Answer by warren for Regex Search for absence of a string inside a string multiline

You need to look into mvfilter – once the data is in multivalue fields in Splunk, you can do something like the following:
| eval missing_item_list = mvfilter(!match(full_list,"bb"))
from User warren – Stack Overflow https://stackoverflow.com/questions/77579583/regex-search-for-absence-of-a-string-inside-a-string-multiline/77607025#77607025

Answer by warren for How do I use a specific date/time in Splunk dashboard with earliest and latest?

You can use a time picker, and then select from it the earliest and latest in your search. Say you name your time picker timetok. The search would look like this:
index=ndx sourcetype=srctp earliest=$timetok.earliest$ latest=$timetok.latest$ …
from User warren – Stack Overflow https://stackoverflow.com/questions/77497243/how-do-i-use-a-specific-date-time-in-splunk-dashboard-with-earliest-and-latest/77532620#77532620

Answer by warren for Regex extraction from Right to Left

You want a variable-list of field names extracted from delimited data in reverse order? How many entries could you possibly have? Three? Five? Two hundred seventy four? Are you trying to do this at search time (ie in SPL you are writing/running), or in props.conf? If you are trying to do this at search time, …

Answer by warren for How Can a Dropdown be Used to Filter Splunk Query Results

The simplest way to do this will be to create a list in your dropdown whose entry values are the field names (ie Model.Old & Model.New). Call the name of that token, say, modelchoice. Then have a single search on your dashboard that looks like this:
index='splunk_demo' source='demo.zip' | fields Name, Model.New, Model.Old, Price | …

Answer by warren for Splunk HTTP collection ignores props.conf file

Yes, you can force a given field in the JSON data coming into the HEC to be the timestamp. If you do not, _time will populate with the timestamp of when it is received by Splunk. This line in props.conf will set _time to index/received time:
DATETIME_CONFIG = CURRENT
Check out the props.conf docs for …

Answer by warren for In Splunk, how do I efficiently map data from separate searches into the same row?

What IS the common field across these events? IP address? Hostname? Something else? Something along the lines of this will get you started:
index=ndx sourcetype=srctp ip=* | fields - _raw | fields _time ip req_id session_id app_id cust_id | fillnull value="n/a" req_id session_id app_id cust_id | stats count by ip req_id session_id app_id cust_id | …

Answer by warren for Splunk regex filter events only one occurrence of special character

@Jerry’s response is interesting – I would do something similar:
index="association" sourcetype="escaplogs" | rex field=data.val max_match=0 "(?<slashes>\/)" | where isnotnull(slashes) AND mvcount(slashes)<2 <rest of search>
This is going to find everything that a) has at least one slash (isnotnull(slashes)) in the field data.val, and b) throw out everything with more than 1 (mvcount(slashes)<2). from User warren …

Answer by warren for splunk map pass multiple values

You might try something like this (presuming you have a common field like hostname in each event):
index=ndx sourcetype=srctp ("a.string" OR "another.string") | rex field=_raw "some text that exists in events with a.string (?<xx>\S+) (?<yy>\s+)" | rex field=_raw "other text found with another.string (?<zz>\S+)" | fields xx yy zz hostname | stats values(*) as * …

Answer by warren for Splunk query(SPL). Replace a value or anything that comes after the value until a special character

Use an eval replace(). It’s still regex based, but simpler to understand (and, often, faster to run) than rex mode=sed:
| eval myfield=replace(myfield,"e2_quote_policy_ask_zipcode[^\/]+","AskZipcode")
from User warren – Stack Overflow https://stackoverflow.com/questions/76784785/splunk-queryspl-replace-a-value-or-anything-that-comes-after-the-value-until/76805109#76805109

Answer by warren for List unique values from splunk events

stats will be your friend here:
index=myIndex container_name="abc-mno-pqr" "status code :: 50*" | stats latest(status) as Status-Code by transactionId
If the fields transactionId and status are not yet extracted, you’ll need to pull them out. A way to do this at search time is with rex:
| rex field=_raw "code\D+(?<status>\d+)" | rex field=_raw "^\[(?<transactionId>[^\]]+)"
regex101 …

Answer by warren for Parsing raw text in splunk between a word pattern

IF your pattern is actually in the format of com.abc.xyz.service.exception.MY ERROR: null, and you want whatever is between the last dot and the colon, then this works:
| rex field=_raw "\.(?<errcode>[\w\s]+)\:"
from User warren – Stack Overflow https://stackoverflow.com/questions/76690264/parsing-raw-text-in-splunk-between-a-word-pattern/76699892#76699892

Answer by warren for Alternative to 30+ `| rex field=path mode=sed…` in order to replace path parameters in urls

