I have added a New SAML group and assigned a role which was created before with limited privileges/capabilities and access to only 2 indexes. However, users in that group have reported being unable to access the resources(indexes). Upon verifying in the users section of Splunk Cloud settings, I noticed that the specific users within that AD group were not assigned their roles. Is there a troubleshooting step I should take? I noticed an option in the SAML settings to reload the SAML configuration, but I am worried to click on it.
Another easy way is to use the foreach command; below is an example.
|makeresults
| eval mv=mvappend("5", "15"), total = 0, count = 0
| foreach mode=multivalue mv [eval total = total + <<ITEM>>, count = count + 1]
I have added a New SAML group from our organisation Azure AD and assigned a role which was created before with limited privileges/capabilities and access to only 2 indexes. However, users in that group have reported being unable to access the resources. Upon verifying in the users section of Splunk Cloud settings, I noticed that the specific users involved in that group were not assigned their roles. Is there a troubleshooting step I should take? I noticed an option in the SAML settings to reload the SAML configuration, but I am hesitant to click on it.
"Approved", "Declined" etc are not series, they are values on the x-axis. You need to refactor your search to create series. If you need help doing that, please share your data source code.
It looks like your data values are strings but you are trying to add totals i.e. treating them as numerics. Try removing the commas (as well as the $ signs) and converting the bracketed number to negative e.g. change the "(" to "-" and remove the ")".
We have a centralized collector via WEF for our Windows logs, where a UF with the Windows add-on is sending logs to Splunk Cloud, where we also have a TA add-on.
Thanks Giuseppe for your quick reply. It doesn't seem to work. So e.g. there are 6 records:
Name;Reference;Status;Date;Creator;NewReference;Type
Test;Abc1;DONE;2022-09-09;Me;Null;INS
Hello;Null;OPEN;2022-09-09;Me;Abc1;UPD
Test;Abc2;DONE;2022-09-09;Me;Null;INS
Hello;Null;OPEN;2022-09-09;Me;Abc2;UPD
Test;Abc3;DONE;2022-09-09;Me;Null;INS
Hello;Abc5;OPEN;2022-09-09;Me;Abc4;UPD
So in the above example, I would like to find records where a Reference with status DONE is not found in any other record under the field NewReference with status OPEN. In the above example, Abc1 and Abc2 find a matched record but Abc3 & Abc5 don't. Many thanks
Hi, thanks for your inputs; it's working but not fulfilling the requirements. Can you share more insights on the drilldown option? Example: when we have 2 or more column names with longer text and want to expand the field values for the one column name which we have selected (specific), but not expand all the columns where this drilldown is used.
Hi @mendi , let me understand: do you have Reference and NewReference in each event? If yes, you have to create a search using the fields to compare as keys, something like this: <your_search>
[ search <your_search> | rename Reference AS NewReference | fields NewReference ]
| fields Name Reference Status Date Creator NewReference Type
| stats
dc(Status) AS Status_count
values(*) AS *
BY Reference
| where Status_count=2
| table Name Reference Status Date Creator NewReference Type
If you have more conditions, you can add them to the where. Ciao. Giuseppe
I have thousands of records (events). I would like to search field a to see if it exists in field b of another event (record). e.g.
Name;Reference;Status;Date;Creator;NewReference;Type
Test;Abc1;DONE;2022-09-09;Me;Null;INS
Hello;Null;OPEN;2022-09-09;Me;Abc1;UPD
So I would like to find records where Reference (Abc1) with status (DONE) is present in another record whose NewReference is equal to the Reference of the earlier record (Abc1) and whose status is OPEN. The logs will have thousands of records. Thanks
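The cross-record matching asked about in the question above and in the follow-up with six sample records (DONE references that are, or are not, referenced by an OPEN record's NewReference) can be checked offline before writing the SPL. The following Python is an added example, not code from the Splunk Community thread; the records are constructed from the thread's sample data with a consistent ';' separator, and the function names (parse_records, matched_keys, unmatched_done, orphan_open) are this example's own. matched_keys mirrors the "stats dc(Status) BY key ... where Status_count=2" idea from the answer by grouping each event under its comparison key (Reference for DONE, NewReference for OPEN).

```python
# Added example (not from the thread): Python model of the Reference/NewReference
# matching discussed above, run over constructed sample records.

# Constructed from the six sample events in the thread; header uses ';' throughout.
SAMPLE = """Name;Reference;Status;Date;Creator;NewReference;Type
Test;Abc1;DONE;2022-09-09;Me;Null;INS
Hello;Null;OPEN;2022-09-09;Me;Abc1;UPD
Test;Abc2;DONE;2022-09-09;Me;Null;INS
Hello;Null;OPEN;2022-09-09;Me;Abc2;UPD
Test;Abc3;DONE;2022-09-09;Me;Null;INS
Hello;Abc5;OPEN;2022-09-09;Me;Abc4;UPD
"""


def parse_records(text):
    """Parse ';'-separated lines into a list of dicts keyed by the header row."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0].split(";")
    return [dict(zip(header, ln.split(";"))) for ln in lines[1:]]


def _key(rec):
    """Comparison key: DONE events are keyed by Reference, OPEN events by NewReference."""
    if rec["Status"] == "DONE":
        return rec["Reference"]
    if rec["Status"] == "OPEN":
        return rec["NewReference"]
    return None


def matched_keys(records):
    """Keys seen with both statuses (the SPL 'dc(Status)=2' condition)."""
    statuses = {}
    for rec in records:
        key = _key(rec)
        if key and key != "Null":
            statuses.setdefault(key, set()).add(rec["Status"])
    return sorted(k for k, s in statuses.items() if {"DONE", "OPEN"} <= s)


def unmatched_done(records):
    """DONE references that no OPEN record points at via NewReference."""
    open_targets = {r["NewReference"] for r in records if r["Status"] == "OPEN"}
    return sorted(r["Reference"] for r in records
                  if r["Status"] == "DONE" and r["Reference"] not in open_targets)


def orphan_open(records):
    """OPEN records whose NewReference has no DONE counterpart; returns (Reference, NewReference)."""
    done_refs = {r["Reference"] for r in records if r["Status"] == "DONE"}
    return sorted((r["Reference"], r["NewReference"]) for r in records
                  if r["Status"] == "OPEN" and r["NewReference"] not in done_refs)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("matched:", matched_keys(recs))       # Abc1 and Abc2 pair up
    print("DONE without OPEN:", unmatched_done(recs))
    print("OPEN without DONE:", orphan_open(recs))
```

On the sample data Abc1 and Abc2 pair up, Abc3 is a DONE reference nobody reopened, and the OPEN record with Reference Abc5 points at Abc4, which has no DONE counterpart; that is the "Abc3 & Abc5 don't find" case from the follow-up.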
Hi @Haleb , as @PickleRick said, it's hard to help you without any information about your architecture. Anyway, how are you sending logs? Are you using one or two receivers? How many inputs did you enable? Are you using a Load Balancer? Ciao. Giuseppe
Hi @dataisbeautiful , good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi @kobi , as @PickleRick said, you cannot use a Deployment Server to push apps to a Search Head Cluster; you must use a SHC-Deployer. You could eventually push the apps from the DS to the SHC-Deployer, which then deploys the apps to the Cluster. Ciao. Giuseppe
There is something wrong. But seriously - you haven't shown us anything regarding your data and your configuration. You haven't told us what your architecture is and where this addon is installed. My glass orb is undergoing annual maintenance...
Try using this URI: https://<host>:<mPort>/services/search/v2/jobs/
The API URI that you are using is deprecated. To my knowledge, it deletes the "|" at the beginning of the SPL query; that's why you got the error "Error in 'makeresults' command: This command must be the first command of a search.".
What Splunk receives from your query "search | makeresults | eval nombre=\"denis\"" with the API call is this:
makeresults | eval nombre="denis"
and not:
| makeresults | eval nombre="denis"
https://docs.splunk.com/Documentation/Splunk/9.2.2/RESTREF/RESTsearch#search.2Fv2.2Fjobs.2F.7Bsearch_id.7D.2Fresults