Tag:stackexchange

For readibility, try using IN(): index=sne host=nwbsnep* sourcetype IN(sne_CAS_elilogs,sne_CMS_elilogs) Service.Operation IN("A","B","C","D","E","F","G","H") The issue seems to have been, though, that in your second parenthesized set of ORs, you had this: OR "Service.Operation"="D "OR "Service.Operation"="E" OR "Service.Operation"="F" In SPL, the OR has to be separated from what it’s or’ing by at least one space You had one …
Continue reading Answer by warren for Searching for specific values in Splunk query

In answering a Splunk question on SO, the following sample text was given: msg: abc.asia – [2021-08-23T00:27:08.152+0000] "GET /facts?factType=COMMERCIAL&sourceSystem=ADMIN&sourceOwner=ABC&filters=%257B%2522stringMatchFilters%2522:%255B%257B%2522key%2522:%2522BFEESCE((json_data-%253E%253E’isNotSearchable’)::boolean,%2520false)%2522,%2522value%2522:%2522false%2522,%2522operator%2522:%2522EQ%2522%257D%255D,%2522multiStringMatchFilters%2522:%255B%257B%2522key%2522:%2522json_data-%253E%253E’id’%2522,%2522values%2522:%255B%25224970111%2522%255D%257D%255D,%2522containmentFilters%2522:%255B%255D,%2522nestedMultiStringMatchFilter%2522:%255B%255D,%2522nestedStringMatchFilters%2522:%255B%255D%257D&sorts=%257B%2522sortOrders%2522:%255B%257B%2522key%2522:%2522id%2522,%2522order%2522:%2522DESC%2522%257D%255D%257D&pagination=null The person wanted to extract everything in the "filters" portion of the URL if "factType" was "COMMERCIAL" The following all-in-one regex pulls it out neatly (presuming the URL is always in the right order (ie factType …
Continue reading Why are sequential regular expressions more efficient than a combined experession?

Try this: index=ndx sourcetype=srctp msg=* | rex field=msg "factType=(?<facttype>\w+).(?<params>.+)" | stats count by facttype params | fields – count | search facttype="commercial" The rex will extract the facttype and any following parameters (note – if the URL is submitted with the arguments in a different order, you’ll need to adjust the regular expression) Then use …
Continue reading Answer by warren for Splunk Count Specific String in a Field

If you have not defined a sourcetype in an appropriate props.conf (and associated transforms.conf), Splunk will try to determine the sourcetype based on heuristics Those heuristics are not generally very accurate on custom data sources Instead of trying to "programatically set the sourcetype to be the namespace from where the logs were generated", add a …
Continue reading Answer by warren for Fluentd sending to Splunk HEC: Want to set sourcetype to the namespace

If you want to pass results of a Dashboard elsewhere, you need to use a drilldown See the Dashboard XML reference for more Splunk will only send to a URL, however – so if you want it to go to a "custom python script", it will need to be accessible via URL What does your …
Continue reading Answer by warren for Choose one result in Splunk table Query

If you’d like a full regex for extracting all of the bracketed fields, this is the most efficient one-shot I could make: | rex field=_raw "(?<extid>[\d\.]+).+D\[(?<fieldtype>[^\]]+).+T\[(?<format>[^\]]+).+L\[(?<ll>[^\]]+).+N\[(?<len>[^\]]+).+E\[(?<type>[^\]]+).+S\[(?<charset>[^\[]+).+A\[(?<data>[^\]]+)" Most often I do sequential rex calls, just in case some fields aren’t present in all events, but your sample data shows each of these items present Once you’ve …
Continue reading Answer by warren for Splunk search query

Checking your regex on regex101 shows that it fails – you’re looking to match a literal ", but it’s not there for your "null" value This regular expression is both simpler to read, and pulls what you’re looking for (without the extraneous comma): | rex field=Message "TimesAccessed[[:punct:]]+(?<TimesAccessed>[^\",]+)" Use the [[:punct:]] character class to match any …
Continue reading Answer by warren for Splunk rex Search – Unable to tabulate because of NULL

Non-streaming commands, by definition, run on the Search Head that initiated the search – and nowhere else. They’re typically expected to run after all the streaming searches have happened, for any finalization/manipulation of the returned data from all Search Peers running the search If you run non-streaming commands earlier than necessary in your SPL, you …
Continue reading Answer by warren for Is there a similar command to multisearch in Splunk for non-streaming searches?

You can trigger an Alert on anything you like. If you want the Alert to run a script, just parse-out the information you need into a field so you can pass it to your script. from User warren – Stack Overflow https://stackoverflow.com/questions/53413721/splunk-alert-with-run-a-script-action/73082697#73082697 via IFTTT

Splunk organizes data into indexes by sourcetype. When data is sent to Splunk (via Universal Forwarder, HTTP Event Collector (HEC), etc), it’s tagged with what index and sourcetype it is so that it gets stored properly for later searching. from User warren – Stack Overflow https://stackoverflow.com/questions/50471867/bind-logs-to-applications/73082639#73082639 via IFTTT

This works for the range aspect of your question (eg choosing 17-20 Jul) It distinctly does not work for the "Presets" or "Relative" options from a time picker When you select a date range from a time picker, you’ll get a pair of Unix epoch times returned If you subtract $picker.earliest$ from $picker.latest$, multiply by …
Continue reading Answer by warren for Splunk – Calculate time and doubling it from the user selection

What you’re describing can be done either with join (the more "obvious" path), or stats: join: index=ndx1 sourcetype=srctp1 authresult=* uniquehash=* times=* uniqueid="1" | stats count by uniquehash times | fields – count | rename times as unique1 | join uniquehash [| search index=ndx1 sourcetype=srctp1 authresult=* uniquehash=* times=* uniqueid="2" | stats count by uniquehash times | …
Continue reading Answer by warren for Comparing search results from two separate searches

