All Posts
I also have the same issue. Tried to email devinfo@splunk.com 10 days ago and still no reply.
You'll have a much better chance of getting real help if you really follow this formula for an answerable question:
- Illustrate data input (in raw text, anonymize as needed), whether they are raw events or output from a search that volunteers here do not have to look at.
- Illustrate the desired output from illustrated data.
- Explain the logic between illustrated data and desired output WITHOUT SPL.
- If you also illustrate attempted SPL, illustrate actual output and compare with desired output, explain why they look different to you if that is not painfully obvious.
Default join option is inner. (See Descriptions for the join-options argument.) Why should you not expect less data? But without looking into join options, let me first point out that the two searches you try to join are performed on the same index during the same period. This is about the most wasteful use of join in Splunk. Even without the searches being so, whenever you have an urge to use join in Splunk, you should suppress it for at least three weeks and find an alternative. Even worse, your regexes suggest that you are trying to use rex to extract from structured JSON. You should always avoid doing so. Always work off the data structure as your developers intend, using robust, QA-tested Splunk functionality on it. The best thing you can do is to follow the usual way of asking an answerable question:
- Illustrate data - raw events (in raw text) returned from index searches such as index="k8s_main" namespace="app02013" "Published successfully event=[order-events-avro / com.nordstrom.customer.event.OrderLineReturnReceived]" ECONCESSION, (anonymize as needed)
- Illustrate the desired output from illustrated data.
- Explain the logic between illustrated data and desired output WITHOUT SPL.
- If you also illustrate attempted SPL, illustrate actual output and compare with desired output, explain why they look different to you if that is not painfully obvious.
I am practicing my attacks on the DVWA webserver and I would want to monitor the traffic logs from the DVWA in my Splunk Enterprise. However, I am unsure of the steps to do so despite following the instructions given for getting data into my Splunk Enterprise. So far, my Splunk only monitors the following logs, which I do not need. Additionally, I have added the following for the 'add monitor': But there are no logs on the Apache side or anything related to web in my Splunk. Therefore, why does my Splunk Enterprise capture logs from /var/log syslog only?
Dear everyone, can anyone help me with this? I have a log from syslog but cannot break it into events by lines.
{"@timestamp":"2000-01-21T00:58:39.372418529Z","event":{},"@version":"1","type":"prod","filtered_message":"[ABC]|Type=ABC|logDate=2000-01-21 00:58:39|ABC1=ABC2|ABC12=ABC23|ABC34=ABC35|ABC45=ABC46"}{"@timestamp":"2000-02-21T00:58:39.372418529Z","event":{},"@version":"1","type":"prod","filtered_message":"[ABC]|Type=ABC|logDate=2000-02-21 00:58:39|ABC1=ABC5|ABC13=ABC24|ABC35=ABC36|ABC46=ABC47"}
I need to break this log from props.conf. I already used this:
[ABC]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
but it does not work. Please tell me how to extract the event log by lines.
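The two JSON objects in the post are shown back to back with no newline between them, and a LINE_BREAKER of ([\r\n]+) can only fire where a newline actually exists in the stream. The following is an added Python example (not Splunk's code and not part of the post) that emulates the documented LINE_BREAKER rule, namely that the first capture group of each match is the boundary and its text is discarded, so you can see why the posted breaker yields one event and how a breaker keyed on the JSON boundary yields two. The sample stream is constructed from the post's shape with anonymized values, and the alternative regex is an assumption to be tested against the real sourcetype; the stanza name in props.conf must also match the input's sourcetype, which the post does not show.

```python
import json
import re

# Constructed sample in the shape shown in the post: two JSON events delivered as one
# stream with no newline between the closing and opening braces (values anonymized).
RAW_STREAM = (
    '{"@timestamp":"2000-01-21T00:58:39.372418529Z","event":{},"@version":"1","type":"prod",'
    '"filtered_message":"[ABC]|Type=ABC|logDate=2000-01-21 00:58:39|ABC1=ABC2"}'
    '{"@timestamp":"2000-02-21T00:58:39.372418529Z","event":{},"@version":"1","type":"prod",'
    '"filtered_message":"[ABC]|Type=ABC|logDate=2000-02-21 00:58:39|ABC1=ABC5"}'
)

# The breaker from the post: it only fires where an actual newline exists.
NEWLINE_BREAKER = r"([\r\n]+)"
# Assumed alternative keyed on the JSON boundary: '}' stays with the previous event, the
# (possibly empty) whitespace in the capture group is discarded, and the lookahead keeps
# '{"@timestamp"' at the start of the next event. Works whether or not a newline is present.
JSON_BOUNDARY_BREAKER = r'\}(\s*)(?=\{"@timestamp")'


def line_break(stream, line_breaker):
    """Emulate the documented LINE_BREAKER rule for illustration (not Splunk's code):
    at each regex match, the start of capture group 1 ends the previous event, the end
    of group 1 starts the next one, and the group's own text is dropped."""
    events, start = [], 0
    for m in re.finditer(line_breaker, stream):
        events.append(stream[start:m.start(1)])
        start = m.end(1)
    events.append(stream[start:])
    return [e for e in events if e.strip()]


def break_and_parse(stream, line_breaker):
    """Break the stream and confirm each resulting event is still whole, parseable JSON."""
    return [json.loads(e) for e in line_break(stream, line_breaker)]


if __name__ == "__main__":
    print(len(line_break(RAW_STREAM, NEWLINE_BREAKER)), "event(s) with the newline breaker")
    for ev in break_and_parse(RAW_STREAM, JSON_BOUNDARY_BREAKER):
        print(ev["@timestamp"], ev["filtered_message"])
```

Running the block prints one event for the newline breaker and two parsed events for the boundary breaker; the same boundary regex also handles the case where the transport does insert a newline, because the whitespace lands in the discarded group.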
Hi Splunk community, is there documentation that provides step-by-step instructions on how I can ingest data and logs from my MongoDB Atlas cluster using API  to Splunk?  
This is what you need:
#linked_list.input-link{ width: 400px !important; }
where your input is <input id="linked_list" type="list"...
Here's some more useful ways of changing linked list input types - this shows a tab style selection:
<row depends="$AlwaysHideCSS$">
  <panel>
    <html>
      <style>
        #linked_list.input-link{ width: 400px !important; }
        #linked_list label{ display:none !important; }
        #linked_list.input-link div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"]{ display: -webkit-box !important; }
        #linked_list.input-link button{
          min-width: 100px !important;
          max-width: 130px !important;
          border-top-color: #E1E6EB;
          border-top-style: solid;
          border-top-width: 1px;
          border-right-color: #E1E6EB;
          border-right-style: solid;
          border-right-width: 1px;
          border-left-color: #E1E6EB;
          border-left-style: solid;
          border-left-width: 1px;
          border-top-left-radius: 10px;
          border-top-right-radius: 10px;
        }
        #linked_list .splunk-choice-input-message{ display: none !important; }
        #linked_list.input-link button[role="radio"][aria-checked="true"]{ background-color: #62B5E5 !important; color: #000 !important; }
        #linked_list.input-link button[role="radio"][aria-checked="false"]{ background-color: #005587 !important; color: #fff !important; }
      </style>
    </html>
  </panel>
</row>
Hope this is useful
Is there a CSS element that can help move the "really bad" button so it is on the same line as the rest?
Have you found a solution for this? I'm on the same quest.
The bin command also needs a snap-to, i.e. | bin _time span=1w@w or | bin _time span=1w aligntime=@w+1d, otherwise it just gives you 7-day chunks.
Works perfectly, thank you! I was dancing all around it but could not nail it down. That did it for me!
Saw your thread on Slack, but I wonder if this is useful: https://community.splunk.com/t5/Reporting/How-to-run-a-savedsearch-with-the-owner-permission/m-p/213229 so using the ref= would give you access to search results which you perhaps could post-process with your vars you would pass to the search. However, that still doesn't really solve the partitioning issue you're looking for. Do search filters for roles give you a workable solution? I suspect that may be too broad though.
You can give this a try: https://github.com/dtburrows3/Splunk_Expand_Macros_Command A work in progress, but it seems to cover the majority of things I have thrown at it so far.
Thanks a million!
Thanks Yuan, Issue I am seeing is that value for "location" is coming as empty. Whereas I can see there is data in raw for location. What can be the issue? Thanks!
There is more than one way to do that. If you want to create a new field, use eval with relative_time and strptime.
<<base search>>
| eval SummaryDate = relative_time(strptime(Date, "%d/%m/%Y"), "@w+1d")
| chart sum(results) over SummaryDate
Since "@w" snaps to Sunday, we use "+1d" to start the week on Monday. Here's another way using the bin command.
<<base search>>
| bin _time span=1w
``` Convert _time from Sundays to Mondays ```
| eval SummaryDate = _time+86400
| chart sum(results) over SummaryDate
I am trying to write a Splunk search to pull what rules a particular user is hitting. This search is helping with that BUT everything is coming through as a urlrulelabel. When I move apprulelabel to the start of the line, everything comes through as an apprulelabel. When I dive into the events, I see there are other rules showing, but they aren't populating in the statistics table. I would like to have each rule come through as its own.
index=zscaler sourcetype=zscalernss-web user=*
| eval rule_type=case(isnotnull(urlrulelabel), "urlrulelabel", isnotnull(apprulelabel), "apprulelabel", isnotnull(rulelabel), "rulelabel", true(), "unknown")
| eval rule=coalesce(apprulelabel, urlrulelabel, rulelabel)
| stats count by rule, rule_type
| rename rule as Rule, rule_type as "Type of Rule", count as "Hit Count"
| sort - "Hit Count"
Thank you in advance
eval is the command to use to add a new field to an event.  Use the relative_time function to help set the value. | eval newField = relative_time(now(), "-7d@d")  
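Three of the replies above lean on Splunk's relative-time syntax: the bin snap-to ("span=1w@w"), the Monday-week field built with relative_time(..., "@w+1d"), and relative_time(now(), "-7d@d"). The following is an added Python example (not Splunk's implementation and not code from any of the posters) that emulates the subset of that syntax used here, so the snapping can be checked on constructed timestamps. It also shows the edge case the "@w+1d" approach has: an event that falls on a Sunday is snapped to that Sunday and then pushed forward to the next day, so it is labelled with the following week's Monday, whereas "@w1" (Splunk's documented Monday snap; "@w" is "@w0", Sunday) snaps every event back to the Monday that started its week. Only "+/-N" day and hour offsets and the "@d", "@w" and "@wN" snaps are supported, which is an assumption of this emulation, not a limit of Splunk.

```python
import re
from datetime import datetime, timedelta

_UNIT = {"d": timedelta(days=1), "h": timedelta(hours=1)}
# <leading offset>@<snap><trailing offset>, e.g. "-7d@d", "@w+1d", "@w1"
_MOD_RE = re.compile(r"^([+-]\d+[dh])?(?:@(d|w[0-6]?))?([+-]\d+[dh])?$")


def _offset(t, spec):
    """Apply an offset such as '-7d' or '+1d' (None means no offset)."""
    if not spec:
        return t
    sign = -1 if spec[0] == "-" else 1
    return t + sign * int(spec[1:-1]) * _UNIT[spec[-1]]


def _snap(t, unit):
    """Snap to midnight ('d') or to the most recent given weekday ('w', 'w0'..'w6')."""
    if unit is None:
        return t
    midnight = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return midnight
    # Splunk numbers days Sunday=0 .. Saturday=6 and "@w" means "@w0";
    # Python's weekday() numbers Monday=0 .. Sunday=6, so convert.
    target = int(unit[1:] or 0)
    splunk_dow = (midnight.weekday() + 1) % 7
    return midnight - timedelta(days=(splunk_dow - target) % 7)


def relative_time(t, modifier):
    """Emulation (assumption, not Splunk's code) of relative_time(t, modifier):
    apply the leading offset, then the snap, then the trailing offset."""
    m = _MOD_RE.match(modifier)
    if not m:
        raise ValueError(f"unsupported modifier: {modifier}")
    lead, snap, trail = m.groups()
    return _offset(_snap(_offset(t, lead), snap), trail)


def week_labels(t):
    """Return the Monday label an event gets under '@w+1d' versus '@w1'."""
    return relative_time(t, "@w+1d"), relative_time(t, "@w1")


if __name__ == "__main__":
    # Constructed event times: 2024-03-10 is a Sunday, 2024-03-13 a Wednesday.
    for ev in (datetime(2024, 3, 10, 15, 0), datetime(2024, 3, 13, 15, 0)):
        plus1, w1 = week_labels(ev)
        print(f"{ev:%a %Y-%m-%d}: @w+1d -> {plus1:%Y-%m-%d}, @w1 -> {w1:%Y-%m-%d}")
    print("-7d@d from the Wednesday:", relative_time(datetime(2024, 3, 13, 15, 0), "-7d@d"))
```

For the Wednesday both modifiers agree on 2024-03-11; for the Sunday, "@w+1d" yields 2024-03-11 (the week after the event) while "@w1" yields 2024-03-04, so a report that must keep Sunday events in the week they belong to should snap with "@w1" directly rather than shifting a Sunday snap forward.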
Here's what I found (with the help of the Perplexity engine) - saved me...: The fields_list in the transforms.conf stanza should match the column names in your CSV file.