All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

@PickleRick As per the below screenshot I can see huge delays in the indexing. So is this the cause that data is not visible on time.  What actions I need to perform for summary index? ... See more...
@PickleRick As per the below screenshot I can see huge delays in the indexing. So is this the cause that data is not visible on time.  What actions I need to perform for summary index?  
This discussion has been very informative.
1. There is no such thing as "subindex". Indexes are separate entities and do not form any kind of hierarchy. 2. Unless you have a Very Good Reason (tm) there's not much sense in splitting data into... See more...
1. There is no such thing as "subindex". Indexes are separate entities and do not form any kind of hierarchy. 2. Unless you have a Very Good Reason (tm) there's not much sense in splitting data into multiple indexes - you use search-time filters to return just a subset of your events when needed 3. Summary indexing is usually used for - as the name says - storing pre-aggregated summaries of your data so you can later usse those aggregates to speed up your searches. Using collect to simply copy events from one index to another _usually_ doesn't make much sense (see also 2.) So, what's the use case?
Apart from the technicalities which @yuanliu already tackled, there is also a logical flaw in your approach. Even if you aggregate your second search output into a single count you have two relativel... See more...
Apart from the technicalities which @yuanliu already tackled, there is also a logical flaw in your approach. Even if you aggregate your second search output into a single count you have two relatively unrelated values. Substracting cardinalities makes sense only if one set is a subset of another one. In your case those sets may overlap but one doesn't have to be included in the other.
Again - where do the users have this message with a return to Splunk button? I don't recall anything with this functionality in core Splunk installation.
Do you mean something like this: | rex "^\S+\s+\((?<transaction_id>[^\)]+)" | transaction transaction_id startswith="Starting execution for request" endswith="Successfully completed execution" Here... See more...
Do you mean something like this: | rex "^\S+\s+\((?<transaction_id>[^\)]+)" | transaction transaction_id startswith="Starting execution for request" endswith="Successfully completed execution" Here is an emulation of your mock sample data you can play with and compare with real data | makeresults format=csv data="_raw 2024-08-12T10:04:16.962-04:00 (434-abc-345789-de456ght) Extended Request Id: cmtf1111111111111111= 2024-08-12T10:04:16.963-04:00 (434-abc-345789-de456ght) Verifying Usage Plan for request: AAAAAAAAAAAAAAAAAAAAAAAA 2024-08-12T10:04:16.964-04:00 (434-abc-345789-de456ght) BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 2024-08-12T10:04:16.964-04:00 (434-abc-345789-de456ght) AAAAAAAAAABBBBBBBBBBBBBCCCCCCCCCCCCCCCCCC 2024-08-12T10:04:16.964-04:00 (434-abc-345789-de456ght) Starting execution for request: 8hhhhh-cdcd-434444-8bbb-dedr44444 2024-08-16T10:04:16.964-04:00 (434-abc-345789-de456ght) HTTP Method: POST, Resource Path: /ddd/Verifyffghhjj/ddddddd 2024-08-16T10:04:25.969-04:00 (434-abc-345789-de456ght) Successfully completed execution 2024-08-16T10:04:25.969-04:00 (434-abc-345789-de456ght) Method completed with status: 200 2024-08-16T10:04:25.969-04:00 (434-abc-345789-de456ght) AAAAAA Integration Endpoint RequestId: 11111111111111111111" | rex "^(?<_time>\S+)" | eval _time = strptime(_time, "%FT%T.%3N") | sort - _time ``` data emulation above ```  
You realize that the first search results in one single row, and the second gives a series of rows, right?  Without illustrating or describing what your desired output look like, you are asking volun... See more...
You realize that the first search results in one single row, and the second gives a series of rows, right?  Without illustrating or describing what your desired output look like, you are asking volunteers to read your mind.  This is generally a bad idea on a forum like this. If your requirement is to subtract singular Count in the first search from "Bookmark Status" in every row in the second search, you can do something as simple as   | rest /services/saved/searches | search alert_type!="always" AND action.email.to="production@email.com" AND title!="*test*" | stats count(action.email.to) AS "Count" | appendcols [sseanalytics 'bookmark' | where bookmark_status="successfullyImplemented" | stats count(bookmark_status_display) AS "Bookmark Status" by bookmark_status_display] | eventstats values(Count) as Count | eval diff = 'Bookmark Status' - Count   Here I am using appendcols instead of the usual approach using append because one of the searches only gives out one single row.  This is not the most semantic approach but sometimes I like code economy.  In fact, this method applies to any two searches as long as one of them yields a single row. Here is an emulation as proof of concept:   | tstats count AS Count where index=_internal ``` the above emulates | rest /services/saved/searches | search alert_type!="always" AND action.email.to="production@email.com" AND title!="*test*" | stats count(action.email.to) AS "Count" ``` | appendcols [tstats count AS "Bookmark Status" where index=_introspection by sourcetype | rename sourcetype AS bookmark_status_display ``` this subsearch emulates | sseanalytics 'bookmark' | where bookmark_status="successfullyImplemented" | stats count(bookmark_status_display) AS "Bookmark Status" by bookmark_status_display ``` ] | eventstats values(Count) as Count | eval diff = 'Bookmark Status' - Count   You will get something like Count Bookmark Status bookmark_status_display diff 151857 201 http_event_collector_metrics -151656 151857 2365 kvstore -149492 151857 57 search_telemetry -151800 151857 462 splunk_disk_objects -151395 151857 303 splunk_telemetry -151554
Try https://github.com/whackyhack/Splunk-org-chart.  (Play with the dashboard to find who's the big boss:-)
Not totally clear what the eventstats is doing here.  It would help if you could illustrate the desired results from mock data.  Do you mean to produce two tables like these? 1. superhero archet... See more...
