All Posts
I have the following csv file:

id,name,age,male
1,lily,10,girl
2,bob,12,boy
3,lucy,12,girl
4,duby,10,boy
5,bob,11,boy
6,bob,10,boy
7,lucy,11,girl

Now, I want to use Splunk to count the number of times each name is repeated, and the result after counting should be as follows:

id,name,age,male,result
1,lily,10,girl,1
2,bob,12,boy,3
3,lucy,12,girl,2
4,duby,10,boy,1
5,bob,11,boy,3
6,bob,10,boy,3
7,lucy,11,girl,2

How can I use SPL to accomplish this task?
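One way to get the per-name count while keeping every original row, as an added example that is not part of the post above. It assumes the CSV has been uploaded as a lookup named names.csv (a placeholder name); eventstats is used instead of stats because stats would collapse the rows to one line per name, whereas eventstats appends the count to each event:

```spl
| inputlookup names.csv
| eventstats count AS result BY name
| table id name age male result
| sort 0 id
```

If the data is indexed rather than in a lookup, replace the first line with the base search (for example index=people sourcetype=csv, both placeholders) and the rest stays the same.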
Hi @kp_pl , yes, it's correct. I'd use coalesce instead of if:

index IN (db, app)
| eval key=coalesce(processId,pid)
| stats sum(rows) AS rown sum(cputime) AS cputime by key

Ciao. Giuseppe
Hi Team, I have a dashboard with 7 panels. I need an alert to monitor the dashboard and alert us if any one of the panels shows a percentage > 10. Is there a possibility to create an alert with the dashboard link?
index=db OR index=app
| eval join=if(index="db",processId,pid)
| stats sum(rows) sum(cputime) by join

Above is a simple example of how to join two indexes. But how do you join two indexes where the key value has two fields? K.
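When the key spans two fields, the same pattern works: normalise each key field with eval so both indexes expose the same names, then group by both. This is an added example, not the poster's own search; the second key field names dbHost and appHost are assumed placeholders for whatever the two indexes actually call it:

```spl
index IN (db, app)
| eval proc=coalesce(processId, pid), srv=coalesce(dbHost, appHost)
| stats sum(rows) AS rows sum(cputime) AS cputime BY proc srv
```

Grouping by two fields in stats avoids building a concatenated key and splitting it apart again afterwards; if a single key field is required (for example for a later lookup), proc."|".srv can be built with eval after the stats.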
Hi @lucilleddajab , let me understand: you have problems accessing Splunk or the OS? If Splunk, you can reset the admin password, but you said that you already have this password. If you don't have the OS password, you have to ask your network or systems administrators to reset this password. Ciao. Giuseppe
Hi @isoutamo , nice to hear you! yes, I'm using HEC on premise, so I cannot use Edge. Ciao. Giuseppe
Hi @AliMaher , on the internet and on the YouTube Splunk Channel, you can find many videos or documents describing what Data Models are and how and why to use them, like the following:

https://www.youtube.com/watch?v=WBzKUYAfGsk
https://www.youtube.com/watch?v=n0HPe175k24
https://docs.splunk.com/Documentation/Splunk/9.2.1/Knowledge/Aboutdatamodels

and so on ... Anyway, summarizing, a Data Model is a database containing structured and normalized (this is the password of the concept!) data that you can use, only for structured searches (there's no sense in putting _raw on the DMs!), to have faster searches. This means that you always have to choose CIM compliant add-ons, and if you have custom add-ons, you have to normalize them. Then you can run your searches and have much faster results. Then you can have still faster results using DM Acceleration.

When to use DMs? You should use DMs all the times that you have to perform a search on structured data, in other words when you have to perform a search "field=value" on normalized data. You cannot use DMs if you have to run a search on free text (as usual in Splunk) or on non-normalized data; in this second case, my hint is to normalize your data and use DMs.

DMs give you another advantage: you can run a search on very heterogeneous data on the same DM, e.g.: if you're searching for a failed login, you would have to run a search on many indexes with different constraints (e.g. 4625 in Windows); instead you can run a search on a DM only, using the correct one, and you'll have the failed logins for all the data you have.

Last information: identify the DMs that you need to use and accelerate them, but only the ones that you have to use, to avoid consuming resources uselessly. Ciao. Giuseppe
Hi All, This is the first time I encountered this. I have an HF to which I have admin access to Splunk from the server's backend. However, I can't seem to login to its web portal using my LDAP credentials (authentication is via LDAP). And the former admins of this instance had already left without leaving any documentation or handing over any account we can use. Do you know how I can get around this from the backend side in order for me to successfully login to the web portal eventually? I have viewed the passwd file but it is hashed, so I'm not sure where to look and what to do with the limited access I have. I also tried creating an account using a command from the bin folder (splunk add user), however it asks me to authenticate first before completing it. Any help is deeply appreciated!
Hi Team, I was having a permission issue. When I was logging in to the UI, I could see the authentication success message and later I could see that there is a permission issue. Can you please help on that. Best Regards, PadmaPriya
You can do this - here's a simple example where the lookup regexes.csv contains two rows, the first with an IPv6 regex and the second with an IPv4, i.e. made with this SPL:

| makeresults
| fields - _time
| eval regex=split("([A-Za-z0-9]{1,4}:){7}##([0-9]{1,3}\.){3}[0-9]{1,3}", "##")
| mvexpand regex
| fields regex
| outputlookup regexes.csv

This SPL then creates 3 ip values and matches them against the regexes:

| makeresults
| fields - _time
| eval ipv4="bla 10.1.2.3 bla"
| eval ipv6="bla 2021:1431:aaaa:bbbb:cccc:dddd:1234:0 bla"
| eval ipvbad="bla not an ip address bla"
``` Show how the regexes are evaluated ```
| eval regexes=[ | inputlookup regexes.csv | stats values(regex) as regex | eval regex="\"(".mvjoin(regex, "|").")\"" | return $regex ]
| foreach ipv* [ | eval ipv<<MATCHSTR>>_match_direct_from_lookup=if(match(<<FIELD>>, [ | inputlookup regexes.csv | stats values(regex) as regex | eval regex="\"(".mvjoin(regex, "|").")\"" | return $regex ]), 1, 0), ipv<<MATCHSTR>>_match_from_field=if(match(<<FIELD>>, regexes), 1, 0) ]
| transpose 0

You can see the ipv4 and 6 match but the bad one does not.
I have a lookup table containing a list of regular expressions, and am trying to see if there are matches against a field in one of my indexes. I can't figure out how to do it as it is not a direct comparison of values. Appreciate any help on this.
So is there any fix for this, so that you can align the label to the middle, or nudge it over a bit so that the left edge of the label aligns with the first bar of the day instead of way over on the left?
Not sure how your token can be * as there is nothing defined like that, but you DO have a mismatch between your defined token in the input and its use:

<input type="dropdown" token="Index" searchWhenChanged="true">

where it's upper case Index, and you are using it as lower case $index$
I tried to use it as shown below: index IN ($index$)... but my token expanded in the search is taken up as index IN (*), which is not working. Can you suggest another solution?
When your token is expanded in your search, it becomes index IN ("dev_index, sit_index")... so that is actually a SINGLE value, which will never match. There are several ways, but the simplest for you is to just remove the quotes around your search definition, so index IN ($index$)...
Hello all, I am using streamstats with time_window=60m to calculate the moving average over the past hour. However, when I set current=f I receive an error in the search log, "Error in 'streamstats' command: Cannot set current to false when using a time window." Is there a way to get around this? streamstats is exactly what I need to calculate the moving average, but I do not want to include the current event. If there is not a way around this, is there another way to calculate the moving average and not include the current event? Thanks
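One workaround for the current=f restriction, as an added example rather than anything from the post above: let streamstats include the current event in the 60-minute window, then subtract that event's own value and count before dividing. The base search and the field name value are assumed placeholders; count(value) is used rather than count so that events without a value neither inflate the count nor skew the average:

```spl
index=metrics sourcetype=cpu
| streamstats time_window=60m sum(value) AS win_sum count(value) AS win_count
| eval prior_count=win_count-1
| eval moving_avg_excl_current=if(prior_count>0, (win_sum-value)/prior_count, null())
| table _time value moving_avg_excl_current
```

The first event in each window has no earlier neighbours, so prior_count is 0 and the average is left null instead of dividing by zero. The window is computed in the order streamstats receives the events, so the search should not reorder them with sort before this step.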
Hi All, Created a drop down for index but when I added the token value in the panel query it is not working as expected when I select the ALL option from the drop down. But when I select DEV_INDEX or SIT_INDEX it is working fine. How to tweak the code to show up the data of 2 indexes in the panel query when we select the ALL option from the drop down???

<form version="1.1" theme="light">
  <label>Dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="timepicker">
      <label>TimeRange</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="Index" searchWhenChanged="true">
      <label>Indexes</label>
      <choice value="dev_index, sit_index">All</choice>
      <choice value="dev_index">DEV_INDEX</choice>
      <choice value="sit_index">SIT_INDEX</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Total Count</title>
        <search>
          <query>index IN ("$index$") source=application.logs |stats count by codes</query>
          <earliest>timepicker.earliest</earliest>
          <latest>timepicker.latest</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentageRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
Can anyone help on this? I don't know what the issue is.
@ITWhisperer can I create a meeting with you tomorrow? THANKS
Build a search query that captures the desired data. Assuming that the bookmarked content is logged with an event type or field that specifies when content is bookmarked (e.g., action = "bookmark"), here's a query you could use:

| tstats count where index="your_index" sourcetype="your_sourcetype" action="bookmark" earliest=-7d@d latest=now by content
| rename content as "Content", count as "Bookmark Count"

but I am having a problem finding the exact field name.