Answer by warren for Output of 1 query to be used a input of another to get results

I think what you’re asking is about subsearches (but it’s hard to tell from your description). Do you mean something like this?

index=ndx1 sourcetype=srctp1 val=abc [| search index=ndx2 sourcetype=src2 id=* | stats count by id | fields - count ] | stats count by val id

from User warren – Stack Overflow https://stackoverflow.com/questions/74118480/output-of-1-query-to-be-used-a-input-of-another-to-get-results/74124349#74124349 via IFTTT

Answer by warren for Splunk: Is there a way to remove the Clone dashboard option

Unless you export the data outside Splunk, anyone can clone a Dashboard (perhaps only to their own private view, but clone it nonetheless). If they’re not supposed to have access to various data sources, you need to restrict their access to those sourcetype(s) or index(es).

from User warren – Stack Overflow https://stackoverflow.com/questions/74100354/splunk-is-there-a-way-to-remove-the-clone-dashboard-option/74102038#74102038 via IFTTT

Answer by warren for Splunk eventstats dc(field) is including null values as unique

The value "null" is not "null". A "null" field in Splunk has no contents (see fillnull). If you have the literal string "null" in your field, it has a value (namely, "null"). If you do not want to count them, you need to filter them out before doing the | stats dc(Field). For example, you …

Answer by warren for Why doesn’t splunk convert log in json format to json

Looks like you have JSON embedded in JSON – Splunk doesn’t ‘know’ that nested JSON should be another JSON: it views it as the contents of the higher-level JSON item. The way to handle this is either:

- don’t encapsulate JSON inside JSON
- use inline rex statements or props.conf/transforms.conf to handle field extractions

from User warren …

Answer by warren for splunk query to extract multiple fields from single field

@Mads Hansen’s answer will most likely work, but experience shows multiple individual rex statements to be safer (i.e., they allow for corner cases, data in different sequences, etc):

| rex field=message "OUT:\s+(?<method>\S+)"
| rex field=message "taken:\s+(?<executiontime>\d+)"

Speed for sequential regular expressions – 9 & 23 steps, respectively. If you want to use an all-at-once …

Answer by warren for Splunk Regex formatting

This regular expression is simpler, and should match for you:

<spl> | rex field=_raw "status\W+(?<status>\w+)" | search status="error" <rest of spl>

It matches the literal string status followed by non-word characters, then puts all found word characters into a field named status.

from User warren – Stack Overflow https://stackoverflow.com/questions/73910663/splunk-regex-formatting/73939954#73939954 via IFTTT

Answer by warren for Is their a way to exclude a transaction if one of its event contain the string “error” on Splunk

Put your condition of NOT "[error]" in your initial search like this:

index=ndx sourcetype=srctp transid=* eventcount=* NOT "[error]" | transaction transid endswith="completed OK." | stats count by eventcount | eval fcount=eventcount*count | stats sum(fcount)

from User warren – Stack Overflow https://stackoverflow.com/questions/73784530/is-their-a-way-to-exclude-a-transaction-if-one-of-its-event-contain-the-string/73788880#73788880 via IFTTT

Answer by warren for Splunk: How to implement “max(Index) by Version”

Basically I want to know if there’s an implementation for this kind of condition: max(Index) by Version

What you’re asking for seems to be precisely how you would call max with stats:

index=ndx sourcetype=srctp Version=* datacenter=* | stats max(Version) by datacenter

Does that not do what you’re looking for?

from User warren – Stack Overflow …

Answer by warren for Alert setting, in case of a large interval between messages

Something like this should work:

index=ndx sourcetype=srctp srcMsgId=* system=* | stats min(_time) as early max(_time) as late by srcMsgId system | where (late-early)>N

Use a value (in seconds) for "N" – like | where (late-early)>90 for a minute and a half, or | where (late-early)>300 for 5 minutes.

from User warren – Stack Overflow https://stackoverflow.com/questions/73543582/alert-setting-in-case-of-a-large-interval-between-messages/73546893#73546893 …

Answer by warren for How do I check if Splunk has received logs from hundreds of different sources/hosts/devices?

Searching for non-existent data is always harder than searching for existing data … because finding "nothing" isn’t possible. However, you can simulate finding nothing like this:

index=ndx sourcetype=srctp ip=* earliest=-7d | stats count by ip | append [| inputlookup myListOfIPs | fields ip ] | stats values(count) as filter by ip | where isnull(filter)

That …

Answer by warren for Splunk: how to get the last logins on the host that triggered an event?

