Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

But you can use field alias.
Once a field is renamed the original name no longer exists and cannot be referenced.  All subsequent uses of the field must use the new name.
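As an added example of the point above (not code from the reply or from the question it answers): the difference between renaming _raw and making a copy of it. The index, sourcetype and the header pattern in the rex are assumptions for illustration.

```spl
index=app_logs sourcetype=app:error
| rename _raw AS errortrace
| table _raw errortrace

index=app_logs sourcetype=app:error
| eval errortrace=_raw
| rex field=_raw "^(?<header>[^|]+)\|"
| table header _raw errortrace
```

In the first search the _raw column comes back empty, because after rename the field only exists under its new name and any later rex or spath against _raw finds nothing. In the second search eval copies the event text into errortrace while leaving _raw in place, so a downstream extraction such as the rex (assumed header format) still has the original to work on. Note the copy doubles the per-event payload carried through the search pipeline, so add the eval as late in the search as possible.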
Ahhh, I misread. You wrote "no uf, no hf" I read "no uf, on hf I'm using..." My bad. Forget it
Hi, I had been using the search syntax "rename "_raw" AS errortrace" in my custom search, but one of my app teams needs the _raw data to extract some header info. How can I still pass the _raw field data with the renaming syntax still in place? Thanks
My actual event looks like below, and I am searching on the last 24 hours of events. When I am using the below query it's not giving me the below given events. If I am removing the spath then it starts matching the below events only and the rest of the events are not matching. Not sure why it's behaving like this.

index = cba_hcck8s_UHGWM110-013948 host=prod_poc source=poc| spath | eval message="{\"message\":".message."}" | spath input=message message{} output=collection | mvexpand collection | spath input=collection |eval totalCount = SKIPPED + PROCESSED|chart sum(totalCount) as TotalClaims by DAYHOUR DATE

Event-
[{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00031AdjPro","TOTAL":0,"PROCESSED":1,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":0,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00031AdjPro","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":2118,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00035","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":1,"FAILED":0,"SKIPPED":0,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00035Med","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":1,"FAILED":0,"SKIPPED":0,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00052Med","TOTAL":0,"PROCESSED":2898,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":0,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00052Med","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":3,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00075","TOTAL":0,"PROCESSED":94,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":0,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00075","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":0,"PROCESSING":2,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00075","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":59,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00119","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":0,"PROCESSING":3,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00201H","TOTAL":0,"PROCESSED":1,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":0,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00243","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":1,"FAILED":0,"SKIPPED":0,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00243","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":1,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00283H","TOTAL":0,"PROCESSED":7,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":0,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00283H","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":104,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00302","TOTAL":0,"PROCESSED":1395,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":0,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00302","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":5,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00304","TOTAL":0,"PROCESSED":299,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":0,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00304","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":16,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00310","TOTAL":0,"PROCESSED":2,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":0,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00365","TOTAL":0,"PROCESSED":588,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":0,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00365","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":619,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00479H","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":4,"FAILED":0,"SKIPPED":0,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00479H","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":1,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00607Bundle","TOTAL":0,"PROCESSED":1,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":0,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00646","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":1,"FAILED":0,"SKIPPED":0,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00646","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":2,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00681","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":1,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00721H","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":1,"FAILED":0,"SKIPPED":0,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_02071","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":0,"PROCESSING":2,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_02229","TOTAL":0,"PROCESSED":1,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":0,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_02278","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":1,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_HOSPICE_CLM","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":1,"FAILED":0,"SKIPPED":0,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":15}]

Event-
[{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00011H","TOTAL":0,"PROCESSED":1,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":0,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":16},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00011H","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":35,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":16},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_00061","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":1,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":16},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_HOSPICE","TOTAL":0,"PROCESSED":27,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":0,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":16},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_HOSPICE","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":60,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":16},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_HOSPICE_CLM","TOTAL":0,"PROCESSED":1240,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":0,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":16},{"TARGETSYSTEM":"CPW","ARUNAME":"CPW_HOSPICE_CLM","TOTAL":0,"PROCESSED":0,"REMAINING":0,"ERROR":0,"FAILED":0,"SKIPPED":14,"PROCESSING":0,"DATE":"7/14/2024","DAYHOUR":16}]
Hi @Michael.Mom, Have any of the replies helped answer your question? If so, please click the "Accept as Solution" button, so we know your question has been resolved. If you still need more help, please reply and keep the conversation going.
Hi @vijreddy30, the props.conf is needed to understand the line breaking. Only then can it be troubleshot, thanks.
In the above screenshot, the blue color line event should go into one event and the blue color lines above it into a single event. Please provide the line break event queries.
Hi! Yes, my end goal is to set up Splunk to receive all the GitHub logs. I got audit logs to go, but it's missing quite a bit of data.
Hi @Zhanali .. "OEL 8", you meant RHEL 8? I assume you have got Splunk Support. May I know if you have contacted the Splunk Support team?
Hello, did you find out where the problem was? It looks like I also have performance issues with this TA. After deactivation, I can run the search in seconds... When it's active, the search doesn't finish... Thanks for your answer!
Hello, does anyone know if we can use eval-ingest with the lookup command in Splunk Cloud? The problem is that in Splunk Cloud we can only add configuration via a custom app on the SH. Eval-ingest in general is working, but when I'm trying to use the lookup command I'm receiving an error that the lookup was not found. I guess the problem is that the lookup is on the SH level, not on the IDX level, but maybe I'm doing something wrong. fields.conf - ok; props.conf - ok; transforms.conf - ok for simple eval-ingest without the lookup command.

Example from transforms.conf:

[test_lookup_manual2]
INGEST_EVAL = test_lookup=json_extract(lookup("test.csv",json_object("hostname_test",hostname_test), json_array(value)),"value")

The lookup was added in the lookups directory, permissions are ok, and it is visible in Splunk from every context.
@PickleRick No, I am using standalone windows machine. On the same machine I am using props.
We are currently using "MIME Decoder Add-on for Cisco ESA" to decode email subjects. It seems that this add-on is not supported in the cloud. Is there another way to decode UTF-8
I've read the documentation for how to accept input for things like "Interval" (typically in seconds), which I think is your point #1. That explains how to get the settings configured, but not how to actually achieve the scheduled interval when running your API calls. As for alerts and scheduled reports, it seems like what you are saying is that one approach is to write some code that will generate custom SPL functions that will call your API, then use the normal search scheduler to make that custom function run on a regular basis. That sounds oddly difficult; is that a common approach that technical app developers use for scheduling their API calls?
Hello, Splunk Cloud does not support "MIME Decoder Add-on for Cisco ESA". Did your colleague publish a decoder? I haven't found anything on Splunkbase.
OK. And you have your props.conf on that HF?
@PickleRick Here I am monitoring the network files from the network folder. No UF, no HF; I am not using either.
Firstly, https://docs.splunk.com/Documentation/SecureGateway/3.5.15/Admin/ConfigureSecureGatewayConf "In Splunk Secure Gateway version 3.4.25 and higher, Splunk Secure Gateway no longer reads from the securegateway.conf file. Configure Secure Gateway using the UI in Administration > Deployment configuration > Advanced settings" Secondly, you should not need SSG on HFs.
No, no, no. Don't add it anywhere. Where are you ingesting the data from? A file on this Splunk server or by means of a remote UF?