Hi @shimada-k, yes, correct: you don't have the interface field in all the events, so you cannot display it in all rows. Ciao. Giuseppe
Splunk to Slack report integration not displaying all events in results from output. So we have a report running which will have the below records in its output, but Splunk reports triggered to Slack will just display only the first record in the alert description/summary. How do I get the entire thing into the alert summary/description?

UnmappedActions
test, some value
test, some value
test, some value

base search | stats values(unmapped_actions) as UnmappedActions
Hello @marysan - thanks for this. I have created this email_subject field, and when used within the Email Body as $email_subject$ it worked fine, but not when used in the Email Subject. Can you please suggest if I am missing something?

| eval email_subject=MonthYear." - ".Customer." - ".CheckName." - ".Device

Thank you.
Thanks again, gcusello. Much appreciated. Do I need to add <"values.interface" AS interface> in the rename, correct? I executed the following query.

index=gnmi ("tags.next-hop-group"=* OR "tags.index"=*) earliest="06/07/2024:08:28:14" | rename "tags.next-hop-group" AS tags_next_hop_group "tags.index" AS tags_index "tags.ipv4-entry_prefix" AS ipv4_entry_prefix "tags.network-instance_name" AS network_instance_name "values.interface" AS interface | eval tags_index=coalesce(tags_index, tags_next_hop_group) | stats values(ipv4_entry_prefix) AS ipv4_entry_prefix values(network_instance_name) AS network_instance_name values(interface) AS interface BY tags_index | sort ipv4_entry_prefix network_instance_name

Then I received the following result.

My expectation is that "Ethernet48" appears in the 1st and 2nd lines. The data is as follows.

Many thanks, Kenji
What version of the app do you have?  
Hi @Cyner__, at first, did you follow the instructions at https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/Usingforwardingagents ? In other words:
did you check the open route between the UF and Splunk on port 9997 (default)? You can do this using telnet.
did you enable receiving in Splunk Enterprise? [Settings > Forwarding and Receiving > Receiving]
did you enable forwarding in the Universal Forwarder?
When you have done the above steps, you can check the connection using the following search:

index=_internal host=your_client_host

Ciao. Giuseppe
You could try something like this:

index=foo message="magic string" duration > [search index=foo message="magic string" | stats p99(duration) as search] | stats count as "# of Events with Duration > p99"
Also, I can't find anything in Splunk Enterprise. Nothing in the forwarder management section and no data whatsoever.
I am a newbie to Splunk. Any help is appreciated. So I have Splunk Enterprise on my Windows computer, and a Splunk forwarder on an Ubuntu VPS server with a Cowrie honeypot built in. So my problem is that when I try a ping test between my local computer and the VPS server, I have 100% packet loss. Also, the splunkd log file is full of "cooked connection to "my-local-ip" timed out" and "... blocked for blocked_seconds=3000. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data." errors. Thanks for helping. I am waiting for your response.
@jrs42 you can use 'stats' instead of 'eventstats' to optimize:

index=foo message="magic string" | stats p99(duration) as p99val, count(eval(duration > p99(duration))) as count
Hi @shimada-k, sorry, I mistyped the field name; probably the interface field name is different, probably it's only "interface". Please see the exact field name and replace it in the search:

index=gnmi ("tags.next-hop-group"=* OR "tags.index"=*) | rename "tags.next-hop-group" AS tags_next_hop_group "tags.index" AS tags_index "tags.ipv4-entry_prefix" AS ipv4_entry_prefix "tags.network-instance_name" AS network_instance_name | eval tags_index=coalesce(tags_index, tags_next_hop_group) | stats values(ipv4_entry_prefix) AS ipv4_entry_prefix values(network_instance_name) AS network_instance_name values(interface) AS interface BY tags_index | sort ipv4_entry_prefix network_instance_name

Ciao. Giuseppe
Tried this but had no luck with it.
Not helpful as all the fields are correct.
Assuming you are changing the groupby_field token in the change handler of the time selection input, which is essentially the input that is being waited for, you could also initialise the groupby_field token in an init block in SimpleXML - it is perhaps a little more complicated to do in Studio.
Hi gcusello, thanks for your prompt reply. I tried your solution. It's almost perfect, but the interface field does not appear. I would appreciate it if you could give me additional advice to resolve it.

