All Posts


If you look into the opening message of this thread you'll see a json entity with a message field containing a string which - when parsed out from the original event and then parsed as a json structure returns fields. And I suppose that's the problem - the "sub-json" is actually a string within the original json structure.
Pluralsight is an external entity. We don't know each and every training on Splunk that is out there. We don't know what the video shows, what is the scope of the training and whatever "the window to the right" is. Is it a real Splunk interface or some mockup? How are we supposed to know that?
Thank you, but I am already using All Time. I've tried to follow the tutorial as closely as possible, and I think I've been successful in that, which is why this "No Results Found" is so confounding.
SQL Monitoring - I'd like to know how to write a Splunk SPL query to alert on the top users running long running SQL queries on my databases.  I'm currently using the MS SQL add-on for Splunk and monitoring the included monitors for  Perfmon:sqlserver:* and sourcetypes "mssql:agentlog" and "mssql:errorlog"   Thank you in advance!
Hi Manjunatha, Are you having a Splunk issue? Otherwise, if this is an issue just about a (Cisco) switch, that is out of scope for this forum, and you should check with Cisco support.
Thank you for reposting data as plain text and not emojis. Let this be a lesson for everyone using this board: make use of the text block (that </> button in editor) and you can avoid mishaps. Another good practice is to use Splunk's autoformat function in search window.

Anyway, the logic behind

| spath
| eval message="{\"message\":".message."}"

escapes me, because first, without any prompt, Splunk should have given you a whole number of multi-valued fields such as {}.TARGETSYSTEM and {}.ARUNAME. Adding another spath only doubles their entry. Second, I do not see any field named message.

Are your event illustrations of _raw events or of a particular field named message that has been extracted by Splunk? If it is the latter, there is no reason why your search wouldn't give the desired results. Here is an emulation of "message" field in your illustrations:

