All Posts
This is what you need:

#linked_list.input-link{ width: 400px !important; }

where your input is <input id="linked_list" type="list"... Here are some more useful ways of changing linked list input types - this shows a tab style selection:

<row depends="$AlwaysHideCSS$">
  <panel>
    <html>
      <style>
        #linked_list.input-link{ width: 400px !important; }
        #linked_list label{ display:none !important; }
        #linked_list.input-link div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"]{ display: -webkit-box !important; }
        #linked_list.input-link button{
          min-width: 100px !important;
          max-width: 130px !important;
          border-top-color: #E1E6EB; border-top-style: solid; border-top-width: 1px;
          border-right-color: #E1E6EB; border-right-style: solid; border-right-width: 1px;
          border-left-color: #E1E6EB; border-left-style: solid; border-left-width: 1px;
          border-top-left-radius: 10px; border-top-right-radius: 10px;
        }
        #linked_list .splunk-choice-input-message{ display: none !important; }
        #linked_list.input-link button[role="radio"][aria-checked="true"]{ background-color: #62B5E5 !important; color: #000 !important; }
        #linked_list.input-link button[role="radio"][aria-checked="false"]{ background-color: #005587 !important; color: #fff !important; }
      </style>
    </html>
  </panel>
</row>

Hope this is useful
Is there a CSS element that can help move the "really bad" button so it is on the same line as the rest?
Have you found a solution for this? I'm on the same quest.
The bin command also needs a snap-to, i.e. | bin _time span=1w@w or | bin _time span=1w aligntime=@w+1d, otherwise it just gives you 7-day chunks.
Works perfectly, thank you! I was dancing all around it but could not nail it down. That did it for me!
Saw your thread on Slack, but I wonder if this is useful: https://community.splunk.com/t5/Reporting/How-to-run-a-savedsearch-with-the-owner-permission/m-p/213229 - using the ref= would give you access to search results which you perhaps could post-process with the vars you would pass to the search. However, that still doesn't really solve the partitioning issue you're looking for. Do search filters for roles give you a workable solution? I suspect that may be too broad though.
You can give this a try: https://github.com/dtburrows3/Splunk_Expand_Macros_Command It's a work in progress but seems to cover the majority of things I have thrown at it so far.
Thanks a million!
Thanks Yuan. The issue I am seeing is that the value for "location" is coming back empty, whereas I can see there is data in the raw event for location. What can be the issue? Thanks!
There is more than one way to do that. If you want to create a new field, use eval with relative_time and strptime.

<<base search>>
| eval SummaryDate = relative_time(strptime(Date, "%m/%d/%Y"), "@w+1d")
| chart sum(results) over SummaryDate

Since "@w" snaps to Sunday, we use "+1d" to start the week on Monday. Here's another way using the bin command.

