Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- About saurabhkharkar
saurabhkharkar
Path Finder
Member since:
12-14-2018
01-20-2022
Community Statistics
| Posts | 35 |
| Solutions | 2 |
| Karma Given | 3 |
| Karma Received | 5 |
| Member Since | 12-14-2018 |
Activity Feed
- Got Karma for Re: Use rex to remove leading zeros. 03-31-2022 06:17 AM
- Posted is there a way to find out when a correlation search was created in Splunk ES ? on Splunk Enterprise Security. 01-20-2022 06:54 AM
- Posted Regex to match lines with multiple src_ip on Splunk Search. 09-03-2021 08:46 AM
- Karma Re: How do you extract a string within a longer string using regex? for whrg. 06-05-2020 12:50 AM
- Got Karma for Re: How do you exclude results based on multiple fields?. 06-05-2020 12:50 AM
- Got Karma for Re: Is it possible to search for a specific email scheme? (not a specific string of characters). 06-05-2020 12:50 AM
- Got Karma for Re: regex not working. 06-05-2020 12:50 AM
- Got Karma for Re: Can you help me figure out why the regex in my search results is coming back blank?. 06-05-2020 12:50 AM
- Karma How to extract field using mode=sed for name extraction? for karthi2809. 06-05-2020 12:49 AM
- Karma Re: Count By Date for yannK. 06-05-2020 12:46 AM
- Posted Re: Need help to write regex. on Splunk Enterprise Security. 08-01-2019 12:04 PM
- Posted Re: regex not working on Splunk Search. 06-13-2019 12:24 PM
- Posted Re: regex not working on Splunk Search. 06-13-2019 12:06 PM
- Posted Re: Regex ignore adding underscore if there is a dash on Splunk Search. 04-18-2019 10:51 AM
- Posted Re: Is it possible to search for a specific email scheme? (not a specific string of characters) on Splunk Search. 04-16-2019 11:21 AM
- Posted Re: How do I group two fields (multivalued)? on Splunk Search. 02-14-2019 06:24 AM
- Posted Re: With regex, can you help me with a matching issue for a blank space? on Splunk Search. 02-10-2019 11:02 AM
- Posted Re: With regex, can you help me with a matching issue for a blank space? on Splunk Search. 02-10-2019 07:48 AM
- Posted Re: regex field extraction - match field in double quotes after sting match on Splunk Search. 02-01-2019 10:20 AM
- Posted Re: Can you help me figure out why the regex in my search results is coming back blank? on Splunk Search. 01-29-2019 07:41 AM
Topics I've Started
01-20-2022
06:54 AM
I was able to find the date when the correlation search was last updated, but cant seem to find the original creation date of a correlation search.
... View more
Labels
09-03-2021
08:46 AM
Hello, To pull in specific events in splunk i am trying to write a regex to identify lines that matches both the conditions 1: app_protocol=http or https 2. src_ip = starts with 15. or 16. This is what i have , but doesnt seem to be working , am i doing somting wrong ? .*app_protocol=HTTP|S\s.*(src_ip\=15\.\d+\.\d+\.\d+|16.\.\d+\.\d+\.\d+)*
... View more
Labels
- Labels:
-
regex
08-01-2019
12:04 PM
| makeresults
|eval string="Jan 2 20:29:35 10.10.10.10 -: SampleLog%%1428 # MINOR # jegan # SSO # User login # SSO # Success # User login successful.#"
| rex mode=sed field=string "s/\#*$//"
| rex field=string "(?<message>[^\#]*$)"
| table string message
Explanation :
| rex mode=sed field=string "s/\#*$//" -> replaces the last # with nothing
| rex field=string "(?<message>[^\#]*$)" -> captures everything after the last # and dumps it in a new field 'message'
... View more
06-13-2019
12:24 PM
1 Karma
| makeresults
| eval string ="c:\ABC\DEF\LOGS\1.LOG"
| rex field=string ".*?\\\\\w+\\\(?<extract_attribute>\w+).+"
| table string extract_attribute
... View more
04-18-2019
10:51 AM
Try this
| makeresults
| eval attachment="Filename ABC - 2019 111 CT.pdf"
| rex mode=sed field=attachment "s/\s-\s/-/g"
| rex mode=sed field=attachment "s/\s/_/g"
| table attachment
... View more
04-16-2019
11:21 AM
1 Karma
Does this help ?