| makeresults
| eval message=mvappend("[{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00253\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":1,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00314\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":6,\"FAILED\":6,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00314\",\"TOTAL\":0,\"PROCESSED\":7295,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00052Med\",\"TOTAL\":0,\"PROCESSED\":273,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00011H\",\"TOTAL\":0,\"PROCESSED\":23,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00303\",\"TOTAL\":0,\"PROCESSED\":8,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00355\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":22,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_01015\",\"TOTAL\":0,\"PROCESSED\":3,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00011H\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":2,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00314\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":38,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00355\",\"TOTAL\":0,\"PROCESSED\":44,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00364\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":6,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00302\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":2,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00364\",\"TOTAL\":0,\"PROCESSED\":7177,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00302\",\"TOTAL\":0,\"PROCESSED\":116,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00607Bundle\",\"TOTAL\":0,\"PROCESSED\":37,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00086\",\"TOTAL\":0,\"PROCESSED\":215,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00061\",\"TOTAL\":0,\"PROCESSED\":4,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00607Bundle\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":14,\"FAILED\":14,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00030\",\"TOTAL\":0,\"PROCESSED\":21,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00075Med\",\"TOTAL\":0,\"PROCESSED\":546,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00030\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":801,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00022AdjPro\",\"TOTAL\":0,\"PROCESSED\":150,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00473H\",\"TOTAL\":0,\"PROCESSED\":69,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00075Med\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":542,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00607Bundle\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":2,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00022AdjPro\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":335,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00473H\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":10,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00304\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":12,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00304\",\"TOTAL\":0,\"PROCESSED\":637,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00396\",\"TOTAL\":0,\"PROCESSED\":2,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00079MEDICA\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":88,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00086\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":1,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00079MEDICA\",\"TOTAL\":0,\"PROCESSED\":24,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00304\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":1,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00022AdjPro\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":1,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5}]",
"[{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00253\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":1,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00797H\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":2,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00365\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":511,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00365\",\"TOTAL\":0,\"PROCESSED\":210,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00410\",\"TOTAL\":0,\"PROCESSED\":8,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00396\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":1,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00410\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":21,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4}]")
| mvexpand message
``` the above emulates the "message" field from index = ***** host=**** source=*** ```

Apply your search (skip that first spath) with Splunk autoformat

| eval message="{\"message\":".message."}"
| spath input=message message{} output=collection
| mvexpand collection
| spath input=collection
| eval totalCount = SKIPPED + PROCESSED
| chart sum(SKIPPED) as SKIPPED,sum(PROCESSED) as Processed sum(totalCount) as TotalClaims by DAYHOUR DATE

I get this table:

DAYHOUR   Processed: 7/9/2024   SKIPPED: 7/9/2024   TotalClaims: 7/9/2024
4         218                   536                 754
5         16644                 1862                18506

If the two illustrations are for raw events, emulation is like the following:

| makeresults
| eval data=mvappend("[{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00253\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":1,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00314\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":6,\"FAILED\":6,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00314\",\"TOTAL\":0,\"PROCESSED\":7295,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00052Med\",\"TOTAL\":0,\"PROCESSED\":273,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00011H\",\"TOTAL\":0,\"PROCESSED\":23,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00303\",\"TOTAL\":0,\"PROCESSED\":8,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00355\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":22,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_01015\",\"TOTAL\":0,\"PROCESSED\":3,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00011H\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":2,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00314\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":38,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00355\",\"TOTAL\":0,\"PROCESSED\":44,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00364\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":6,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00302\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":2,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00364\",\"TOTAL\":0,\"PROCESSED\":7177,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00302\",\"TOTAL\":0,\"PROCESSED\":116,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00607Bundle\",\"TOTAL\":0,\"PROCESSED\":37,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00086\",\"TOTAL\":0,\"PROCESSED\":215,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00061\",\"TOTAL\":0,\"PROCESSED\":4,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00607Bundle\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":14,\"FAILED\":14,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00030\",\"TOTAL\":0,\"PROCESSED\":21,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00075Med\",\"TOTAL\":0,\"PROCESSED\":546,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00030\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":801,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00022AdjPro\",\"TOTAL\":0,\"PROCESSED\":150,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00473H\",\"TOTAL\":0,\"PROCESSED\":69,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00075Med\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":542,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00607Bundle\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":2,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00022AdjPro\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":335,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00473H\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":10,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00304\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":12,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00304\",\"TOTAL\":0,\"PROCESSED\":637,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00396\",\"TOTAL\":0,\"PROCESSED\":2,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00079MEDICA\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":88,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00086\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":1,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00079MEDICA\",\"TOTAL\":0,\"PROCESSED\":24,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00304\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":1,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00022AdjPro\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":1,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":5}]",
"[{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00253\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":1,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00797H\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":2,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00365\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":511,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00365\",\"TOTAL\":0,\"PROCESSED\":210,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00410\",\"TOTAL\":0,\"PROCESSED\":8,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00396\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":1,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00410\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":21,\"PROCESSING\":0,\"DATE\":\"7/9/2024\",\"DAYHOUR\":4}]")
| mvexpand data
| rename data as _raw
| spath
``` the above emulates index = ***** host=**** source=*** ```

Use a slightly modified search from your original,

| fields - {}.* ``` optional - just to clear view during development ```
| spath path={} ``` you can directly use {} as fieldname, no need to append ```
| mvexpand {}
| fields - _*
| spath input={}
| eval totalCount = SKIPPED + PROCESSED
| chart sum(SKIPPED) as SKIPPED,sum(PROCESSED) as Processed sum(totalCount) as TotalClaims by DAYHOUR DATE

This gives the exact same result. Could you clarify?
Finally it is working now. Thank you so much. You made my day.
Check that the timeframe for the search covers the times your events have been timestamped with (or simply use all time).
OK try it with double quotes on the stats command (which is counter-intuitive!)

