At the end of your query, add "0" after the sort function. Example:
.... | table _time, accountnumber, field1, etc. | sort 0
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort
It sounds like you want a Key Performance Indicator Dashboard or a summary ERROR-level Dashboard that's light. So, at a high level, define what those KPIs, metrics, or Log_levels might look like and create your searches.

Simple example Summary Dashboard for my LOG_LEVELS:
ERROR_MESSAGES = index=_internal log_level=ERROR NOT debug source=*splunkd.log* | timechart count
WARNING_MESSAGES = index=_internal log_level=WARN NOT debug source=*splunkd.log* | timechart count
INFO_MESSAGES = index=_internal log_level=INFO NOT debug source=*splunkd.log* | timechart count

Based on the above example log counts, you could use the Single Value element with a trend indicator/colour, use the timechart command count for the various values you want to see, and have a link to your detailed dashboards. Have a look here first and see if this is what you might want to do: https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/DashStudio/chartsSV
You can also download the old Splunk dashboard examples app; this also shows you how you can do this for the single value element and many other examples. https://splunkbase.splunk.com/app/1603
index=wineventlog sourcetype=WinEventLog EventCode=4624 user="svc*" | eval EventTime=_time | eval EventTime=strftime(_time, "%m/%d/%Y %H:%M:%S %Z") | stats latest(EventTime) as lastlogon by user | table lastlogon, user
Hello, I've a couple of detailed dashboards, all indicating the health status of my systems. Instead of opening each detailed dashboard and looking at every graph, I would like to have one "Overview Dashboard" in traffic light indication style. If one error would be shown in a detailed dashboard, I would like to have the traffic light at the overview dashboard turn red, with the option to have a drilldown link to the detailed dashboard where the error was found. Any good ideas how one would build something like that? I've one solution, but it seems to be complicated: I would leverage scheduled searches which write into different lookups. The overview dashboard could read from those lookups and search for error codes.
A potential solution: you can create a lookup file that performs a dnslookup of your IP/host, assuming your IP/Asset info is reachable to the same DNS servers as your co-workers.

yourindex yoursourcetype | specify your filters here | lookup dnslookup clientip as youripfield OUTPUTNEW clienthost as yourassetfield
or inverse
| lookup dnslookup clienthost as yourassetfield OUTPUTNEW clientip as youripfield
| stats by youripfield, yourassetfield | table youripfield, yourassetfield | outputlookup nameOflookup.csv append=false

Save this as a report (OUTPUT_IP_Asset_Correlation) and set a schedule for it (daily, weekly, whichever frequency works for you). Then in your actual query, do a lookup against the generated lookup:

yourindex yoursourcetype | specify your filters here | lookup nameOflookup.csv youripfield as IP OUTPUTNEW host (or whatever field you need it to be)
or
| lookup nameOflookup.csv yourassetfield as Asset OUTPUTNEW host (or whatever field you need it to be) ...

https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Lookup
https://community.splunk.com/t5/Splunk-Search/DNS-Lookup-via-Splunk/m-p/72304
I agree with @ITWhisperer, and your sample JSON looks like an array of objects also. So please share a masked event here. Meanwhile, I'm sharing a sample query so that you can start on the solution.

| makeresults | eval params="[{'field1':'value1','field2':'value2','field3':'value3','field4':'value4'}]" | rename comment as "up to now is sample data only" | eval params = replace(params, "'","\"") | eval _raw = params | spath

I have handled a single quote here. If you have valid JSON then just remove `| eval params = replace(params, "'","\"")`.

Thanks
KV
I pasted it the same as I see it in Splunk search results: the field params is in double quotes, but inside there are single quotes. I know that JSON requires double quotes, but I don't know if it is only a matter of how it is displayed in Splunk search, or whether it actually is not proper JSON for Splunk (the source for this is a database table, in which it is a proper JSON array with double quotes).
This isn't JSON, as JSON uses double quotes, not single quotes. Please post an accurate representation of the field you want to extract the data from. Having said that, you should look at the JSON functions new to 9.x, as these would probably be the basis of a solution.
I re-implemented your solutions and found #2 sorted by name. Your solution #3 does indeed sort by value. There is a limitation of 9 or fewer fields/columns due to lexical sorting, and the fields now have an additional ##_ prepended. The limitation of 9 or fewer is significant if you watch a couple of dozen items and rank them. I will accept the answer. I am thinking there is a simpler subsearch to drive the | table projection of the columns and I will continue to look in that direction. For now, I will probably save it as a macro. Thank you.
Hi @bowesmana, my actual requirement is that if the field has empty values then I don't want to show it in the table. For some of the correlationIDs we don't have an ImpconID, so I used the above query to filter the empty values. Now I want to filter the null values from the field. PFA
Hi, my Splunk search results in two fields: Time and Event. Inside the Event field there are multiple searchable fields, one of which is a JSON array as a string like this: params="[{'field1':'value1','field2':'value2','field3':'value3'}]" The above JSON array always has one JSON object, as in the example. I need to extract values for given fields from this JSON object; how can I do that? I figured spath is the way to do this, but none of the solutions I found so far worked, maybe because all the examples were operating on JSON as a string only and in my case it is inside Event as Splunk shows it in search. Can you help?
Your solution is right: jdbc:sqlserver://IP:Port;databaseName=dbname;selectMethod=cursor;encrypt=false;trustServerCertificate=true I resolved my issue, thanks a lot.
Did you understand my comment about the difference between null and empty? Please confirm that these are null values you are talking about rather than empty values, and provide some evidence that you actually have null values. Without that it's impossible to know what is going on.
https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Replicate_a_subset_of_data_to_a_third-party_system should help you.
I tested it at least for the /raw endpoint.
There was a bug with HTTP inputs where it didn't work earlier even though it should have. Nice that it has been fixed and it works with the HTTP input too.
Hi @bowesmana, still the null field values are appearing.
Thanks, that was helpful!
Thank you so much for the responses @bowesmana @ITWhisperer, and a special thanks to @yuanliu. I really apologize for posting the requirement in an unclear manner; I was extremely fatigued yet desperately needed to find the solution. Honestly speaking, I wasn't confident that I would receive a response so quickly and precisely. I sincerely appreciate the community, and individuals like you make this a wonderful forum for discussion. To be part of this community is an honor.
You can use the below Splunk search to check locked out accounts:

sourcetype="wineventlog" (EventCode=4740 OR EventCode=644) | eval src_nt_host=if(isnull(src_nt_host),host,src_nt_host) | stats latest(_time) AS time latest(src_nt_host) AS host BY dest_nt_domain user | eval ltime=strftime(time,"%c") | table ltime, dest_nt_domain, user, host | rename ltime AS "Lockout Time", dest_nt_domain AS Domain, user AS "Account Locked Out", host AS "Workstation"