All Posts

Hi @sgabriel1962, what changes did you make, and how did you deploy them? Did you deploy a bundle from your cluster manager? Try running this on the cluster manager: ./bin/splunk validate cluster-bundle
From your query, it looks like you have already extracted TRN, tomcatget, Queue, TimeMQPut, Status, and Priority; is this correct? Is tomcatput the same as TimeMQPut? I assume a success is when Status is "Done" - what about non-successes, do you get a different value in Status?
We all know that Splunk Enterprise calculates license usage at index time, and the "| delete" command essentially just hides data from search, so it doesn't free up license usage. My question is whether this works the same way for Splunk Cloud / DDAS, or whether, if I run "| delete" from search, it will free up space in my DDAS entitlement?
This means that we can only return the standard content. Can't it be customized? Will these contain log message, resource, resourceType? And I have a POST interface like this: https://abc.ssnc-corp.cloud/splunk. I asked my Splunk administrator to add "ssnc-corp.cloud" to the allow list, but it didn't seem to work. Do we need to restart Splunk? How can I check the reason why it does not take effect?
Hi @Marcus-advent, The only parameter configurable via Splunk Web is the URL, which must be properly encoded. The webhook alert action uses a predefined JSON object body. The field values from the first result of your alert search will be added to the body's result field. See https://docs.splunk.com/Documentation/Splunk/latest/Alert/Webhooks for more information. The webhook source code is very simple. You can view it directly in $SPLUNK_HOME/etc/apps/alert_webhook/bin/webhook.py or by downloading and extracting a copy of Splunk Enterprise for any platform if you don't have access to your Splunk instance.
/opt/splunk/bin/splunk cmd openssl x509 -enddate -noout -in <PATH TO CERTIFICATE>
Hi Team, how do I check the expiry date of a certificate in Splunk on Windows using the command line? The user has local admin access and is not able to delete the server.pem file (is there any other way to delete it)?
Awesome, this works as well. Thanks again for your help on this one. 
This works! Thanks, man, for your help on this one.
As your policies JSON looks like it's an array, if you are saying that all events will have a 'default' policy as well as another policy, then this should work:

type="request" "request.path"="prod/" | stats count by policies{} | sort -count | where 'policies{}' != "default" | head 10
Put my additional SPL - AFTER your original search - you've added it in the middle
I am not sure I understood the additional dimension - too many numbers for my head, 8 windows, 6 samples, 5 samples... so I got lost. However, if this helps, in the first search, the range bands were simply defined as the age and then a fixed 14400 window. If you want to change the window as well, then you can use another array, i.e.

| eval age_ranges=split("1,6,11,31,61,91,121,241",",")
| eval window=split("1800,3600,5400,7200,14400,14400,14400,14400",",")
...
``` Band calculation ``` | foreach 0 1 2 3 4 5 6 7 [ eval r=tonumber(mvindex(age_ranges, <<FIELD>>))*60, s=tonumber(mvindex(window, <<FIELD>>)), zone=if(age < s + r AND age > r, <<FIELD>>, null()), range=mvappend(range, zone) ]

but again, not sure I understood the requirement
Yeah, I am a bit confused as well. It seems like the last part of the query "| sort - count | head 10" does not really do anything. So I've modified my search to be like:

type="request" "request.path"="prod/" | stats count by account_namespace | eval namespace="" | xyseries namespace account_namespace count | sort - count | head 10

By using the above, it gives me a result where the account_namespace shows as a column with all the counts as the values. In the column it is showing all of them and not only the top 10 with the highest count.
Hi there, I have this query below to search the top policies that have been used.

type="request" "request.path"="prod/" | stats count by policies{} | sort -count | head 10

By default all the policies are being generated with "default", which I wanted to get rid of when searching so it properly shows the top 10 policies only. The example results of the search query above are:

policies: default policies_1 policies_2 policies_3 ....

I wanted to get rid of the default showing in my result. Any idea or help is really appreciated.
Your original search will already limit the top 10, as you are doing sort+head, so not sure I understand how you are getting all results?
Thanks @bowesmana for your reply and sharing the below. I have now managed to make it a multiseries chart by applying what you've shared below. However, it is showing the result of all of the account_namespace values; is there a way for me to filter the highest 10 counts and only show those?
Below are the logs.

source=gettomcat
240628 05:59:41 6677 gettomcat: ===> TRN@q1: abbb-acabca-adste112 [Priority=Medium].
240628 05:59:41 6677 gettomcat: <--- TRN: abbb-acabca-adste112 - S.
source=puttomcat
240628 05:59:58 32296 puttomcat: ---> TRN: abbb-acabca-adste112 - Done.

From the gettomcat source I extracted the priority and time; from the puttomcat source I extracted the time. I did a calculation to see the round trip of a request and also the percentage of passed requests. Now I need to disable as per the below screenshot: Priority, percentage of each priority per day for the last 7 days.
Thanks for all the little cleanup suggestions. They were something I was going to get to after I got the first iteration working. I am going to put them into my notes for later... I have incorporated them along with getting rid of the appendcols (I was aware of a single search looking for both strings, then doing an if / case / match to determine the 'type' of event). I was not aware of the 'fix' to the range index # but like the adding of 1 to get rid of 0 indexing. Then, what I wanted was the % of the # of A / B, so at the end:

| eval percentage{range} = round(A / B * 100) | stats values(percentage*) AS percentage*

All tested for the first scenario. I am working on one more enhancement where I have the same 8 'windows' but have 6 different samplings that range over 5 different 4 hour samples but using decreasing window sizes (4Hr, 2Hr, 1.5Hr, 1Hr, 30Min); then the last is still a 4 Hr sample but starting with a 5 min window, then a 10Min, 15Min, 30Min, 60Min, 90Min, 120Min, 240Min window. Thanks for the help and suggestions!
Apart from the problems already identified by @PickleRick, you should do as advised and provide anonymised representative examples of your events and a description of what it is you are trying to do, because your current approach does not look very performant or even workable. If you want daily statistics, you should include some sort of time factor in your by clause:

| bin _time span=1d | stats values(*) as * by _time, TRN
Thanks PickleRick, I get each field's details from different sources; my bad, I put the same source in all the searches, but actually those are different.