If you pull the extra question marks from your regex, it runs as expected: | rex field=_raw "(?<jobRunTimeMs1>\d+)ms|(?<jobRunTimeS2>\d+)s(?<jobRunTimeMs2>\d+)ms|(?<jobRunTimeM3>\d+)m(?<jobRunTimeS3>\d+)s(?<jobRunTimeMs3>\d+)ms" Append a couple coalesces to bring them together, and drop the extraneous fields with fields: | eval ms=coalesce(ms1,ms2,ms3), s=coalesce(s2,s3), m=m3 | fields – ms1 ms2 ms3 s2 s3 m3 However, I generally prefer to run sequential individual …
Continue reading Answer by warren for Splunk regex matching for spring batch job times

Based on your sample data, this rex will pull what you’re looking for into a new field msg: | rex field=_raw ":\s+(?<msg>\d+\s+\w+.+)" You can then stats it into a table: | stats count by msg from User warren – Stack Overflow https://stackoverflow.com/questions/73039433/splunk-rex-command-to-search-exception-and-count-the-error-codes/73042485#73042485 via IFTTT

Normally Splunk will pull key-value pairs out automatically However, when it doesn’t, go try your regular expression(s) on regex101 – the field extractor is often a good[ish] start, but rarely creates efficient (or complete) regular expressions An inline version of this would be as follows (presuming the "value" half of the key-value pair is contiguous …
Continue reading Answer by warren for Splunk field extractor unable to extract all values

Try the eval function round() first (presuming "value" is just a number): | eval value=round(value)+"°C" Alternatively … use replace(): | eval value=replace(value,"\.[^°]+","") from User warren – Stack Overflow https://stackoverflow.com/questions/72952479/get-rid-of-characters-between-two-characters-in-splunk/72952798#72952798 via IFTTT

If these are two lookup files, you can do an | inputlookup followed by a | lookup like this: | inputlookup firstlookup.csv | lookup secondlookup.csv title Everywhere they have a match, the lookup will output the matching columns Say your first table has columns title, price, location, and the second has title, author, pub_date For …
Continue reading Answer by warren for Compare two product lists in splunk

See if this simplified version helps you at all (dedup is rarely the proper tool to use, and is almost always pointless to run before stats in the manner you’re doing it): index=test source=mysource vendor=* myaddress=* myneighboraddress=* | fields – _raw | fields myaddress myneighboraddress vendor | stats count by myaddress myneighboraddress Depending on the …
Continue reading Answer by warren for 3D Graph Network Topology Visualization: Lengthy Time to Build Graph Visualizer

Since you seem to be concerned only about whether "found" equals either "hit" or "miss", try this: index=app (splunk_server_group=bex OR splunk_server_group=default) sourcetype=rpm-web* host=rpm-web* "CACHE_NAME=RATE_SHOPPER" method=GET found IN("hit","miss") | stats count by found from User warren – Stack Overflow https://stackoverflow.com/questions/71836567/how-to-make-pie-chart-of-these-values-in-splunk/71844522#71844522 via IFTTT

You could try doing a replace() on your URL field with eval before calling stats: | eval url=replace(url,"\/\d+\/settings","/settings") If it turns out the userid is important to hold onto, pull it into its own field prior to running replace(): | rex field=url "\/(?<userid>\d+)\/settings" from User warren – Stack Overflow https://stackoverflow.com/questions/71791315/merge-url-with-parameters-into-1-in-splunk/71798806#71798806 via IFTTT

Fairly confident something akin to this should work (without using join: index=ndx sourtype=srctp uuid=* msg=* | stats min(_time) as first_time max(_time) as last_time earliest(msg) as first_msg latest(msg) as last_msg by uuid | eval diff_seconds=last_time-first_time | eval first_time=strftime(first_time,"%c"), last_time=strftime(last_time,"%c") This approach will presume that _time has been set properly in the sourcetype’s props.conf, but if it …
Continue reading Answer by warren for How to show the time difference between two events in a Splunk join query?

Per the docs, the fact you have multiple types of quote marks is most likely causing the error you’re seeing. Your excised query: (select top 1 a.Message.value (‘(//Transaction[@transactionID=sql:column("t.Txn_Ref_Num")]/LifeSupportNotification/LifeSupportData/Status)[1]’, ‘varchar(50)’) Note you have both single (‘) and double (") quotes in the string. Per the dbxquery page on Docs.Splunk, the query you send is supposed to …
Continue reading Answer by warren for SPLUNK : .Message.value()]: A string literal was expected

There are several ways to do drilldowns in Splunk, but to highlight the value of the clicked field (which is how your question sounds to me), set the following using the Drilldown Editor: Change the "On Click" action Choose the right App & Dashboard name. Under Advanced, set the target Dashboard’s token(s) to the relevant …
Continue reading Answer by warren for drilldown in splunk dashboard stats table

This is going to come down to you how you group your stats calls: | stats count(src_ip) by dst_ip will be different from | stats count(dst_ip) by src_ip will be different from | stats count by dst_ip src_ip will be different from | stats count by src_ip dst_ip What are you actually trying to accomplish? …
Continue reading Answer by warren for how to group out different ip address and count their total numbers in Splunk

Since this is taking place on a dashboard (else you wouldn’t have tokens), you may be best-off building the possible searches into separate panels, and only displaying the one you choose by using the depends="$token$" option on each panel – using a conditional eval when a dropdown item is chosen https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML from User warren – …
Continue reading Answer by warren for Splunk conditional search