Нello, I have some log streams that unfortunately are a mix of both json and non-json items; e.g. (every line is a separate item):
{ msg: "User 'bob' logged in", noisy: "context", please: "ignore this attribute" }
{ msg: "User 'bob' called api endpoint /example/endpoint", noisy: "context", please: "ignore this attribute" }
Error reaching DB
Error reaching config server
{ msg: "User 'bob' logged out", noisy: "context", please: "ignore this attribute" }
In grafana I am using a query like this:
{ cloud="azure", pod="example-pod-blue-wlk92uw-a6e9l" }
| json
| line_format "{{.msg}}"
This successfully formats every json-formatted log item, but the non-json items do not appear
User 'bob' logged in
User 'bob' called api endpoint /example/endpoint
<error>
<error>
User 'bob' logged out
Here's what a bunch of sequential non-json-formatted lines look like in the grafana ui under this query:
I would like to see this information:
User 'bob' logged in
User 'bob' called api endpoint /example/endpoint
Error reaching DB
Error reaching config server
User 'bob' logged out
It feels like I need a way to say "parse as json and perform line_format, but if json parse fails just show the original line". Is there a way to do this? Thanks!
The following works (the UI still indicates there are json-parsing issues, but it at least shows the full message when these parsing issues occur). There are two parts to this:
Regex captures full message as named property
We can capture the full message under a named property (I'll call it "fullMsg") using the regexp directive:
{ cloud="azure", pod="example-pod-blue-wlk92uw-a6e9l" }
| regexp "(?P<fullMsg>.*)"
If/else/end block in line_format
The "msg" property will only exist if the json stage executed correctly. We'll say:
...
| line_format "{{if .msg}}{{.msg}}{{else}}{{.fullMsg}}{{end}}"
which will show fullMsg if msg doesn't exist (because json parsing failed)
Overall solution
{ cloud="azure", pod="example-pod-blue-wlk92uw-a6e9l" }
| regexp "(?P<fullMsg>.*)"
| json
| line_format "{{if .msg}}{{.msg}}{{else}}{{.fullMsg}}{{end}}"
Related
Im trying to get values from a splunk search into an email alert Message. My splunk search query used to trigger an alert is "resourceGroup="myResourceGroup" severity="Error" (simplified version). The output of the search looks like this
{
msg: Error encountered will getting details from API
resourceGroup: myResourceGroup
severity: Error
sourceContext: SystemContext
success: false
}
Q1: How do i get the msg value from the search result in my email alert? Below is a screen shot of splunk Alert Email Message Box?
Q2: Say i wanted to send msg and sourceContext, is there a way to insert ONLY these fields into a custom table?
.
The first step is to extract the fields you want to use in the alert. A simple way to do that (if not already done) is with rex.
resourceGroup="myResourceGroup" severity="Error"
| rex "msg: (?<msg>[^\n}+)"
| rex "sourceContext: (?<sourceContext>\S+)"
Then reference the fields within $ in the alert message.
Msg = $msg$
sourceContext = $sourceContext$
Here is the scenario to reproduce the error:
Take a Microsoft Education Tenant (Demo Tenant is sufficient)
Create a fresh user with valid office 365 license and usage location
Disable the account (set block sign-in) to true in Azure Portal
Create a group and add this user as member
That's the minimum scenario we need. It is also possible to have other (enabled) users within the group, but that doesn't change the behaviour. Now let's follow the documentation to create a class notebook:
POST https://www.onenote.com/api/v1.0/myOrganization/groups/{groupId}/notes/classNotebooks/?omkt=de-de
{
"name": "Class notebook of my group",
"teachers": [],
"students": [],
"studentSections": [],
"hasTeacherOnlySectionGroup": true
}
So, the unified group has just one member with an disabled account, but this specific user is NOT added into the teachers or students section of the create request. Nevertheless the following error message occurs:
System.Net.Http.HttpRequestException: Response status code does not indicate success: 404 (NotFound).
{
"error": {
"code": "30109",
"message": "The following users are invalid: Message: Der angegebene Benutzer disabled.user#mydomain.com wurde nicht gefunden., ServerErrorCode: -2146232832, ServerErrorTypeName: Microsoft.SharePoint.SPException",
"#api.url": "https://aka.ms/onenote-errors#C30109"
}
}
After getting the clarification from Marc our current procedure is as follows:
Get a list of all disabled users.
