All Posts


Update. I have found I can use this API to approve, but I still need a username/password or token T^T.

curl -X POST -k -u "username:password" https://10.250.74.118:8443//rest/approval/15/responses -d "{\"responses\": [\"deny\"]}"

But it is showing this error:

{"failed": true, "message": "Invalid resolution. must be one of approve, deny, delegate"}

Anyone know why?
Sure, it seems it was only needed for a particular eventhub, and there I am running:

SEDCMD-remove_quot_infront = s/^\"{/{/g
SEDCMD-remove_quot_behind = s/}\"$/}/g
SEDCMD-remove_slash = s/\\"/"/g
I have sample data pushed to Splunk as below. Help me with a Splunk query where I want only unique server names with the final status as the second column. Compare both horizontally and vertically for each server's second-column status: if any of the second-column values is No for that server, then consider No as the final status for that server; if all the second-column values are Yes for a server, then consider that server's final status as Yes.

sample.csv:

ServerName,Status
Server1,Yes
Server1,No
Server1,Yes
Server2,No
Server2,No
Server3,Yes
Server3,Yes
Server4,Yes
Server5,No
Server6,Yes
Server6,No
Server6,Yes
Server6,No
Server7,Yes
Server7,Yes
Server7,Yes
Server7,Yes
Server8,No
Server8,No
Server8,No
Server8,No

Output should look similar to below:

ServerName,FinalStatus
Server1,No
Server2,No
Server3,Yes
Server4,Yes
Server5,No
Server6,No
Server7,Yes
Server8,No
All I have learned about prompts is that I need to open a browser and answer the prompt in the SOAR GUI. Is any REST API or link available to answer a prompt? I want to pass some variables in the mail. If somebody clicks a certain link, it will accept or reject the prompt for event "4" based on the API automatically. It will reduce IT's workload!
Hmm, after further investigation it appears that it might not be anything to do with the throughput settings on either server. Digging into the logs, this problem always begins when the Heavy Forwarder patches. At this point the Windows server stops being able to send logs and never recovers, even when the HF is available again. I wonder if this is related to v9.3.0 of the agent, because we didn't see any issues before this was upgraded.
can you check your direct messages
Hello @MatthewWolf, if you need the number of event counts for a particular category, you can use the following search:

index=<<index_name>> sourcetype="fraud_detection.csv" | stats count by category | sort - count

This will give you output of all the categories present with their event counts in decreasing order (i.e. highest count first).

Thanks, Tejas.

--- If the above solution helps, an upvote is appreciated!
Hello @Viral_G, you can have a token value set based on the selected field/column on the table. You can then have another panel created to display the selected token and have a drilldown set on the new panel.

Thanks, Tejas.

--- If the above solution helps, an upvote is appreciated!
Thank you @rohit1793, this spreadsheet is very helpful!
Event without issue (btoolTag = btool_validate_strptime):

[
  {
    "bad_strptime": "%d.%m.%Y %H:%M:%S,%3",
    "conf_file": "props.conf",
    "stanza": "lb:logs",
    "attribute": "TIME_FORMAT",
    "btoolTag": "btool_validate_strptime",
    "timestamp": "2024-08-29T06:00:04",
    "host": "blabla_hostname"
  },
  {
    "bad_strptime": "%y-%m-%d %H:%M:%S%",
    "conf_file": "props.conf",
    "stanza": "iislogs",
    "attribute": "TIME_FORMAT",
    "btoolTag": "btool_validate_strptime",
    "timestamp": "2024-08-29T06:00:04",
    "host": "blabla_hostname"
  }
]

Affected event (btoolTag = btool_validate_regex):

[
  {
    "bad_regex": "(?i)id_618_(?<eventfield_1>\\\\w*).*i_Media=MEDIA_(?<eventfield_2>\\\\w*).*i_Dnbits=(?<eventfield_3\\\\w*).*cs_PERString=(?<eventfield_4>\\\\w*)",
    "conf_file": "props.conf",
    "stanza": "fansfms:aaio",
    "attribute": "EXTRACT-AoIP_message1",
    "reason": "syntax error in subpattern name (missing terminator?)",
    "btoolTag": "btool_validate_regex",
    "timestamp": "2024-08-29T09:47:46",
    "host": "blabla_hostname"
  },
  {
    "bad_regex": "([\\i\\\\fr\\n]+---splunk-admon-end-of-event---\\r\\n[\\r\\n]*)",
    "conf_file": "props.conf",
    "stanza": "source::(....(config|conf|cfg|inii|cfg|emacs|ini|license|lng|plist|presets|properties|props|vim|wsdl))",
    "attribute": "LINE_BREAKER",
    "reason": "unrecognized character follows \\",
    "btoolTag": "btool_validate_regex",
    "timestamp": "2024-08-29T09:47:46",
    "host": "blabla_hostname"
  }
]
Please provide the config that you've implemented on HF for the described setup.
Please check out following blog post for Dashboard studio: Dashboard Studio: How to Configure Show/Hide and Token Eval in Dashboard Studio | Splunk
Please provide the affected event and an event that is parsed correctly.
Hi @jagan_vannala, use parentheses:

NOT (sessionId=X groupID=Y)

The AND boolean operator isn't required. If you have these doubts, I suggest following the Splunk Search Tutorial, which explains how to create your searches: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial

Ciao. Giuseppe
If I want to exclude multiple fields by using a NOT condition, how can I use the NOT query?

NOT sessionId=X AND groupID=Y

Does this work? Please suggest.
Please execute your original search without testmode=true and, after the execution, click on Job --> Inspect Job. Check if you see any error message in the popup.
Hi @jagan_vannala, sorry, but it still isn't clear: to exclude particular sessionIds, choose the ones to exclude and put them in a condition:

| search NOT sessionId IN (cond1, cond2, cond3)

Ciao. Giuseppe
Hi, I would like to exclude a particular session under multiple session IDs.
Hello Splunkers, I have 7 files in JSON format (the JSON format is the same for each file), so I applied one parsing configuration for all of them.

* On UF *

[source::/opt/splunk/etc/apps/app_name/result/*.json]
INDEXED_EXTRACTIONS=json
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)

* On IDX *

[sourcetype_name]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
TIME_PREFIX=\"timestamp\"\:\s\"
MAX_TIMESTAMP_LOOKAHEAD=19
TIME_FORMAT=%Y-%m-%dT%H:%M:%S
TRUNCATE=999999

* On Search Head *

[sourcetype_name]
KV_MODE=none

Parsing works for all files except one. Here is an excerpt; the timestamp has a none value. Can you help me with this?
If you only want to see events that do not contain the field sessionId, you must search as follows:

host="*" NOT sessionId