cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
padresman
Engager
Member since: ‎03-14-2024
‎03-15-2024
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎03-14-2024
View All

Re: Excluding Special Characters from OTEL Splunk ...

by in Getting Data In
‎03-14-2024 08:13 PM
‎03-14-2024 08:13 PM
Thanks for the response yuanliu, much appreciated, and sorry for the confusion. You're right that those fields should match up - it should look like the following: - id: extract-audit-group type: regex_parser regex: '\"resourceGroup\"\:\"(?P<extracted_group>[^\"]+)\"' - id: filter-group type: filter expr: 'attributes.extracted_group == "batch"' - id: remove-extracted-group type: remove field: attributes.extracted_group   The Id field can be named just about anything, so difference among names there doesn't matter. We've gone through quite a few iterations of testing which is why there was a discrepancy there. What we have narrowed down the problem in our testing is either the camelCase is causing a regex issue with the field, or special characters within a value are causing an issue (or both, my hunch is that it is the camelCase, but we haven't had success with either).  Putting these results into a regex RE2 parser gets the results we expect, but not with the actual deployed OTEL. ... View more

Excluding Special Characters from OTEL Splunk Form...

by in Getting Data In
‎03-14-2024 12:48 PM
1 Karma
‎03-14-2024 12:48 PM
1 Karma
We are having difficulty getting exclusions of logs that have fields in Camelcase or have entries that have special characters related to OTEL logs. Fields without capitalization and/or special character values are able to be parsed out, but not others. Here is an example log that we are looking at (attached as yaml and key portion).         filelog/kube-apiserver-audit-log: include: - /var/log/kubernetes/kube-apiserver.log include_file_name: false include_file_path: true operators: - id: extract-audit-group type: regex_parser regex: '\s*\"resourceGroup\"\s*\:\s*\"(?P<extracted_group>[^\"]+)\"\s*' - id: filter-group type: filter expr: 'attributes.extracted_beta == "batch"' - id: remove-extracted-group type: remove field: attributes.extracted_group - id: extract-audit-api type: regex_parser regex: '\"level\"\:\"(?P<extracted_audit_beta>[^\"]+)\"' - id: filter-api type: filter expr: 'attributes.extracted_audit_beta == "Metadata"' - id: remove-extracted-api type: remove field: attributes.extracted_api - id: extract-audit-verb type: regex_parser regex: '\"verb\"\:\"(?P<extracted_verb>[^\"]+)\"' - id: filter-verb type: filter expr: 'attributes.extracted_verb == "watch" || attributes.extracted_verb == "list"' - id: remove-extracted-verb type: remove field: attributes.extracted_verb The resourceGroup field is compared to something else and failing, verb and level are succeeding. Here is an example log that would be pulled in. {"apiVersion":"batch/v1","component":"sync-agent","eventType":"MODIFIED","kind":"CronJob","level":"info","msg":"sent event","name":"agentupdater-workload","namespace":"vmware-system-tmc","resourceGroup":"batch","resourceType":"cronjobs","resourceVersion":"v1","time":"2024-03-14T18:17:11Z"} ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-15-2024 04:42 PM
Karma from
View All