Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Hello @yuanliu, your suggestion was exactly what I needed. Thanks to your initial query, I was able to achieve the desired outcome with some adjustments. Your detailed explanation was greatly appreciated.
Thank you @richgalloway for your insightful article that provided me with a good starting point.
Assuming events are already sorted in time order, try something like this | streamstats window=1 current=f values(eventOrder) as previous by formDataId | where previous > eventOrder
Please share your full event in raw format, anonymised appropriately.
Hi All, We have an application that gets events in from an external party but occasionally we see out of sequence events that occur due to underlying issues with the MQ interface [guaranteed delivery but not necessarily in correct order]. Identifying out of sequence events would then point to an issue with the underlying MQ. Given this set of data..

| makeresults format=csv data="timelogged, formDataId, eventOrder
00:02,AA,2
00:03,AA,3
00:04,AA,3
00:05,AA,4
00:06,AA,5
00:07,AA,9
01:02,BB,2
01:03,BB,3
01:04,BB,3
01:05,BB,4
01:07,BB,9
01:08,BB,5
02:02,CC,2
02:03,CC,3
02:04,CC,3
02:05,CC,4
02:06,CC,5
02:07,CC,9
03:01,DD,1
04:02,EE,2
04:03,EE,4
04:04,EE,3
04:05,EE,9"
| table timelogged, formDataId, eventOrder

...how could the highlighted transactions be identified? Note: We do not get all types of events and the 'first' event is not usually seen [as indicates an error on vendor side]
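As an added example that is not part of the thread, the answer's streamstats/where pair rewritten in plain Python and run over the question's data set, so the rows it flags (01:08 BB 5 and 04:04 EE 3) can be checked; the flag_repeats option goes beyond the answer and also reports exact repeats, which a guaranteed-delivery queue can produce.

```python
# Added example (not from the thread): plain-Python equivalent of the answer's SPL
#   | streamstats window=1 current=f values(eventOrder) as previous by formDataId
#   | where previous > eventOrder
# run over the rows of the question's makeresults.
from typing import Dict, List, Optional, Tuple

Event = Tuple[str, str, int]  # (timelogged, formDataId, eventOrder)

# Constructed input: the question's data set, already in time order.
ROWS: List[Event] = [
    ("00:02", "AA", 2), ("00:03", "AA", 3), ("00:04", "AA", 3), ("00:05", "AA", 4),
    ("00:06", "AA", 5), ("00:07", "AA", 9), ("01:02", "BB", 2), ("01:03", "BB", 3),
    ("01:04", "BB", 3), ("01:05", "BB", 4), ("01:07", "BB", 9), ("01:08", "BB", 5),
    ("02:02", "CC", 2), ("02:03", "CC", 3), ("02:04", "CC", 3), ("02:05", "CC", 4),
    ("02:06", "CC", 5), ("02:07", "CC", 9), ("03:01", "DD", 1), ("04:02", "EE", 2),
    ("04:03", "EE", 4), ("04:04", "EE", 3), ("04:05", "EE", 9),
]


def out_of_sequence(events: List[Event], flag_repeats: bool = False) -> List[Event]:
    """Return events whose eventOrder is below the previous eventOrder seen for
    the same formDataId (the SPL's `where previous > eventOrder`).

    `previous` plays the role of streamstats window=1 current=f ... by formDataId:
    it keeps only the most recent eventOrder per formDataId and is updated after
    the comparison, so an event is never compared with itself.
    flag_repeats=True also reports exact repeats (3 followed by 3), which the
    strict `>` in the answer deliberately ignores.
    Input is assumed to be sorted by time, as the answer assumes.
    """
    previous: Dict[str, int] = {}
    flagged: List[Event] = []
    for event in events:
        _, form_id, order = event
        prev: Optional[int] = previous.get(form_id)
        if prev is not None and (prev > order or (flag_repeats and prev == order)):
            flagged.append(event)
        previous[form_id] = order
    return flagged


if __name__ == "__main__":
    for event in out_of_sequence(ROWS):
        print("out of sequence:", event)  # 01:08 BB 5 and 04:04 EE 3
    for event in out_of_sequence(ROWS, flag_repeats=True):
        print("out of sequence or repeated:", event)
```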
I am trying to get DeviceName and DeviceToken to var from 365 log. First I use eval Device=mvindex('ModifiedProperties{}.NewValue', 0) which returns another MV with the data I want but I can't seem to get to the field. Below is what Device shows in editor. Any help? Something like eval DeviceName = ModifiedProperties{}.NewValue{0}.DeviceName but nothing I try is right. Tried to save as string and extract but even that I can't figure out. It's the MV in an MV I think that is throwing me.

[ { "DeviceName": "iPhone 13 mini", "DeviceToken": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "DeviceTag": "SoftwareTokenActivated", "PhoneAppVersion": "6.8.11", "OathTokenTimeDrift": 0, "DeviceId": "00000000-0000-0000-0000-000000000000", "Id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "TimeInterval": 0, "AuthenticationType": 3, "NotificationType": 2, "LastAuthenticatedTimestamp": "2024-06-27T15:00:42.8784693Z", "AuthenticatorFlavor": null, "HashFunction": null, "TenantDeviceId": null, "SecuredPartitionId": 0, "SecuredKeyId": 0 } ]
Was there ever a solution for this? I am having the same error except using Apache
Try something like this index=main ExportConfigInfo "MessageJob started" OR "MessageJob completed" | eval start=if(searchmatch("MessageJob started"),_time,null()) | eval end=if(searchmatch("MessageJob completed"),_time,null()) | bin _time span=1d | stats min(start) as start, max(end) as end by _time | eval diff=end-start | eval difference=tostring(diff, "duration")
I have a search that returns two results per day (a job's log entry of when it started and when it ended). I want to be able to see the time difference between the two entries, grouped by day. I'm a newbie to Splunk advanced searching so hopefully you can help. My query is: index=main ExportConfigInfo AND ("Message=Job started" OR "Message=Job completed")  
Is it that you want to replace the spaces with new lines? Something like this perhaps?   | eval hosts=replace(hosts," "," ")  
First, you want to familiarize yourself with the where command and how it differs from the search command. As @ITWhisperer said, search operates on the _raw field. Because inputlookup does not produce raw events, you need to specify which field or fields from data_source.csv to apply that regex to. Suppose all you want to do is to match a field named somefield; your search can be simply: | inputlookup data_source.csv | where (isnull(count) AND isnull(percent)) OR match(somefield, "[^0-9a-zA-Z\-\._,]") Here, there is no need to fillnull because the isnull function tests the condition without a spurious assignment. Now, if you want to apply that regex to every field from this lookup, the following should work, but that's really not what Splunk is designed to do. | inputlookup data_source.csv | foreach * [eval allfields = if(isnull(allfields), "", allfields) . <<FIELD>>] | where (isnull(count) AND isnull(percent)) OR match(allfields, "[^0-9a-zA-Z\-\._,]")
Try something like this | inputlookup data_source.csv | fillnull value="MISSING" | where (count="MISSING" AND percent="MISSING") OR match(count, "[^0-9a-zA-Z\-\._,]") OR match(percent, "[^0-9a-zA-Z\-\._,]")
Hello Splunkers, My clients are experiencing issues because of the formatting of the results as presented in Splunk vs. what is sent as part of the attachment. This is how it is showing in Splunk (one value per line, as in the result table). And this is how it is going in the attachment, as a single line, which is disturbing my output a lot. Can anyone please advise how to correct it. Thanks in advance.
Unlike multi-select, checkboxes do not preserve the order in which selections were made, so you have to use them slightly differently. If nothing is selected, set the selection to the default (this cannot be "Any field"); else, if "Any field" is checked, make it the only selection; otherwise leave it as is. When it comes to using it, if "Any field" is checked, it must be unchecked (which will revert to the default) before another option can be checked.

<form version="1.1" theme="light">
  <label>Multiselect Text</label>
  <init>
    <set token="toktext">*</set>
  </init>
  <fieldset submitButton="false">
    <input type="checkbox" token="tokcheck">
      <label>Field</label>
      <choice value="Any field">Any field</choice>
      <choice value="category">Group</choice>
      <choice value="severity">Severity</choice>
      <default>category</default>
      <valueSuffix>=REPLACE</valueSuffix>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <change>
        <eval token="form.tokcheck">case(mvcount('form.tokcheck')=0,"category",isnotnull(mvfind('form.tokcheck',"Any field")),"Any field",1==1,'form.tokcheck')</eval>
        <eval token="tokcheck">if('form.tokcheck'="Any field","REPLACE",'tokcheck')</eval>
        <eval token="tokfilter">replace($tokcheck$,"REPLACE","\"".$toktext$."\"")</eval>
      </change>
    </input>
    <input type="text" token="toktext">
      <label>Value</label>
      <default>*</default>
      <change>
        <!-- As posted this referenced $tokselect$, which no input in this form defines;
             $tokcheck$ is the checkbox token set above, so it is used here instead -->
        <eval token="tokfilter">replace($tokcheck$,"REPLACE","\"".$toktext$."\"")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>$tokfilter$</title>
        <search>
          <query>| makeresults</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </event>
    </panel>
  </row>
</form>
I just need the information about disk space availability from various servers, or servers in various applications/tiers etc. I need this information as an API response. So I was requesting to know if there is any specific API that gives the above asked information. Thanks.
Thanks for the input. I can definitely do that but I need to make sure that the regex searches are chained with ORs to the previous searches.
@ITWhisperer  : I tried this. But I am not seeing any log for action=disable_tag. I am just seeing for action=enable_tag.
Code has been sanitized of identifying info, note this is filtering just on event code 200, but original search is filtered on both 200 and 201 event codes index=wineventlog source="WinEventLog:Application" (SourceName=ABC OR SourceName=DEF) Message="*$Projlookup$*" *$openfilter$* [ | inputlookup csvfile.csv | search Environment="$envlookup$" Hostname IN ( $hostname$) | fields Hostname Message EventCode | rename Hostname as host ] | search (EventCode=200) | stats count by EventCode  
The search command and regex command by default work on the _raw field. This is normally present in the events in your index. Since your events are coming from a lookup, it is unlikely that you have a _raw field, which means you need to specify a field for the regex command to filter on. Can you rewrite your filter requirement such that it can be applied to fields returned by your inputlookup?
Please share your current search, preferably in a codeblock </> Also, what do you want to be made green?