This sounds like a job for transforms.conf, or maybe just to properly extract all those fields with props.conf. If you’re waiting until search time to mask data, you’re still storing all of what you’re trying to mask. Lastly, eval myfield=replace(my_field,"regex","literal string") is almost always faster, in my experience, than rex mode=sed. Doc.Splunk references for eval, …

Answer by warren for Splunk query to map Exceptions to Endpoints

This answer presumes your fields are already properly extracted. If they are not, you’ll need to do that first (and we can help you with it). Something like this should do the trick for you:
((index=ndxA sourcetype=srctpA) OR (index=ndxB sourcetype=srctpB)) thread=* spanid=* loglevel=* | stats values(errorCode) as errorCode values(httpUrl) as httpUrl values(httpMethod) as httpMethod max(_time) …

Answer by warren for Query Splunk using Power BI

Without knowing a lot more about your use case(s), specific advice is going to be difficult to give. However, you can easily hit the Splunk REST endpoint for saved searches, reports, and ad-hoc searches from anything that can speak REST with proper credentials/tokens. There are limits to how much data can be returned via REST, …

Answer by warren for case like does not work in Splunk, no string is matched

First, like is a function – so it needs to be used as one. This should work:
index=log_ad | eval tag=case(like(Hostname,"%SRV%"), "server", like(Hostname,"%DC%"), "controller", 1=1, "not matched") | top tag, Hostname
from User warren – Stack Overflow https://stackoverflow.com/questions/76404006/case-like-does-not-work-in-splunk-no-string-is-matched/76406646#76406646

Answer by warren for Get statistical distribution of multivalue entry in Splunk

First, you need to break the multivalue field into separate entries. This is one way to do it:
| makemv delim="," product_category | mvexpand product_category | stats values(product_category) as vpc dc(product_category) as dpc count by user_id
from User warren – Stack Overflow https://stackoverflow.com/questions/76386274/get-statistical-distribution-of-multivalue-entry-in-splunk/76400300#76400300

Answer by warren for How to trigger an custom alert condition of multiples from the basic search of Splunk?

Splunk is case-sensitive … except where it isn’t 🙂 By default, search ANDs. But if you want to be explicit, you must all-caps AND – just like you must all-caps OR:
index=ndx sourcetype=srctp "someval" "someotherval"
Is the same as:
index=ndx AND sourcetype=srctp AND "someval" AND "someotherval"
Splunk views "and" as raw text to look for, …

Answer by warren for how to remove dynamic column

If I understand correctly, you have some NULL fields after your join. If that is correct, the following should get you at least close:
<search that gets through the `join`> | stats values(*) as * by <unique fields you know exist> | fillnull value="-"
stats values(…) will only include fields for which there is at …

Answer by warren for Regex breaks with “/” character instead of newline

Instead of using rex, this can all be done with eval and mvexpand. A run-anywhere example:
| makeresults | eval urls="https://www.example.org/|http://example.com/|ca.gov|http://blade.example.com/bikes/airplane.php|http://alarm.example.com/|smugmug.com|shop-pro.jp|https://example.org/|qq.com|pcworld.com|symantec.com|360.cn|http://example.com/?brother=bike|http://www.example.com/behavior/bead.php|army.mil|https://example.com/boy/bedroom.php|https://example.com/|https://www.example.com/brother?activity=believe|https://www.example.net/achiever/bottle.html|http://believe.example.com/bit?bait=base&bone=ball|aboutads.info|http://www.example.com/|http://www.example.edu/afternoon|livejournal.com|http://border.example.com/box/afterthought|oaic.gov.au|https://www.example.edu/base.php|house.gov|smh.com.au|http://www.example.edu/|https://www.example.org/|lycos.com|https://border.example.com/?bridge=basket&blood=animal|hibu.com|http://example.com/" | eval urls=split(urls,"|") | mvexpand urls | eval busted=split(urls,":") | eval busted=mvindex(trim(split(trim(replace(mvfilter(match(busted,"\.")),"\/"," "))," ")),0)
I combined the last several steps into one line, but this is what it’s doing: break the URL list based …

Answer by warren for Splunk: Finding results of a field that have the same peer, but two or more different securityName fields

Just use stats to do this – there shouldn’t be a need to rex-out the end (or, at least, not the way you’re attacking it so far):
index=ndx sourcetype=srctp peer=* securityName=trap* | stats values(securityName) as securityName by peer | where mvcount(securityName)>1
from User warren – Stack Overflow https://stackoverflow.com/questions/76133855/splunk-finding-results-of-a-field-that-have-the-same-peer-but-two-or-more-diff/76146566#76146566