All Posts
For some reason my |tstats count query is returning a result of 0 when I add an OR condition in my where clause if the field doesn't exist in the dataset, or if the OR condition specifies a string value when the value for the field in the data is always an integer. For example:

This query returns the correct event count (or at least it's non-zero):

|tstats count where index="my_index" eventOrigin="api" (accountId="8674756857")

Adding this OR condition returns a count of zero -- why? Note that for this time range there are no events with a serviceType field, but for other time ranges there are events with a serviceType field.

|tstats count where index="my_index" eventOrigin="api" (accountId="8674756857" OR serviceType="unmanaged")

Adding this OR condition also returns zero -- why? It's true that accountId should normally be an integer, but it's an OR, so I still expect it to count those events.

|tstats count where index="my_index" eventOrigin="api" (accountId="19783038942" OR accountId="aaa")

Using a * results in the same non-zero count as the first query, which is expected, even though there are no events with a serviceType field:

|tstats count where index="my_index" eventOrigin="api" (accountId="8674756857" OR serviceType="unmana*")

Why would adding an OR condition in tstats cause the count to be zero? The same problem does not occur with a regular search query. I am on Splunk 9.1.0.2.
I have a data set for web traffic. A sessionID ties all traffic for an individual browsing session together - all events from the time you open a new tab until you close it. There is also a memberID field. Some records do NOT have a value populated for memberID, so I want to return each record for the sessionID with the FIRST non-null value found in the sessionID. For instance:

time   sessionID  memberID  evalField
12:01  1          <NULL>    abc
12:02  1          <NULL>    abc
12:03  1          abc       abc
12:04  1          <NULL>    abc

Can someone help me out with how to get this evalField column? Thanks so much!
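An added example, not from the original post, using six constructed rows in place of the web-traffic data: earliest(memberID) in eventstats takes the chronologically first non-null value per sessionID and writes it onto every row of that session, including the rows that precede it. The field names sessionID and memberID are taken from the post; everything else is constructed.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time=_time - (6-n)*60
| eval sessionID=if(n<=4, 1, 2)
| eval memberID=case(n=3, "abc", n=5, "xyz", true(), null())
| eventstats earliest(memberID) AS evalField by sessionID
| sort 0 _time
| table _time sessionID memberID evalField
```

Session 1 gets evalField=abc on all four rows and session 2 gets xyz on both of its rows; a session with no memberID at all leaves evalField null, which is the case to alert on when stitching identity onto sessions.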
Overall our requirement is that "We are passing a lookup where both Primary and Secondary devices are defined; only if both stopped sending events then we need to display the hosts". This is the query I prepared, but it is not giving the exact requirement. Can you optimize or help?

| tstats count max(_time) AS latest_event_time where index=firewall sourcetype="cisco:ftd" [| inputlookup Firewall_list.csv | table Primary | Rename Primary AS host] groupby host | append [|inputlookup Firewall_list.csv | table Primary | Rename Primary AS host | eval count=0] | stats sum(count) as count max(latest_event_time) AS latest_event_time by host |rename host as Pri |append [| tstats count max(_time) AS latest_event_time where index=firewall sourcetype="cisco:ftd" [| inputlookup Firewall_list.csv | table Secondary | Rename Secondary AS host] groupby host | append [|inputlookup Firewall_list.csv | table Secondary | Rename Secondary AS host | eval count=0] | stats sum(count) as count max(latest_event_time) AS latest_event_time by host |rename host as Sec]

Hosts are in the lookup.
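An added example for the requirement above (not the poster's query): count events per host for every Primary and Secondary device listed in Firewall_list.csv, then keep only the pairs where both members reported nothing in the search window. It uses the index, sourcetype and lookup columns from the post and assumes each host appears in exactly one Primary/Secondary row.

```spl
| inputlookup Firewall_list.csv
| eval pair=Primary."|".Secondary
| eval host=mvappend(Primary, Secondary)
| mvexpand host
| table pair Primary Secondary host
| join type=left host
    [| tstats count AS events
        where index=firewall sourcetype="cisco:ftd"
        [| inputlookup Firewall_list.csv
         | eval host=mvappend(Primary, Secondary)
         | fields host
         | mvexpand host]
        by host]
| fillnull value=0 events
| stats sum(events) AS pair_events values(host) AS hosts by pair
| where pair_events=0
| table pair hosts
```

The left join keeps every lookup host even when tstats returns no row for it, fillnull turns that gap into 0, and summing per pair means a single event from either member is enough to drop the pair from the result, so only silent pairs are listed.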
Thanks a lot, it worked. Adding to that, I'm passing two values from the lookup as below; if both hosts' event count is zero then I need the result to display the host names which are passed from the lookup. Can you help me here?
You are missing the new line in the split command as shown in my suggestion - try using the command exactly as I suggested
index=index host=host source="/Emblinksautomation/UploadEmblinks/Uploadlinks.csv" | rex "^\"(?<filenames>[^\"]*)\"\,\"(?<url>[^\"]*)\"" | eval filenames=split(_raw,"") | mvexpand filenames | rex field=filenames "\"(?<file>[^\"]+)\",\"(?<url>[^\"]+)\""
Paste your search into a code block (like I have with mine) so it preserves formatting.
This is still not working. Data count is not matching. Can you confirm the complete query again:

index=index host=server source="/UploadEmblinks/Uploadlinks.csv" | rex "^\"(?<filenames>[^\"]*)\"\,\"(?<url>[^\"]*)\"" | eval filenames=split(_raw,"") | mvexpand filenames | rex field=filenames "\"(?<file>[^\"]+)\",\"(?<url>[^\"]+)\""
First, a table "row" in CSV is not defined by linefeed in the document.  If some of your ingested CSV events do not contain CSV header, you need to focus on fixing the ingestion linebreaker problem.  No amount of regex can save broken ingestion and corrupt raw events.
OK it looks like all your data is in _raw? | eval filenames=split(_raw," ") | mvexpand filenames | rex field=filenames "\"(?<file>[^\"]+)\",\"(?<url>[^\"]+)\""
@bowesmana Could you help me understand what it actually means?
Thanks for the response @ITWhisperer. It helps to add the value of the schedule in the HTML header, but it also shows the result in the panel. Can we hide/remove the panel with the value of the field Schedule? Current code:

<row> <panel> <html> <div style="display:inline-block;text-align:right;font-style:bold;color:white;font-size:100%">$schedule$</div> </html> </panel> </row> <row> <panel> <table> <search> <query>| inputlookup T2S-PPE-Calendar.csv | eval today = strftime(now(), "%d/%m/%Y") | where DATE = today | eval Schedule = Schedule." (".today.") in PPE" | fields Schedule</query> <earliest>1722776400.000</earliest> <latest>1722865326.000</latest> <sampleRatio>1</sampleRatio> <done> <set token="schedule">$result.Schedule$</set> </done> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row>
Okay, let me show the exact requirement. Now if you look at the event below. The data below is coming from CSV data. Now the 1st event has multiple CSV lines, which is creating confusion when counting the data. These multiple events are counted as one event, which is not the case. But if you look at the second event, it has one row with filename and link. I need to separate the 1st event (which has multiple lines) into separate events and need to use the table command to list the data in the dashboard. When I am running the regex it shows only 24000 records. But in the CSV the file line counts are more than 200000. Which is not matching. Not sure why Splunk is reading multiple rows into 1 event. Hope this helps.
I am looking for a custom index in Splunk, not the audit index used in the choice. I have extracted the idx st using rex in the 3rd line of my query, so I need to select either index=aws or sourcetype=aws;cloud in the checkbox.

<form theme="light"> <label>Logical Test</label> <fieldset submitButton="true" autoRun="false"> <input type="multiselect" token="index"> <label>Index</label> <choice value="*">All</choice> <default>*</default> <fieldForLabel>index_name</fieldForLabel> <fieldForValue>index_name</fieldForValue> <search> <query>| REST /services/data/indexes |dedup title | rename title as index_name | table "index_name"</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <delimiter>","</delimiter> <initialValue>*</initialValue> </input> <input type="multiselect" token="sourcetype_name"> <label>Sourcetype</label> <choice value="*">All</choice> <default>*</default> <fieldForLabel>sourcetype_name</fieldForLabel> <fieldForValue>sourcetype_name</fieldForValue> <search> <query>| tstats count WHERE index IN ("$index$") by sourcetype | rename sourcetype as sourcetype_name</query> <earliest>-30d@d</earliest> <latest>now</latest> </search> <delimiter>","</delimiter> <initialValue>*</initialValue> </input> <input type="checkbox" token="field3"> <label>Logical</label> <choice value="index_name=index AND sourcetype_name=sourcetype">Index AND Sourcetype</choice> <choice value="index_name=index OR sourcetype_name=sourcetype">Index OR Sourcetype</choice> <delimiter> </delimiter> </input> <input type="time" token="field1"> <label>Time</label> <default> <earliest>-4h@m</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <title>Search</title> <table> <search> <progress> <set token="adhoc"></set> </progress> <query>index=_audit sourcetype=audittrail info!=granted provenance="UI:Search" | rex field=_raw "search=\'(?&lt;search&gt;.*)\'," | rex field=search max_match=0 "[\w^]*index=\s*\"*(?&lt;index_name&gt;[^\s\"]+)" | rex field=search max_match=0 
"sourcetype=[\"]?(?&lt;sourcetype_name&gt;[\S]+)" | where isnotnull(search) | search $field3$ | rename info as Completion | table _time index_name sourcetype_name search, user | rename user as "accessed by"</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">5</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">none</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="number" field="time_ago(seconds)"> <option name="precision">0</option> </format> <format type="number" field="seconds_ago"> <option name="precision">0</option> </format> <format type="number" field="exec_time"> <option name="precision">0</option> </format> <format type="number" field="search_lt"> <option name="precision">0</option> </format> <format type="number" field="search_et"> <option name="precision">0</option> <option name="useThousandSeparators">false</option> </format> </table> </panel> </row> </form>  
It depends on what your events look like, i.e. what the fields are called and what is in them. You should give more accurate information, as I don't have access to your data and only know what you have shared so far.
Try something like this <row> <panel> <html> <div style="text-align:center;font-style:bold;color:blue;font-size:150%">Report : <div style="display:inline-block;text-align:center;font-style:bold;color:red;font-size:100%">$schedule$</div> </div> </html> </panel> </row> <row> <panel> <table> <search> <query>| inputlookup T2S-PPE-Calendar.csv | eval today = strftime(now(), "%d/%m/%Y") | where DATE = today | eval Schedule = Schedule." (".today.") in PPE" | fields Schedule</query> <earliest>1722776400.000</earliest> <latest>1722865326.000</latest> <sampleRatio>1</sampleRatio> <done> <set token="schedule">$result.Schedule$</set> </done> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row>
@ITWhisperer, as you are suggesting to use:

index=indexname host=server source="/SEM/Emblinksautomation/UploadEmblinks/Uploadlinks.csv" | rex "^\"(?<filename>[^\"]*)\"\,\"(?<url>[^\"]*)\"" | eval filename=split(filename,"") | mvexpand filename | rex field=filename "\"(?<file>[^\"]+)\",\"(?<url>[^\"]+)\""
Try something like this <input type="checkbox" token="command" searchWhenChanged="false"> <label>Logically OR'ed Search Command</label> <default>index=_audit</default> <initialValue>index=_audit</initialValue> <choice value="index=_audit">Index</choice> <choice value="sourcetype=audittrail">SourceType</choice> <choice value="index=_audit OR sourcetype=audittrail">Index OR Sourcetype</choice> </input> <input type="time" token="field1"> <label>Time</label> <default> <earliest>-4h@m</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <title>Search</title> <table> <search> <progress> <set token="adhoc"></set> </progress> <query>$command$ info!=granted
...does a visualization for pie chart render when you click on the visualizations tab?
Assuming the filenames are in a field called filenames, you could try this | eval filenames=split(filenames," ") | mvexpand filenames | rex field=filenames "\"(?<file>[^\"]+)\",\"(?<url>[^\"]+)\""