@richgalloway I disagree with your disagreeing.
| makeresults | eval s="c:\\windows" | regex s="c:\\\\windows"
This one returns a result while this one
| makeresults | eval s="c:\\windows" | regex s="c:\\windows"
doesn't.
@Bhart1 I'm not sure what you mean by "exclude" here. In any case you just need a single regex to match. If you want to match anything having parts matching both regexes, you might simply join them with a "match anything" .*. Like
|regex field!="C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe.*Resolve-DnsName \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\| Select-Object -Property NameHost"
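The escaping dispute above comes down to two layers: Splunk unescapes the double-quoted SPL literal first, and only then does the regex engine see the pattern. The following is an added example, not code from the thread; it assumes (as the thread's test case shows) that Splunk turns "\\" into "\" and "\"" into '"' inside a double-quoted literal and leaves other backslashes alone, and it runs the thread's two searches plus the Resolve-DnsName detection pattern against constructed process values.

```python
import re

# Assumption: Splunk collapses \\ -> \ and \" -> " in a double-quoted SPL
# literal before the regex command runs; any other backslash is passed through.
def spl_unescape(literal: str) -> str:
    """Return the string the regex engine sees for a double-quoted SPL literal."""
    out, i = [], 0
    while i < len(literal):
        ch = literal[i]
        if ch == "\\" and i + 1 < len(literal) and literal[i + 1] in '\\"':
            out.append(literal[i + 1])   # collapse the escape pair
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def spl_regex_matches(spl_literal: str, field_value: str) -> bool:
    """Emulate `| regex field="<spl_literal>"` against one field value."""
    return re.search(spl_unescape(spl_literal), field_value) is not None

def thread_demo() -> tuple:
    """The two searches from the thread: field s is c:\\windows after eval."""
    s = spl_unescape(r'c:\\windows')                       # value: c:\windows
    return (spl_regex_matches(r'c:\\\\windows', s),        # regex sees c:\\windows
            spl_regex_matches(r'c:\\windows', s))          # regex sees c:\windows, \w = word char

# Detection pattern for the Resolve-DnsName process, typed exactly as it would
# sit inside the SPL double quotes: each backslash the regex engine must see is
# doubled, so a literal path separator becomes \\\\ and \d becomes \\d.
DETECT_SPL = (r'^C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell\\.exe '
              r'Resolve-DnsName \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} '
              r'\\| Select-Object -Property NameHost$')

def is_resolve_dnsname_lookup(process: str) -> bool:
    """True when the process field matches the pattern, whatever the IP is."""
    return spl_regex_matches(DETECT_SPL, process)

# Constructed sample field values, stored with single backslashes as in an event.
SAMPLE_HIT = (r'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe '
              r'Resolve-DnsName 10.0.0.5 | Select-Object -Property NameHost')
SAMPLE_MISS = (r'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe '
               r'Resolve-DnsName example.internal | Select-Object -Property NameHost')

if __name__ == "__main__":
    print(thread_demo())                                   # (True, False)
    print(is_resolve_dnsname_lookup(SAMPLE_HIT), is_resolve_dnsname_lookup(SAMPLE_MISS))
```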
Hi @livehybrid, thank you for responding. I've installed both the apps. I'm not able to get logs from NextDNS in my Splunk dashboard. There's no configuration option in TA NextDNS (Community App) (https://splunkbase.splunk.com/app/7042).
@livehybrid Yes, it's Trace ID.
You can only expand that if you can correlate the instance name with the search execution time MV fields. In your desired output you show that instance3 does not have a search execution time. How can that be "known" by the search? Is the presence of Last Phone home for instance3 relevant? But generally, if you have a 1:1 relationship with the MV elements in more than one field, the solution is as @PrewinThomas suggests, in that you mvzip the two MV fields together, remove those fields, mvexpand and split again, i.e.
... | eval combined=mvzip('Instance name', 'Search execution time', "##") | fields - "Instance name" "Search execution time" | mvexpand combined | rex field=combined "(?<Instance name>.*##)##(?<Search execution time>.*)" | fields - combined
but in your case that won't work because you have 5 elements in one field and 4 in the other, so you have to understand how to deal with the missing instance3 data.
@chrisboy68 If you want the latest cost for each ID per month, try this:
index=main | bin _time span=1mon | stats latest(Cost) as Cost latest(bill_date) as bill_date latest(_time) as _time by ID _time | table bill_date ID Cost _time
Regards, Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
Hello @new, can you please share the exact issue you are seeing? I.e., what part of the add-on is not working? Are you seeing any ERRORs to check?
@new You can start with the _internal index, e.g.:
index=_internal sourcetype=*addon* OR source=*ta_* OR source=*addon*
Regards, Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
@jrodriguezap Can you try this:
| eval pair=mvzip('Instance name', 'Search execution time', "||") | mvexpand pair | eval "Instance name"=mvindex(split(pair,"||"),0), "Search execution time"=mvindex(split(pair,"||"),1) | fields "Domain Name" "Instance name" "Last Phone home" "Search execution time"
Regards, Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
Hi, I have created a Splunk add-on with Add-on Builder using Splunk Enterprise version 9, and I installed it in Splunk Cloud. Now I am facing some issues with the add-on. How can I check the logs of this add-on in Splunk Cloud? Please assist.
@Bhart1 wrote:
So is there no way to have it match the first and last strings while excluding a certain middle part? Something like: "[string1, regex to exclude middle part, string2]" I mean it's pretty clear with the matching string and regex that the point is to match everything but the changing IP.
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "Resolve-DnsName 0.0.0.0 | Select-Object -Property NameHost

You can do that, and it's done all the time. However, the regular expression MUST be a single quoted string. Something like this:
| regex process !="^C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Resolve-DnsName \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b \| Select-Object -Property NameHost$"
I disagree with @PickleRick about the escaping. I think you have that part right.
I'm trying to split a pair of rows with a pair of multivalued columns. The value in both columns is related to each position of the multivalued column. To make myself clear, I'm displaying the initial result table, and below that is the table for the desired result. I tried mvexpand, but that doesn't give me the expected result.

Example: I have rows like this:

Domain Name   Instance name   Last Phone home   Search execution time
Domain1.com   instance1.com   2022-02-28        2022-03-1
              instance2.com                     2022-03-2
              instance3.com                     2022-03-4
              instance4.com                     2022-03-5
              instance5.com

And I would like to transform them into this:

Domain Name   Instance name   Last Phone home   Search execution time
Domain1.com   instance1.com   2022-02-28        2022-03-01
Domain1.com   instance2.com   2022-02-28        2022-03-02
Domain1.com   instance3.com   2022-02-28
Domain1.com   instance4.com   2022-02-28        2022-03-04
Domain1.com   instance5.com   2022-02-28        2022-03-05
Hi @Andre_ As @inventsekar mentioned, you could use MAX_DAYS_AGO as follows:
== props.conf ==
# If within 3 days old.
[WinEventLog]
MAX_DAYS_AGO = 3
[XmlWinEventLog]
MAX_DAYS_AGO = 3
This will then only apply to XmlWinEventLog/WinEventLog.
Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Hi @chrisboy68 How about using the bin command to bucket into 1 month blocks, then dedup on _time, or take first(fields) such as:
index=main | bin _time span=1month | dedup _time | table bill_date ID Cost _time
or
index=main | bin _time span=1month | stats first(bill_date) as bill_date, first(ID) as ID, first(Cost) as Cost by _time
Or you could even look at timechart if useful.
Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Hi @Bedrohungsjäger I would suggest checking out the Zscaler docs on ZPA logging to Splunk and Log Streaming Service (LSS) at https://help.zscaler.com/zpa/about-log-streaming-service, which has detailed docs and videos, and also check out the PDF deployment guide at https://help.zscaler.com/downloads/zscaler-technology-partners/operations/zscaler-and-splunk-deployment-guide/Zscaler-Splunk-Deployment-Guide-FINAL.pdf
Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Try something like this:
(index=xxx source type=xxx) OR (index=summary_index) | eventstats values(index) as sources by trace | where mvcount(sources) > 1 | timechart span=1h values(count) AS "Customers per Hour"
Hi @h2rr821 The 9.4.x release you have installed may well work on RHEL7; it is just that it is not supported by Splunk. You can currently download 9.2.x, which is supported until Jan 31 2026 and does support RHEL7. See https://www.splunk.com/en_us/legal/splunk-software-support-policy.html?locale=en_us#:~:text=Splunk%20Enterprise%20/%20Splunk%20Analytics%20for%20Hadoop%20/%20Splunk%20Light* for more info.
Regarding the error, please can you confirm that there is no firewall between you and the Splunk instance, and if there is, that it is permitting your requests? I presume that it is not on the same machine you are working on? Does the system show port 8000 being listened on (e.g. ss -ltn)?
Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Hi @Cheng2Ready You'd be much better off using a stats here I think, and loading in both searches at the start. Something like this might work, but it would be good if you could confirm the field which links them? Is it trace?
(index=xxx source type=xxx) OR (index=summary_index) | stats values(index) as sources by trace | where mvcount(sources) > 1
In your search you would struggle to achieve timechart because you don't have _time at this point? If possible please give us further info so we can help with this.
Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
So is there no way to have it match the first and last strings while excluding a certain middle part? Something like: "[string1, regex to exclude middle part, string2]" I mean it's pretty clear with the matching string and regex that the point is to match everything but the changing IP.
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "Resolve-DnsName 0.0.0.0 | Select-Object -Property NameHost
MAX_DAYS_AGO - I would set this on the indexer? (Our setup is UF -> Indexer.) Will that be a global setting for all incoming data?
Kind Regards, Andre
How do you match a field ID between two indexes, without using a subsearch (due to the limit of 10000 results) and without using the join command? Join is resource intensive, and there are about 140,000+ results, so running join will take forever to load. I tried the following below, but it doesn't seem to work:
index=xxx source type=xxx | eval source_index="a" | append [search index=summary_index | eval source_index="b" | fields ID] | stats values(source_index) as sources by trace | where mvcount(sources) > 1 | timechart span=1h values(count) AS "Customers per Hour"
I'm trying to match the Unique ID accounts field between the main search and the summary search, and if it matches we want it to give us a count of how many IDs there are, which will translate to customers per hour.