Hello everyone, I'm trying to filter out some logs in the IA-WindowsSecurity Application. The indexed values are when:
- The EventCode=4634 AND the Security_ID="*$"

I created an app deployed on an index with the following props and transforms config:

Props.conf
[WinEventLog]
TRANSFORMS-remove_computer_logoff = remove_logoff

Transforms.conf
[remove_logoff]
REGEX =
DEST_KEY = queue
FORMAT = nullQueue

I made the following regex for matching the event:
- EventCode=4634
- Security_ID=".*\$$"

I'm not sure how to correctly "put together" these two REGEXES. I did a lot of testing with different types of regexes (in PCRE format), but I wasn't able to make it work. Can someone please help me? Thanks in advance
Or
| stats list(SourceType) as "Source-Type", list(GB) as GB by Index
| appendpipe [| stats sum(GB) as GB | eval Index="Overall Total"]
Try switching the last two lines
| addtotals col=t row=f labelfield=Index label="Overall Total"
| stats list(SourceType) as "Source-Type", list(GB) as GB by Index
index=_internal source=/opt/splunk/var/log/splunk/license_usage.log type=Usage
| stats sum(b) as bytes by st, idx
| eval GB=round(bytes/(1024*1024*1024),6)
| table st, idx, GB
| sort -GB
| eventstats sum(GB) as total
| eval Percentage=round((GB/total)*100,6)
| rename st as SourceType
| rename idx as Index
| stats list(SourceType) as "Source-Type", list(GB) as GB by Index
| addtotals col=t row=f labelfield=Index label="Overall Total"
What search did you use to get this table?
Please find the below sample values

Index         Source-Type                 GB
aws_vpcflow   aws:vpcflow                 10
              aws:cloudwatchlogs:vpcflow  20
windows       windows:fluentd             30
              windows                     40
              WinEventLog:Security        50
cloud         cloud_watch                 60
              aws_cloud                   70
The settings should be fine.  MAX_TIMESTAMP_LOOKAHEAD starts after TIME_PREFIX ends.
Please share your actual events (anonymised appropriately) in a codeblock
It is not clear from this what you are expecting as your output. How do the failure_reason lines relate to the status lines? Please can you share some actual events (anonymised as appropriate), preferably in a code block?
If this is indeed your actual event and those are your actual props settings, Splunk will never find the timestamp because you have a very low lookahead set. There is no timestamp within the first 20 characters of the event. Additionally, are you using indexed extractions?
Hi @altink, if you are the customer, you can indicate some reference people to open cases. Usually they are contractual references, but it's better to indicate one contractual reference and two or three operational people. To do this, one of the already active contractual reference people must open a case to Splunk Support to indicate the other reference people to open cases. Ciao. Giuseppe
Thank you @gcusello. We (Unionbank) are the customer. It seems it is a contractual matter. But I would like Splunk support to put some message about this after logon, instead of not being able to select a field. It is confusing. Regards, Altin
If I use the | addtotals col=t row=f labelfield=Index label="Overall Total", I am getting an incorrect total result, because one index has multiple sourcetype values.
I presume atn_common_lookup_topology-technical-detail_001.csv has fields "key", "type" and "system"? Do you have proper access to the lookup file?
| inputlookup atn_common_lookup_topology-technical-detail_001.csv
You can use addtotals as below:
| addtotals col=t row=f labelfield=index label="Overall Total"
Please accept the solution and hit Karma, if this helps!
I need to add the total GB. Please let me know how to add the overall total.

Index         Source-Type                 GB
aws_vpcflow   aws:vpcflow                 26192.00305
              aws:cloudwatchlogs:vpcflow  32.695269
windows       windows:fluentd             19939.02727
              windows                     9713.832884
              WinEventLog:Security        8.928759
@ITWhisperer Now tried this but still no luck
index=atn*infra*tier3*
| bin span=6m@m metric_value as 6_min_data
| stats count(eval(metric_value=0)) as uptime count(eval(metric_value=1)) as downtime by 6_min_data, source_host
| eval total_uptime = uptime*360
| eval total_dowtime = downtime*360
| eval total_uptime = if(isnull(total_uptime),0,total_uptime)
| eval total_downtime = if(isnull(total_dowtime),0, total_dowtime)
| eval avg_uptime_perc = round((total_uptime/(total_uptime+total_downtime))*100 ,2)
| eval avg_downtim_perc = round((total_downtime/(total_uptime+total_downtime))*100,2)
| eval total_uptime = tostring(total_uptime, "duration")
| eval total_downtime = tostring(total_downtime, "duration")
| lookup atn_common_lookup_topology-technical-detail_001.csv key as source_host
| rename "total_uptime" as "Total Uptime", "total_downtime" as "Total Downtime", avg_uptime_perc as "Average uptime in %", avg_downtim_perc as "Average Downtime in %" source_host as "Source Host"
| table "type" system "Source Host" "Total Uptime" "Total Downtime" "Average uptime in %" "Average Downtime in %"
Hi @altink, you must be enabled by the customer to open a case for them. Otherwise your customer must open the case by itself. To be enabled, the customer must send a request to Splunk Support or to your reference Splunk Sales Engineer. Ciao. Giuseppe
Hi, I have the logs written in the below manner

26/08/2024 10:27 method=are status=failed run_id_123
26/08/2024 10:28 method=are status=failed run_id_123
26/08/2024 10:29 method=are status=failed run_id_123
26/08/2024 10:30 method=are status=completed run_id_123
failure_reason1
failure_reason_2
failure_reason_3
failure_reason_4

I'm trying to check whether the latest retry is completed or failed; if failed, print the failure reason on the next 5 lines. Please help
Try doing the lookup before you rename the field you are using for the lookup! Also, does your lookup file really start with a "*", if so, try renaming it to something without a wildcard in it.