Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About pmittal
pmittal
Engager
Member since:
10-10-2022
08-08-2023
Community Statistics
| Posts | 12 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 10-10-2022 |
Activity Feed
- Posted Recommended way to join large dataset from multiple data sources? on Splunk Search. 03-11-2023 10:55 AM
- Posted Re: How to extract, kv pair from jvm_cmd value & print those in Splunk search? on Splunk Search. 12-05-2022 02:23 AM
- Posted Re: extracting jvm arguments on Splunk Search. 11-16-2022 09:03 AM
- Posted Re: extracting jvm arguments on Splunk Search. 11-16-2022 06:02 AM
- Posted Re: extracting jvm arguments on Splunk Search. 11-16-2022 05:31 AM
- Posted Re: extracting jvm arguments on Splunk Search. 11-16-2022 05:26 AM
- Posted Re: extracting jvm arguments on Splunk Search. 11-16-2022 04:41 AM
- Posted How to extract, kv pair from jvm_cmd value & print those in Splunk search? on Splunk Search. 11-16-2022 03:35 AM
- Posted Re: multi column join not working whereas single column join is working fine on Splunk Search. 10-10-2022 05:33 AM
- Posted Re: multi column join not working whereas single column join is working fine on Splunk Search. 10-10-2022 04:13 AM
- Posted Re: multi column join not working whereas single column join is working fine on Splunk Search. 10-10-2022 04:02 AM
- Posted Why is multi column join not working whereas single column join is working fine? on Splunk Search. 10-10-2022 02:58 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
03-11-2023
10:55 AM
Hi, I am new to Splunk and have very little knowledge. I am seeking help for following use case:
Query1 gives process data, Query 2 gives container data, Query 3 gives container image data, Query 4 gives container tags data. The way data is joined is:
query 2 and query3 is joined based on image id param.
The resultant data is then joined with query 4 using container id param.
This resultant is then joined with Query 1 using pid param.
To make matter more complex, data from different hosting env such as DC, private cloud, public cloud needs to be joined but problem is some field names are different and needs to be mapped before that. E.g. query 1 will give process data for DC, private cloud, public cloud but not all fields are same. Hence, query 1 can't be directly use to query all three hosting env in one go. Right now, I run query 1 for all hosting env separately and then append data.
I am hitting 50k records limit with join. I went through multiple previous posts and all suggested using stats & avoid using join and append. Example uses two data sources which is not sufficient in my case:
https://community.splunk.com/t5/Splunk-Search/How-to-join-large-tables-with-more-than-50-000-rows-in-Splunk/m-p/152136
https://community.splunk.com/t5/Splunk-Search/Large-scale-join-between-two-sourcetypes/m-p/549019#M155748
https://community.splunk.com/t5/Splunk-Search/How-to-compare-fields-over-multiple-sourcetypes-without-join/td-p/113477
How stats will look like in this case?
Looking for answer like this: https://community.splunk.com/t5/Splunk-Search/Large-scale-join-between-two-sourcetypes/m-p/549065/highlight/true#M155761
... View more
12-05-2022
02:23 AM
Apologies for the delayed response. I used REX meanwhile to extract required fields but it was not a full proof solution because I should know fields to be extracted in advance which is not possible. This is where @yuanliu solution worked as expected. One final clarification - This solution worked only if jvm_cmd is renamed as _raw. Is it possible to avoid renaming and worked directly on jvm_cmd?
... View more
11-16-2022
09:03 AM
I don't have to retrieve field value. I have to retrieve key value pair located inside field value. Either you are not getting my point or I am not getting yours at all. Please see java_cmd param value. need to get K,V pair out of it
... View more
11-16-2022
06:02 AM
log entry is a json. i can fetch jvm_cmd parmeter as it is a JSON key. that's not the issue. I need to parse value of jvm_cmd. can't share full log due to sensitive information. I tried following Splunk query (few other variations too). It just print log/raw json fields but it won't extract fields out of jvm_cmd value index=abc jvm_cmd=*xyz* | spath | table *
... View more
11-16-2022
05:31 AM
it's there in initial post. I need that P1=v1, p2=v2 ... key pairs extracted
... View more
11-16-2022
05:26 AM
I tried it before posting without any success. All the example in that link has value itself as either JSON or XML whereas in this case no fixed pattern in value
... View more
11-16-2022
04:41 AM
I am not sure how that's gonna solve the problem. I am trying to parse jvm_cmd value and it's not a JSON. Can you share some sample spath if I misunderstood you?
... View more
11-16-2022
03:35 AM
raw event
{... "jvm_cmd":"bin/java -Dp -Dp1=v1-Dp2=v2 -Dq -Dp3=v3 ..."}
How to extract, kv pair from jvm_cmd value & print those in Splunk search?
I am not admin. So, I can't change props.conf or transform.conf. I tried https://community.splunk.com/t5/Splunk-Search/Using-KV-MODE-auto-in-props-conf-how-do-I-get-a-search-time/m-p/240834 and rex without any success. Any help will be much appreciated
... View more
Labels
- Labels:
-
field extraction
-
rex
10-10-2022
05:33 AM
Since, I required regex; I used | search path IN (*/log4j-core*) NOT path=*/log4j*2.17* insetad of where command. Thank you for your support!!
... View more
10-10-2022
04:13 AM
got it working with search command instead of where. However, still not getting expected output but on right track. Will update in sometime
... View more
10-10-2022
04:02 AM
Hi @gcusello , The problem seems to be due to no. of records greater than 50k as you pointed out. However, comma between the join fields is not an issue. There is one problem with your solution, it's not providing left join functionality. It just combine records from both the indexes. E.g. final output should have only 4 records but what I am getting is like 70k records. After stats, I tried filtering data using where but no success. What I want is only path containing vulnerable log4j i.e. the path filter used in first query. Sorry, I am new to Splunk. So, this might be a very basic ask
... View more
10-10-2022
02:58 AM
single column join is working
index=* source=jar columns.path="*/log4j-core*" NOT columns.path=*/log4j*2.17* host IN (*.test.com)
| rename columns.pid AS pid, columns.pid_ts as pid_ts, columns.path as path,
| dedup host path pid
| join pid type=left max=1 [search index=* source=process host IN (*.test.com) earliest=-25h latest=now
| rename columns.pid AS pid, columns.cmdline as cmd, columns.username as user, columns.uid as uid, columns.groupname as group, columns.gid as gid
| dedup host pid]
| table host, path, pid, user, uid, group, gid, cmd
but multi column join is not working
index=* source=jar columns.path="*/log4j-core*" NOT columns.path=*/log4j*2.17* host IN (*.test.com)
| rename columns.pid AS pid, columns.pid_ts as pid_ts, columns.path as path,
| dedup host path pid
| join host,pid type=left max=1 [search index=* source=process host IN (*.test.com) earliest=-25h latest=now
| rename columns.pid AS pid, columns.cmdline as cmd, columns.username as user, columns.uid as uid, columns.groupname as group, columns.gid as gid
| dedup host pid]
| table host, path, pid, user, uid, group, gid, cmd
Splunk Enterprise
Version:8.2.6Build:a6fe1ee8894b
... View more
Labels
- Labels:
-
join
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-08-2023
06:56 AM
|