Not totally clear what the eventstats is doing here.  It would help if you could illustrate the desired results from mock data.  Do you mean to produce two tables like these? 1. superhero archetype id strengths superhero superman super strength, flight, and heat vision superhero batman exceptional martial arts skills, detective abilities, and psychic abilities 2. villan archetype id strengths villain joker cunning and unpredictable personality To do these, you can use   index=characters | spath path={} | mvexpand {} | spath input={} | fields id, strengths, archetype | where archetype="superhero" | stats values(*) as * by id   for superhero; for villan, use   index=characters ``` | spath path={} | mvexpand {} | spath input={} | fields id, strengths, archetype | where archetype="villan" | stats values(*) as * by id   Here is an emulation for you to play with and compare with real data   | makeresults | eval _raw="[ { \"id\": \"superman\", \"strengths\": \"super strength, flight, and heat vision\", \"archetype\": \"superhero\" }, { \"id\": \"batman\", \"strengths\": \"exceptional martial arts skills, detective abilities, and psychic abilities\", \"archetype\": \"superhero\" }, { \"id\": \"joker\", \"strengths\": \"cunning and unpredictable personality\", \"archetype\": \"villain\" } ]" | spath ``` the above emulates index=characters ```    
@PickleRick  “Whenever I click on ‘Return to Splunk,’ it redirects to the Splunk login page. Instead, I want it to redirect to a custom URL. When users face login issues, a message will pop up, and w... See more...
@PickleRick  “Whenever I click on ‘Return to Splunk,’ it redirects to the Splunk login page. Instead, I want it to redirect to a custom URL. When users face login issues, a message will pop up, and when they click ‘Return to Splunk,’ they will be redirected to the custom URL.” How can I do this?
If you have identifier of each transaction such as transaction id, use stats to get the earliest and latest for e.g. your search |earliest(_time) as starttime,latest(_time) as endtime by transactio... See more...
If you have identifier of each transaction such as transaction id, use stats to get the earliest and latest for e.g. your search |earliest(_time) as starttime,latest(_time) as endtime by transactionID|eval duration=endtime-starttime  
@DATT , try using stats on those values | stats delim="," list(INTEL) as INTEL,list(WEIGHT) as WEIGHT | nomv INTEL | nomv WEIGHT Here is a run anywhere example . Add/remove your columns according... See more...
@DATT , try using stats on those values | stats delim="," list(INTEL) as INTEL,list(WEIGHT) as WEIGHT | nomv INTEL | nomv WEIGHT Here is a run anywhere example . Add/remove your columns according to the requirements | makeresults | fields - _time | eval INTEL="A B C D E" | makemv INTEL | mvexpand INTEL | streamstats count | eval WEIGHT=count | rename count as ID | makemv delim="," INTEL | rename comment as "Above is just data generation" | stats delim="," list(INTEL) as INTEL,list(WEIGHT) as WEIGHT | nomv INTEL | nomv WEIGHT
Thanks, i find the error, it was a silly mistake of mine.
Hello everybody, I'm working on a query that does the following: 1. Pull records, mvexpand on a field named INTEL. This is a multi-value field that could have anywhere from 1 to 11 different values... See more...
Hello everybody, I'm working on a query that does the following: 1. Pull records, mvexpand on a field named INTEL. This is a multi-value field that could have anywhere from 1 to 11 different values. 2. Once expanded, perform a lookup using INTEL to retrieve a field WEIGHT. A weight is assigned to each INTEL value, between 1 and 5. 3. After the lookup, collapse the split records back into one record.  At first glance I figured I could do `... | mvexpand | lookup | mvcombine | nomv` but since the records are no longer identical because both INTEL and WEIGHT are different, I don't think I can use mvcombine anymore. To Visually demonstrate the issue ID INTEL 12345 A, B, C, D   After mvexpand ID INTEL 12345 A 12345 B 12345 C 12345 D   After Lookup ID INTEL WEIGHT 123456 A 1 123456 B 2 123456 C 3 123456 D 4   Ultimately, I would like to get back to this ID INTEL WEIGHT 123456 A,B,C,D 1,2,3,4   Any tips?
