Channel: Latest Questions on Splunk Answers

Regular Expression (RegEX) Extracting Field from String Contains

Hi,

I'm trying to extract the third comma-delimited column with the string "ABC" in it.

example data:

QWE ALL,06/12/2014 15:36:14,0.9678687876
QW,06/12/2014 15:36:12,0.5645564664
ERM,06/12/2014 15:36:11,0.3424234242
MJK,06/12/2014 15:36:10,0.2342344342
ABC PLD01234; THIS IS TEST MESSAGE FROM PLD01234 FOR MACHINE ABB231,06/12/2014 15:36:09,0.654354326
ABC PLDS; THIS IS TEST ,06/12/2014 15:36:07,3.564647835
FGH FG456,06/12/2014 15:36:06,0.543574354

I need the expression to extract 0.654354326 and 3.564647835.

I was trying (^|)ABC |$)[^ \n]* \d+:\d+:\d+,(?P<FIELDNAME>.+) but have not had any luck. Any ideas?
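The pattern in the question fails because its parentheses are unbalanced and `[^ \n]*` cannot cross the spaces inside the first column. The following is an added example, not part of the original post: it anchors on the leading ABC, walks over the first two comma-delimited columns without crossing a comma, and captures the third. The sample rows are a constructed copy of the data above.

```python
import re

# Constructed copy of the sample rows from the question.
SAMPLE_DATA = """\
QWE ALL,06/12/2014 15:36:14,0.9678687876
QW,06/12/2014 15:36:12,0.5645564664
ABC PLD01234; THIS IS TEST MESSAGE FROM PLD01234 FOR MACHINE ABB231,06/12/2014 15:36:09,0.654354326
ABC PLDS; THIS IS TEST ,06/12/2014 15:36:07,3.564647835
FGH FG456,06/12/2014 15:36:06,0.543574354
"""

# Anchor on "ABC" at the start of the event, consume the first two
# comma-delimited columns with [^,]* (the first column may contain
# spaces and ';'), then capture the numeric third column.
ABC_THIRD_COLUMN = re.compile(r"^ABC[^,]*,[^,]*,(?P<FIELDNAME>\d+\.\d+)\s*$")


def extract_abc_values(raw: str) -> list[float]:
    """Return the third column of every event whose first column starts with ABC."""
    values = []
    for line in raw.splitlines():
        m = ABC_THIRD_COLUMN.match(line)
        if m:
            values.append(float(m.group("FIELDNAME")))
    return values
```

The same pattern can be used unchanged inside a Splunk rex command, since both use PCRE-style named groups.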


Duplicate entries produced by saved search in summary index

I have 28 saved searches and each one of the searches is executed at 5-minute gaps. Even though I have dispersed the schedule, the summary index has double the entries of the saved searches. Any ideas or solutions are appreciated.

How to extract date and time in Splunk?

I am having problems getting Splunk to recognize the date/time. The txt file I am extracting data from has multiple sources. Each source can have a different date/time format. Right now we are using two different types of events but will add new ones in the future. One of the two formats only includes a date. The other format has a date and a time, but they are not grouped together. See the example below.

ODEPR  ;04/28/14 ;1D81;CHM_retrieveIntmdDtlMDMPrntInqry ;ValidateResponse ;0.000 ;0.001 ;10704 ;PRO1BAT1 ;ValidateNode ;MQS2BRK
NODENP  ;06/12/14 ;1B90;0:22 ;PYM_entityCheckPatriotAct43A_MF ;FilterEndOfBatch ;0.000 ;0.000 ;9 ;TST1TRN3 ;FilterNode ;MQS9BRK

Any help you can provide would be greatly appreciated.

Thank you, Don

Dashboard panels

Are you able to export data from a dashboard panel with this app? If so, would you have to use advanced XML?

Stop Indexing at License Cap

I have a 10GB indexing license, and for the first time we have exceeded the limit. I know for sure exactly which input caused this, and I would like to know if there is a way to tell Splunk to stop indexing this input's data if the license quota hits 90%.

This data is coming directly from tcp, so the data will be lost but this is preferred over the other data on the system. Is there any way to do this?

Thanks.

How to input checkbox visualization in dashboard or use Sideview Utils?

Hi, I am trying to use the checkbox input in my dashboard. I was following the same example in the link below but it did not work. It does not show me the input itself.

http://docs.splunk.com/Documentation/Splunk/6.1.1/Viz/PanelreferenceforSimplifiedXML#input_.28checkbox.29

Then I downloaded Sideview Utils but I did not understand how that works either. I know it's possible to do it in Sideview Utils but I could not figure it out .... :(

Any help with steps in how to do the checkbox will be much appreciated.

Thanks

How to set up a Splunk alert between given times

I kept cycling through the options for the alert, and I couldn't figure out a way that allows me to set up an alert to run in real time but only between the hours of 7:00PM and 6:00AM. Is there a way?

Find a user's first logon and last logoff for the day over 30 days

I am able to get a user's first and last logon/logoff event for a single day, but I cannot figure out how to get it to work per day over 30 days. This is the search I am using now that works for a single day.

sourcetype=wineventlog:security user=<userid>| eval time=strftime(_time, "%m/%d/%y %H:%M:%S") |timechart span=1d earliest(time) as start, latest(time) as stop by user

Anyone have an idea how I can make it show this data for multiple days?

Thanks in advance!


PDF Export and Eval

6.1.1 known issues: Events format settings like list, table, max lines, wrapping do not apply to PDF reports and are not used. (SPL-67491)

We're using eval to do comma formatting on some fields: eval Merch=tostring(Merch,"commas")

and noticed that in the generated PDF, fields formatted with commas are not aligned like they are in the dashboard. The other numbers are right aligned; these are left aligned.

(dashboard) |Merch | | 1,260.00|

(exported pdf) |Merch | |1,260.00 |

Disable the Universal Forwarder Clients

What is the best way to disable the Universal Forwarder clients sending data to the indexer?

I tried deploying an app with inputs.conf

[default] disabled=1

to disable all inputs, so that no data is sent to the indexer.

Or I could change the outputs.conf on the client using the deployment server.

I want to be able to disable the UF clients.

Sendemail to recipient from a field

Hello,

Is it possible with Splunk V6 to dynamically mail an alert based on a field which contains the mail addy?

I have a lookup list where I can show the owner of IPs or host systems, and I want the system owner to be notified via mail if an error/outage happens.

I want to avoid developing a Python script and using it with script execution within alerts or scheduled reports.

Thanks a lot Matthias

db connect giving an error: no such database available for this user

Hi,

We recently migrated to new servers and upgraded to Splunk 6.1.1. On one of our dashboards, the DB Connect reports are blank and an error icon appears with the message "there is no such database available for this user". As an admin, I can see this feed, and it works. Do I need to do something to make it available to everyone? (Oh yeah, we implemented LDAP and new roles as well...)

Checking conf files for problems...

On Splunk start up I see:
Undocumented key used in transforms.conf; stanza='anon' setting='DEST_KEY' key='raw'
Please resolve these problems by correcting typos in key names, or by adding them to [accepted_keys] in transforms.conf if they are intended.
All preliminary checks passed.

How can I run this check from the CLI? Is there some python script I can kick off?

How to set alert emails to send in plain text in splunk 6?

Hi,

In Splunk 5, there was an option for sending plain text for emails. I don't see that option anywhere in Splunk 6. How do I set that? The system settings had "Results format when included inline". That option is now gone.

Transaction with changing transitive field?

I am trying to create transactions based on two fields where one changes and one is not always present. For example, I want a single transaction of the following events:

event=1 pid=1
event=2 pid=1 qid=2
event=3 pid=2 qid=2

But what I get is 2 transactions, with "...|transaction qid pid":

event=1 pid=1
event=2 pid=1 qid=2

and

event=3 pid=2 qid=2

Is it possible to make transaction do this? The only solution I have been able to think of is to null the pid field for the "event=3" sort of events, but that seems ugly. I have tried the various parameters to transaction, such as connected, unifyends, but they have made no difference.

Just in case my simplified example is inconsistent with reality, the real events are Sendmail submission logs, where the name of the authenticated sender has no queue ID and can only be correlated with the actual messages sent by the PID (and host). (No idea what's going to happen if/when I get looking for multiple messages related to a single authentication event.)

Here's a scrub'd example of my results.

First transaction:

madonna sendmail[10102]: r2RPOYuJ011100: to=<Hildred_Joan@example.com>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=000404, relay=marget-h0.example.com. [178.115.54.001], dsn=2.0.0, stat=Sent (Ok: queued as 502VQ10L21)

Second transaction:

madonna sendmail[02104]: AUTH=server, relay=host-167-042.dina.ben.edu [031.002.167.042], authid=hpjmm1@ben.edu, mech=PLAIN, bits=0
madonna sendmail[02104]: r2RPOYuJ011100: from=<hpjmm1@ben.edu>, size=10405, class=0, nrcpts=1, msgid=<V2K3020H-7264-3WMX-632E-T4X004IM01A0@ben.edu>, proto=ESMTP, daemon=MSA, relay=host-167-042.dina.ben.edu [031.002.167.042]

FWIW, I'm still on 5.0.3.
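The correlation the post is after (an AUTH line that has only a PID, joined to the message whose from= line carries both that PID and the queue ID, joined in turn to the to= line that shares the queue ID but a different PID) can be done in two passes: first learn a host+PID to queue ID binding from every event that carries both, then assign each queue-ID-less event to the queue ID its host+PID is bound to. This is an added example in Python, not the poster's search or Splunk's transaction command; the log lines are constructed, scrubbed copies of the ones above plus one unrelated noise line.

```python
import re
from collections import defaultdict

# Constructed, scrubbed sendmail lines modelled on the question; the last is noise.
LOG = [
    "madonna sendmail[02104]: AUTH=server, relay=host-167-042.dina.ben.edu [031.002.167.042], authid=hpjmm1@ben.edu, mech=PLAIN, bits=0",
    "madonna sendmail[02104]: r2RPOYuJ011100: from=<hpjmm1@ben.edu>, size=10405, class=0, nrcpts=1, proto=ESMTP, daemon=MSA",
    "madonna sendmail[10102]: r2RPOYuJ011100: to=<Hildred_Joan@example.com>, delay=00:00:00, mailer=esmtp, dsn=2.0.0, stat=Sent (Ok: queued as 502VQ10L21)",
    "madonna sendmail[99999]: STARTTLS=server, relay=host-1.example.com [192.0.2.10], version=TLSv1/SSLv3, verify=NO",
]

# host, PID, optional 14-character sendmail queue ID, then the rest of the message.
LINE_RE = re.compile(
    r"^(?P<host>\S+) sendmail\[(?P<pid>\d+)\]: (?:(?P<qid>[A-Za-z0-9]{14}): )?(?P<msg>.*)$"
)


def correlate(lines):
    """Group events by queue ID, pulling in queue-ID-less events (e.g. AUTH) via host+PID."""
    parsed = [m.groupdict() for m in map(LINE_RE.match, lines) if m]

    # Pass 1: host+PID -> queue ID, learned from any event that carries both.
    # setdefault keeps the first binding; a production version would expire
    # bindings by time, since PIDs are reused across messages.
    pid_to_qid = {}
    for ev in parsed:
        if ev["qid"]:
            pid_to_qid.setdefault((ev["host"], ev["pid"]), ev["qid"])

    # Pass 2: attach every event to its queue ID, directly or through the PID bridge.
    groups = defaultdict(list)
    for ev in parsed:
        qid = ev["qid"] or pid_to_qid.get((ev["host"], ev["pid"]))
        if qid is None:
            continue  # nothing ties this line to a message, so it stays out of every transaction
        groups[qid].append(ev["msg"])
    return dict(groups)
```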


How to configure environment and EMC CEE Framework to audit an Isilon Cluster?

Hi,

I am trying to test your application to audit an Isilon cluster. I'm running Splunk v6.1 on my server.

First I installed the EMC CEE Framework and configured it in regedit to enable it. Second, I configured my cluster with the CEE URL. Third, I installed your app on Splunk. Fourth, I configured your app in the managed inputs (Splunk Web).

I cannot find the file emc_cee_config.xml; could you indicate where I can find it?

For the moment I don't have any input in the Splunk index I created for this.

Kind regards,

External script max input limit

I am trying to run an external Python script on an index with 100,000 events, but every time I run the script only 50,000 events are processed by the script. I tried adding the parameter maxinputs but that did not work either. Do I have to change any of the conf files?

How to group together events based on their relative distance in _time?

Hello All,

I'm trying to figure out how to group certain events together if they happen within 1 second of each other's relative _time (they happened <= one second from each other).

Current search, as an example:

sourcetype=logins login_server="server_01" login_server="server_02" login_server="server_03"  | stats  values(login_server) count(login_server) AS UniqueEventCount dc(login_server) AS UniqueServerCount by HostName, User | sort -UniqueServerCount | where UniqueServerCount > 1

What the above answers is: "Show me the events where a host and user name logs into two or more different login servers". What I need to add is that I only want to show events that log into two or more login servers within 1 second of each other.

Bucket does not do this as two events can fall within 1 second of each other, but not fall into the same one second buckets markers.

Any ideas?
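The bucket problem described above goes away if events are clustered by the gap to their nearest neighbour instead of by fixed one-second boundaries: sort each host+user's logins by time, and chain an event onto the current cluster while it is at most one second after the previous one. This is an added Python example, not the poster's search; the login events are constructed, and the one-second window and the requirement of two or more distinct servers follow the search in the post.

```python
from collections import defaultdict

# Constructed login events: (epoch seconds, HostName, User, login_server).
EVENTS = [
    (1402611360.2, "host1", "alice", "server_01"),
    (1402611360.9, "host1", "alice", "server_02"),  # 0.7s after the first
    (1402611361.1, "host1", "alice", "server_03"),  # 0.2s after the previous, 0.9s after the first
    (1402611370.0, "host1", "alice", "server_01"),  # isolated, 8.9s later
    (1402611400.5, "host2", "bob", "server_02"),
    (1402611401.4, "host2", "bob", "server_02"),    # within 1s but the same server
]


def _report(host, user, cluster):
    """Emit a hit only when the cluster touches two or more distinct login servers."""
    servers = sorted({server for _, server in cluster})
    if len(servers) < 2:
        return []
    return [(host, user, servers, cluster[-1][0] - cluster[0][0])]


def burst_logins(events, window=1.0):
    """Return (host, user, servers, span_seconds) for each run of logins by one
    host+user where every consecutive pair is <= window seconds apart and at least
    two distinct servers are involved. Chaining by gap, rather than by fixed buckets,
    keeps a pair that straddles a bucket boundary in the same cluster."""
    by_key = defaultdict(list)
    for ts, host, user, server in events:
        by_key[(host, user)].append((ts, server))

    hits = []
    for (host, user), evs in by_key.items():
        evs.sort()
        cluster = [evs[0]]
        for ev in evs[1:]:
            if ev[0] - cluster[-1][0] <= window:
                cluster.append(ev)
            else:
                hits.extend(_report(host, user, cluster))
                cluster = [ev]
        hits.extend(_report(host, user, cluster))
    return hits
```

This gap-chaining is the behaviour of transaction's maxpause option in SPL; the Python version shows what that grouping computes and can be run over exported results when the search itself is hard to get right.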

How to extract fields from vsftpd logs in Splunk 6.0.1?

I'm struggling to get Splunk 6.0.1 to properly extract fields from vsftpd logs. The log format is space separated values like so:

Thu Jun 12 23:50:13 2014 1 11.22.33.44 551 /example.tif a _ o r ftpuser4 ftp 0 * c

Those break down as follows (value, then field name):

Thu Jun 12 23:50:13 2014 current-time
1 transfer-time
11.22.33.44 remote-host
551 byte-count
/example.tif filename (this one can be complicated by additional directories in the path, e.g. /images4/example.tif)
a transfer-type
_ special-action-flag
o direction
r access-mode
ftpuser4 username
ftp service-name
0 authentication-method
* authenticated-user-id
c completion-status

What I'm struggling with is that the field extractions are sometimes picking up the current-date year as the transfer-time value, which then throws the rest of the extractions out of whack.
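The year and the transfer-time are both bare integers, so an extraction that treats the timestamp as four loose tokens can slip by one field and read 2014 as the transfer-time. Pinning the timestamp to its exact shape (weekday, month, day, hh:mm:ss, four-digit year) removes the ambiguity, and matching the filename non-greedily up to the fixed run of trailing single-character fields copes with paths that contain directories or spaces. This is an added Python example, not the poster's extraction or Splunk's own xferlog parsing; the field order is the one listed in the post.

```python
import re
from datetime import datetime
from typing import Optional

# One regex per field, in the xferlog order given in the question.  The
# timestamp is matched by shape so its year can never be taken as transfer-time.
XFERLOG_RE = re.compile(
    r"^(?P<current_time>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<transfer_time>\d+) "
    r"(?P<remote_host>\S+) "
    r"(?P<byte_count>\d+) "
    r"(?P<filename>.+?) "              # non-greedy: path may contain '/' and spaces
    r"(?P<transfer_type>[ab]) "
    r"(?P<special_action_flag>[CUT_]) "
    r"(?P<direction>[oid]) "
    r"(?P<access_mode>[agr]) "
    r"(?P<username>\S+) "
    r"(?P<service_name>\S+) "
    r"(?P<authentication_method>[01]) "
    r"(?P<authenticated_user_id>\S+) "
    r"(?P<completion_status>[ci])$"
)


def parse_xferlog(line: str) -> Optional[dict]:
    """Parse one xferlog line into typed fields, or return None if it does not fit."""
    m = XFERLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["current_time"] = datetime.strptime(rec["current_time"], "%a %b %d %H:%M:%S %Y")
    rec["transfer_time"] = int(rec["transfer_time"])
    rec["byte_count"] = int(rec["byte_count"])
    return rec
```

The same regex, with its named groups, can be placed in an EXTRACT-<name> setting in props.conf for the vsftpd sourcetype so Splunk performs the extraction at search time.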

How to format X-axis in hour increments?

Hello,

I have a timechart consisting of performance values on the Y-axis and time on the X-axis. The longest time it will cover is 24 hours, sometimes it covers less. I want the chart to be displayed on the dashboard with 1 hour increments on the X-axis. I tried following the advice here: http://answers.splunk.com/answers/91717/timechart-x-axis but this solution did not work for me (I changed P0Y0M0DT0H30M0S to P0Y0M0DT1H0M0S, but neither worked).

Thanks!
