All Posts

Because you have a no-enforcement license, there should be no ramifications from exceeding the daily indexing limit. However, when it comes time to renew your license, Splunk may expect you to purchase a higher quota.
Hello, I have a dashboard with a multiselect + text input field.

    <form version="1.1" theme="light">
      <label>Multiselect Text</label>
      <init>
        <set token="toktext">*</set>
      </init>
      <fieldset submitButton="false">
        <input type="multiselect" token="tokselect">
          <label>Field</label>
          <choice value="category">Group</choice>
          <choice value="severity">Severity</choice>
          <default>category</default>
          <valueSuffix>=REPLACE</valueSuffix>
          <delimiter> OR </delimiter>
          <prefix>(</prefix>
          <suffix>)</suffix>
          <change>
            <eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
          </change>
        </input>
        <input type="text" token="toktext">
          <label>Value</label>
          <default>*</default>
          <change>
            <eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
          </change>
        </input>
      </fieldset>
      <row>
        <panel>
          <event>
            <title>$tokfilter$</title>
            <search>
              <query>| makeresults</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
          </event>
        </panel>
      </row>
    </form>

Everything is working properly: if I add something in the 'Value' input field and then select an option from the 'Field' multiselect, the search looks for e.g. category="something" OR severity="something". I need help building an additional multiselect option which is able to search for the string value defined in the text field anywhere in the event. I imagine it like this: if I select 'Group' and type 'something' into the input field, the search looks for category="something", but if I select 'Any Field' and type 'something' into the input field, the search looks for only "something". Could you please help me modify this dashboard in this direction? Thank you so much in advance!
Have you tried looking in the _audit index?

    index="_audit" action=disable_tag
Does keepevicted help?

    | transaction startswith="IDJO20P" endswith="PIDZJEA" keeporphans=True keepevicted=True
I am facing an issue with:

    [otel.javaagent  [signalfx-metrics-publisher] WARN com.splunk.javaagent.shaded.io.micrometer.signalfx.SignalFxMeterRegistry - failed to send metrics: Unable to send datapoints
The search attached below gives me the events between IDJO20P and PIDZJEA on a daily basis. But it does not give the events of the current day, as the end event PIDZJEA has not been reached yet today.

Query:

    index=events_prod_cdp_penalty_esa source="SYSLOG" (TERM(NIDF=RPWARDA) OR TERM(NIDF=SPWARAA) OR TERM(NIDF=SPWARRA) OR PIDZJEA OR IDJO20P)
    | rex field=TEXT "NIDF=(?<file>[^\\s]+)"
    | transaction startswith="IDJO20P" endswith="PIDZJEA" keeporphans=True
    | bin span=1d _time
    | stats sum(eventcount) AS eventcount BY _time file
    | append [ search index=events_prod_cdp_penalty_esa source="SYSLOG" (TERM(NIDF=RPWARDA) OR TERM(NIDF=SPWARAA) OR TERM(NIDF=SPWARRA) OR PIDZJEA OR IDJO20P)
        | rex field=TEXT "NIDF=(?<file>[^\\s]+)"
        | transaction startswith="PIDZJEA" endswith="IDJO20P" keeporphans=True
        | bin span=1d _time
        | stats sum(eventcount) AS eventcount BY _time
        | eval file="count after PIDZJEA"
        | table file eventcount _time ]
    | chart sum(eventcount) AS eventcount OVER _time BY file

Result:
Hi All, I have created a few tags in Splunk which are getting disabled automatically. I want to check, using a Splunk query, the time at which they are getting disabled. Can anyone suggest the query for this? I tried using REST but did not get exact details. I also tried the search below but am not seeing any related logs.

