All Posts


Hello Splunkers, My clients are experiencing an issue because of the formatting of the results which is present in Splunk vs. which is sent as part of the attachment.
This is how it is showing in Splunk.
And this is how it is going in the attachment, as a single line, which is disturbing my output a lot. Can anyone please advise how to correct it? Thanks in advance.
Unlike multi-select, checkboxes do not preserve the order in which selections were made, so you have to use them slightly differently. If nothing is selected, set the selection to the default (this cannot be "Any field"), else, if "Any field" is checked, make it the only selection, otherwise leave it as is. When it comes to using it, if "Any field" is checked, it must be unchecked (which will revert to the default), before another option can be checked.

<form version="1.1" theme="light">
  <label>Multiselect Text</label>
  <init>
    <set token="toktext">*</set>
  </init>
  <fieldset submitButton="false">
    <input type="checkbox" token="tokcheck">
      <label>Field</label>
      <choice value="Any field">Any field</choice>
      <choice value="category">Group</choice>
      <choice value="severity">Severity</choice>
      <default>category</default>
      <valueSuffix>=REPLACE</valueSuffix>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <change>
        <!-- Nothing checked: fall back to the default; "Any field" checked: make it the only selection -->
        <eval token="form.tokcheck">case(mvcount('form.tokcheck')=0,"category",isnotnull(mvfind('form.tokcheck',"Any field")),"Any field",1==1,'form.tokcheck')</eval>
        <!-- "Any field" collapses the token to the bare REPLACE placeholder -->
        <eval token="tokcheck">if('form.tokcheck'="Any field","REPLACE",'tokcheck')</eval>
        <eval token="tokfilter">replace($tokcheck$,"REPLACE","\"".$toktext$."\"")</eval>
      </change>
    </input>
    <input type="text" token="toktext">
      <label>Value</label>
      <default>*</default>
      <change>
        <!-- Uses tokcheck, the selection token this form defines (the original referenced tokselect) -->
        <eval token="tokfilter">replace($tokcheck$,"REPLACE","\"".$toktext$."\"")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>$tokfilter$</title>
        <search>
          <query>| makeresults</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </event>
    </panel>
  </row>
</form>

I just need the information about disk space availability from various servers or servers in various applications/tiers etc. I need this information as an API response. So I was requesting to overlay if there is any specific API that gives the above asked information. Thanks.
Thanks for the input. I can definitely do that but I need to make sure that the regex searches are chained with ORs to the previous searches.
@ITWhisperer  : I tried this. But I am not seeing any log for action=disable_tag. I am just seeing for action=enable_tag.
Code has been sanitized of identifying info, note this is filtering just on event code 200, but original search is filtered on both 200 and 201 event codes

index=wineventlog source="WinEventLog:Application" (SourceName=ABC OR SourceName=DEF) Message="*$Projlookup$*" *$openfilter$*
    [ | inputlookup csvfile.csv
      | search Environment="$envlookup$" Hostname IN ( $hostname$)
      | fields Hostname Message EventCode
      | rename Hostname as host ]
| search (EventCode=200)
| stats count by EventCode

The search command and regex command by default work on the _raw field. This is normally present in the events in your index. Since your events are coming from a lookup, it is unlikely that you have a _raw field, which means you need to specify a field for the regex command to filter on. Can you rewrite your filter requirement such that it can be applied to fields returned by your inputlookup?
Please share your current search, preferably in a codeblock </> Also, what do you want to be made green?
Greetings all, I'm trying to search inside a lookup table and I need to use a search command followed by an OR and regex. I need the regex to match anything in the lookup table and not just the two fields before it. Below is some sample SPL, I know it won't work this way but I'm including it to give an idea of what I'm trying to accomplish.

| inputlookup data_source.csv
| fillnull value=MISSING
| search (count=MISSING AND percent=MISSING) OR regex "[^0-9a-zA-Z\-\._,]"

Thanks in advance for the help, I really appreciate it.
Hello, I have a dashboard with multiselection + text input field. I'd like to use checkbox instead of multiselect but if I modify it and click the 'Any field' option the dashboard crashes.

<form version="1.1" theme="light">
  <label>Multiselect Text</label>
  <init>
    <set token="toktext">*</set>
  </init>
  <fieldset submitButton="false">
    <input type="multiselect" token="tokselect">
      <label>Field</label>
      <choice value="Any field">Any field</choice>
      <choice value="category">Group</choice>
      <choice value="severity">Severity</choice>
      <default>category</default>
      <valueSuffix>=REPLACE</valueSuffix>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <change>
        <!-- mvfilter references form.tokselect, this input's form token (the original had form.select) -->
        <eval token="form.tokselect">case(mvcount('form.tokselect')=0,"category",mvcount('form.tokselect')&gt;1 AND mvfind('form.tokselect',"Any field")&gt;0,"Any field",mvcount('form.tokselect')&gt;1 AND mvfind('form.tokselect',"Any field")=0,mvfilter('form.tokselect'!="Any field"),1==1,'form.tokselect')</eval>
        <eval token="tokselect">if('form.tokselect'="Any field","REPLACE",'tokselect')</eval>
        <eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
      </change>
    </input>
    <input type="text" token="toktext">
      <label>Value</label>
      <default>*</default>
      <change>
        <eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>$tokfilter$</title>
        <search>
          <query>| makeresults</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </event>
    </panel>
  </row>
</form>

