metadata inputs and enabled the 'Addon Metadata - Summarize AWS Inputs' saved search. http://docs.splunk.com/Documentation/AWS/5.1.0/Installation/Metadata Any help would be appreciated.
Thanks
Path Support for AWS IAM Role for Splunk Add-On
Hello,
I am attempting to add an IAM role to the Splunk Add-on for AWS with a path. However, the regex used to validate it does not allow paths.
Regex:
Characters of Name should match regex ^arn:[^\s:]+:iam::\d+:role(:|/)[^/:\s]+$ .
My role ARN (example):
arn:aws:iam::123456789012:role/path/my-role
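The regex quoted in the error message ends in `role(:|/)[^/:\s]+$`, so the character class after `role/` forbids any further `/`, which is exactly what an IAM path contains. The following added example (not code from the add-on or from the original post) runs the quoted regex and an assumed path-aware alternative over a set of constructed role ARNs, and splits the resource part into the path and name that IAM itself reports. `PATH_AWARE_ROLE_ARN_RE`, `role_path_and_name` and the sample ARNs are assumptions made for the demonstration; the only thing taken from the page is the add-on's regex.

```python
import re
from typing import Optional, Tuple

# The validation regex quoted in the post (copied from the add-on's error message).
ADDON_ROLE_ARN_RE = re.compile(r"^arn:[^\s:]+:iam::\d+:role(:|/)[^/:\s]+$")

# Assumed replacement, not the add-on's code: after "role/" allow zero or more
# path segments, each terminated by "/", before the role name. Segments and
# the name may not contain "/", ":" or whitespace. Account IDs are 12 digits.
PATH_AWARE_ROLE_ARN_RE = re.compile(
    r"^arn:[^\s:]+:iam::\d{12}:role/(?:[^/:\s]+/)*[^/:\s]+$"
)


def addon_accepts(arn: str) -> bool:
    """What the add-on's validator does with the ARN: no '/' allowed after role/."""
    return ADDON_ROLE_ARN_RE.fullmatch(arn) is not None


def path_aware_accepts(arn: str) -> bool:
    """Assumed path-aware check: role/<segment/>*<name>."""
    return PATH_AWARE_ROLE_ARN_RE.fullmatch(arn) is not None


def role_path_and_name(arn: str) -> Optional[Tuple[str, str]]:
    """Split a role ARN into (path, name) the way IAM reports them:
    path is "/" for a role without a path, "/segment/.../" otherwise.
    Returns None for anything that is not a role ARN."""
    if not path_aware_accepts(arn):
        return None
    resource = arn.split(":", 5)[5]        # "role/path/my-role"
    rest = resource[len("role/"):]         # "path/my-role"
    if "/" in rest:
        path, name = rest.rsplit("/", 1)
        return "/" + path + "/", name
    return "/", rest


# Constructed sample ARNs; the account ID is the placeholder used in the post.
SAMPLE_ARNS = [
    "arn:aws:iam::123456789012:role/my-role",                   # no path
    "arn:aws:iam::123456789012:role/path/my-role",              # one path segment
    "arn:aws-us-gov:iam::123456789012:role/team/sub/my-role",   # nested path, GovCloud partition
    "arn:aws:iam::123456789012:user/my-user",                   # not a role
    "arn:aws:iam::123456789012:role/",                          # missing name
]


def report():
    """(arn, accepted by add-on regex, accepted by path-aware regex) per sample."""
    return [(arn, addon_accepts(arn), path_aware_accepts(arn)) for arn in SAMPLE_ARNS]


if __name__ == "__main__":
    for arn, addon, path_aware in report():
        print(f"{arn:58} add-on={addon!s:5} path-aware={path_aware}")
```

The path-aware pattern is deliberately still strict about the partition, service and account fields; loosening only the resource part keeps the validator from accepting an ARN for a user, group or another service, which matters because the role the add-on assumes determines what data it can read.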
Infoblox Event Collection
I need to bring Infoblox into my Splunk. Is this done by Infoblox syslogging to my forwarder, or does the Splunk Add-on for Infoblox allow me to configure it?
Thanks!
Splunk Universal Forwarder 6.5.2 -- 100% CPU on Solaris
Can someone help me resolve the issue? The splunkd Universal Forwarder process is taking 100% CPU.
I am monitoring around 50 log files and the data is not more than 30 GB daily.
For monitoring, I am not using any wildcard characters and have given the full path of the log files.
summing two event counts by source
So, I am trying to parse syslog stats data to get a velocity of the events, in order to figure out which log source is spiking when backlogs occur.
events: the count of events for a particular source type
src: the individual device sending logs to the syslog server.
As syslog stats don't reset until syslog is HUP'd or otherwise restarted, taking the list of events isn't specifically helpful.
So what I'm trying to figure out is how to get a velocity: something like stats min(events) by src and compare it to stats max(events) by src. However, I haven't been able to combine this properly.
Output would preferably be a table that has (src, maxevents, minevents, diff)
How to extract Windows fields at search time using regex?
How do I extract the Account Name and other fields in the description field from the Windows event below, which comes from Azure? It has both JSON and XML data in the JSON event. Attached are the raw event and the JSON event. Please advise.
![alt text][1]
[1]: /storage/temp/217754-test2.png
After we deleted a job it popped back up -- How can we delete it for good?
For some reason, we are not able to delete expired jobs, either as admin or as the power user who owns the jobs.
We choose Job and then Delete Job. A pop-up message appears and disappears for a brief moment, and the job remains.
Any ideas?
![alt text][1]
[1]: /storage/temp/217757-jobexpire.jpg
Has anyone used MineMeld to send logs to Splunk?
Has anyone ever sent logs to Splunk using MineMeld? If so, how? I currently have access to MineMeld, but I was looking for a way to set up the config to send the logs to Splunk.
Exporting reports to a different search head... how do I cleanup the move and get rid of the search_migration app on SH2?
So I successfully created an app called search_migration on SH1 to move reports to SH2.
1) I set all reports on SH1 (in the search app) that I wanted to move as shared globally
2) I created an app called search_migration on SH1
3) I verified all reports were in search_migration
4) I copied the directory for search_migration app to a location where I could move it to SH2
5) I moved the search_migration app to SH2
6) I verified all reports are now populated under the search app as well as the search_migration app on SH2
Here is my question: how do I clean up the move and get rid of the search_migration app on SH2?
If I delete the search_migration app from SH2, then all the reports will disappear from the search app on SH2. Is there a way to change permissions on the reports so they remain after I remove the search_migration app?
Thank you
Hello, is it possible to include the sequence sunburst chart in the visualization picker of the search app?
Hello, I am trying to add the sequence sunburst chart to the visualization picker of the search app. Could anybody please help me with that?
How can I correlate results from two separate searches?
I have syslog-formatted events that correlate together based on one value, and a search that will pull a single line of those events:
s=1js832fc event=A somedata=9sdsh
s=1js832fc event=B someotherdata=3s2jd
s=1js832fc event=C someotherotherdata=12s93d
s=1js832fc event=D someotherotherotherdata=32s8d2 mid=2jhsd9asdhjs9s2hn2u
s=28s72d event=A somedata=8sd6d
s=28s72d event=B someotherdata=27sh2d
s=28s72d event=C someotherotherdata=28s7s2
s=28s72d event=D someotherotherotherdata=2s73hd mid=2jhsd9asdhjs9s2hn2u
The search to be performed pulls events matching the 'mid' value 2jhsd9asdhjs9s2hn2u.
This search results in the following events found:
s=1js832fc event=D someotherotherotherdata=32s8d2 mid=2jhsd9asdhjs9s2hn2u
s=28s72d event=D someotherotherotherdata=2s73hd mid=2jhsd9asdhjs9s2hn2u
I would like to search for all events relating to the two 's' values found (1js832fc and 28s72d) from the initial search by 'mid' (2jhsd9asdhjs9s2hn2u).
I am finding it difficult to perform a search based on values found in a search, and subsearches seem to be limited to the events found within the search, instead of searching back through the entire index. The result I would like is a search that initially searches for 'mid', then searches back through the index for events that match the 's' values of the found events, with the end result being all of the events above:
s=1js832fc event=A somedata=9sdsh
s=1js832fc event=B someotherdata=3s2jd
s=1js832fc event=C someotherotherdata=12s93d
s=1js832fc event=D someotherotherotherdata=32s8d2 mid=2jhsd9asdhjs9s2hn2u
s=28s72d event=A somedata=8sd6d
s=28s72d event=B someotherdata=27sh2d
s=28s72d event=C someotherotherdata=28s7s2
s=28s72d event=D someotherotherotherdata=2s73hd mid=2jhsd9asdhjs9s2hn2u
Is this possible?
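What the question describes is a two-pass correlation: an inner search that yields the join key (`s`) for every event carrying the `mid` value, and an outer search over the whole data set that returns every event whose `s` is in that set. The following added example (not code from the original post) implements exactly that over the eight events quoted above plus one constructed decoy session, so the filtering is visible. The `parse_kv`, `correlate` and `by_session` helpers and the decoy session `s=zz99` are assumptions made for the demonstration.

```python
import re
from typing import Dict, List

# Minimal key=value tokenizer for the syslog-style lines in the post.
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line: str) -> Dict[str, str]:
    """Turn 'k=v k2=v2 ...' into a dict (last value wins for repeated keys)."""
    return dict(KV_RE.findall(line))


def correlate(events: List[str], key: str, value: str, join_field: str = "s") -> List[str]:
    """Two-pass correlation.
    Pass 1 (the 'subsearch'): collect join_field values of every event with key=value.
    Pass 2 (the outer search): return every event in the data set whose join_field
    is in that set, in original order, regardless of whether it carries key itself."""
    wanted = {
        parse_kv(e).get(join_field)
        for e in events
        if parse_kv(e).get(key) == value
    }
    wanted.discard(None)  # events with key=value but no join field cannot be joined
    return [e for e in events if parse_kv(e).get(join_field) in wanted]


def by_session(events: List[str], join_field: str = "s") -> Dict[str, List[str]]:
    """Group correlated events by join_field, preserving first-seen order."""
    groups: Dict[str, List[str]] = {}
    for e in events:
        s = parse_kv(e).get(join_field)
        if s is not None:
            groups.setdefault(s, []).append(e)
    return groups


# The eight events from the post, plus one constructed session (s=zz99) that
# shares no 'mid' with them and must be filtered out.
SAMPLE_EVENTS = [
    "s=1js832fc event=A somedata=9sdsh",
    "s=1js832fc event=B someotherdata=3s2jd",
    "s=1js832fc event=C someotherotherdata=12s93d",
    "s=1js832fc event=D someotherotherotherdata=32s8d2 mid=2jhsd9asdhjs9s2hn2u",
    "s=28s72d event=A somedata=8sd6d",
    "s=28s72d event=B someotherdata=27sh2d",
    "s=28s72d event=C someotherotherdata=28s7s2",
    "s=28s72d event=D someotherotherotherdata=2s73hd mid=2jhsd9asdhjs9s2hn2u",
    "s=zz99 event=A somedata=decoy",
    "s=zz99 event=D someotherotherotherdata=decoy mid=otherid",
]


if __name__ == "__main__":
    hits = correlate(SAMPLE_EVENTS, "mid", "2jhsd9asdhjs9s2hn2u")
    for session, evs in by_session(hits).items():
        print(session, len(evs), "events")
        for e in evs:
            print("   ", e)
```

In SPL the same shape is a subsearch that returns only the join field, `index=<idx> [search index=<idx> mid=2jhsd9asdhjs9s2hn2u | fields s]`, which Splunk expands into `(s=1js832fc) OR (s=28s72d)` before running the outer search over the whole index; the outer search is not limited to the inner search's events. The caveat a practitioner needs is that subsearches are capped by default at 10,000 results and 60 seconds (the `[subsearch]` stanza in limits.conf), and a silently truncated inner result set means silently missing sessions in the outer one.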