All Posts


Hi @Ram2 , what's the Mode you're using? You must use Verbose. If the site field isn't extracted, you cannot use it. Did you extract the site field? Ciao. Giuseppe
Hi @gcusello , probably you ran the search on the SHC outside the app where the site field is extracted. -- No, I am running the same query under the Search and Reporting app on the SHC and on the Deployer. Do you have the site field in the events? -- No, these are default values for a host coming from a universal forwarder, which they set from the application side.
Hello @marysan , the query is the same
This led to a solution for me. I had our user change the time format at the beginning of their logs.
Hi @Ram2 , probably you ran the search on the SHC outside the app where the site field is extracted. Do you have the site field in the events? Ciao. Giuseppe
@humanBeing  If your problem is resolved, then please click one of the "Accept as Solution" buttons to help future readers.
@DanAlexander1  If your problem is resolved, then please click one of the "Accept as Solution" buttons to help future readers.
I think this query will work for you:

    | tstats summariesonly=true fillnull_value="N/D" dc(All_Email.internal_message_id) as total_emails from datamodel=Email
        where (All_Email.action="quarantined" OR All_Email.action="delivered") AND NOT [| `email_whitelist_generic`]
        by All_Email.src_user, All_Email.subject, All_Email.action
    | `drop_dm_object_name("All_Email")`
    | eventstats sum(eval(if(action="quarantined", 1, 0))) as quarantined_count_peruser,
                 sum(eval(if(action="delivered", 1, 0))) as delivered_count_peruser by src_user, subject
    | where total_emails > 50 AND quarantined_count_peruser > 10 AND delivered_count_peruser > 0
We have a query where we are getting the count by site: index=test-index | stats count by host site. When we run this query in the search head cluster we are getting this output:

    site        host
    undefined   appdtz
    undefined   appstd
    undefined   apprtg
    undefined   appthf

When we run the same query on the deployer we are getting the output correctly with site:

    site        host
    sitea       appdtz
    sitea       appstd
    siteb       apprtg
    siteb       appthf

How do we fix this issue in the SH cluster?
I don't know if it matters that it is an event top-level field, so I'm pasting a screenshot of the raw data. The field in question is tlogParameters.
Is it fixed? In which version is it fixed? Is there any technical documentation for that? Thanks
There are several queries; for example, for sourcetype=Sample_sourcetype:

1- | metadata type=sourcetypes | search sourcetype=Sample_sourcetype | table index, sourcetype

2- | tstats count where sourcetype=Sample_sourcetype by index | table index
Hi all. I'm trying to understand how to map my diagnostic setting AAD data coming in from an mscs:azure:eventhub sourcetype to CIM. I notice in the official docs for the TA, it mentions that the sourcetype above isn't mapped to CIM; however, the azure:monitor:aad sourcetype is mapped to CIM. I'm attempting to leverage Enterprise Security to build searches off of some UserRiskEvents data coming in, and would like to be able to reference datamodels. So, is there any world in which I can take my existing data and transform it to match what's mapped to CIM? I envision, like other TAs, that this can filter down to unique sourcetypes upon ingestion, while the inputs on the IDM are set to a parent sourcetype. I can't confirm if that's true or not.
Hi @tej57 , pls find the xml below.

    <form version="1.1" theme="light">
      <label>Dashboard</label>
      <fieldset submitButton="false">
        <input type="time" token="timepicker">
          <label>TimeRange</label>
          <default>
            <earliest>-15m@m</earliest>
            <latest>now</latest>
          </default>
        </input>
        <input type="dropdown" token="servicecode">
          <label>Code</label>
          <choice value="*">All</choice>
          <default>*</default>
          <fieldForLabel>service_code</fieldForLabel>
          <fieldForValue>service_code</fieldForValue>
          <search>
            <query>
              index=application-idx
              | rename "attribute.app.servicecode" as service_code
              | eval service_code=if(service_code="NULL","Non-Servicecode",service_code)
              | stats count by service_code
              | fields service_code
            </query>
          </search>
        </input>
      </fieldset>
      <row>
        <panel>
          <table>
            <title>Incoming Count &amp; Total Count</title>
            <search>
              <query>
                index=application-idx AND attribute.app.servicecode="$servicecode$" source=application.logs
                | stats count
              </query>
              <!-- token references must be wrapped in $...$ to take the time picker's values -->
              <earliest>$timepicker.earliest$</earliest>
              <latest>$timepicker.latest$</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="count">20</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">none</option>
            <option name="percentageRow">false</option>
            <option name="refresh.display">progressbar</option>
            <option name="rowNumbers">false</option>
            <option name="totalsRow">false</option>
            <option name="wrap">true</option>
          </table>
        </panel>
      </row>
    </form>
Assume that ImpCon is a multivalue field from which you want to remove null values; this works for you: | eval ImpCon=mvfilter(isnotnull(ImpCon) AND ImpCon!="")
PowerConnect is a certified SAP Addon. The North American distributor is an elite partner with Splunk. If you want to get CPQ data into Splunk, PowerConnect is the way to go.
If you're using PowerConnect you'll need to get a license. It's not free software. You'll install the software into your Netweaver layer using SAINT. Then you have to exchange a HEC token with your Splunk instance. There is some additional config on the SAP side to establish the connection with Splunk.
Rather than pasting search results, please paste the raw event data, preferably in a code block </> to preserve original formatting.
If you want to get SAP data into Splunk Cloud, you should check out PowerConnect. It's certified by SAP and RHONODOS is an elite partner with Splunk.
You could try: index=* | stats values(sourcetype) as sourcetype by index | table index, sourcetype. This will provide all sourcetypes associated with their index, based on the timeframe given and whether they contain events during that time frame.