All Posts

Hello, is it possible with Splunk HEC from Kafka to receive raw events on a HF in order to parse fields with add-ons? It seems we can only receive JSON data with an "event" field and may not be able to extract fields with the standard add-ons? The HEC event may also contain the target index and sourcetype. Thanks.
Hi @SN1

I would start by adding a console.log(rowKey); and also one after searchQuery - console.log(searchQuery); and then validate that these are outputting what you expect. Can you check to see if this prints out what you are expecting and let us know how you get on, as this might help drill down further.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @Emre

Try the following:

| eval message=json_extract(_raw,"message")
| spath input=message

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
As you have used the depends attribute on your input, I'm quite sure that this is not a capability issue; instead it is an undefined token. The easiest way to debug tokens is to use the simple_xml_examples app and add this to your dashboard:

<form version="1.1" theme="light" script="simple_xml_examples:showtokens.js">

After this addition, you see all used tokens and their values at the bottom of the page.
https://splunkbase.splunk.com/app/1603

Helsinki UG presentation on how to create and debug SXML dashboards:
https://data-findings.com/wp-content/uploads/2024/09/HSUG-20240903-Tiia-Ojares.pdf
Hi @uagraw01

I'm not sure how you ended up with this list, and there may be a better way, but if you really do need to split these back out then the following snippet should work. This combines the fields into a single JSON string so you can use mvexpand once.

| foreach FunctionGroup mode=multivalue
    [ | eval json=mvappend(json, "{".
        "\"FunctionGroup\":\"".mvindex(FunctionGroup,<<ITER>>)."\",".
        "\"MsgNr\":\"".mvindex(MsgNr,<<ITER>>)."\",".
        "\"alarm_severity\":\"".mvindex(alarm_severity,<<ITER>>)."\",".
        "\"area\":\"".mvindex(area,<<ITER>>)."\",".
        "\"equipment\":\"".mvindex(equipment,<<ITER>>)."\"".
        "}") ]
| mvexpand json
| eval _raw=json
| fields _raw
| spath

I've tested it as best as I can.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
You have a depends attribute on this input, perhaps these tokens are not defined for the user?
Perhaps go back a step - how did you get these multivalue fields in the first place? Can you separate into events prior to this? What does your raw data look like?
Hello, this query seems to be working, but the clients field is a multivalue field for some sourcetypes, so its results are spread out. Can you modify it?
Hey @uagraw01,

The mvexpand command works with only one field, and if you use it multiple times it will cause n number of duplicate values. Here's what I used in one scenario:

Combine all the multivalue fields using mvzip and a delimiter. In your case, it would be equivalent to:

| eval combined_multivalue_field = mvzip(mvzip(FunctionGroup, MsgNr, "|"), mvzip(alarm_severity, area, "|"), "|")

This will give you one single column with all the field values separated by a pipe (|) delimiter. You can then use mvexpand on combined_multivalue_field. Then, if you want to utilize each individual value, you can use string functions to separate out each value that you need and progress with the SPL query.

Thanks,
Tejas.

---
If the above solution helps, an upvote is appreciated.
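A worked version of the zip-then-expand-once approach that both answers above describe (the mvzip reply and the earlier foreach/JSON reply), added here as an example and not taken from either poster. It builds five constructed multivalue fields with makeresults, zips them into one field, runs mvexpand a single time, and recovers the individual fields with split() and mvindex(). It assumes all five fields carry the same number of values in the same order (mvzip pairs values by position) and that the delimiter "|" never occurs inside a value; if it can, choose a delimiter that cannot appear in the data, otherwise a value containing the delimiter shifts every field after it.

```spl
| makeresults
| eval FunctionGroup=split("FG1,FG2,FG3", ","),
       MsgNr=split("101,102,103", ","),
       alarm_severity=split("high,low,medium", ","),
       area=split("A1,A2,A3", ","),
       equipment=split("E1,E2,E3", ",")
| eval combined=mvzip(mvzip(mvzip(mvzip(FunctionGroup, MsgNr, "|"), alarm_severity, "|"), area, "|"), equipment, "|")
| fields - FunctionGroup MsgNr alarm_severity area equipment
| mvexpand combined
| eval parts=split(combined, "|"),
       FunctionGroup=mvindex(parts, 0),
       MsgNr=mvindex(parts, 1),
       alarm_severity=mvindex(parts, 2),
       area=mvindex(parts, 3),
       equipment=mvindex(parts, 4)
| fields - combined parts
| table FunctionGroup MsgNr alarm_severity area equipment
```

The first eval stands in for the real event's multivalue fields (constructed data). Dropping the original multivalue fields before mvexpand keeps the expanded rows small and avoids carrying five multivalue copies into each of the three result rows; the final eval splits the zipped string back into single-valued fields, giving one row per position (FG1/101/high/A1/E1, FG2/102/low/A2/E2, FG3/103/medium/A3/E3). The one mvexpand is still the expensive step; when the combined field is large, its limit=<int> option caps how many values are expanded per event.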
Try like this:

<change>
  <condition value="A">
    <set token="T1">myRegex1(X)</set>
    <set token="T2">myRegex2(Y)</set>
  </condition>
</change>
Hi @uagraw01 , could you share your search? Ciao. Giuseppe
Hi @Emre,

Beware, because this seems to be a JSON file, and the raw text is different from the one you display (there are backslashes before each quote). Then I suppose that you missed some quotes copying the text, because there are unclosed quotes. Please put this text using the Insert/Edit Code Sample button "</>".

Ciao.
Giuseppe
I want to set two tokens at the same time when a value is selected from a dropdown input. I have a dynamic dropdown input. Let's say the possible values are A, B and C in the dropdown. If A is selected I want to set two tokens, token1=X and token2=Y, and I will use those tokens in different panels. I tried the below, but one token is not getting the value:

<change>
  <condition value="A">
    <set token="T1">myRegex1(X)</set>
  </condition>
</change>
<change>
  <condition value="A">
    <set token="T2">myRegex2(Y)</set>
  </condition>
</change>

Thanks
@isoutamo I am using only a time selector in the dashboard, and the code for the time selector is as mentioned below.

<input id="time" type="time" token="time" depends="$operational_start_time$, $operational_end_time$" searchWhenChanged="true">
  <label>Time</label>
  <default>
    <earliest>-7d@h</earliest>
    <latest>now</latest>
  </default>
  <change>
    <eval token="time.earliest_epoch">if('earliest'="",0,if(isnum('earliest'),'earliest'+($operational_start_time$*3600),relative_time(now(),'earliest')))+($operational_start_time$*3600)</eval>
    <eval token="time.latest_epoch">if('earliest'="",0,if(isnum('earliest'),'earliest'+(86400)+($operational_start_time$*3600),relative_time(now(),'earliest')))+(86400)+($operational_start_time$*3600)</eval>
  </change>
Hello Splunkers!! How can I efficiently use the mvexpand command to expand multiple multivalue fields, considering its high resource consumption and that it is an expensive command? Please guide me.
With a racetrack, which is typically single kilometres across, you shouldn't need to go to such lengths. Just calculate the approximate distance per degree of longitude at your latitude and use normal cartesian-plane distance. Unfortunately the match against a lookup is only done for data treated as text, so you can't easily do the "shortest distance" match. You'd still need to calculate the difference for all points anyway. Depending on the number of data points, both to match and to match against, there could be multiple approaches. You could do a simple X by Y calculation of all distances and find the nearest points, or you could do something akin to @bowesmana's solution: create narrowing bounding boxes to pre-select points for fine calculations.
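An added example of the approximate planar-distance approach described in the reply above (written for this page, not the poster's code): one constructed car position is compared against three constructed reference points, a degree of longitude is scaled by cos(latitude), and the nearest point is kept. The coordinates are made up for the example; 110.574 km per degree of latitude and 111.320 km per degree of longitude at the equator are the usual spherical approximations, which are accurate to well under a metre over a few kilometres. On a real track the reference points would come from a lookup (inputlookup) rather than an inline string, but the arithmetic is the same.

```spl
| makeresults
| eval car_lat=43.7370, car_lon=7.4230
| eval corners="start,43.7347,7.4206;hairpin,43.7380,7.4239;chicane,43.7365,7.4285"
| makemv delim=";" corners
| mvexpand corners
| rex field=corners "^(?<corner>[^,]+),(?<corner_lat>[^,]+),(?<corner_lon>[^,]+)$"
| eval km_per_deg_lat=110.574,
       km_per_deg_lon=111.320*cos(car_lat*pi()/180)
| eval dx_km=(tonumber(corner_lon)-car_lon)*km_per_deg_lon,
       dy_km=(tonumber(corner_lat)-car_lat)*km_per_deg_lat,
       dist_m=round(sqrt(dx_km*dx_km+dy_km*dy_km)*1000, 1)
| sort num(dist_m)
| head 1
| table corner dist_m
```

The second and third evals are the whole method: convert the latitude and longitude deltas into kilometres on a local flat plane (the longitude scale shrinks with cos(latitude)), then take the Euclidean distance. Because the lookup cannot do a "nearest" match on its own, every reference point is expanded into its own row and scored, and sort/head picks the winner; with these inputs that is "hairpin" at roughly 132 m. cos() in SPL takes radians, hence the pi()/180 conversion, and tonumber() makes the rex-extracted strings explicit numbers before the subtraction.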
@gcusello Here you are, I hope it works.

This is the Message:

{"Module": SplunkTest""Microflow": ACT_Omnext_Create_Test""latesterror_message": "401: Access Denied   at SplunkTest.ACT_Omnext_Create_TEST (CallRest : 'Call REST (POST)') Advanced stacktrace:"http_status": "401"http_response_content": "{ "statusCode": 401, "message": "Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription." }"http_reasonphrase": "Access Denied"session_id": "912651c4-127f-4f02-a348-c79373e84444}

What I want is:

app:
application_name:
env:
environment_id:
hostname: instance
index
level: ERROR
Module: SplunkTest
Microflow: ACT_Omnext_Create_Test
latesterror_message: 401: Access Denied at SplunkTest.ACT_Omnext_Create_TEST (CallRest : 'Call REST (POST)')
http_status: 401
http_response_content: "{ "statusCode": 401, "message": "Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription." }
http_reasonphrase: Access Denied
session_id: "1111111-127f-4f02-a348-c79373e86a5d}
What do you mean by "Saas" here? It's either a Splunk Enterprise instance (either administered by you or a third party) or a Splunk Cloud service subscription.
Won't work. As you can see in the spec, it doesn't work on the event level but on the file's mtime. It is a setting for this particular input type and doesn't make sense in another context. BTW, if you had files created a sufficiently long time ago but containing events with present timestamps, it still wouldn't ingest those files.
Hi @Emre , you should create some field extractions using regexes from the message field. If you can share a sample of your data in text format (not screenshot), we can help you. Ciao. Giuseppe