index="apigee" (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200
| eval "BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode" = coalesce('BackendResponse.content.reasonCode', 'ConsumerResponse.content.reasonCode')
| stats count by "BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode"
If I increase the RF on a SmartStore enabled indexer cluster what happens on SmartStore? Is a 2nd copy actually created on SmartStore, or is the same copy referenced by more than 1 indexer in the cluster? 
@ITWhisperer thanks for being patient with me. I have copied the same query which you have mentioned and this is the result

index="apigee" sourcetype!="apigee:nginx" (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200
| eval "BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode" = coalesce('BackendResponse.content.reasonCode', 'ConsumerResponse.content.reasonCode')
| stats count by 'BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode'
I am taking the Pluralsight tutorial. I have followed all the steps very carefully in the "Demo: Getting Data into Splunk" video. I first run into trouble about two minutes in. I uploaded the logfile successfully and successfully set the source type as access_combined_wcookie. My Event Break and Timestamp settings are the same as what is shown in the video. But in the large viewing window to the right, mine says "No results found." In the video there are Times and Events in this pane. I thought that perhaps I just needed to follow all the steps through to see Times and events, so I created the new index, as per the tutorial, and submitted successfully. But then I got the same "No Results Found" message on the New Search screen. I should note that the only difference between me and the tutorial video is that in the bar underneath the words "New Search," the host = my computer's name instead of "thenson-desktop." What do I need to do to see results?
Please try it exactly as I showed you - I have already explained that you need double quotes to the left of the assignment and single quotes to the right - if you do not follow simple instructions like this, you will struggle to get a working solution!
No luck    
Try without StatusCode on the stats

index="apigee" (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200
| eval "BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode" = coalesce('BackendResponse.content.reasonCode', 'ConsumerResponse.content.reasonCode')
| stats count by 'BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode'
This was an issue I struggled with a bit at first, and while the Splunk team is very excellent, their own perspective is not always intuitive with respect to naming and function.

Splunk DOCs describe the following about the deployment server, in particular the deployment clients have a defined deployment server that manages the configurations that are pushed out to it, see the following: Plan a deployment - Splunk Documentation

"Deployment server and clusters
You cannot use the deployment server to update indexer cluster peer nodes or search head cluster members.

Indexer clusters
Do not use deployment server or forwarder management to manage configuration files across peer nodes (indexers) in an indexer cluster. Instead, use the configuration bundle method. You can, however, use the deployment server to distribute updates to the manager node, which then uses the configuration bundle method to distribute them to the peer nodes. See "Update common peer configurations" in the Managing Indexers and Clusters of Indexers manual.

Search head clusters
Do not use deployment server to update search head cluster members. The deployment server is not supported as a means to distribute configurations or apps to cluster members. To distribute configurations across the set of members, you must use the search head cluster deployer. See "Use the deployer to distribute apps and configuration updates" in the Distributed Search manual."

The reference for respective configuring is here: Deploying Apps: Use the deployer to distribute apps and configuration updates - Splunk Documentation (see this section: https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/PropagateSHCconfigurationchanges#Deploy_a_configuration_bundle)

By contrast, apps and configurations are managed by the deployment server, here: Create deployment apps - Splunk Documentation
Hi,

query: is it possible to use expand and collapse for table column fields in splunk classic dashboards.

query2: is it possible to add excel feature (overriding next column value until we expand) as above image in splunk classic dashboard.
Hi @Idodox, please see this approach:

<unrelated part to collect proper events> error=4
| eventstats count as total by applicationId
| search error=404
| stats count as error_404 values(total) AS total by applicationId
| eval errorRate=((error_404/total)*100)."%"
| table applicationId, errorRate

Ciao.
Giuseppe
I have a cisco ess -3300 con switch with 20 1G copper port and 4 1G Fiber cable. My issue is that out of 24 1G port one of my Fiber interface is showing err-disable status and one 1G copper port is also not showing connected status. How to resolve the above issue? Please reply as soon as possible.
My environment contains two EC2s: one primary and one warm standby. Due to a series of unfortunate events, our database on the warm standby got corrupted and phantom would not start on it. Luckily, we had a volume backup in AWS of the SOAR directory, so it was saved.  However, after some research afterwards, we found a different method of backing up: https://docs.splunk.com/Documentation/SOARonprem/6.2.2/Admin/BackupOrRestoreAndWarmStandby I think I'm being dense and overthinking it, but the article mentions a "primary warm standby", a "primary" + a "secondary" + a "warm standby" later on in the article. How many servers are in this configuration? I am not understanding how it is being set up and what the secondary is referencing. Also, what is a "primary warm standby"? Would this article be helpful in the situation I described above with my failed warm standby?