All Posts

<form theme="light">
  <label>Logical Test</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="checkbox" token="command" searchWhenChanged="false">
      <label>Logically OR'ed Search Command</label>
      <default>*</default>
      <initialValue>*</initialValue>
      <choice value="*">Index</choice>
      <choice value="**">SourceType</choice>
      <choice value="***">Index OR Sourcetype</choice>
    </input>
    <input type="time" token="field1">
      <label>Time</label>
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Search</title>
      <table>
        <search>
          <progress>
            <set token="adhoc"></set>
          </progress>
          <query>index=_audit sourcetype=audittrail info!=granted | rex field=_raw "search=\'(?&lt;search&gt;.*)\'," | rex field=search max_match=0 "[\w^]*index=\s*\"*(?&lt;idx&gt;[^\s\"]+)" | rex field=search max_match=0 "sourcetype=[\"]?(?&lt;st&gt;[\S]+)" | table search user idx st</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">5</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">none</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="number" field="time_ago(seconds)">
          <option name="precision">0</option>
        </format>
        <format type="number" field="seconds_ago">
          <option name="precision">0</option>
        </format>
        <format type="number" field="exec_time">
          <option name="precision">0</option>
        </format>
        <format type="number" field="search_lt">
          <option name="precision">0</option>
        </format>
        <format type="number" field="search_et">
          <option name="precision">0</option>
          <option name="useThousandSeparators">false</option>
        </format>
      </table>
    </panel>
  </row>
</form>
Please share the source of your dashboard in a code block for ease of understanding
@ITWhisperer currently the CSV raw data is reflecting in Splunk as mentioned below. If you notice the event at 2:48:32.000 AM, there are multiple CSV lines, which is causing confusion. I am looking for Splunk output as mentioned in 2:49:30.000 AM and 2:50:30.000 AM. Hope this helps.

8/5/24 2:48:32.000 AM
"filename_Time15151515.html","http://testdata1.html"
"filename_Time15151515.html","http://testdata2.gif"
"filename_Time15151515.html",""http://testdata3.doc"
"filename_Time15151515.html",""http://testdata4.xls"
"filename_Time15151515.html",""http://testdata5.aspx"

2:49:30.000 AM
"filename_Time15151515.html",""http://testtest.aspx"

2:50:30.000 AM
"filename_Time46657555.html",""http://tessttestsest.aspx"
What settings have you used for your pie chart visualisation?
The Splunk Enterprise version 5.0 documentation from 2012 is no longer available. Similar information is available in newer versions of the Splunk documentation. Replace "5.0" in the URL with "latest" or a more recent version number to view the topics.

dedup: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dedup
stats: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonStatsFunctions
Actually, I need to convert each line into a separate event so that each line can be counted correctly.
Actually, I want to split it into multiple lines.
Do you mean something like this?

^\"(?<file_name>[^\"]*)\"\,\"(?<links_emb>[^\"]*)\"

Or is this one event that you want to split into multiple lines?
Yes, it's part of my dashboard. For example, if I select a checkbox or radio button (logical AND or logical OR), it will show the result accordingly in the panel, either a simple search or any other panels. Could you please give me an example search to define the token?
Hi @AnanthaS, as I said, you have to create a dashboard A containing some Key Indicators. Clicking on each one of them (e.g. CPU status) you open a second dashboard with a detail of the information about CPU. To do this, you need a main dashboard (A) containing all the Key Indicators and then one or more dashboards to call by clicking on the Key Indicator. If the secondary dashboard is general (only one panel with the time distribution of the metric) you could also use one dashboard that chooses the search based on the click on the primary Key Indicator, otherwise two or more dashboards. As I said, the only tokens that you must pass to the secondary dashboard are Time.earliest and Time.latest. Ciao. Giuseppe
Tokens are used in dashboards; how does this relate to ad-hoc or saved searches? Are these part of your dashboard?
Hi Team, we are trying to upgrade the Splunk OpenTelemetry Collector to version v0.104. So, we wanted to know its compatibility with Kubernetes version v1.29. Kindly assist. Thanks
Hello, I've tried to create a pie chart depicting the different disks and their free/used space. Via trellis I want to show it by instance (the disk in question, for example C:/). Now I've used the following SPL to find the needed values for free and used (full) disk space, but it doesn't give me a correct pie chart. I'm fairly sure it is because I need to turn the headers or the fields in a way to be usable by the pie chart, but I can't seem to find a good way how. Can anyone help me? Thanks a lot! André
Could you please give me some examples, because I need to use this in an ad-hoc search and a saved search?
OK, tried that and still no results.
Hi, can someone please tell me how I can add the output of a search in the HTML panel?

Example: in the below attached dashboard, I want to add the value of the field Schedule in the HTML panel "Report : EOD".

Output required: in the HTML panel, we need the value as

Report : EOD                     T2S Synchronized Standard day (05/08/2024) in PPE

Current code:

<row>
  <panel>
    <html>
      <div style="text-align:center;font-style:bold;color:blue;font-size:150%">Report :
        <div style="display:inline-block;text-align:center;font-style:bold;color:red;font-size:100%">EOD</div>
      </div>
    </html>
  </panel>
</row>
<row>
  <panel>
    <table>
      <search>
        <query>| inputlookup T2S-PPE-Calendar.csv | eval today = strftime(now(), "%d/%m/%Y") | where DATE = today | eval Schedule = Schedule." (".today.") in PPE" | fields Schedule</query>
        <earliest>1722776400.000</earliest>
        <latest>1722865326.000</latest>
        <sampleRatio>1</sampleRatio>
      </search>
      <option name="count">100</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="percentagesRow">false</option>
      <option name="rowNumbers">false</option>
      <option name="totalsRow">false</option>
      <option name="wrap">true</option>
    </table>
  </panel>
</row>
Create a dropdown or radio buttons to select either "index" or "sourcetype" and use that token in your search $type_of_search$=$value_of_search$
We have a scheduled report that passes data using "collect" and targets an index. It was running fine on schedule and the information was appearing in the index. It started only intermittently working, and now the scheduled occurrences have stopped placing data into the index. The search is still perfectly functional and has results; I cannot work out why these are not being recorded. No change to the search used or the systems.

Search used:

| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" attrs="pwdLastset,sAMAccountName,extensionAttribute8,info"
| fields "_time", "extensionAttribute8", "pwdLastSet", "sAMAccountName","info"
| where isnotnull('extensionAttribute8')
| collect index="ldap_ad"

Tried adding 'spool=true' at the end and doing 'addinfo' prior to the collect; neither makes a difference to the search or the report, and no data appears in ldap_ad.
I have CSV raw data which has file names and data inside the files, separated by double quotes and a comma. I am trying to create the following regex (^\"(?<file_name>\w.*)\"\,\"(?<links_emb>\w.*)\"), which is taking the results as one event, due to which the count is mismatching. One event has multiple CSV lines, as mentioned below, and a few events have one file name and the data inside the file name. One file contains multiple file types. Can you help me with a regex which can take one line as one event?

"filename_Time15151515.html","http://testdata1.html"
"filename_Time15151515.html","http://testdata2.gif"
"filename_Time15151515.html",""http://testdata3.doc"
"filename_Time15151515.html",""http://testdata4.xls"
"filename_Time15151515.html",""http://testdata5.aspx"

^\"(?<file_name>\w.*)\"\,\"(?<links_emb>\w.*)\"
How to add a radio button or a checkbox for the user selection of Index and Sourcetype, to select between logical AND or logical OR between the Index and the Sourcetype? This will allow viewing, in one selection, searches that could be performed by users either by the index or by the sourcetype.