Enable all of them.
Wait one minute (cause Graph needs some time to propagate this).
Create the course notebook through OneNote API.
Disable all users from the initial list again.
With this everything works as expected.
The error message isn't clear but Teachers maps Owners and Students maps to Members. So even though you didn't specify this user in the students collection, they are a member of the Group and therefore they're considered part of the students collection.
When an 30109 error like this is encountered, the only workaround is either iterate through the Owners and Members and remove any disabled accounts, or parse the message property for the UPN (disabled.user#mydomain.com). It is less than ideal I know.
I'm using GraphAPI getting users by email for months. Something happened to a specific user. Right now I can't get this user using the following approach:
signInNames/any(x:x/value eq '{email}'
This is working with all users excepting the one I said before.
I'm getting this when trying to retrieve by email:
{
"odata.metadata": "https://graph.windows.net/jsmaddev.onmicrosoft.com/$metadata#directoryObjects",
"value":[]
}
If I try to get by ObjectId I can access user's info but the signInNames seems to be empty:
"signInNames":[]
Is there something that could cause this? You should remember that this particular access was working as intended.
Thanks!
This is normal. The filter signInNames/any(x:x/value eq '{email}' returns the users whose signInNames.value equals the email.
The signInNames part sample:
"signInNames": [
{
"type": "userName",
"value": "AlexW"
},
{
"type": "emailAddress",
"value": "AlexW#example.com"
}
]
If I try to get by ObjectId I can access user's info but the signInNames seems to be empty
Since the signInNames property is empty, "signInNames":[], it will returns the "value":[].
You should remember that this particular access was working as intended.
Of course, if the signInNames is not empty, it will work fine.
I'm trying to search for a given user on a Sharepoint site using "lastname, firstname". I was able to use the following url to get the total list of site users as a large XML document:
https://thissite.com/sites/thatsite/_api/web/siteusers/
However, I haven’t been able to figure out how to search by Title. When I use the following url:
https://thissite.com/sites/thatsite/_api/web/siteusers/getbytitle(“lastname,%20firstname”)
I get this error:
<m:error xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
<m:code>
-1, Microsoft.SharePoint.Client.InvalidClientQueryException
</m:code>
<m:message xml:lang="en-US">
The expression "web/siteusers/getbytitle("lastname, firstname")" is not valid.
</m:message>
</m:error>
When I use the following url to get the same user's data:
https://thissite.com/sites/thatsite/_api/web/siteusers/getbyid(41)
Then I successfully get XML returned with that user's data.
I guess I could just parse the list obtained from /siteusers and load it into a searchable data object, but I was hoping for something more direct.
UserCollection resource does not expose getbytitle method, that's the reason why you get this exception.
In order filter user by title you could utilize $filter query option as demonstrated below:
https://contoso.sharepoint.com/_api/web/siteusers?$filter=Title eq '<Title>'
We are using a student management system/CRM (axcelerate) which doesn't have bulk import tools for contacts. but they do provide API for this.
I have tested on a coldbox module which allows me to test with single sets of parameter names and values.
It is confirmed the URL and API headers I am using are correct, the single parameter data was sent and shows up correctly in the CRM.
Now I am trying to send thousands of contacts. I guess to do this with a CSV file and I have tried with Postman.
I have put API headers into the Headers section, and I have put api.contact as a key, and for the value, I have uploaded a CSV file that has FIELDNAMES same as CRM advised: I used givenName and surname.
I created Elvis and Presley as values and this is the error:
{
"DATA": "",
"ERROR": true,
"MESSAGES": "Validation Error.",
"CODE": 412,
"FIELDNAMES": "givenName,surname",
"DETAILS": "Required field givenName is undefined in the request collection.,Required field surname is undefined in the request collection."
}
Any advice to execute this task successfully?
Thank you.
Looking at the API docs for the /contact route it requires you to add the givenName and surname to the URL as params
You could use your data file in the Collection Runner and reference these using the {{...}} placeholder syntax in the URL.
<basePath>/contact?givenName={{givenName}}&surname={{surname}}
The Postman docs will explain how to add the data file to the Collection Runner but once added, when you run the collection, it will populate the placeholders in the URL and hopefully create the new contacts for you in the CRM tool.