I have a dataset to visualize my organization in Splunk. When I search for Org=CDO, I get all the direct reports under the CDO, which include positions like CSO and CIO. Under each of these positions... See more...
I have a dataset to visualize my organization in Splunk. When I search for Org=CDO, I get all the direct reports under the CDO, which include positions like CSO and CIO. Under each of these positions, there are many VPs, and under each VP, there are many directors. How can I retrieve the results for the entire hierarchy under the CDO using Splunk? We have a field named Org and another field name job_title When I search Org=CDO I get only direct reports of CDO, no other value in the raw event to extract. any help would be appreciated
Im trying to substract  the total number i have of alerts that send and email  from the total amount of alerts that are bookmarked in SSE.  The only examples I found on the community used either the ... See more...
Im trying to substract  the total number i have of alerts that send and email  from the total amount of alerts that are bookmarked in SSE.  The only examples I found on the community used either the same index, or sub-searches (neither worked in my scenario) My query for  the alerts is : | rest /services/saved/searches | search alert_type!="always" AND action.email.to="production@email.com" AND title!="*test*" | stats count(action.email.to) AS "Count" My query for bookmarks is:  | sseanalytics 'bookmark' | where bookmark_status="successfullyImplemented" | stats count(bookmark_status_display) AS "Bookmark Status" by bookmark_status_display
Hi  @ITWhisperer  Thanks for your response. I had not extracted any yet cause the logs are not yet in splunk but will be soon  Yes, the transaction ID are unique.  The below is what i got from cloud ... See more...
Hi  @ITWhisperer  Thanks for your response. I had not extracted any yet cause the logs are not yet in splunk but will be soon  Yes, the transaction ID are unique.  The below is what i got from cloud watch.   2024-08-12T10:04:16.962-04:00          (434-abc-345789-de456ght) Extended Request Id: cmtf1111111111111111= 2024-08-12T10:04:16.963-04:00          (434-abc-345789-de456ght) Verifying Usage Plan for request: AAAAAAAAAAAAAAAAAAAAAAAA 2024-08-12T10:04:16.964-04:00          (434-abc-345789-de456ght)  BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 2024-08-12T10:04:16.964-04:00          (434-abc-345789-de456ght) AAAAAAAAAABBBBBBBBBBBBBCCCCCCCCCCCCCCCCCC 2024-08-12T10:04:16.964-04:00          (434-abc-345789-de456ght) Starting execution for request: 8hhhhh-cdcd-434444-8bbb-dedr44444 2024-08-16T10:04:16.964-04:00          (434-abc-345789-de456ght) HTTP Method: POST, Resource Path: /ddd/Verifyffghhjj/ddddddd 2024-08-16T10:04:25.969-04:00          (434-abc-345789-de456ght) Successfully completed execution 2024-08-16T10:04:25.969-04:00          (434-abc-345789-de456ght) Method completed with status: 200 2024-08-16T10:04:25.969-04:00          (434-abc-345789-de456ght)  AAAAAA Integration Endpoint RequestId: 11111111111111111111
Which (if any) fields do you already have extracted? Are the transaction ids unique i.e will there be only one "Starting ..." message and one "Successfully completed" message per transaction id? Pl... See more...
Which (if any) fields do you already have extracted? Are the transaction ids unique i.e will there be only one "Starting ..." message and one "Successfully completed" message per transaction id? Please can you share text versions of your events rather than pictures as they are easier to deal with when simulating a solution.
Hello , I have a transaction which is coming as multievent. i can use the  "| transaction" command to club as one event.  1)  I want the transaction ID extracted  based on the below-highlighted ( Gr... See more...
Hello , I have a transaction which is coming as multievent. i can use the  "| transaction" command to club as one event.  1)  I want the transaction ID extracted  based on the below-highlighted ( Green)  2) Now, I want to  get the transaction time  based on the below-highlighted  (Yellow) Below is the raw event log.   Thanks In advance!      
And how did you determine that the events are not collected? The typical issue with events which seem to be not collected (when the status does show returned events which should have been collected) ... See more...
And how did you determine that the events are not collected? The typical issue with events which seem to be not collected (when the status does show returned events which should have been collected) is when there is something wrong with timestamps so that the events are collected and indexed but are put somewhere (or rather somewhen ;-)) else than you expect them to be. Check your | tstats count on summary index over all time before and after you run the collecting search. This will tell you if your index grows.