    index=_internal sourcetype=splunk_audit action=edit status=disabled info=tags

Thanks in advance, PNV
What steps did you follow when you installed the app? You should see "SA-Eventgen" listed under data inputs.
Please share your raw event in a code block </> to prevent the removal of important formatting information. Having said that, it seems unlikely that the ".*" is required in your rex. Try something like this:

    | rex field=_raw "Total Time taken in milliseconds: (?<totalTime>\d+)"
The transaction command gives you the event count in the eventcount field. It also gives you the duration in the duration field, as well as the _time field which is the time of the first event in the transaction. Does this not give you the information you need?
I am writing a query which will give the total time taken by a log/event for execution in milliseconds:

    index=xyz cluster_id = [cluster_id] "logs_statistics"
    | rex field=_raw "Total Time taken in milliseconds: (?<totalTime>.*\d+) \n*"
    | table time totalTime

This executes, but totalTime is null as shown below:

    time                               totalTime
    2024-06-23T03:00:45.038422703Z
    2024-06-23T03:00:15.453872121Z
    2024-06-23T03:00:23.33625642Z

Expected:

    time                               totalTime
    2024-06-23T03:00:45.038422703Z     544
    2024-06-23T03:00:15.453872121Z     528

What am I missing?
Eventgen is not showing in Splunk data inputs. What should I do? Please suggest.
Hi. Requirement: to fetch the count of events between the start and end of a particular event. Example: I have to find the count of events (RPWARDA, SPWARAA, SPWARRA) between the events IDJO20P and PIDZJEA. The query below was created to find the events between IDJO20P and PIDZJEA, but I am not able to fetch the data of the current date. Can you please help me to add the data of the current date too?

Query:

    index=events_prod_cdp_penalty_esa source="SYSLOG" (TERM(NIDF=RPWARDA) OR TERM(NIDF=SPWARAA) OR TERM(NIDF=SPWARRA) OR PIDZJEA OR IDJO20P)
    | rex field=TEXT "NIDF=(?<file>[^\\s]+)"
    | transaction startswith="IDJO20P" endswith="PIDZJEA" keeporphans=True
    | bin span=1d _time
    | stats sum(eventcount) AS eventcount BY _time file
    | append [ search index=events_prod_cdp_penalty_esa source="SYSLOG" (TERM(NIDF=RPWARDA) OR TERM(NIDF=SPWARAA) OR TERM(NIDF=SPWARRA) OR PIDZJEA OR IDJO20P)
        | rex field=TEXT "NIDF=(?<file>[^\\s]+)"
        | transaction startswith="PIDZJEA" endswith="IDJO20P" keeporphans=True
        | bin span=1d _time
        | stats sum(eventcount) AS eventcount BY _time
        | eval file="count after PIDZJEA"
        | table file eventcount _time ]
    | chart sum(eventcount) AS eventcount OVER _time BY file

Also, is it possible to have a visual graph like the one below to show these details?

    IN_per_24h = count of RPWARDA between IDJO20P and PIDZJEA of the day.
    Out_per_24h = count of SPWARAA + SPWARRA between IDJO20P and PIDZJEA of the day.
    Backlog = count after PIDZJEA of the day.
Hi @ITWhisperer, not really.
Hi Giuseppe, thank you for your answer. Anyway, let me understand: you have one indexer on Site1 and two in Site2; indexes on Site2 must be replicated only on indexers in Site2, whereas indexes in Site1 must also be replicated in Site2. Yes, that is correct. Greetings, Roger
Would you look at the Payload parameter? The result has many strings with spaces.
OK, got it! Works perfectly.
I feel it could be a good solution, but how do I use it? Should I extract a new field with this regex?
I'm using a map visualization with markers and would like to use different colors based on the value of a categorical field (e.g. field = category, and its values are either "open" or "closed"). I tried altering the code so that the color is based on the value of a certain field, and tried splitting the code to create multiple layers, but all to no avail... Even when ignoring the color based on a field and just trying to change the standard purple color of the marker I'm out of luck... Any ideas?
Not quite sure what you're asking, but there are several things you can do there. If fields like "Client Address" are not extracted, you can use a rex command and then use the extracted fields in evals etc.:

    | rex "Client Address = (?<address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
    | eval address = ...

If they are already extracted but the field name has a space, you can do either:

    | rename "Client Address" as ClientAddress
    | eval ClientAddress = ...

or

    | eval "Client Address" = ...