Could you please help to modify my dashboard from multiselect option to checkbox? Thank you very much in advance!
It is currently built out in studio so studio is needed. They are different event codes in the same type of event (same field). I am comparing 200 code to 201 codes, and if they match, make it green, if the count differs, then red.
Are these two values in the same event, in the same field e.g.  in a multivalue field, in the same field on different events, the result of two different aggregations, values from two different time periods? Please provide more details of what you are trying to achieve. Also, does it have to be Studio or would a Classic dashboard solution meet your needs?
Hi @Narendra.Rao, Is this meant to be a feature request or are you asking if it's possible to do what you're asking?
I am using dashboard studio and I want to compare 2 values and if they are different, highlight it red. What is the best visualization type for this, and how do I have it color based on the comparison of the 2 values?
Essentially, yes. The value set when the multi-select is emptied should be the default value you configured. If you are changing the default from category to group, then it needs to change in the case function too.
Thank you, that's what I thought. Small question about this part:

<!-- mvfilter references form.tokselect, this input's form token (the original had form.select) -->
<eval token="form.tokselect">case(mvcount('form.tokselect')=0,"category",mvcount('form.tokselect')&gt;1 AND mvfind('form.tokselect',"Any field")&gt;0,"Any field",mvcount('form.tokselect')&gt;1 AND mvfind('form.tokselect',"Any field")=0,mvfilter('form.tokselect'!="Any field"),1==1,'form.tokselect')</eval>
<eval token="tokselect">if('form.tokselect'="Any field","REPLACE",'tokselect')</eval>

If I want to modify the value of the fields here:

<choice value="Any field">Any field</choice>
<choice value="category">Group</choice>

Should I modify these values in the above code as well? So e.g. if I want the category value to be group, I have to modify the 'category' to 'group' at this part like this:

<eval token="form.tokselect">case(mvcount('form.tokselect')=0,"group",mvcount

Am I correct?
I want to customize the payload for a webhook, but in the webhook UI there is only an input box for the URL. I don't know where I can configure the payload parameter. Thanks.
simple as that, thank you! worked for me. 
First you need to add the "Any field" choice. Then you need to reset the form token depending on whether the last choice has been removed (use default value), whether "Any field" has been added after another selection (make "Any field" the only selection), whether another selection has been made after "Any field" (remove "Any field" from the selection), otherwise leave the form token as is. Then you need to reset the token if the form token is "Any field" (so that it just contains "REPLACE"). Now, the existing setting of the filter token can replace "REPLACE" with the value from the text input:

<form version="1.1" theme="light">
  <label>Multiselect Text</label>
  <init>
    <set token="toktext">*</set>
  </init>
  <fieldset submitButton="false">
    <input type="multiselect" token="tokselect">
      <label>Field</label>
      <choice value="Any field">Any field</choice>
      <choice value="category">Group</choice>
      <choice value="severity">Severity</choice>
      <default>category</default>
      <valueSuffix>=REPLACE</valueSuffix>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <change>
        <!-- Empty: default; "Any field" added last: keep only it; another choice added after it: drop "Any field" -->
        <!-- mvfilter references form.tokselect, this input's form token (the original had form.select) -->
        <eval token="form.tokselect">case(mvcount('form.tokselect')=0,"category",mvcount('form.tokselect')&gt;1 AND mvfind('form.tokselect',"Any field")&gt;0,"Any field",mvcount('form.tokselect')&gt;1 AND mvfind('form.tokselect',"Any field")=0,mvfilter('form.tokselect'!="Any field"),1==1,'form.tokselect')</eval>
        <!-- "Any field" collapses the token to the bare REPLACE placeholder -->
        <eval token="tokselect">if('form.tokselect'="Any field","REPLACE",'tokselect')</eval>
        <eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
      </change>
    </input>
    <input type="text" token="toktext">
      <label>Value</label>
      <default>*</default>
      <change>
        <eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>$tokfilter$</title>
        <search>
          <query>| makeresults</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </event>
    </panel>
  </row>
</form>

Greetings !! I want a dashboard where I have put only four columns in a table visualization:

ServerName  Location  UserName  Password
Server1     CA        admin     SHOW
Server2     LA        admin     SHOW

Now, I want "Show" button in place of value in the "Password" column, so that every time I want to see the password, I will click on the show button to see then will Hide it. Thanks for your understanding !!