All Posts

Hi, I am getting a log feed for a transactional system. Each log entry has a status, either End, Begin or something in between (but for this I don't care about the in between), and a UUID to mark that they belong to the same transaction. I am struggling to write a search query that essentially subtracts the _time from the BEGIN entry with UUID123 from the _time from the END entry with the same UUID. Obviously, my goal is to get the time it took the transaction to complete, but I am not sure how to compare fields in two entries with the same UUID. Any ideas? Thanks
Hi @AnanthaS , probably the issue is that the boolean AND operator must be in uppercase. Then, don't use where after the main search; it makes your search slower! Put all the search terms in the main search:

index=shared_data source="lambda:maintenance_window_handler" sourcetype="httpevent" (eventStartsFrom <= now() AND eventEndsAt >= now())

If your search continues not to work, probably you don't have any event where you can find both the fields eventStartsFrom and eventEndsAt, and you have to group them using the stats command. Ciao. Giuseppe
I'm having the same exact issue as @AntonioJimenez and it is also a blocker for us. Perhaps the author of this article might be able to help?
The following query yields no results:

index=shared_data source="lambda:maintenance_window_handler" sourcetype="httpevent" | where eventStartsFrom <= now() and eventEndsAt >= now()

but

index=shared_data source="lambda:maintenance_window_handler" sourcetype="httpevent" | where eventStartsFrom <= now()

and

index=shared_data source="lambda:maintenance_window_handler" sourcetype="httpevent" | where eventEndsAt >= now()

both work individually. All comparisons are made against epoch date format. Can someone help me understand what mistake I am making here?
Thanks for the reply!! The stats I am looking for are for single Windows servers.

| timechart latest('CPU') by process_name host

timechart followed by process_name host does not work.
Thanks for the reply!! Mostly 4 to 8 cores for Windows servers.
Hi @bowesmana

What do you have in your real search before you do the eventstats as it will push all the data to the search head, including _raw, so unless you use the fields statement you will be sending all the event data to the SH.

>> Can you re-phrase your statement? How do I improve efficiency using the fields statement? My search using real data is using the table statement without "*", but it does have a lot of fields.

You are also doing lots of multivalue splits, which is going to be pretty memory hungry on the SH.

Which part of my search is using multivalue splits?

What is the depth of the tree in your case, your example is 3 tier, going from server via the LB - if it's only 3 tier, then you could perhaps build your pathways just by fetching the name="LoadBalancer" objects and using stats values() rather than eventstats to create the lookup - as at that point you don't care about the IPs.

The depth is always 3-tier: Server->LB->network. Can you give an example using stats values to create a lookup? I care about the IP since one server can have multiple IPs on its interfaces. For example: Server-A can have 192.162.1.7 (int1) and 192.162.1.6 (int2). I appreciate your assistance. Thank you so much
The purpose of this query is to create legacy diagrams of how the search head works in Splunk. I want to know the internal flow of the search head so anyone can use it in a future LLD or flow diagram.
Hello @bowesmana  The eval match condition worked, but it didn't give me the result I expected. Is it possible to use "eventstat match condition" to group the student based on partialname? Do you think moving to eventstats makes the search more efficient? I appreciate your help. Thank you so much

Without "eventstat match condition" - it worked:

| makeresults format=csv data="grade,name
A,student-1-a
A,student-1-b
A,student-1-c
A,student-2-a
A,student-2-b
A,student-2-c"
| eval partialname=substr(name,0,9)
| eventstats values(name) as student by partialname

With "eventstat match condition" - it didn't work:

| makeresults format=csv data="grade,name
A,student-1-a
A,student-1-b
A,student-1-c
A,student-2-a
A,student-2-b
A,student-2-c"
| eval partialname=substr(name,0,9)
| eventstats values(eval(if(match(name,substr(name,0,9)), name, null()))) as student by grade

Data:

class    name
class-1  student-1-a
class-1  student-1-b
class-1  student-1-c
class-1  student-2-a
class-1  student-2-b
class-1  student-2-c

Expected result:

grade  name         student
A      student-1-a  student-1-a
                    student-1-b
                    student-1-c
A      student-1-b  student-1-a
                    student-1-b
                    student-1-c
A      student-1-c  student-1-a
                    student-1-b
                    student-1-c
A      student-2-a  student-2-a
                    student-2-b
                    student-2-c
A      student-2-b  student-2-a
                    student-2-b
                    student-2-c
A      student-2-c  student-2-a
                    student-2-b
                    student-2-c