<<base search>>
| bin _time span=1w
``` Convert _time from Sundays to Mondays ```
| eval SummaryDate = _time+86400
| chart sum(results) over SummaryDate
I am trying to write a Splunk search to pull what rules a particular user is hitting. This search is helping with that BUT everything is coming through as a urlrulelabel. When I move apprulelabel to the start of the line, everything comes through as an apprulelabel. When I dive into the events, I see there are other rules showing, but they aren't populating in the statistics table. I would like to have each rule come through as its own.

index=zscaler sourcetype=zscalernss-web user=*
| eval rule_type=case(isnotnull(urlrulelabel), "urlrulelabel", isnotnull(apprulelabel), "apprulelabel", isnotnull(rulelabel), "rulelabel", true(), "unknown")
| eval rule=coalesce(apprulelabel, urlrulelabel, rulelabel)
| stats count by rule, rule_type
| rename rule as Rule, rule_type as "Type of Rule", count as "Hit Count"
| sort - "Hit Count"

Thank you in advance
eval is the command to use to add a new field to an event. Use the relative_time function to help set the value.

| eval newField = relative_time(now(), "-7d@d")
Here's what I found (with the help of the Perplexity engine) - saved me...: The fields_list in the transforms.conf stanza should match the column names in your CSV file.
I am analyzing some .csvs which have a "date" field present. The .csvs are indexed, but the index time is pretty irrelevant; however, the "date" field is important. I am trying to create a new field which would represent the first day of the week relative to the "date" field in my data. Ultimately I am going to create some charts over time which will use this new field. Below is an example of my desired outcome - from the date present as a field in the .csv, create a new field (Summary Date) which shows the date of Monday for that week.

Date (present in .csv)    Summary Date (new field)
6/15/2024                 6/10/2024
6/16/2024                 6/10/2024
6/18/2024                 6/17/2024

* realizing there may be more than one way to skin the cat, ultimately I am looking to group results by week in Line Charts. The query will be very basic, something like this:

<base search>
| chart sum(results) by "Summary Date"

And I want the date shown on the X-axis to be the first day (Monday in my case) of every week. Maybe there is an easier solution than creating a new "Summary Date" field via an eval expression, but that is where my head goes first. Any suggestions are appreciated!
How do I add a new field and set the value to seven days ago from the current date, snapped to the beginning of the current date? I know the date syntax should be "earliest=-7d@d", but am unsure if I should use the eval command to add the field, and of the specific syntax. Thanks.
Greetings to you!! I have a file with the following content:

My city is very good
your city is also very good
but
but
but
but

Now, I want only three lines to be indexed in Splunk:

My city is very good
your city is also very good
but

Since "but" has appeared multiple times, we want to use only 1 "but" out of many. I want to write props or any kind of configuration so that I can achieve this result. Kindly help!!
Resolved! Two issues: (1) Don't trust regex you find on the Internet, (2) Trust but verify. Turns out, I had assumed what I see in "Source" would line up with the data Splunk processed. It lined up with the regex ("New Process Name:  " has a space after the colon). In actuality, this is a tab. I'm using this now. Could probably use "\t" but playing it safe and allowing one or more whitespace.

blacklist2 = EventCode="4688" Message="New Process Name:\s+C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-(?:powershell|regmon|admon|netmon|MonitorNoHandle)\.exe"

Above is what I ended up with. Not perfect, but good enough for a POC, and it actually works, at least in the current environment. Cheers!
Nice solution. I'm working with a similar situation. What does this situation look like with a checkbox?
I have two query tables.

table 1

index="k8s_main" namespace="app02013" "EConcessionItemProcessingStartedHandler.createRma PH successfully created RMA" NOT [search index="k8s_main" namespace="app02013" "NonCustomerOrderShippingLabelGeneratedEventsUtil.processShippingLabelEvent Successfully published" | fields LPN]
| rex "LPN\": \"(?<LPN>[^,]+)\"\,"
| rex "location\": \"(?<location>[^,]+)\"\,"
| rex "orderNumber\": \"(?<orderNumber>[^,]+)\"\,"
| rex "orderLineId\": \"(?<orderLineId>[^,]+)\"\,"
| dedup orderLineId
| eval LPN = replace(LPN, "\\[|\\]", "")
| eval location = replace(location, "\\[|\\]", "")
| eval orderNumber = replace(orderNumber, "\\[|\\]", "")
| eval orderLineId = replace(orderLineId, "\\[|\\]", "")
| table LPN location orderNumber orderLineId

table 2

index="k8s_main" namespace="app02013" "Published successfully event=[order-events-avro / com.nordstrom.customer.event.OrderLineReturnReceived]" ECONCESSION
| rex "orderLineId\": \"(?<orderLineId>[^,]+)\"\,"
| rex "orderNumber\": \"(?<orderNumber>[^,]+)\"\,"
| dedup orderLineId
| eval orderNumber = replace(orderNumber, "\"", "")
| eval orderLineId = replace(orderLineId, "\"", "")
| table orderNumber orderLineId

here is my join query:

index="k8s_main" namespace="app02013" "EConcessionItemProcessingStartedHandler.createRma PH successfully created RMA" NOT [search index="k8s_main" namespace="app02013" "NonCustomerOrderShippingLabelGeneratedEventsUtil.processShippingLabelEvent Successfully published" | fields LPN]
| rex "LPN\": \"(?<LPN>[^,]+)\"\,"
| rex "location\": \"(?<location>[^,]+)\"\,"
| rex "orderNumber\": \"(?<orderNumber>[^,]+)\"\,"
| rex "orderLineId\": \"(?<orderLineId>[^,]+)\"\,"
| dedup orderLineId
| eval LPN = replace(LPN, "\\[|\\]", "")
| eval location = replace(location, "\\[|\\]", "")
| eval orderNumber = replace(orderNumber, "\\[|\\]", "")
| eval orderLineId = replace(orderLineId, "\\[|\\]", "")
| table LPN location orderNumber orderLineId
| join left=L right=R where L.orderLineId = R.orderLineId
    [search index="k8s_main" namespace="app02013" "Published successfully event=[order-events-avro / com.nordstrom.customer.event.OrderLineReturnReceived]" ECONCESSION
    | rex "orderLineId\": \"(?<orderLineId>[^,]+)\"\,"
    | rex "orderNumber\": \"(?<orderNumber>[^,]+)\"\,"
    | dedup orderLineId
    | eval orderNumber = replace(orderNumber, "\"", "")
    | eval orderLineId = replace(orderLineId, "\"", "")
    | table orderNumber orderLineId]

Each table returns unique rows, but the result of the above query returns less data. Please help me find the problem.