index=gnmi ("tags.next-hop-group"=* OR "tags.index"=*) | rename "tags.next-hop-group" AS tags_next_hop_group "tags.index" AS tags_index "tags.ipv4-entry_prefix" AS ipv4_entry_prefix "tags.network-instance_name" AS network_instance_name | eval tags_index=coalesce(tags_index, tags_next_hop_group) | stats values(ipv4_entry_prefix) AS ipv4_entry_prefix values(network_instance_name) AS network_instance_name values(tags.interface) AS interface BY tags_index | sort ipv4_entry_prefix network_instance_name

Result

Many thanks, Kenji
I highly recommend that you look at the training Splunk offers; this will get you into the deeper aspects and how to administrate Splunk, and build up knowledge. The Splunk Admin courses should get you started; the various modules should cover what you are looking for at a deeper level. https://www.splunk.com/en_us/training/course-catalog.html?sort=Newest&filters=filterGroup3SplunkEnterpriseCloudAdministrator
Hi Team, I have the stats group-by fields as a token; it will change dynamically based on the time selection. For example, if I select since 1st Jun 24, then my query will be like below.

eventtype="abc" |stats count by a,b,c

And if I select a date before 1st Jun 2024, i.e. 30th May 2024, I would like to have the stats group-by fields like below.

eventtype="abc" |stats count by a,d,e

So my current implementation is putting the group-by fields in a token; the token will be set based on the time selection and the final query would be like below.

eventtype="abc" |stats count by $groupby_field$

Now the issue is that the Splunk dashboard says "waiting for input" the moment I add the token input to the stats group-by field. Appreciate your suggestion/help to handle this scenario.

Thanks, Mani
The problem is that this _row does not correspond to linecount=2, but is recognized as 1. I will give you one _row of data as an example.

(_row recognized as one)
1333561147.74 48957 131.178.233.243 TCP_DENIED/403 1914 GET http://bewfsnfwka.net/ edgy@demo.com NONE/- - BLOCK_AMW_REQ-DefaultGroup-Demo_Clients-NONE-NONE-NONE <nc,dns,-9,"Trojan-Downloader.Gen",100,13689,586638,-,-,-,-,-,-,-,-,nc,-> - - 1262356487.060 16922 131.178.233.243 TCP_REFRESH_HIT/200 474 GET http://damtare.by.ru/id.txt edgy@demo.com DIRECT/damtare.by.ru text/html DEFAULT_CASE-DefaultGroup-Demo_Clients-NONE-NONE-DefaultRouting <IW_scty,-6.9,0,-,-,-,-,0,-,-,-,-,-,-,-,IW_scty,-> - -

(1)
1333561147.74 48957 131.178.233.243 TCP_DENIED/403 1914 GET http://bewfsnfwka.net/ edgy@demo.com NONE/- - BLOCK_AMW_REQ-DefaultGroup-Demo_Clients-NONE-NONE-NONE <nc,dns,-9,"Trojan-Downloader.Gen",100,13689,586638,-,-,-,-,-,-,-,-,nc,-> - -

(2)
1262356487.060 16922 131.178.233.243 TCP_REFRESH_HIT/200 474 GET http://damtare.by.ru/id.txt edgy@demo.com DIRECT/damtare.by.ru text/html DEFAULT_CASE-DefaultGroup-Demo_Clients-NONE-NONE-DefaultRouting <IW_scty,-6.9,0,-,-,-,-,0,-,-,-,-,-,-,-,IW_scty,-> - -

(1), (2): How do I separate them into their own _row each? Please give an example of the regular expression that is needed to separate them. Thank you.
There are many ways to get the results, as @bowesmana and @emdaax show. One more alternative is json_extract_exact (JSON functions were introduced in 8.1):

| eval hits = json_extract(json_extract_exact(json_extract(payload, "cacheStats"), "lds:UiApi.getRecord"), "hits")
Actually, while your technique is correct, as you are ONLY interested in the count of duration>p99, you should use the fields statement to ONLY send the data you care about to the search head, i.e.

index=foo message="magic string" | fields - _raw | fields duration | eventstats p99(duration) as p99val | where duration > p99val | stats count as "# of Events with Duration > p99"

Those two fields statements will mean that the only piece of data being sent to the SH is 'duration'.