Currently here's the result with the eventstats match condition:

grade  name         partialname  student
A      student-1-a  student-1    student-1-a
                                 student-1-b
                                 student-1-c
                                 student-2-a
                                 student-2-b
                                 student-2-c
A      student-1-b  student-1    student-1-a
                                 student-1-b
                                 student-1-c
                                 student-2-a
                                 student-2-b
                                 student-2-c
A      student-1-c  student-1    student-1-a
                                 student-1-b
                                 student-1-c
                                 student-2-a
                                 student-2-b
                                 student-2-c
A      student-2-a  student-2    student-1-a
                                 student-1-b
                                 student-1-c
                                 student-2-a
                                 student-2-b
                                 student-2-c
A      student-2-b  student-2    student-1-a
                                 student-1-b
                                 student-1-c
                                 student-2-a
                                 student-2-b
                                 student-2-c
A      student-2-c  student-2    student-1-a
                                 student-1-b
                                 student-1-c
                                 student-2-a
                                 student-2-b
                                 student-2-c
Regular expressions (RegEx) are powerful tools for splitting data based on patterns. Use split() with a RegEx pattern to segment text into manageable components, such as dividing a string by commas or spaces. For instance, split(/[,\s]+/). Customize patterns to match specific delimiters or structures in data, ensuring accurate segmentation for tasks like parsing CSV files or extracting structured information from unformatted text.
Hi @vijreddy30 , as I said, use the Add Data feature to define the correct sourcetype. Also because, viewing your screenshot, you have a timestamp at 6/12/24 0:37:54 and the Date column at 04/06/2024 and the Time column at 10:48:00. In Add Data, you can configure and test the timestamp and the line breaking. Ciao. Giuseppe
Hi @tuts , there's something wrong in your procedure; review it step by step, and follow a Splunk Enterprise Security User / Admin training. Ciao. Giuseppe
Hi @ganeshkumarmoha , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
Updated query for 2024 looks like this:

index=_audit sourcetype=audittrail action=remove_user | stats values(_time) as _time values(user) as removed_by by username
Hi @hazem , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
Hi @Jitendra33 , after a stats command, you have only the fields listed in the command; in your case you don't have the _time that is required by the timechart command, so use stats, something like this (to adapt to your real case):

| Myquery
| bin span=1d _time
| stats sum(Attempts) AS TransactionAttempts sum(Success) AS SuccessfulTransactions BY _time MerchantName
| eval CR=round(SuccessfulTransactions/TransactionAttempts*100, 2)

Why did you use coalesce? Ciao. Giuseppe
@bowesmana   Thanks for the solution

| rex field=message "ActionName\\\":\\\"(\w+\.)*(?<ActionName>\w+)"

This worked. I tried a similar thing to extract the name from the URL below using the regex below; what did I miss? It did not work. I replaced . with /? If you could explain it, that would be helpful.

URL --- /api/v1/Publish
value expected ---- Publish

| rex field=message "reqPath\\\":\\\"(\w+\/)*(?<reqPath>\w+)"

Thanks a ton in advance
I am experiencing the same issue. About 12 hours ago, I received a normal notification from the Splunk app again. After using the test notification function, I noticed that the notifications are sent but no notification sound is played. All notification related settings on my phone are correct. I'll send another post when I'm able to confirm if the "no notification sound" problem is also affecting real notifications. But I'm fairly certain that it won't work, as the notification sound also worked with test notifications before it stopped working completely a few weeks ago. Does anyone have any information from the Splunk team regarding this issue?
Hi Team, I am trying to put the conversion of transactions for all days of the week in a line chart for successful transactions for multiple merchants, something like what is shown below. My query is like this:

| Myquery
| stats sum(Attempts) as TransactionAttempts, sum(Success) as SuccessfulTransactions by MerchantName
| eval CR= round(coalesce( SuccessfulTransactions / TransactionAttempts * 100, 0 ), 2)
| timechart span=1d CR by MerchantName

Which function shall I put in timechart to get the desired result?
This worked thanks a lot