Given the small sample you gave us, this should do what you’re looking for (without using transaction):
index=ndx sourcetype=srctp STR=* (MIT="Local Step started" OR MIT="Copy Step successful")
| eval status=if(match(MIT,"started"),"begin","end")
| stats values(status) as status by STR
| where mvcount(status)<2
What this does: only look for entries where there is a STR value, and MIT …
Tag:stackexchange
Answer by warren for (Splunk) How can I use the rex command to pattern match wildcards enclosed by double quotes?
These rex commands should work:
| rex field=Message "rror in \w+\s\w+\s(?<error>[^,]+)"
| rex field=Message ", table name\s[^\"]+(?<table_name>[^,]+?)\"\."
| rex field=Message "The maximum[^\"]+\"(?<max_bun_length>[^\"]+)"
| rex field=Message "data is currently set to (?<current_length>\S+)"
from User warren – Stack Overflow https://stackoverflow.com/questions/76066710/splunk-how-can-i-use-the-rex-command-to-pattern-match-wildcards-enclosed-by-do/76082391#76082391 via IFTTT
Answer by warren for Splunk query for rarity without AI
I would try something like this:
index=ndx sourcetype=srctp user=* [| inputlookup my_list_of_10_hosts.csv ] earliest=0
| fields _time user host
| stats min(_time) as early max(_time) as recent by user host
| eval early_diff=now()-early
| where early_diff<604800
| eval early=strftime(early,"%c"), recent=strftime(recent,"%c")
This will go back through all your data (hence the earliest=0), and find all the …
Answer by warren for Regex that picks up words separated by hashtags
I think what you want is much simpler: [A-Z\#]+ from User warren – Stack Overflow https://stackoverflow.com/questions/75996854/regex-that-picks-up-words-separated-by-hashtags/75996895#75996895 via IFTTT
Answer by warren for Can dictionary/json like objects be created using eval in splunk?
You can use sequential eval statements to make/overwrite fields in Splunk like this:
| eval publishedToIntegrator=if(len(raw)>0,"True","False")
| eval time=if(len(publishedToIntegrator)<5,_time,null())
However, knowing what you’re trying to accomplish will help us answer better.
from User warren – Stack Overflow https://stackoverflow.com/questions/75993438/can-dictionary-json-like-objects-be-created-using-eval-in-splunk/75995457#75995457 via IFTTT
Answer by warren for How to display the total count in a page and overall total count for a column in splunk dashboard
Sounds like you want to sort your data to put the totals row on top (though, of course, it might move if you sort by clicking afterwards):
<search>
| addcoltotals
| sort 0 -someFieldThatHasBeenTotaled
Always use | sort 0 so that if you have more than 10k rows, Splunk doesn’t truncate the resultset at …
Answer by warren for Assigning a subsearch result to a variable
I would probably do this as separate searches on the dashboard, unless there was an overwhelming need to have it all in one.
Alternatively, you could | append each search, & | stats values at the end like this:
index=ndx sourcetype=srctp "middleware 1" "domain1.tld" userid=*
| stats dc(userid) as domain1users
| append [| search index=ndx …
Answer by warren for Find duration between 2 events in splunk
Is it safe to assume the id field is unique? If so, you can improve on @Tom's answer thusly:
index=ndx sourcetype=srctp ("start mode" OR "stop mode")
| stats min(_time) as start max(_time) as end by id
| eval duration=end-start
| eval start=strftime(start,"%c"), end=strftime(end,"%c")
from User warren – Stack Overflow https://stackoverflow.com/questions/75871034/find-duration-between-2-events-in-splunk/75879110#75879110 via IFTTT
Answer by warren for Splunk – Remove Curly Braces from Result
Is it safe to assume the fields statusCode and duration currently hold "{ 200 }" and "{ 277.429137ms }", respectively? Instead of using a regular expression to create a new field, use eval ... replace to clean up the fields you have:
| eval statusCode=replace(statusCode,"\D","")
| eval duration=replace(duration,"[^\.\w]","")
Alternatively, if you don’t have those fields …
Answer by warren for Splunk Phantom API Retrieve Document from Vault
Based on https://docs.splunk.com/Documentation/Phantom/4.10.7/PlatformAPI/RESTVault, it appears you’re doing the right thing already: What seems not to be happening when you hit that API endpoint? from User warren – Stack Overflow https://stackoverflow.com/questions/75750855/splunk-phantom-api-retrieve-document-from-vault/75758158#75758158 via IFTTT
Answer by warren for Final comma in regex
This seems to do what you’re asking for:
[\D^]\d\d?(\,\d{1,2})$
Start with either a non-digit or the beginning of the line
Match one or 2 digits
Then a comma plus 1-2 digits (but no more)
from User warren – Stack Overflow https://stackoverflow.com/questions/75672986/final-comma-in-regex/75673993#75673993 via IFTTT
Answer by warren for How can I extract all fields from my DB Connect results in Splunk?
As RichG commented, seeing this sourcetype’s props.conf is going to aid greatly. In lieu of that, however, you can start with the regular expression in this run-anywhere example:
| makeresults
| eval _raw="2023-02-28 15:40:50.760, AUDIT_TYPE=\"Standard\", OS_USERNAME=\"Administrator\", TERMINAL=\"unknown\", DBUSERNAME=\"RACOON\", CLIENT_PROGRAM_NAME=\"SQL Developer\", STATEMENT_ID=\"978\", EVENT_TIMESTAMP=\"2023-02-28 18:40:50.76\", ACTION_NAME=\"ALTER USER\", OBJECT_NAME=\"SPLUNK\", SQL_TEXT=\"ALTER USER \"SPLUNK\" DEFAULT ROLE \"CONNECT\",\"AUDIT_VIEWER\"\", SYSTEM_PRIVILEGE_USED=\"SYSDBA\", CURRENT_USER=\"SYS\", UNIFIED_AUDIT_POLICIES=\"ORA_SECURECONFIG\""
…
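The sample event in the answer above carries unescaped double quotes inside SQL_TEXT, which is exactly where a first-cut KEY="value" regex stops early. The Python below is an added example, not code from the answer or the thread: it parses that same event (with the makeresults escaping removed so it reads as the raw line) using a delimiter-aware pattern, shows the naive pattern's failure beside it, and flags the event as a privileged account change. The privileged-action list and the _time_text field name are this example's own assumptions. Python's re spells named groups (?P<name>...); the Splunk rex equivalent takes (?<name>...).

```python
import re

# The event from the answer above, with the `\"` escaping of the makeresults
# example removed so this is the raw text Splunk would actually index.
RAW = ('2023-02-28 15:40:50.760, AUDIT_TYPE="Standard", OS_USERNAME="Administrator", '
       'TERMINAL="unknown", DBUSERNAME="RACOON", CLIENT_PROGRAM_NAME="SQL Developer", '
       'STATEMENT_ID="978", EVENT_TIMESTAMP="2023-02-28 18:40:50.76", '
       'ACTION_NAME="ALTER USER", OBJECT_NAME="SPLUNK", '
       'SQL_TEXT="ALTER USER "SPLUNK" DEFAULT ROLE "CONNECT","AUDIT_VIEWER"", '
       'SYSTEM_PRIVILEGE_USED="SYSDBA", CURRENT_USER="SYS", '
       'UNIFIED_AUDIT_POLICIES="ORA_SECURECONFIG"')

# Naive extraction: the value ends at the first quote, so SQL_TEXT is truncated.
NAIVE_RE = re.compile(r'(\w+)="([^"]*)"')

# Delimiter-aware extraction: a value runs up to a quote that is immediately
# followed by the next `, KEY="` delimiter or end of line, so quotes inside a
# value survive. (A value that itself contains `", KEY="` would still be
# ambiguous; nothing in this format can disambiguate that.)
PAIR_RE = re.compile(
    r'(?:^|, )(?P<key>[A-Z][A-Z0-9_]*)="(?P<value>.*?)"(?=, [A-Z][A-Z0-9_]*="|$)'
)

# Assumed list of account/role changes worth alerting on when done under a
# system privilege; tune to the policy in force.
PRIVILEGED_ACTIONS = {"ALTER USER", "CREATE USER", "DROP USER", "GRANT", "REVOKE"}


def parse_naive(raw):
    """First-cut extraction, kept only to show where it breaks."""
    return dict(NAIVE_RE.findall(raw))


def parse_audit(raw):
    """Return {KEY: value} for every pair, plus the leading timestamp text
    under the assumed name '_time_text'."""
    fields = {m["key"]: m["value"] for m in PAIR_RE.finditer(raw)}
    fields["_time_text"] = raw.split(", ", 1)[0]
    return fields


def is_privileged_change(fields):
    """True when an account/role change was executed under a system privilege
    such as SYSDBA, i.e. SYSTEM_PRIVILEGE_USED is non-empty."""
    return (fields.get("ACTION_NAME") in PRIVILEGED_ACTIONS
            and bool(fields.get("SYSTEM_PRIVILEGE_USED")))


if __name__ == "__main__":
    fields = parse_audit(RAW)
    print("naive SQL_TEXT :", repr(parse_naive(RAW)["SQL_TEXT"]))
    print("robust SQL_TEXT:", repr(fields["SQL_TEXT"]))
    print("privileged change:", is_privileged_change(fields),
          "by", fields["CURRENT_USER"], "as", fields["DBUSERNAME"])
```

Verifying the pattern this way before turning it into a props/transforms extraction is cheaper than iterating inside Splunk, and the naive/robust comparison is the check to keep around: a field extraction that silently truncates SQL_TEXT hides the one value an auditor wants.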
Answer by warren for Run predefined search sub-query in splunk
@RichG's suggestion is a good one. However, you may also want to look at making a lookup table so you can do something like this:
index=ndx sourcetype=srctp [| inputlookup myhosts.csv ] "MyClass" id IN(3,6)
If you "always" want to look for hosts out of a list (inclusively), using a manageable lookup table is likely going …
Answer by warren for Need Powershell script to point client machines to new splunk deployment server
Have you considered just deploying a new app from your old Deployment Server that updates where every UF should check-in to the new Deployment Server(s)? This is how I’ve done it every time I’ve needed to.
from User warren – Stack Overflow https://stackoverflow.com/questions/75559924/need-powershell-script-to-point-client-machines-to-new-splunk-deployment-server/75560351#75560351 via IFTTT
Answer by warren for When loading a CSV via the UI, is it possible to use the filename to obtain the timestamp?
I have not tried this, but per docs.Splunk: Set DATETIME_CONFIG = NONE to prevent the timestamp processor from running. When timestamp processing is off, Splunk Enterprise does not look at the text of the event for the timestamp and instead uses the event time of receipt, the time the event arrives through its input. For …
Answer by warren for Splunk Alert when no events/ zero count of events
Most likely, this is not a search problem; it’s an Alert config change that’s needed. Edit your Alert actions thusly:
from User warren – Stack Overflow https://stackoverflow.com/questions/75527983/splunk-alert-when-no-events-zero-count-of-events/75534864#75534864 via IFTTT
Answer by warren for Finding optimum CPU limit for docker containers in Splunk
"Optimum" is going to depend greatly on your own environment (resources available, application priority, etc). You probably want to look at a combination of the following factors:
avg(CPU)
max(CPU) (and time spent there)
min(CPU) (and time spent there)
I suspect your "optimum" limit is going to be a % below your max…but only if you’re …
Answer by warren for Search using previous query’s values
You certainly can sequentially build a search like this, but you’re likely better off doing it this way:
index=ndx sourcetype=srctp someField IN("my","list","of","values") "string_value"
| stats values(someField) as someField
The more you can put in your initial search, the better (in general).
from User warren – Stack Overflow https://stackoverflow.com/questions/75454910/search-using-previous-querys-values/75460544#75460544 via IFTTT
Answer by warren for How to find time duration between two splunk events which has unique key
Try doing it with stats instead:
index=ndx sourcetype=srctp
| rex field=_raw "req\-id\S+(?<req_id>\d+)"
| rex field=_raw "com.a.b.App \- (?<sequence>Making a GET Request)"
| rex field=_raw "com.a.b.App \- (?<sequence>Output Status Code)"
| eval sequence=sequence+";"+_time
| stats values(sequence) as sequence by req_id
| mvexpand sequence
| rex field=sequence "(?<sequence>[^;]+);(?<time>\d+)"
| eval time=strftime(time,"%c")
This will extract the "req-id" into …
Answer by warren for Splunk filter one search by another
I believe this is what you’re looking for:
index=main sourcetype=srctp orderNumber=* "failed insert" NOT [search index=main sourcetype=srctp orderNumber=* "successful insert" | stats count by orderNumber | fields - count ]
| stats count by orderNumber
| fields - count
First, stats is going to be a lot more performant than dedup. Second, so long as …
Answer by warren for Splunk subsearch is not returning the data I expect it to return
You should be able to combine it all in one go:
index=ndx (source=source1 OR source=source2)
| rex field=_raw "Naam[^:]+:\s(?<user1>\S+)"
| rex field=_raw "User:(?<user2>\S+)\s(?<msg>.+)"
| eval user=coalesce(user1,user2)
| stats max(_time) as _time latest(msg) as msg by user
What this does: extract two fields (user1 & user2) from your two sources, coalesce them into one field named …
Answer by warren for Extracting a count from raw splunk data by id
Presuming the pin status and ID have not been extracted:
index=ndx sourcetype=srctp "pin" "match" OR "mismatched"
| rex field=_raw "pin (?<pin_status>\w+)"
| rex field=_raw "id (?<id>\S+)"
| eval status_time=pin_status+"|"+_time
| stats earliest(status_time) as beginning latest(status_time) as ending by id
| eval beginning=split(beginning,"|"), ending=split(ending,"|")
| eval beginning=mvindex(beginning,-1), ending=mvindex(ending,-1)
| table id beginning ending
| sort 0 …
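Several of the answers above reduce to one computation: the first answer on the page (a "Local Step started" with no "Copy Step successful"), the start/stop-mode duration by id, the req-id GET-request/status pairing, the failed insert with no matching successful insert, and the earliest/latest pin status per id all group events by a key, take the earliest start and the latest end, and report either the gap between them or the keys where the end never arrived. The Python below is an added example, not code from any of those answers; it runs that computation offline over a constructed log in the req-id layout of the GET-request answer (the `req-id=<n>` field, the timestamp format and the logger name are assumptions). Python's re spells named groups (?P<name>...) where Splunk's rex takes (?<name>...).

```python
import re
from datetime import datetime

# Constructed sample log (not from any of the Stack Overflow threads). Assumed
# layout: "<timestamp> req-id=<n> <logger> - <message>". 1001 and 1003 complete,
# 1002 starts and never finishes, and 1003 logs its status line twice so the
# latest end wins, as max(_time) would in Splunk.
SAMPLE_LOG = """\
2023-04-12 10:00:01 req-id=1001 com.a.b.App - Making a GET Request
2023-04-12 10:00:02 req-id=1002 com.a.b.App - Making a GET Request
2023-04-12 10:00:03 req-id=1003 com.a.b.App - Making a GET Request
2023-04-12 10:00:04 req-id=1001 com.a.b.App - Output Status Code 200
2023-04-12 10:00:09 req-id=1003 com.a.b.App - Output Status Code 500
2023-04-12 10:00:10 req-id=1003 com.a.b.App - Output Status Code 500
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
# Python needs (?P<name>...); the equivalent rex would use (?<name>...).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) req-id=(?P<key>\d+) .*? - (?P<msg>.+)$"
)


def parse(lines):
    """Yield (timestamp, key, message) for every line matching LINE_RE;
    lines that do not match are skipped, as rex would leave them unextracted."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["key"], m["msg"]


def pair_events(lines, start_marker, end_marker):
    """Mirror `stats min(_time) as start max(_time) as end by key` over the
    start/end events only. Returns {key: {"start", "end", "duration"}}; "end"
    and "duration" stay None for a key that never produced an end event."""
    sessions = {}
    for ts, key, msg in parse(lines):
        s = sessions.setdefault(key, {"start": None, "end": None, "duration": None})
        if start_marker in msg:
            s["start"] = ts if s["start"] is None else min(s["start"], ts)
        elif end_marker in msg:
            s["end"] = ts if s["end"] is None else max(s["end"], ts)
    for s in sessions.values():
        if s["start"] is not None and s["end"] is not None:
            s["duration"] = (s["end"] - s["start"]).total_seconds()
    return sessions


def incomplete(sessions):
    """Keys that started but never ended: the `where mvcount(status)<2` and
    `NOT [subsearch of successes]` idioms from the answers above."""
    return sorted(k for k, s in sessions.items()
                  if s["start"] is not None and s["end"] is None)


if __name__ == "__main__":
    sessions = pair_events(SAMPLE_LOG.splitlines(),
                           "Making a GET Request", "Output Status Code")
    for key, s in sorted(sessions.items()):
        print(key, s["start"], s["end"], s["duration"])
    print("never completed:", incomplete(sessions))
```

Two design points carry back to the SPL versions: the end event is taken as the latest one (max), so a retried step does not shorten the measured duration, and keys that only ever produced an end event are not reported as incomplete, which is the same blind spot a NOT-subsearch has when the start event was never indexed.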
Answer by warren for Regex to match part of a hex
Is the f2 surrounded by asterisks?
Without asterisks:
00 00 00 [a-f0-9]+ (?<hexits>[a-f0-9]+).+78
With asterisks:
\*(?<hexits>[a-f0-9]+)\*
from User warren – Stack Overflow https://stackoverflow.com/questions/75315320/regex-to-match-part-of-a-hex/75315348#75315348 via IFTTT
Answer by warren for Capture last element either between or after / and before?
Go simple – regular expressions are all well and good, but split() is much easier (and, very often, much faster):
index=ndx sourcetype=srctp url=*
| eval url=split(url,"/")
| eval lastpart=mvindex(url,-1)
This splits the field url into a multivalue field using the forward slash (‘/‘) as the delimiter. Then select the last entry using mvindex and the …
Answer by warren for Splunk Query to get comma separated value as single value
You may need to custom-extract the value (until you can get the sourcetype’s props.conf and transforms.conf updated). Something like this should work:
<search>
| rex field=_raw "device=(?<device>\S+)"
<rest of search>
from User warren – Stack Overflow https://stackoverflow.com/questions/75235524/splunk-query-to-get-comma-separated-value-as-single-value/75248139#75248139 via IFTTT