Look for lines like these in /var/log/auth.log:

Aug 24 20:10:01 bolo CRON[46362]: pam_unix(cron:session): session closed for user root
Aug 24 20:12:00 bolo sshd[46950]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)

Across whatever timeframe is appropriate.

from User warren – Stack Overflow https://stackoverflow.com/questions/73478817/splunk-how-to-get-the-last-logins-on-the-host-that-triggered-an-event/73478963#73478963 via IFTTT

Answer by warren for Not able to match the regex

If for some reason RichG’s suggestion of using multikv doesn’t work, the following should:

| rex field=_raw "(?<type>\w+)\s+(?<time>[\d\.]+)\s+(?<ops>[\d\.]+)\s+(?<tps>[\d\.]+)\s+(?<net>[\d\.]+)\s+(?<get_miss>[\d\.]+)\s+(?<min>[\d\.]+)\s+(?<max>[\d\.]+)\s+(?<avg>[\d\.]+)\s+(?<std_dev>[\d\.]+)\s+(?<geo_dist>[\d\.]+)"

Where is your data coming from?

from User warren – Stack Overflow https://stackoverflow.com/questions/73386907/not-able-to-match-the-regex/73389699#73389699 via IFTTT

Answer by warren for How to combine count from two different mstats in where clause Splunk?

Per the docs.Splunk entry for mstats, you can append another mstats call. So something like this should work:

| mstats count(_value) as count2 WHERE metric_name="*metric2*" AND metric_type=c AND status="success" by metric_name,env,status | where count2=0 | append [| mstats count(_value) as count1 WHERE metric_name="*metric1*" AND metric_type=c AND status="success" by metric_name,env,status | where count1>0 ]

You should …

Answer by warren for 10k Curl post request to splunk

It seems you’ve answered your own question – namely, the JSON blob you’re trying to POST is too big for the HEC to handle. Split it into smaller chunks instead of trying to batch it all at once.

from User warren – Stack Overflow https://stackoverflow.com/questions/73158177/10k-curl-post-request-to-splunk/73208072#73208072 via IFTTT

Answer by warren for How to get particular field in splunk search for a nested JSON event

There are at least two approaches you can use. If your sourcetype’s JSON is not being parsed properly by Splunk, this rex will pull it for you:

| rex field=_raw "userid=(?<userid>\w+)"

If it is being parsed properly, then you can probably get it by a variation on the theme of:

| rename applicationTags{}.userid as userid …

Answer by warren for Regular expression to exclude UUID from capture group

Instead of trying to capture everything but a [possibly-present] UUID, just remove it instead (and then remove extra spaces):

index=ndx sourcetype=srctp message=* | eval error_msg=replace(message,"\w{8}-\w{4}-\w{4}-\w{4}-\w{12}","") | eval error_msg=replace(error_msg,"\s+"," ")

If you know that the UUID is always contained inside whitespace, you could make the first replace() more efficient thusly:

| eval error_msg=replace(message,"\s\w{8}-\w{4}-\w{4}-\w{4}-\w{12}\s","")

from User warren …

Answer by warren for Parsing last part of URL in Splunk

This regular expression will match the last part of the URL that ends with (case-insensitive) "exe", and that ends the string:

| rex field=URL_Field "\/(?<exename>[^\/]+[eExXeE]{3})$"

The format is this: start with a front slash, then match everything that’s not a front slash that ends with "exe", "EXE", etc, and that is at the end of the …

Answer by warren for Splunk need help in extracting ERROR messages from logs

You’ve got the first extraction correct, just do another like it:

| rex field=_raw "message[[:punct:]]+(?<message>[^\"]+)"

This will grab everything after "message":"" until it hits another quote mark.

from User warren – Stack Overflow https://stackoverflow.com/questions/73136831/splunk-need-help-in-extracting-error-messages-from-logs/73138969#73138969 via IFTTT

Answer by warren for Splunk search doesn’t match CSV lookup file

There are a couple ways to do what you’re asking for. The first is to use the lookup table as a filter in your initial search, like this:

index=ndx sourcetype=srctp NOT [|inputlookup mylookup | fields ip]

Or, do a lookup, and keep all the entries that have a null value in the lookup’s other field …

Answer by warren for Extracting particular value using regex in splunk

Presuming Splunk hasn’t already extracted these automatically (it looks close to JSON, perhaps), this will do it:

index=ndx sourcetype=srctp | rex field=_raw "status\":(?<status>\d+)" | search status=0

from User warren – Stack Overflow https://stackoverflow.com/questions/42234216/extracting-particular-value-using-regex-in-splunk/73129772#73129772 via IFTTT

Answer by warren for Regex working on regex101 and not on Splunk

This will do it, based on your sample data:

(?<username>[a-z0-9A-Z\-\_\.\w]+)(\s?)+$

There are probably more efficient formulations. If you don’t have spaces at the end of the line, you can use this:

(?<username>[a-z0-9A-Z\-\_\.]+)$

from User warren – Stack Overflow https://stackoverflow.com/questions/56115480/regex-working-on-regex101-and-not-on-splunk/73129494#73129494 via IFTTT