You could do something like this

| rex "process (?<process>\d+) start date (?<start>\S+), end date (?<end>\S+)"
| eval startdate=strptime(start,"%d/%m/%Y")
| eval enddate=relative_time(strptime(end,"%d/%m/%Y"), "+1d")
| eval days=mvappend(startdate, enddate)
| eval row=mvrange(0,2)
| mvexpand row
| eval _time=mvindex(days, row)
| eval count=1-(row*2)
| stats sum(count) as change by _time
| streamstats sum(change) as total
| makecontinuous _time
| filldown total
| fillnull value=0 change
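The same day-by-day counting, as an added Python example that is not from the original post: it mirrors the SPL approach (a +1 change on the start date, a -1 change the day after the end date, a running sum over a continuous date range) on a constructed copy of the asker's four processes, and additionally records which processes are active on each day, which the SPL does not.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, copied from the question's four processes (dd/mm/yyyy).
SAMPLE = [
    ("1", "12/08/2024", "16/08/2024"),
    ("2", "12/08/2024", "12/08/2024"),
    ("3", "13/08/2024", "15/08/2024"),
    ("4", "14/08/2024", "16/08/2024"),
]


def parse_day(text: str) -> datetime:
    """Equivalent of strptime(x, "%d/%m/%Y"): a date at midnight."""
    return datetime.strptime(text, "%d/%m/%Y")


def in_implementation_per_day(rows):
    """Return [(date_str, count, [process ids])] for every calendar day
    from the earliest start to the latest end, inclusive.

    Each process emits +1 at its start date and -1 at end date + 1 day
    (so the end day is still counted); changes are summed per day, a
    running total is kept, and days with no change are filled in
    (the SPL's makecontinuous + filldown)."""
    change = defaultdict(int)      # stats sum(count) as change by _time
    names = defaultdict(set)       # which processes are active on a day
    for proc, start, end in rows:
        s = parse_day(start)
        e = parse_day(end) + timedelta(days=1)   # relative_time(end, "+1d")
        change[s] += 1
        change[e] -= 1
        day = s
        while day < e:
            names[day].add(proc)
            day += timedelta(days=1)
    first, last = min(change), max(change) - timedelta(days=1)
    total, out, day = 0, [], first
    while day <= last:                               # makecontinuous _time
        total += change.get(day, 0)                  # streamstats sum(change)
        out.append((day.strftime("%d/%m/%Y"), total, sorted(names[day])))
        day += timedelta(days=1)
    return out


if __name__ == "__main__":
    for date, count, procs in in_implementation_per_day(SAMPLE):
        print(f"{date}  {count}  (process {', '.join(procs)})")
```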
@R15 wrote: Neither are working for me. Their search gives an unwieldy table with 100+ columns, yours has only blanks for avg and max. Splunk 9.1.2. If not, here's the query:

| rest /services/search/jobs
| stats count avg(performance.command.search.expand_search.duration_secs) AS avg max(performance.command.search.expand_search.duration_secs) AS max BY search
The following query retrieves confroom_ipaddress values from the lookup table that do not match IP addresses found in the indexed logs:

| inputlookup lookup_ist_cs_checkin_rooms.csv where NOT [search index=fow_checkin message="display button:panel-*" | rex field=message "ipaddress: (?<ipaddress>[^ ]+)" | stats values(ipaddress) as confroom_ipaddress | table confroom_ipaddress]
| rename confroom_ipaddress as ipaddress1

I would like to add an additional condition to include IP addresses that match those found in the following logs:

index=fow_checkin "Ipaddress(from request header)"
| rex field=message "IpAddress\(from request header\):\s*(?<ip_address>\S+)$"
| stats values(ip_address) as ip_address2

This means we need to include IP addresses from lookup_ist_cs_checkin_rooms.csv that match the message "Ipaddress(from request header)" and exclude IP addresses from lookup_ist_cs_checkin_rooms.csv that match the message "display button:panel-*" as well. Please help.
Hi @AL3Z, yes, it's possible, but you should define the purpose, the borders and the use cases of your lab. In other words: what architecture do you need to test? A distributed environment? Only forwarder and indexer? What else? In my lab I have seven virtual machines with two Indexers, three Search Heads, a Management Node (Cluster Manager, Deployer, License Master, Monitoring Console and Deployment Server) and one Universal Forwarder. I did it on a PC that has 16 vCPUs and 32 GB RAM. As I said, you can do this; it depends on your requirements and the resources you have. Ciao. Giuseppe
Hi all, hoping someone can help me with this query. I have a data set that looks at a process and how long it takes to implement. For example, each event will be populated with a start date and an end date. I want to create a calendar view that shows the schedule of the processes in implementation, for example:

process 1 start date 12/08/2024, end date 16/08/2024 (5 days implementation)
process 2 start date 12/08/2024, end date 12/08/2024 (1 day implementation)
process 3 start date 13/08/2024, end date 15/08/2024 (3 days implementation)
process 4 start date 14/08/2024, end date 16/08/2024 (2 days implementation)

I want to be able to produce a graph or a calendar view that will show how many processes we have in implementation, counting each day of their implementation period (based on start and end date), so for the above example it would look like:

Date          count of processes in implementation
12/08/2024    2 (process 1 and 2)
13/08/2024    2 (process 1 and 3)
14/08/2024    3 (process 1, 3 and 4)
15/08/2024    3 (process 1, 3 and 4)
16/08/2024    2 (process 1 and 4)

Any help greatly appreciated
Hi, I want to set up a home lab with Splunk Enterprise and the Splunk forwarder on the same OS to pull the logs into Splunk. Is it possible to set it up this way?
If I select 2023, Aug 12 for last 30 days, then in the chart I need two lines: 2023 data from now to -30 days, and 2022 data from "now-1y" to -30 days. Can we plot this in a single time chart?

You need to very carefully state your use case (without using SPL). Your sample code definitely does not suggest two time intervals. Now that you need two time intervals, you also need to specify: How do you "select 2023, Aug 12 for last 30 days"? Do you use a time input? (I will assume yes.) Is this input independent of the other user selection of version, i.e., 2024 or 2023? (I will also assume yes.) Without these specifics, your question is unanswerable. You also should specify how the result should look, give some mock data, then illustrate some mock result. SPL should be the last thing to illustrate; if you illustrate SPL that does not give you the desired results, you should illustrate the actual output from the code when applied to the exact illustrated dataset.

Anyway, my solution is the same: set up tokens to modify search terms. As I mentioned, you can set up auxiliary tokens based on user selection. In this example, I add two additional tokens $early_start$ and $early_end$ based on the time selector $interval$. Your search term should be

index=cls_prod_app applicationversion IN ($applicationversion$) ((earliest=$interval.earliest$ latest=$interval.latest$) OR (earliest = $early_start$ latest = $early_end$)) appname=Lacerte message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$
| eval totaltimeinsec = totaltime/1000
| bin span=1m _time
| timechart p95(totaltimeinsec) as RecordedTime by applicationversion limit=0

Here is a demo dashboard in Simple XML. (Token management in Dashboard Studio is different, but the same principle applies.)
<form version="1.1" theme="light">
  <label>Set token applicationversion</label>
  <description>https://community.splunk.com/t5/Splunk-Search/YoY-query-for-comparing-two-products-together/m-p/695943</description>
  <search>
    <query> | makeresults </query>
    <progress>
      <eval token="early_start">if(match($interval.earliest$, "-"), $interval.earliest$ . "-1y", relative_time($interval.earliest$, "-1y"))</eval>
      <eval token="early_end">case(match($interval.latest$, "-"), $interval.latest$ . "-1y", $interval.latest$ == "now", relative_time(now(), "-1y"), true(), relative_time($interval.latest$, "-1y"))</eval>
    </progress>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="applicationversion" searchWhenChanged="true">
      <label>Version</label>
      <choice value="2024,2023">2024</choice>
      <choice value="2023,2022">2023</choice>
      <initialValue>2024,2023</initialValue>
    </input>
    <input type="time" token="interval">
      <label></label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>(earliest = $interval.earliest$, latest = $interval.latest$) OR (earliest = $early_start$ latest = $early_end$) applicationversion IN ($applicationversion$)</title>
      <html>Your end search would be
        <pre>
index=cls_prod_app applicationversion IN ($applicationversion$) ((earliest=$interval.earliest$ latest=$interval.latest$) OR (earliest = $early_start$ latest = $early_end$)) appname=Lacerte message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$
| eval totaltimeinsec = totaltime/1000
| bin span=1m _time
| timechart p95(totaltimeinsec) as RecordedTime by applicationversion limit=0
        </pre>
      </html>
    </panel>
  </row>
</form>

Play with this dashboard.
If you select applicationversion: 2023 and date range July 13, 2023 - August 12, 2023, your search will be rendered as

index=cls_prod_app applicationversion IN (2023,2022) ((earliest=1689231600 latest=1691910000) OR (earliest = 1691218800 latest = 1691834497)) appname=Lacerte message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$
| eval totaltimeinsec = totaltime/1000
| bin span=1m _time
| timechart p95(totaltimeinsec) as RecordedTime by applicationversion limit=0
Also requesting a working way of adding a newline to the description in a ServiceNow incident generated by this add-on.
Hello everyone, please check the below data:

ERROR 2024-08-09 14:19:22,707 email-slack-notification-impl-flow.BLOCKING @3372f96f] [processor: email-slack-notification-impl-flow/processors/2/route/0/processors/0; event: 5-03aca501-42b3-11ef-ad89-0a2944cc61cb] error.notification.details: {
  "correlationId" : "5-03aca501-42b3-11ef-ad89-0a2944cc61cb",
  "message" : "Error Details",
  "tracePoint" : "FLOW",
  "priority" : "ERROR",
}
ERROR 2024-08-09 14:19:31,389 email-slack-notification-impl-flow.BLOCKING @22feab4f] [processor: email-slack-notification-impl-flow/processors/2/route/0/processors/0; event: 38de9c30-49eb-11ef-8a9e-02cfc6727565] error.notification.details: {
  "correlationId" : "38de9c30-49eb-11ef-8a9e-02cfc6727565",
  "message" : "Error Details",
  "priority" : "ERROR",
}

The above 2 blocks of data are coming in as one event, but I want them to be 2 events, each starting from the keyword "Error". Below is my props.conf entry for the same, but it is not working:

[applog_test]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
disabled = false
pulldown_type = true
BREAK_ONLY_BEFORE = date
SHOULD_LINEMERGE = true
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TIME_PREFIX=ERROR\s+

Please help me fix this. Thanks in advance!
Following up... I am facing the same issue, running Splunk Enterprise version 8.2.6.1.
Hi @rajan_kumar_rai, I didn't have experience of this issue after that (8 years ago). If you still have this issue, open a case with Splunk Support. But before that, update your Splunk, because I'm not sure that your release is still under maintenance. Ciao. Giuseppe
Facing the same issue in Splunk Enterprise version 8.2.6.1. Any fix? Workaround? Please share!
Facing exactly the same issue in Splunk Enterprise version 8.2.6.1. Any fix or workaround?
Hi @gcusello , Did you get the solution for this issue?  I am using Splunk v8.2.6.1 and I am facing the same issue. Please help if you have any solution for this!
Hi Splunkers, I am monitoring my websites using Splunk website monitoring. I have configured an alert which sends me an email whenever my website goes down or takes time to respond. Now I want that whenever my website comes back UP again or functions normally, I should also receive an alert email to notify me that the website is working fine now. Could you please share your knowledge here and help me set up this alert. TIA.
Hi Ismo, This solution seems to be amazing. However, I will have to try to solve this as far as possible without installing an extra app. Best regards, Sherwin
Hi, this is a known issue. You cannot disable some apps via the GUI. Fortunately you could try this app to disable SSG and some others: https://splunkbase.splunk.com/app/7319 r. Ismo
Hi @sherwin_r , this should occur if you try to enable some input in Secure Gateway not by itself, did you do it? Ciao. Giuseppe
Hi @sidnakvee, did you install the Splunk_TA_Windows add-on (https://splunkbase.splunk.com/app/742) on your PC? In addition, remember that, as @KendallW hinted, you need to enable the inputs you want, copying the inputs.conf from the default to the local folder. In addition, in these stanzas you have to add the row: index = winpc. There's another check that you could perform: run this search: index=_internal and view the hosts; do you see the hostnames of your PCs? Same procedure for Sysmon: download and install the Splunk Add-On for Sysmon (https://splunkbase.splunk.com/app/5709) on your PCs, check the enablement state of the inputs and enable the ones you like, adding the index option. Ciao. Giuseppe
Hi @gcusello, thanks for the quick response. I want to do this because my Splunk installation does not have access to the internet, and Secure Gateway therefore logs a lot of errors. Regards, Sherwin