All Posts

Thank you ever so much
I appreciate the explanation and example. The search that I have is very long and does a lot of calculation, so it's not that easy to do your suggestion. I've been doing a similar thing, but much simpler: I just decode the URL using a URL decoder, then open a new search and paste the search. Thank you for your suggestion.
Specifically, in my use case, let's just say the display returns "Status failed: unique id". Can I still pattern match the "Status failed" part?
I just had this exact issue installing Splunk on a Windows 2022 Server running on ESXi. Followed your advice and worked like a charm. Thank you, sir.
Interesting, because I didn't decide to uninstall first; I was told by support to do it.
It's not necessary to uninstall a universal forwarder before upgrading it. Just run the installer and it will perform the steps needed for the upgrade.
|union
  [ search index=osp source=xxx EVENT_TYPE=xxx EVENT_SUBTYPE=xxx field1=* field3=xxx field4="" | eval DATE = strftime(strptime(xxx, "%Y%m%d"), "%Y-%m-%d") | stats latest(source) as example1 by field5 field6 DATE]
  [ search index=osp source=xxx EVENT_TYPE=xxx EVENT_SUBTYPE=xxx field1=* field3=xxx field3=xxx field4="" | eval DATE = strftime(strptime(xxx, "%Y%m%d"), "%Y-%m-%d") | stats latest(source) as example2 by field5 field6 DATE]
  [ search index=osp source=xxx EVENT_TYPE=xxx EVENT_SUBTYPE=xxx field1=* field3=xxx NOT field3=xxx field4="" | eval DATE = strftime(strptime(xxx, "%Y%m%d"), "%Y-%m-%d") | stats latest(source) as example3 by field5 field6 DATE]
| stats count(example1) as "example 1", count(example2) as "example 2", count(example3) as "example 3" by DATE

The data is populating correctly for example 1 and example 3, individually, and if I just use two queries. However, I need all 3 queries for my data, but data is missing from example 2.
I have created a simple addon on Splunkbase that can identify bad CSV files in your environment: https://splunkbase.splunk.com/app/7497  
Verify your network allows connections *out* to your Splunk Cloud stack's port 8089.
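The connectivity check suggested above, as an added example that is not part of the original post: it attempts an outbound TCP connection to the management port and reports whether the failure was a refusal (something answered) or a timeout (typical of a firewall silently dropping the SYN). The stack host name in the `__main__` block is a placeholder, not a real Splunk Cloud stack.

```python
# Added example (not from the original post): probe outbound TCP reachability
# of a Splunk management port (8089) and distinguish "refused" from "timeout".
import socket
from contextlib import closing

SPLUNK_MGMT_PORT = 8089


def check_outbound(host, port=SPLUNK_MGMT_PORT, timeout=3.0):
    """Return (reachable, reason).

    reason is 'ok', 'refused', 'timeout', or the OS error text for anything
    else (DNS failure, no route, ...). A 'timeout' is what a firewall that
    drops packets looks like; 'refused' means the packet got through but
    nothing is listening on that port.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return False, "timeout"
        except ConnectionRefusedError:
            return False, "refused"
        except OSError as exc:
            return False, exc.strerror or type(exc).__name__
        return True, "ok"


def check_against_local_listener():
    """Self-contained positive case: bind an ephemeral loopback port, listen,
    and confirm check_outbound() reaches it. Lets the probe be exercised
    offline."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        return check_outbound("127.0.0.1", port, timeout=2.0)


if __name__ == "__main__":
    # Placeholder host name (assumption): replace with your own stack, e.g.
    # <yourstack>.splunkcloud.com, before relying on the result.
    print("loopback:", check_against_local_listener())
    print("stack:", check_outbound("example-stack.splunkcloud.com"))
```

Run it from the host that will be sending data (forwarder or deployment client), not from a workstation, since egress rules usually differ per network segment.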
Also, I am trying to refrain from using CSS styling. Is there an alternative way?
Is there a way for me to match a background color if the output from the panel involves rex? For example, if the output displays a unique error, how do I still match the background color to red without changing the display text for single value visualization panels?
Also in A&I:

08-03-2024 03:38:37.525 INFO ChunkedExternProcessor [25501 searchOrchestrator] - Running process: /opt/splunk/bin/python3.9 /opt/splunk/etc/apps/SA-IdentityManagement/bin/entitymerge_command.py
08-03-2024 03:38:37.845 ERROR ChunkedExternProcessor [25506 ChunkedExternProcessorStderrLogger] - stderr: (AttributeError) module 'time' has no attribute 'clock'

I searched around and changed:

vi /opt/splunk/etc/apps/SA-Utils/lib/SolnCommon/cexe.py

Change time.clock to time.time
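The error above is what code written for Splunk's older bundled Python hits once it runs under python3.9: time.clock() was removed in Python 3.8. The following is an added example, not the poster's patch and not SA-Utils code, showing a version-tolerant wrapper. It prefers time.perf_counter() (monotonic, which time.time() is not) and only falls back to the legacy clock() on interpreters that still have it. Note that an edit made directly under /opt/splunk/etc/apps/SA-Utils is overwritten the next time that app is upgraded, so the change needs to be tracked somewhere it will be re-applied.

```python
# Added example (not from the original post or from SA-Utils): a drop-in
# replacement for the time.clock() that Python 3.8 removed.
import time

# perf_counter exists since 3.3 and is monotonic; clock() only exists <= 3.7.
_clock = getattr(time, "perf_counter", None) or getattr(time, "clock")


def clock():
    """Return a float counter usable exactly like the old time.clock()."""
    return _clock()


def elapsed(fn, *args, **kwargs):
    """Run fn(*args, **kwargs) and return (result, seconds_elapsed),
    timed with clock() so it works on both old and new interpreters."""
    start = clock()
    result = fn(*args, **kwargs)
    return result, clock() - start


def has_legacy_clock():
    """True only on interpreters older than 3.8 (informational)."""
    return hasattr(time, "clock")


if __name__ == "__main__":
    total, seconds = elapsed(sum, range(100000))
    print(total, "computed in", round(seconds, 6), "s; legacy clock:",
          has_legacy_clock())
```

Under python3.9 has_legacy_clock() is False and clock() is time.perf_counter(); the rest of the calling code does not need to change.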
Hi, I think that this helps you: https://community.splunk.com/t5/Splunk-Search/What-is-the-relation-between-the-Splunk-inner-left-join-and-the/m-p/391288/thread-id/113948 In that answer those joins are defined, along with how you should do them in Splunk. r. Ismo
Hi, if I understood your issue right, you have used too much SPLUNK_DB space on your system. There are many instructions on the net on how to move/change SPLUNK_DB to another drive on Windows, which is what you need to do. Another option is to limit your disk space to a lower value, but this will probably prevent you from collecting enough events into your system. Another option is to ask a local Splunk Partner to fix this for you. r. Ismo
That worked! But I'm trying to color the words "Large Effect" and "No" red. Not sure what I did wrong here?

<colorPalette type="expression">case (match(value,"Large Effect") OR (match(value,"No"),"#ff0000", match(value,"Medium Effect"), "#ffff00",match(value,"Small Effect"),"#00ff00",true(),"#ffffff")</colorPalette>
Thanks @KendallW. We are using automatic header-based field extraction for our JSON documents as described here: https://docs.splunk.com/Documentation/Splunk/9.3.0/Data/Extractfieldsfromfileswithstructureddata#Use_configuration_files_to_enable_automatic_header-based_field_extraction So when fields like serviceType are present in the events, I believe they are getting indexed. You are correct that serviceType is completely missing from the events for time ranges where my tstats query returns 0, but I don't understand why it would work this way, especially since adding a wildcard to either OR value returns the correct non-zero result:

|tstats count where index="my_index" eventOrigin="api" (accountId="8674756857*" OR serviceType="unmanaged")
|tstats count where index="my_index" eventOrigin="api" (accountId="8674756857" OR serviceType="unmanaged*")

This really seems like a bug. Thanks for the tip about |append, though this is very undesirable and possibly infeasible for us considering the complexity of our queries and how many we have.
You will need to mvexpand the field; with that you can colour rows of the field.
?
It is an old thread, but I feel that with more experience under my belt I should fix the solution. Map is hardly ever _the_ solution, so in this case it isn't either. It's better to count and filter:

index=logins | streamstats count by login | where count<=5

And that's it.
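The "count and filter" pattern from the answer above, as an added example that is not part of the original post: a small emulation of `streamstats count by login | where count<=5` run over a constructed list of login events, so the running-count semantics are visible. One caveat worth knowing when you use the real search: an event search returns results newest first, and streamstats counts in that order, so `count<=5` keeps the five most recent logins per user unless you `| sort 0 _time` (or `| reverse`) before the streamstats.

```python
# Added example (not from the original post): emulate
#   streamstats count by login | where count<=N
# over constructed login events to show how the running count works.
from collections import defaultdict

# Constructed sample events, already in the order they would be streamed.
# alice has 7 logins, bob has 3, carol has 1.
LOGIN_EVENTS = [
    {"_time": 1, "login": "alice"},
    {"_time": 2, "login": "bob"},
    {"_time": 3, "login": "alice"},
    {"_time": 4, "login": "carol"},
    {"_time": 5, "login": "alice"},
    {"_time": 6, "login": "bob"},
    {"_time": 7, "login": "alice"},
    {"_time": 8, "login": "alice"},
    {"_time": 9, "login": "bob"},
    {"_time": 10, "login": "alice"},
    {"_time": 11, "login": "alice"},
]


def streamstats_count(events, key):
    """Emulate `streamstats count by <key>`: attach a running per-key
    count to every event, in stream order, without reordering anything."""
    running = defaultdict(int)
    out = []
    for ev in events:
        running[ev[key]] += 1
        out.append({**ev, "count": running[ev[key]]})
    return out


def first_n_per_key(events, key, n):
    """Emulate `streamstats count by <key> | where count<=n`."""
    return [ev for ev in streamstats_count(events, key) if ev["count"] <= n]


def kept_per_key(events, key="login", n=5):
    """How many events survive the filter, per key (for checking results)."""
    counts = defaultdict(int)
    for ev in first_n_per_key(events, key, n):
        counts[ev[key]] += 1
    return dict(counts)


if __name__ == "__main__":
    for ev in first_n_per_key(LOGIN_EVENTS, "login", 5):
        print(ev)
    print(kept_per_key(LOGIN_EVENTS))
```

Compared with `map`, this does one pass over the events with no per-user subsearch, which is why it scales to any number of distinct logins.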