All Posts

Hello, I have a dashboard with a radio button and a text input field.

    <form version="1.1" theme="light">
      <label>mnj1809_radio</label>
      <init>
        <set token="tokradiotext">$tokradio$="$toktext$"</set>
      </init>
      <fieldset submitButton="false">
        <input type="radio" token="tokradio">
          <label>Field</label>
          <choice value="category">Group</choice>
          <choice value="severity">Severity</choice>
          <default>category</default>
          <change>
            <set token="tokradiotext">$value$="$toktext$"</set>
          </change>
        </input>
        <input type="text" token="toktext">
          <label>Value</label>
          <default>*</default>
          <change>
            <set token="tokradiotext">$tokradio$="$value$"</set>
          </change>
        </input>
      </fieldset>
      <row>
        <panel>
          <event>
            <title>tokradiotext=$tokradiotext$</title>
            <search>
              <query>| makeresults</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
          </event>
        </panel>
      </row>
    </form>

'A radio input to select field names and a text input to enter field values, you can define and update a separate field when either token changes'

A radio button allows only one choice, but I'd like to use a checkbox that selects multiple options. So if I choose multiple checkboxes, I'd like the search to look for results in the fields that were chosen.

Could you please help me? Thanks in advance!
Do you really want to know the times in the entire index? If so, tstats is usually the way to go.

    | tstats min(_time) as start max(_time) as end where index=myindex
    | fieldformat start = strftime(start, "%F %T")
    | fieldformat end = strftime(end, "%F %T")

Something like that.
One of Splunk's biggest taboos is join. SQL is designed to make join efficient, but Splunk is NoSQL. If you feel there is a need for an SQL-like join, it is usually because the search strategy is wrong. It is much better if you describe your dataset and the search used to obtain those two tables, and describe the desired output. There is usually a more Splunk way to get the result and avoid join.
First, can you confirm that transaction grouped the correct events? Second, do you mean to say that even though one of the events in a transaction is

    2024-06-13 09:22:49,101 INFO [com.mysite.core.repo.BaseWebScript] [http-nio-8080-exec-43] ****** NEW WEBSCRIPT REQUEST ****** Server Path: http://repo.mysite.com:80 Service Path: /repo/service/company/upload Query String: center=pc&contentType=reqDocExt&location=\\myloc\CoreTmp\app\pc\in\gwpc5799838158526007183.tmp&name=wagnac%20%20slide%20coverage%20b&description=20% rule&contentCreator=JOSEY FALCON&mimeType=application/pdf&accountNum=09693720&policyNum=13068616

Splunk does not give you location with the value \\myloc\CoreTmp\app\pc\in\gwpc5799838158526007183.tmp? This is nearly impossible, but you can try adding the extract command after the index search. If you look at the emulation I listed above, I used extract to emulate Splunk's default action.
Hi, I am getting some events from a CSV that contains the format below, and I would like to drop such events using transforms.

    null,null,0,null,null,null,null,null,null,  ---- to be dropped
    null,null,0,null,null,null,null,null,null,  ---- to be dropped
    null,null,0,null,null,null,null,null,null,  ---- to be dropped
    null,null,0,null,null,null,null,null,null,  ---- to be dropped
    null,null,0,null,null,null,null,null,null,  ---- to be dropped
    52376,null,0,test,87387,2984,22,abc,99      ----- to be kept

Below is what I have done so far, and it is not working.

props.conf

    [Reports5min]
    TRANSFORMS-null = setnull

transforms.conf

    [setnull]
    REGEX = ^null,null\,0,null,null,null,null,null,null,$
    DEST_KEY = queue
    FORMAT = nullQueue
Hello, how can I know the start time and the latest time of data coming into all indexes? Meaning, when was the first time data came into an index, and when is the latest time data came into that index?
    index=ABC sourcetype="stalogmessage"
    | fields _raw
    | spath output=statistical_element "StaLogMessage.StatisticalElement"
    | spath output=statistical_subject "StaLogMessage.StatisticalElement.StatisticalSubject"
    | fields - _raw
    | mvexpand statistical_element
    | mvexpand statistical_subject
    | spath input=statistical_element output=statistical_item "StatisticalItem"
    | spath input=statistical_item output=StatisticalId "StatisticalId"
    | spath input=statistical_item output=Value "Value"
    | spath input=statistical_subject output=SubjectType "SubjectType"
    | where SubjectType="ORDER_RECIPE"
    | stats count by StatisticalId Value SubjectType _time
    | lookup detail_lfl.csv StatisticalID as StatisticalId SubjectType as SubjectType OUTPUTNEW SymbolicName
    | mvexpand SymbolicName
    | where SymbolicName="UTILISATION"
    | strcat "raw" "," SymbolicName group_name
    | stats min(Value) AS min_value, max(Value) AS max_value, sum(Value) AS sum_value, count AS count BY SymbolicName group_name StatisticalId _time
    | eval min_value=coalesce(min_value,value), max_value=coalesce(max_value,value), sum_value=coalesce(sum_value,value), count=coalesce(count,1)
    | fields StatisticalId min_value max_value sum_value count group_name _time
    | dedup StatisticalId _time group_name
    | fields - _virtual_ _cd_
    | fillnull value=""
    | timechart span=1h minspan=3600s eval(round(min(min_value),2)) AS "Minimum", eval(round(max(max_value),2)) AS "Maximum", eval(round(sum(sum_value),2)) AS summed, eval(round(sum(count),2)) AS counted
    | eval "Average" = round(summed/counted, 2)
    | fields - summed counted

I am using the above query to visualize the graph of maximum, minimum and average, but my values look different.

Expected result I want:

@bowesmana Please help me with what I need to fix in the query to achieve the expected results.
I also have the same issue. Tried to email devinfo@splunk.com 10 days ago and still no reply.
You'll have a much better chance of getting real help if you really follow this formula for an answerable question:

1. Illustrate data input (in raw text, anonymize as needed), whether they are raw events or output from a search that volunteers here do not have to look at.
2. Illustrate the desired output from illustrated data.
3. Explain the logic between illustrated data and desired output WITHOUT SPL.
4. If you also illustrate attempted SPL, illustrate actual output and compare with desired output, explain why they look different to you if that is not painfully obvious.
The default join option is inner. (See Descriptions for the join-options argument.) Why should you not expect less data? But without looking into join options, let me first point out that the two searches you try to join are performed on the same index during the same period. This is about the most wasteful use of join in Splunk. Even without the searches being so, whenever you have an urge to use join in Splunk, you should suppress it for at least three weeks and find an alternative.

Even worse, your regexes suggest that you are trying to use rex to extract from structured JSON. You should always avoid doing so. Always work off the data structure as your developers intend, using robust, QA-tested Splunk functionality on them.

The best thing you can do is to follow the usual way of asking an answerable question:

1. Illustrate data - raw events (in raw text) returned from index searches such as index="k8s_main" namespace="app02013" "Published successfully event=[order-events-avro / com.nordstrom.customer.event.OrderLineReturnReceived]" ECONCESSION (anonymize as needed).
2. Illustrate the desired output from illustrated data.
3. Explain the logic between illustrated data and desired output WITHOUT SPL.
4. If you also illustrate attempted SPL, illustrate actual output and compare with desired output, explain why they look different to you if that is not painfully obvious.
I am practicing my attacks on the DVWA webserver and I would want to monitor the traffic logs from the DVWA in my Splunk Enterprise. However, I am unsure of the steps to do so despite following the instructions given for getting data into my Splunk Enterprise. So far, my Splunk only monitors the following logs, which I do not need. Additionally, I have added the following for the 'add monitor': But there are no logs from Apache or anything related to web in my Splunk. Therefore, why does my Splunk Enterprise capture logs from /var/log syslog only?
Dear everyone, can you help me with this? I have logs from syslog but cannot break the events by lines.

    {"@timestamp":"2000-01-21T00:58:39.372418529Z","event":{},"@version":"1","type":"prod","filtered_message":"[ABC]|Type=ABC|logDate=2000-01-21 00:58:39|ABC1=ABC2|ABC12=ABC23|ABC34=ABC35|ABC45=ABC46"}{"@timestamp":"2000-02-21T00:58:39.372418529Z","event":{},"@version":"1","type":"prod","filtered_message":"[ABC]|Type=ABC|logDate=2000-02-21 00:58:39|ABC1=ABC5|ABC13=ABC24|ABC35=ABC36|ABC46=ABC47"}

I need to break this log with props.conf. I already used this:

    [ABC]
    LINE_BREAKER = ([\r\n]+)
    SHOULD_LINEMERGE = false

but it does not work. Please tell me how to split the event log by lines.
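An added test harness (my example, not code from any of the posts or from Splunk) that emulates the two pieces of ingest-time config discussed above: the LINE_BREAKER question on the concatenated JSON records, and the nullQueue REGEX from the CSV post. The capture-group semantics emulated here and the `\}()\{"@timestamp"` breaker are assumptions to verify in a test index before touching production props; mis-broken events silently merge or drop data that detections later depend on.

```python
import json
import re

# Constructed sample: the two JSON records from the post (filtered_message
# shortened), concatenated with no newline between them; the "}{" boundary
# is exactly what a ([\r\n]+) breaker cannot see.
SAMPLE = (
    '{"@timestamp":"2000-01-21T00:58:39.372418529Z","event":{},"@version":"1",'
    '"type":"prod","filtered_message":"[ABC]|Type=ABC|logDate=2000-01-21 00:58:39"}'
    '{"@timestamp":"2000-02-21T00:58:39.372418529Z","event":{},"@version":"1",'
    '"type":"prod","filtered_message":"[ABC]|Type=ABC|logDate=2000-02-21 00:58:39"}'
)

def break_events(raw: str, line_breaker: str) -> list:
    """Emulate LINE_BREAKER semantics (assumed; verify against your Splunk):
    group 1 of every match is the delimiter and is dropped, text before it
    stays with the previous event, text after it starts the next one."""
    events, pos = [], 0
    for m in re.finditer(line_breaker, raw):
        if m.lastindex is None:
            raise ValueError("LINE_BREAKER must contain one capturing group")
        events.append(raw[pos:m.start(1)])
        pos = m.end(1)
    events.append(raw[pos:])
    return [e for e in events if e.strip()]

def valid_json_events(events) -> int:
    """Count events that parse as one JSON object; merged records fail."""
    ok = 0
    for e in events:
        try:
            json.loads(e)
            ok += 1
        except json.JSONDecodeError:
            pass
    return ok

# REGEX from the CSV post; Python's re is close enough to PCRE for this test.
NULLQUEUE_REGEX = r"^null,null\,0,null,null,null,null,null,null,$"

def route(event: str, regex: str = NULLQUEUE_REGEX) -> str:
    """Emulate a transforms.conf stanza with DEST_KEY=queue, FORMAT=nullQueue:
    an event matching REGEX is discarded, anything else is indexed."""
    return "nullQueue" if re.search(regex, event) else "indexQueue"

if __name__ == "__main__":
    for breaker in (r"([\r\n]+)", r'\}()\{"@timestamp"'):
        evs = break_events(SAMPLE, breaker)
        print(f"{breaker!r}: {len(evs)} event(s), {valid_json_events(evs)} valid JSON")
    for line in ("null,null,0,null,null,null,null,null,null,",
                 "52376,null,0,test,87387,2984,22,abc,99"):
        print(f"{line} -> {route(line)}")
```

Run it against a copy of your real raw data before deploying: the regex in the CSV post does match its own sample lines here, so if events still reach the index, look at whether the stanza is actually applied to that sourcetype rather than at the pattern.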
Hi Splunk community, is there documentation that provides step-by-step instructions on how I can ingest data and logs from my MongoDB Atlas cluster into Splunk using an API?
This is what you need:

    #linked_list.input-link{
      width: 400px !important;
    }

where your input is <input id="linked_list" type="list"...

Here's some more useful ways of changing linked list input types - this shows a tab style selection:

    <row depends="$AlwaysHideCSS$">
      <panel>
        <html>
          <style>
            #linked_list.input-link{
              width: 400px !important;
            }
            #linked_list label{
              display:none !important;
            }
            #linked_list.input-link div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"]{
              display: -webkit-box !important;
            }
            #linked_list.input-link button{
              min-width: 100px !important;
              max-width: 130px !important;
              border-top-color: #E1E6EB;
              border-top-style: solid;
              border-top-width: 1px;
              border-right-color: #E1E6EB;
              border-right-style: solid;
              border-right-width: 1px;
              border-left-color: #E1E6EB;
              border-left-style: solid;
              border-left-width: 1px;
              border-top-left-radius: 10px;
              border-top-right-radius: 10px;
            }
            #linked_list .splunk-choice-input-message{
              display: none !important;
            }
            #linked_list.input-link button[role="radio"][aria-checked="true"]{
              background-color: #62B5E5 !important;
              color: #000 !important;
            }
            #linked_list.input-link button[role="radio"][aria-checked="false"]{
              background-color: #005587 !important;
              color: #fff !important;
            }
          </style>
        </html>
      </panel>
    </row>

Hope this is useful.
Is there a CSS element that can help move the "really bad" button so it is on the same line as the rest?
Have you found a solution for this? I'm on the same quest.
The bin command also needs a snap-to, i.e.

    | bin _time span=1w@w

or

    | bin _time span=1w aligntime=@w+1d

otherwise it just gives you 7-day chunks.
Works perfectly, thank you! I was dancing all around it but could not nail it down. That did it for me!
Saw your thread on Slack, but I wonder if this is useful: https://community.splunk.com/t5/Reporting/How-to-run-a-savedsearch-with-the-owner-permission/m-p/213229 So using the ref= would give you access to search results which you perhaps could post-process with the vars you would pass to the search. However, that still doesn't really solve the partitioning issue you're looking at. Do search filters for roles give you a workable solution? I suspect that may be too broad, though.