All Posts

We have a query where we are getting the count by site:

index=test-index | stats count by host site

When we run this query in the search head cluster we get this output:

site        host
undefined   appdtz
undefined   appstd
undefined   apprtg
undefined   appthf

When we run the same query on the deployer we get the output correctly with site:

site        host
sitea       appdtz
sitea       appstd
siteb       apprtg
siteb       appthf

How do we fix this issue in the SH cluster?
I don't know if it matters that it is an Event top-level field, so I'm pasting a screenshot of the raw data. The field in question is tlogParameters.
Is it fixed? In which version is it fixed? Is there any technical documentation for that? Thanks
There are several queries; for example, for sourcetype=Sample_sourcetype:

1. | metadata type=sourcetypes | search sourcetype=Sample_sourcetype | table index, sourcetype

2. | tstats count where sourcetype=Sample_sourcetype by index | table index
Hi all. I'm trying to understand how to map my diagnostic-setting AAD data coming in from an mscs:azure:eventhub sourcetype to CIM. I notice the official docs for the TA mention that the sourcetype above isn't mapped to CIM; however, azure:monitor:aad is mapped to CIM. I'm attempting to leverage Enterprise Security to build searches off some UserRiskEvents data coming in, and would like to be able to reference data models. So, is there any world in which I can take my existing data and transform it to match what's mapped to CIM? I envision, like other TAs, that this can filter down to unique sourcetypes upon ingestion, while the inputs on the IDM are set to a parent sourcetype. I can't confirm whether that's true or not.
Hi @tej57, please find the XML below.

<form version="1.1" theme="light">
  <label>Dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="timepicker">
      <label>TimeRange</label>
      <default>
        <earliest>-15m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="servicecode">
      <label>Code</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>service_code</fieldForLabel>
      <fieldForValue>service_code</fieldForValue>
      <search>
        <query>
          index=application-idx
          | rename "attribute.app.servicecode" as service_code
          | eval service_code=if(service_code="NULL","Non-Servicecode",service_code)
          | stats count by service_code
          | fields service_code
        </query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Incoming Count &amp; Total Count</title>
        <search>
          <query>
            index=application-idx AND attribute.app.servicecode="$servicecode$" source=application.logs
            | stats count
          </query>
          <!-- time-picker tokens must be wrapped in $...$ or they are passed as literal text -->
          <earliest>$timepicker.earliest$</earliest>
          <latest>$timepicker.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentageRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
Assuming that ImpCon is a multivalue field from which you want to remove null values, this works for you:

| eval ImpCon=mvfilter(isnotnull(ImpCon) AND ImpCon!="")
PowerConnect is a certified SAP Addon. The North American distributor is an elite partner with Splunk. If you want to get CPQ data into Splunk, PowerConnect is the way to go.
If you're using PowerConnect you'll need to get a license; it's not free software. You'll install the software into your NetWeaver layer using SAINT. Then you have to exchange a HEC token with your Splunk instance. There is some additional config on the SAP side to establish the connection with Splunk.
Rather than pasting search results, please paste the raw event data, preferably in a code block </> to preserve original formatting.
If you want to get SAP data into Splunk Cloud, you should check out PowerConnect. It's certified by SAP and RHONODOS is an elite partner with Splunk.
You could try:

index=* | stats values(sourcetype) as sourcetype by index | table index, sourcetype

This will provide all sourcetypes associated with their index, based on the timeframe given and whether they contain events during that timeframe.
All you need is:

| eval Name_Of_Search="$name$"

This is documented at https://docs.splunk.com/Documentation/Splunk/9.2.1/Alert/EmailNotificationTokens
At the end of your query add "0" after the sort command. Example:

.... | table _time, accountnumber, field1, etc. | sort 0

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort
It sounds like you want a Key Performance Indicator dashboard or a summary ERRORS-level dashboard that's light. So, at a high level, define what those KPIs, metrics, or log_levels might look like and create your searches.

Simple example summary dashboard for my LOG_LEVELS:

ERROR_MESSAGES = index=_internal log_level=ERROR NOT debug source=*splunkd.log* | timechart count
WARNING_MESSAGES = index=_internal log_level=WARN NOT debug source=*splunkd.log* | timechart count
INFO_MESSAGES = index=_internal log_level=INFO NOT debug source=*splunkd.log* | timechart count

Based on the above example log counts, you could use the Single Value element with a trend indicator/colour, use the timechart command count for the various values you want to see, and have a link to your detailed dashboards. Have a look here first and see if this is what you might want to do: https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/DashStudio/chartsSV

You can also download the old Splunk dashboard examples app; it also shows you how to do this for the single value element, along with many other examples: https://splunkbase.splunk.com/app/1603
index=wineventlog sourcetype=WinEventLog EventCode=4624 user="svc*"
| eval EventTime=strftime(_time, "%m/%d/%Y %H:%M:%S %Z")
| stats latest(EventTime) as lastlogon by user
| table lastlogon, user
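The same "last logon per service account" report, as an added example in Python that is not part of the post above and not Splunk code. It runs over constructed (epoch, user) pairs standing in for 4624 events, uses the post's strftime format, and goes one step further than the search: it flags accounts idle for longer than a threshold, and it shows why the maximum must be taken over the epoch and only then formatted (Splunk's latest() orders by _time, so the SPL above is fine; a hand-rolled version that compares "%m/%d/%Y" strings is not). The sample data, the fixed "now" and the 14-day threshold are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample records, not real logs: (epoch seconds of the 4624 event, user).
SAMPLE_LOGONS = [
    (1701388800, "svc_backup"),  # 2023-12-01 00:00:00 UTC
    (1705276800, "svc_backup"),  # 2024-01-15 00:00:00 UTC
    (1704067200, "svc_sql"),     # 2024-01-01 00:00:00 UTC
    (1699142400, "admin"),       # not a service account, filtered out below
]

# Fixed "now" so the example is deterministic: 2024-02-01 00:00:00 UTC (assumption).
NOW = 1706745600

# Same format string as the SPL strftime() in the post.
FMT = "%m/%d/%Y %H:%M:%S %Z"


def fmt(epoch: int) -> str:
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(FMT)


def _latest_epochs(events, prefix: str) -> dict:
    """Keep the largest epoch per user whose name starts with prefix (user="svc*")."""
    latest = {}
    for epoch, user in events:
        if user.startswith(prefix) and epoch > latest.get(user, -1):
            latest[user] = epoch
    return latest


def latest_logon_by_user(events, prefix: str = "svc") -> dict:
    """Equivalent of `| stats latest(...) as lastlogon by user`: compare epochs,
    format afterwards."""
    return {u: fmt(e) for u, e in _latest_epochs(events, prefix).items()}


def latest_by_formatted_string(events, prefix: str = "svc") -> dict:
    """The pitfall: format first, then take the lexicographic max of the strings.
    "%m/%d/%Y" does not sort chronologically, so "12/01/2023" beats "01/15/2024"."""
    latest = {}
    for epoch, user in events:
        if not user.startswith(prefix):
            continue
        s = fmt(epoch)
        if s > latest.get(user, ""):
            latest[user] = s
    return latest


def stale_accounts(events, max_idle_days: int = 14, now: int = NOW, prefix: str = "svc") -> list:
    """Service accounts whose most recent logon is older than max_idle_days:
    candidates for review or disablement."""
    return sorted(
        u for u, e in _latest_epochs(events, prefix).items()
        if now - e > max_idle_days * 86400
    )


if __name__ == "__main__":
    for user, last in sorted(latest_logon_by_user(SAMPLE_LOGONS).items()):
        print(f"{last}  {user}")
    print("stale:", stale_accounts(SAMPLE_LOGONS))
```

In the SPL, this corresponds to keeping `stats latest(_time) as lastlogon by user` and adding `| eval idle_days=round((now()-lastlogon)/86400) | where idle_days > 14` before formatting; the formatted string is for display only.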
Hello, I have a couple of detailed dashboards, all indicating the health status of my systems. Instead of opening each detailed dashboard and looking at every graph, I would like to have one "Overview Dashboard" in a traffic-light style. If an error is shown in a detailed dashboard, I would like the traffic light on the overview dashboard to turn red, with the option of a drilldown link to the detailed dashboard where the error was found.

Any good ideas how one would build something like that? I have one solution, but it seems complicated: I would leverage scheduled searches which write into different lookups. The overview dashboard could read from those lookups and search for error codes.
A potential solution: you can create a lookup file that performs a dnslookup of your IP/host, assuming your IP/asset info is reachable from the same DNS servers as your co-workers'.

yourindex yoursourcetype | specify your filters here
| lookup dnslookup clientip as youripfield OUTPUTNEW clienthost as yourassetfield

or the inverse:

yourindex yoursourcetype | specify your filters here
| lookup dnslookup clienthost as yourassetfield OUTPUTNEW clientip as youripfield

and in either case continue with:

| stats count by youripfield, yourassetfield
| table youripfield, yourassetfield
| outputlookup nameOflookup.csv append=false

Save this as a report (OUTPUT_IP_Asset_Correlation) and set a schedule on it (daily, weekly, whichever frequency works for you). Then in your actual query, do a lookup against the generated lookup:

yourindex yoursourcetype | specify your filters here
| lookup nameOflookup.csv youripfield as IP OUTPUTNEW host (or whatever field you need it to be)

or

| lookup nameOflookup.csv yourassetfield as Asset OUTPUTNEW host (or whatever field you need it to be)
...

https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Lookup
https://community.splunk.com/t5/Splunk-Search/DNS-Lookup-via-Splunk/m-p/72304
I agree with @ITWhisperer, and your sample JSON looks like an array of objects too. So please share a masked event here.

Meanwhile, I'm sharing a sample query so that you can start on the solution:

| makeresults
| eval params="[{'field1':'value1','field2':'value2','field3':'value3','field4':'value4'}]"
| rename comment as "up to now is sample data only"
| eval params = replace(params, "'", "\"")
| eval _raw = params
| spath

I have handled a single quote here. If you have valid JSON then just remove `| eval params = replace(params, "'", "\"")`.

Thanks
KV
I pasted it exactly as I see it in Splunk search results: the field params is in double quotes, but inside there are single quotes. I know that JSON requires double quotes, but I don't know whether it is only a matter of how Splunk search displays it, or whether it is actually not proper JSON for Splunk (the source for this is a database table, in which it is a proper JSON array with double quotes).
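An added example, not part of either of the two posts above, showing in Python what the `replace(params, "'", "\"")` step in KV's query amounts to, where it breaks, and a safer way to turn the single-quoted text into strict JSON before handing it to something like spath. The sample strings are constructed; the apostrophe case is an assumption about what such data can contain, and the 64 KiB size cap is an arbitrary choice.

```python
import ast
import json

# Constructed sample in the shape described in the thread: a JSON-looking array of
# objects whose keys and values are single-quoted. This is what a Python repr() of a
# list of dicts looks like, and it is not valid JSON.
SAMPLE_PARAMS = "[{'field1':'value1','field2':'value2','field3':'value3','field4':'value4'}]"

# Constructed edge case (assumption): a value that itself contains an apostrophe.
# repr() switches to double quotes for such a string, so a blanket ' -> " swap
# corrupts it into  [{"user": "O"Brien", ...}]
SAMPLE_WITH_APOSTROPHE = "[{'user': \"O'Brien\", 'note': 'ok'}]"

MAX_LEN = 64 * 1024  # refuse oversized blobs before handing them to either parser


def naive_parse(raw: str):
    """What the SPL `replace(params, "'", "\"")` trick amounts to: swap every quote,
    then parse. Returns None when the swapped text is not valid JSON."""
    try:
        return json.loads(raw.replace("'", '"'))
    except json.JSONDecodeError:
        return None


def _json_safe(obj) -> bool:
    """Accept only the literal types JSON can represent (no tuples, sets, bytes...)."""
    if isinstance(obj, dict):
        return all(isinstance(k, str) and _json_safe(v) for k, v in obj.items())
    if isinstance(obj, list):
        return all(_json_safe(v) for v in obj)
    return obj is None or isinstance(obj, (str, int, float, bool))


def robust_parse(raw: str):
    """Try strict JSON first; fall back to ast.literal_eval, which evaluates Python
    literals only (no names, calls or attribute access), so untrusted input cannot
    execute code. Returns None for anything that is not a plain data literal."""
    if len(raw) > MAX_LEN:
        return None
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        pass
    try:
        obj = ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return None
    return obj if _json_safe(obj) else None


def normalise_for_spath(raw: str):
    """Re-serialise as strict JSON, which is what a JSON path extractor such as
    Splunk's spath expects to find in _raw."""
    obj = robust_parse(raw)
    return None if obj is None else json.dumps(obj)


if __name__ == "__main__":
    for s in (SAMPLE_PARAMS, SAMPLE_WITH_APOSTROPHE):
        print("naive :", naive_parse(s))
        print("robust:", normalise_for_spath(s))
```

The quote swap is fine for the four-field sample in the thread but silently fails on any value containing an apostrophe, and at that point spath extracts nothing. Fixing the producer so the field arrives as real JSON (as the poster says it is in the database) is the durable fix; the fallback parser is for data already indexed.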