Tag:stackexchange

First, I think what you’re looking for is the value of site to match request_type (in the initial multisearch search line) – but what you’re actually checking for in the where clause is whether the text "site" equals the text "request_type". And, of course, that is not the case! Start by removing the second line …
Continue reading Answer by warren for Multisearch not doing what I expect

It sounds like you want to extract as many key-value pairs as there may be in the query portion of a URL If this is correct, here’s a way to approach it: index=ndx sourcetype=srctp url=* | eval query=split(url,"?") | eval query=mvindex(query,-1) | rex field=query max_match=0 "(?<pair>[^&]+)" | mvexpand pair Alternatively, if you have a reason …
Continue reading Answer by warren for regular expression for url query params that differ in size, order and topic

You might consider using a combination of the eval functions split and mvindex: index=ndx sourcetype=srctp url=* | eval url_parts=split(url,"/") | eval segment=mvindex(url_parts,4) from User warren – Stack Overflow https://stackoverflow.com/questions/71326356/using-regex-to-specify-delimited-fields/71329606#71329606 via IFTTT

Enable WILDCARD matching in your lookup definition, then do something like: <first part of search> | lookup mylookup user AS name_last OUTPUT date intel_source <rest of search> Of course, this will only be potentially helpful if user names incorporate aspects of real names If you have a John Smith whose username is rockinrutabega1970 or 829911882 …
Continue reading Answer by warren for How to search a lookup based on partial match of field values of a base search in splunk

So long as you have at least three segments to a fully-qualified domain name, this should work (without using a regular expression) index=ndx sourcetype=srctp host=* | makemv delim="." host | eval piece=substr(mvindex(host,3),1,4) … makemv converts a field into a multivalue field based on the delim you instruct it to use Then use eval to grab …
Continue reading Answer by warren for Extract substring from Splunk String

Not sure how Python and Splunk are relating here – but this is just a matter of doing some field extractions. Something like this should do it: index=ndx sourcetype=srctp | field field=_raw "PlatformVersion\W+(?<platform_version>[^\"]+)" | rex field=_raw "PlatformClient\W+(?<platform_client>[^\"]+)" from User warren – Stack Overflow https://stackoverflow.com/questions/71019040/splunk-extraction-from-the-log-entries/71036484#71036484 via IFTTT

I’m going to presume you have no field extractions yet built (except for message) for the sample data you provided, and that – as provided – it’s in the correct format (though, since it seems to be missing timestamps, I can tell something is likely amiss) This should get you down the right road: index=ndx …
Continue reading Answer by warren for how to write splunk query to create a dashboard

You have to convert your human-readable timestamp to Unix epoch time – since _time is always in Unix epoch time Check out strftime.org for the exact calls Then you can send this in your curl call: curl -u "$user:$pass" -k https://$splunkserver/services/search/jobs/export -d search=’search "’"$search"’" | search index=$index sourcetype=$sourcetype’ earliest=$STARTTIME latest=$ENDTIME’ from User warren – Stack …
Continue reading Answer by warren for Splunk: search with starttime and endtime with format “%Y%m%d %H:%M:%S”

The only way to "reduce the production of logs" going into Splunk is to not log as much that the Universal Forwarder picks up, or that is sent via the HTTP Event Collector If you want to filter events based on criteria in your SPL, then you need to look at the field(s) in question, …
Continue reading Answer by warren for Reduce logging for retry_count in splunk

The first time an event matches a sourcetype, it will fall into it And if you tag an event with a given sourcetype in the actual HEC submission, it will always use that sourcetype If you want something to come in differently, tag it differently in your HEC submission from User warren – Stack Overflow …
Continue reading Answer by warren for Splunk HEC sourcetype override mapping all events to a single transform

Check out strftime.org, and the related strptime function used with eval Something on the order of this (pulled the microseconds out of your rex, since Unix epoch time has no concept of subsecond intervals): | rex field=_raw "timeStamp\>(?<timeStamp>[^\.]+)\.\d+Z" | eval unixepoch=strptime(timeStamp,"%Y-%m-%dT%H:%M:%S") from User warren – Stack Overflow https://stackoverflow.com/questions/70802593/splunk-extract-string-and-convert-it-to-date-format/70803673#70803673 via IFTTT

In the Alert actions, have it send a message when there are no results: from User warren – Stack Overflow https://stackoverflow.com/questions/70780625/what-search-terms-should-i-use-when-creating-alert-that-is-triggered-when-there/70787222#70787222 via IFTTT

timechart requires the hidden field _time still exist – in this example, there is no _time field So you’re going to need to "fake" your timechart – or you’re going to need to get _time back somehow or other Something along these lines should work: index=ndx ("Request" OR "Response") | rex field=_raw "id\":\"(?<id>[a-z0-9-]+)" | stats …
Continue reading Answer by warren for Splunk: How to get a timechart regarding the extracted _time values for which range() was applied?