| makeresults
| eval email="recipient1234@gmail.com"
| rex field=email "(?<username>[A-Za-z]+\d{3,})\@(?<domain>\S+)"
| table email username domain
[A-Za-z]+\d{3,} -> will find a string with upper case or lower case characters followed by three or more numbers and will extract it to the field username
\S+ -> Captures anything but a white space after the @ and extracts it to the dield domain
... View more
02-14-2019
06:24 AM
just | stats values(Group) as Group by User should be enough
... View more
02-10-2019
11:02 AM
seems to be working fine for me
run this search - string is your sample log
| makeresults
| eval string="SHA: 829d93a28c73a03e832201de5159994, File: Time: 1537775701 details[File Analysis ]"
|rex field=string "SHA:\s(?<SHA>[^\,\"]+)\,\sFile:\s(?<File>.*?)Time:\s(?<Time>\d+)\s.+"
| table SHA File Time
... View more
02-10-2019
07:48 AM
Try this
SHA:\s(?<SHA>[^\,\"]+)\,\sFile:\s(?<File>.*?)Time:\s(?<Time>\d+)\s.+
| table SHA File Time
... View more
02-01-2019
10:20 AM
Try this
|rex field=_raw "POST\"\,\"\w+\"\,\"\w+\"\,\"\w+\"\,\"\w+\"\,\"(?<optuput>\w+)\""
... View more
01-29-2019
07:41 AM
1 Karma
| rex field=_raw ".*?fname\=(?<fname>\S+).*?fileHash\=(?<fileHash>\S+)\s+"
| table _raw fname fileHash
... View more
01-23-2019
09:04 AM
Try This
| makeresults
| eval string="2019-01-23T15:37:13.634437+00:00 0e994c4c-d2c9-43fa-94fa-818a9268c892[[APP/PROC/WEB/35]]: cf_app_id=0e994c4c-d2c9-43fa-94fa-818a9268c892 cf_org_id=0664105f-6c56-49b9-b113-c80afd99426a cf_space_id=a580638c-03f8-4c45-84cd-6cd97ab463ec .source.s_cf_apps 2019-01-23 07:37:13.634 INFO 15 --- [nio-8080-exec-4] .t.s.c.SqlManagerSqlStatementsController"
| rex field=string ".*?\.\d{3}\s+(?<Transaction>\w+)\s+"
| table string Transaction
... View more
01-22-2019
05:48 AM
|makeresults
|eval string="The team performs checks for the following dashboards"
| rex field=string "(?<output>\w+\s+\w+\s+\w+\s+\w+).+"
... View more
01-15-2019
10:31 AM
the if statement will return 1 if the fields match else it will return 0
| eval match=if(field1_foo==field2_foo,1,0)
| where match=1
If you want to set an alert - save the search where 'match=1' (to get events where the fields are same) as an alert where you can schedule it to run periodically or create a correlation search in Splunk ES to create a notable event.
... View more
01-15-2019
10:10 AM
Try adding this regex to your search
| rex field=Properties.Response "\{\"Id\":\"(?<Id>\d+)\",\"Reference\":\"(?<Reference>[^\"]+)\",\"IsFallback\":(?<IsFallback>[^\,]+)\,\"RegistrationDate\":\"(?<RegistrationDate>[^\"]+)\",\"ErrorResult\":(?<ErrorResult>[^\}]+)"
| table Properties.Response Id Reference IsFallback RegistrationDate ErrorResult
... View more
01-12-2019
02:25 PM
try this
| makeresults
| eval string="ALL_CAT_12-AP_Adobe-Adobe_Ident-Defaultgp-NONE"
| rex field=string ".*?\-(?<output>[^\-]+).+"
| table string output
... View more
01-04-2019
09:23 AM
1 Karma
if you convert the string to integer, it will get rid of the leading zeros
| makeresults
| eval String="00147"
| eval StringInt = tonumber(String)
| table String StringInt
Else if you want to keep it as a string, you can try using this regex
| makeresults
| eval String="00147"
|rex field=String "(?<Output>[^0+]\S+)"
| table String Output
... View more
12-28-2018
06:38 AM
yeah, all you have to use is
index=index1 OR index=index2
| eval field1Index1New =case(field1Index1=field1Index2,field1Index1,field1Index2=field1Index1,field2Index1,1=0,0)
| where field1Index1New!=""
| table field2Index1 field1Index1New
... View more
12-28-2018
06:17 AM
Can you try this ?
This will return results only if field1Index1=field1Index2
| makeresults
| eval field1Index1= 4
| eval field2Index1= 7
| eval field1Index2= 4
| eval field1Index1New =case(field1Index1=field1Index2,field1Index1,field1Index2=field1Index1,field2Index1,1=0,0)
| where field1Index1New!=""
| table field2Index1 field1Index1New
... View more
12-27-2018
11:21 AM
1 Karma
if you are trying to delete duplicates
eg:
2018-12-27 13:14:08 host
2018-12-27 13:14:08 host
you can use - | dedup _time host (you will have just 1 event left)
if you are trying to completely exclude the events, try using
| stats dc(host) as count by _time | where count =1
... View more
12-27-2018
06:06 AM
| makeresults
| eval message="2018-12-10 15:15:40 [Thread-34-TestBolt-executor[4 4]] INFO com.learn.code.StringQ.execute:67 - Bolt=StringQBolt | source=XYZ | dom=xyz| groupId=21239 | npid=ABC"
|rex field=message ".*Bolt\=(?<Bolt>[^\|]+)"
|rex field=message ".*source\=(?<source>[^\|]+)"
|rex field=message ".*dom\=(?<dom>[^\|]+)"
|rex field=message ".*groupId\=(?<groupId>[^\|]+)"
|rex field=message ".*npid\=(?<npid>[^\|]+)"
|table message Bolt source dom groupId npid
... View more
12-21-2018
06:54 AM
Thanks for the tip about entering the string as a code.
If the string is going to be 'is/are' always you are right (this wont work).
I was guessing it would be either 'is' or 'are' based on the number of threads.
... View more
12-21-2018
06:36 AM
The above regex should work , but this should take care of the singular / plural aspect of the number of threads - Please remove spaces before msec and threads in the regular expression below.
"approximately\s+(?< msec>\d+).*?[is|are]\s+(?< threads>\d+)"
... View more
12-17-2018
11:59 AM
add 'extract' - enclosed in <>
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-20-2022
10:15 AM
|
