All Posts
Hi @Emre, Splunk has many ways to ingest logs: syslog, HEC, API, etc. Which way can be implemented on Mendix? Anyway, see https://docs.mendix.com/developerportal/operate/splunk-metrics/ and you should find the solution. Ciao. Giuseppe
Hi @Anders333, which kind of failure are you reporting? Your situation has an internal issue: the log is checked by Splunk every few seconds, but if the rotation overwrites the file before it is read, you lose the last logs. Then, if the content is always the same (first 256 chars by default), Splunk doesn't read the file twice. Ciao. Giuseppe
Hi @av3rag3, at first, don't use the search command after the main search because you'll have slower searches: put all the search terms as far left as possible, preferably in the main search. Then, why do you use source as the BY clause in the stats command, if you always have only one source? In general, without the condition source="xyz", it's normal that you don't have results with count=0 for a source, because you don't get them from the search. If you have a list of the sources to monitor, you could insert them in a lookup and add them to the search with count=0, something like this:
index=abc
| stats count by source
| append [ | inputlookup my_source_lookup.csv | eval count=0 | fields source count ]
| stats sum(count) AS total BY source
Ciao. Giuseppe
Hi everyone, I am a Mendix developer and I would like to implement Splunk Cloud for monitoring. I already have the HEC token, port and hostname in my Mendix cloud environment. I would like to send error logs to Splunk Cloud from Mx. Based on my research, JSON format is a common practice. Is there any way I can send my data to Splunk in JSON format? I don't know how that works for Splunk. Any suggestions?
Hello, I have a Windows machine with a UF installed that collects various logs such as wineventlog. These logs work correctly and are ingested into Splunk, and have been for some time. I wanted to add a new log from a piece of software that runs on the machine and added it to the input.conf file. The log is a trace log for the software and is seen as added to monitoring in the _internal index with no errors. The log is ingested correctly initially as a batch input, but the UF fails to monitor the file afterwards. The log has a fixed size of 50MB and once the log is full it will start overwriting the oldest event in the log, meaning it will start at the top.
I have already tried:
- changing the initCrcLength
- changing the ignoreOlderThan
- setting NO_BINARY_CHECK = true - this fixed some previous errors where Splunk believed the file to be binary; it's just ANSI encoded.
- setting alwaysOpenFile = true - this did not seem to change anything.
Thanks in advance for any tips, tricks or advice.
Hello, with this query:
index=abc | search source = "xyz" | stats count by source
I can see the count of sources having a count greater than 0. But I can't manage to get the ones with 0 count. Anyone able to help me, please? Thank you
Hi @jrodriguezap, as others have said, it isn't clear how "Search execution time" for instance3.com is known to be blank. How are you getting the data to this point? There may be something you can do further back in your search to create a known empty placeholder for empty results. Based on the logic for "Last phone home", where you have a single date that is associated with all your rows, it could be interpreted that any one of the search execution times could be associated with instance3.com. Are you able to share more info on how you got to your initial table?
Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing.
Trying that now. Does it require a restart?
You need to clarify a fundamental gap in your problem: what determines that it is instance3.com that is missing Search execution time, and not instance1.com, instance2.com, or any other Instance name? Without a definitive condition, your task is an impossible one.
@richgalloway I disagree with your disagreeing.
| makeresults | eval s="c:\\windows" | regex s="c:\\\\windows"
This one returns a result, while this one
| makeresults | eval s="c:\\windows" | regex s="c:\\windows"
doesn't.
@Bhart1 I'm not sure what you mean by "exclude" here. In any case, you just need a single regex to match. If you want to match anything having parts matching both regexes, you might simply join them with a "match anything" .*. Like
| regex field!="C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe.*Resolve-DnsName \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\| Select-Object -Property NameHost"
Hi @livehybrid, thank you for responding. I've installed both the apps. I'm not able to get logs from NextDNS in my Splunk dashboard. There's no configuration option in TA NextDNS (Community App) (https://splunkbase.splunk.com/app/7042).
@livehybrid Yes, it's Trace ID.
You can only expand that if you can correlate the instance name with the search execution time MV fields. In your desired output you show that instance3 does not have a search execution time. How can that be "known" by the search? Is the presence of Last Phone home for instance3 relevant? But generally, if you have a 1:1 relationship between the MV elements in more than one field, the solution is as @PrewinThomas suggests: you mvzip the two MV fields together, remove those fields, mvexpand and split again, i.e.
...
| eval combined=mvzip('Instance name', 'Search execution time', "##")
| fields - "Instance name" "Search execution time"
| mvexpand combined
| rex field=combined "(?<Instance name>.*##)##(?<Search execution time>.*)"
| fields - combined
But in your case that won't work, because you have 5 elements in one field and 4 in the other, so you have to understand how to deal with the missing instance3 data.
@chrisboy68 If you want the latest cost for each ID per month, try this:
index=main
| bin _time span=1mon
| stats latest(Cost) as Cost latest(bill_date) as bill_date latest(_time) as _time by ID _time
| table bill_date ID Cost _time
Regards, Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving Karma. Thanks!
Hello @new, can you please share the exact issue you are seeing? I.e., what part of the add-on is not working? Are you seeing any ERRORs to check?
@new You can start with the _internal index. For example:
index=_internal sourcetype=*addon* OR source=*ta_* OR source=*addon*
Regards, Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving Karma. Thanks!
@jrodriguezap Can you try this?
| eval pair=mvzip('Instance name', 'Search execution time', "||")
| mvexpand pair
| eval "Instance name"=mvindex(split(pair,"||"),0), "Search execution time"=mvindex(split(pair,"||"),1)
| fields "Domain Name" "Instance name" "Last Phone home" "Search execution time"
Regards, Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving Karma. Thanks!
Hi, I have created a Splunk Addon builder using Splunk Enterprise version 9, and I installed it in Splunk Cloud. Now I am facing some issues with the addon. How can I check the logs of this addon in Splunk Cloud? Please assist.
@Bhart1 wrote:
> So is there no way to have it match the first and last strings while excluding a certain middle part? Something like: "[string1, regex to exclude middle part, string2]" I mean it's pretty clear with the matching string and regex that the point is to match everything but the changing IP.
> C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "Resolve-DnsName 0.0.0.0 | Select-Object -Property NameHost
You can do that, and it's done all the time. However, the regular expression MUST be a single quoted string. Something like this.
| regex process !="^C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Resolve-DnsName \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b \| Select-Object -Property NameHost$"
I disagree with @PickleRick about the escaping. I think you have that part right.
I'm trying to split a pair of rows with a pair of multivalued columns. The value in both columns is related to each position of the multivalued column. To make myself clear, I'm displaying the initial result table, and below that is the table for the desired result. I tried mvexpand, but that doesn't give me the expected result. Example: I have rows like this:

Domain Name | Instance name | Last Phone home | Search execution time
Domain1.com | instance1.com | 2022-02-28      | 2022-03-1
            | instance2.com |                 | 2022-03-2
            | instance3.com |                 | 2022-03-4
            | instance4.com |                 | 2022-03-5
            | instance5.com |                 |

And I would like to transform them into this:

Domain Name | Instance name | Last Phone home | Search execution time
Domain1.com | instance1.com | 2022-02-28      | 2022-03-01
Domain1.com | instance2.com | 2022-02-28      | 2022-03-02
Domain1.com | instance3.com | 2022-02-28      |
Domain1.com | instance4.com | 2022-02-28      | 2022-03-04
Domain1.com | instance5.com | 2022-02-28      | 2022-03-05