If I understand you correctly, you need to look at two different time ranges in two different indices, In that case, it is most likely to be true that a join will be needed Here’s one way it can be done: index=ndx1 sourcetype=srctp1 field1="someval" src="*" earliest=-1h | stats count by src | join src [| …
Continue reading Answer by warren for Splunk query to take a search from one index and add a field’s value from another index?

Based on the samples you provided, this regex seems to match what you’re looking for: ([\$]|[\%24]){1,3}(?<suspicious_log4j>([\{]|[\%7B]{1,3}).*[jJnNdDiI]{1,4}.+[lLdDaApPsS]{1,5}.+([\/|\%2F]).+) Check out Regex101’s "EXPLANATION" box for what it’s doing But it returns 8 matches in 686 steps from User warren – Stack Overflow https://stackoverflow.com/questions/70613366/please-help-me-improve-this-log4j-regex-that-pulls-out-possible-malicious-source/70624021#70624021 via IFTTT

Based on the samples you provided, this regex seems to match what you’re looking for: ([\$]|[\%24]){1,3}(?<suspicious_log4j>([\{]|[\%7B]{1,3}).*[jJnNdDiI]{1,4}.+[lLdDaApPsS]{1,5}.+([\/|\%2F]).+) Check out Regex101’s "EXPLANATION" box for what it’s doing But it returns 8 matches in 686 steps from User warren – Stack Overflow https://stackoverflow.com/questions/70613366/please-help-me-improve-this-log4j-regex-to-pulls-out-possible-malicious-sources/70624021#70624021 via IFTTT

What you’re describing is precisely how the [monitor:…] stanza of an inputs.conf works for the Universal Forwarder from User warren – Stack Overflow https://stackoverflow.com/questions/70588571/can-we-avoid-splunk-indexing-lines-from-a-file-that-gets-overwritten/70594775#70594775 via IFTTT

40 gigs a day off a single appliance can be high, normal, or very (very) low That you don’t have enough storage indicates your environment likely wasn’t architected properly Proper sizing and implementation is done by Splunk PS and/or PS partners – or you may even be able to get what you need via your …
Continue reading Answer by warren for fortigate generates 40G data in splunk

The way to filter time the way you’re describing is by putting it directly in your SPL instead of using the time picker using earliest and latest For example: index=ndx sourcetype=srctp ((earliest=-24d latest=-20d) OR (earliest=-10d latest=-6d) | <rest of SPL> from User warren – Stack Overflow https://stackoverflow.com/questions/70258679/splunk-enterprise-exclude-certain-time-ranges-for-a-bigger-time-range/70260840#70260840 via IFTTT

You may find a solution similar to one I needed a while back to be helpful – timechart without using timechart index=ndx sourcetype=srctp correlationId=* service=* earliest=-60m | eval secs=strftime(_time, "%S") | stats dc(correlationId) as TPS by secs service | stats avg(TPS) as avgTPS by service Or chart instead of stats: | chart avg(TPS) as avgTPS …
Continue reading Answer by warren for Splunk getting average TPS for each service

Here’s a simpler way to do it – and one which will return all the matches in a given event into a multivalue field: index=ndx sourcetype=srctp rex field=_raw max_match=0 "\[[^\[=]+\=(?<new_field>[^\]]+)" Start with skipping the opening bracket, and anything up to an equal sign Then everything after the equal sign to a closing bracket will be …
Continue reading Answer by warren for Extract string in square bracket with regex

One possible major issue you could have is that process IDs get reused all the time – so even if you know the ID of what spawned your current process, you may not actually be able to find the process that spawned that process If you’re OK with that, and you have a pretty definite …
Continue reading Answer by warren for Splunk – “grandparent from process and parent process”

Investigate dashboard tokens In your input field(s) (radio, dropdown, etc) on your dashboard, set the token to have multiple possible options (static or dynamic – your choice) Then in your SPL, do the following: index=ndx "$mytoken$" msg=* | sort 0 – _time | table msg from User warren – Stack Overflow https://stackoverflow.com/questions/69981364/splunk-create-customized-query-for-splunk-dashboard-based-on-input-selection/69991522#69991522 via IFTTT

What configuration of the add-on have you done? According to https://splunkbase.splunk.com/app/3703/#/details, you need to have Chat & Bot IDs (ref: https://core.telegram.org/bots/api) Do you have them? from User warren – Stack Overflow https://stackoverflow.com/questions/69895159/splunk-issue-with-telegram-alert-action-can-not-configure-the-action-splunk-ent/69898858#69898858 via IFTTT

First, I’d strongly recommend you take the free courses available from Splunk: https://www.splunk.com/en_us/training.html?sort=Newest&filters=filterGroup1FreeCourses Second, you need to look for field=value pairs in your data Like this: index=ndx sourcetype=srctp fieldA=valA fieldB=valB* fieldC=valC | stats values(host) as host values(valB) by fieldA fieldC from User warren – Stack Overflow https://stackoverflow.com/questions/69792540/search-for-specific-patterns-in-splunk-cloud-platform/69797053#69797053 via IFTTT