Hello everyone, I am a newbie in this field, and I am looking forward to your help. I am using Eventgen to create data samples for Splunk Enterprise. I have a datamodel "Test", a dataset "datasetA" in that datamodel, "datasetB" inherited from "datasetA" and "datasetC" inherited from "datasetB". All the data samples satisfy the base search and constraints of all datasets. It means all data samples are samples in the 3 datasets above. The problem is that there are values for datasetA.fieldname, but not for datasetB.fieldname, even though datasetB is inherited from datasetA. Has anyone had the same problem?

More information: sorry, because I could not capture it. Example:

| tstats values(datasetA.action) from datamodel=Test
-> result: 3 actions

| tstats values(datasetA.datasetB.action) from datamodel=Test
-> result: no results found

The data samples in datasetA and datasetB are the same. Thank you for reading.
This is expected behaviour: if the panel search has no dependencies, it will execute. Why would this be a problem? Since there are no dependencies, shouldn't the result be the same whenever it runs?
Hi all, I recently installed this add-on on my cluster (HFs, IDXs, SHs). I copied props.conf and transforms.conf into the local directory and uncommented the mappings to sourcetype elastic:auditbeat:log. But this action had no effect, and I still see only one sourcetype: elastic:auditbeat:log. Any ideas are appreciated. Thanks.
I have a dashboard where I have multiple form inputs and I use them in multiple panels (which I have not given here). I don't want any panel to run the search before clicking on the Submit button. But one panel, where I have not used any of the user inputs or tokens, simply runs as soon as the dashboard loads. I am not sure if this is the expected behaviour and if I have to add token dependencies separately for that panel search to stop it from auto-running. I would appreciate your valid suggestions here.

<form version="1.1" theme="dark">
<fieldset autoRun="false" submitButton="true">
<input type="time" token="token_time" searchWhenChanged="false">
<label>Time</label>
<default>
<earliest>-1d@d</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<chart>
<title>Dashboard Title</title>
<search>
<query>Search Query</query>
<earliest>-7d@d</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
</form>
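As an added example (not code from the original post), here is the same dashboard with the token-free panel made to wait for Submit. With autoRun="false" and submitButton="true", only searches or panels that reference a form token are held back until the form is submitted, so the fix is to give the panel a dependency on the time token. The example assumes that the `depends` attribute on `<panel>` is evaluated against submitted token values; the panel keeps its own fixed 7-day window, and the commented-out alternative ties the search range to the form's time picker instead.

```xml
<form version="1.1" theme="dark">
  <fieldset autoRun="false" submitButton="true">
    <input type="time" token="token_time" searchWhenChanged="false">
      <label>Time</label>
      <default>
        <earliest>-1d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <!-- Assumption: depends="" is checked against submitted tokens, so this
         panel (and its search) is hidden and not run until Submit is clicked. -->
    <panel depends="$token_time.earliest$">
      <chart>
        <title>Dashboard Title</title>
        <search>
          <query>Search Query</query>
          <!-- Fixed window kept from the original panel -->
          <earliest>-7d@d</earliest>
          <latest>now</latest>
          <!-- Alternative: use the form's time range instead of a fixed one;
               referencing the token in the search also defers it until Submit:
               <earliest>$token_time.earliest$</earliest>
               <latest>$token_time.latest$</latest> -->
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>
```

Either variant gives the panel a token dependency; the `depends` form keeps the panel's own time range, while the search-token form follows the picker.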
Please clarify what you mean by "except any field" - do you want to filter to search all your fields for any of them having the value defined in the text field? If so, you need to identify all the field names. Or do you simply want to search for the string value defined in the text field anywhere in the event?
Hello, I have a dashboard with a multiselect + text input field.

<form version="1.1" theme="light">
<label>Multiselect Text</label>
<init>
<set token="toktext">*</set>
</init>
<fieldset submitButton="false">
<input type="multiselect" token="tokselect">
<label>Field</label>
<choice value="category">Group</choice>
<choice value="severity">Severity</choice>
<default>category</default>
<valueSuffix>=REPLACE</valueSuffix>
<delimiter> OR </delimiter>
<prefix>(</prefix>
<suffix>)</suffix>
<change>
<eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
</change>
</input>
<input type="text" token="toktext">
<label>Value</label>
<default>*</default>
<change>
<eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
</change>
</input>
</fieldset>
<row>
<panel>
<event>
<title>$tokfilter$</title>
<search>
<query>| makeresults</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</event>
</panel>
</row>
</form>

Now it works like this: if I choose something from 'Field' and add optional text to 'Value', it starts searching like this: category="*" OR severity="*". I'd like to build a free-form option where, if the user chooses that option from 'Field' and adds something in 'Value', the search only looks for the 'Value', like this: "*" (not tied to any field). Could you please help me? Thanks in advance!
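As an added example (not code from the original post), here is one way to build the free-form option on top of the posted form. It assumes an extra multiselect choice with the value `freetext` and that token evals accept the `if` and `match` functions with the same semantics as the eval command; when that choice is selected the filter token becomes just the quoted value, otherwise the existing REPLACE substitution is kept.

```xml
<form version="1.1" theme="light">
  <label>Multiselect Text</label>
  <init>
    <set token="toktext">*</set>
    <!-- Initialise the filter so the title is not empty before the first change -->
    <set token="tokfilter">(category="*")</set>
  </init>
  <fieldset submitButton="false">
    <input type="multiselect" token="tokselect">
      <label>Field</label>
      <choice value="category">Group</choice>
      <choice value="severity">Severity</choice>
      <!-- Assumed extra choice: search the value across the whole event -->
      <choice value="freetext">Free text</choice>
      <default>category</default>
      <valueSuffix>=REPLACE</valueSuffix>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <change>
        <!-- If "freetext" is among the selections, the filter is just the quoted value;
             otherwise substitute the value into every field=REPLACE clause -->
        <eval token="tokfilter">if(match($tokselect$,"freetext"), "\"".$toktext$."\"", replace($tokselect$,"REPLACE","\"".$toktext$."\""))</eval>
      </change>
    </input>
    <input type="text" token="toktext">
      <label>Value</label>
      <default>*</default>
      <change>
        <eval token="tokfilter">if(match($tokselect$,"freetext"), "\"".$toktext$."\"", replace($tokselect$,"REPLACE","\"".$toktext$."\""))</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>$tokfilter$</title>
        <search>
          <!-- The computed filter is used as a raw search term; quoting the value
               keeps it as a literal rather than a field=value expression -->
          <query>index=* $tokfilter$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </event>
    </panel>
  </row>
</form>
```

Selecting "Free text" together with other fields deliberately wins over them, since the free-form search already covers every field; if a different precedence is wanted, the `if` condition is the place to change it.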
Assuming the stanza [Reports5min] points to the right sourcetype, try placing a capture group in the regex property, like this:

REGEX = ^(null,null,0,null,null,null,null,null,null,)$

Also, are you sure there are no blank spaces at the end of each line? The rest of the settings seem fine.
Your constraints look reasonable. You appear to have an easy-to-find timestamp, which presumably will help split your log into separate events, and your field definition appears robust. I suggest you go with what you have.
I see some posts about rules for Splunk logs, but I don't find a list of rules. My applications log a lot of lines for Splunk (100GB/day) and we prefer to use the default integration in Splunk (without transformations, extractions...) in order to save time during indexing. I propose to my developers to log with these constraints. Where can I find all constraints, or better constraints? Please log like that:

[%m-%d-%Y %H:%M:%S.%Q]key1=value1,key2=value2,...

keys: must not begin with a number or '_'
values: no spaces or commas, otherwise between quotes
Hi Splunkers, I need to know how to comment out a single line in an SPL query when working in search and reporting. Could someone please provide an example? Thanks,
Are you using an XML dashboard or Dashboard Studio? XML documentation is here: https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML What have you got so far?