All Posts
Hi @SSJMBP you can use the IN operator when you want to determine if a field contains one of several values. This can make your search queries cleaner and easier to read.

For example, instead of using multiple OR conditions, you can use:

sourcetype="fraud_detection.csv" fraud="1" gender IN ("F", "M")

This ensures that the filter applies correctly to include events with either gender "F" or "M". Ref: Search Reference

Additionally, as already suggested by ITWhisperer, please always try to include a few anonymized example events. This makes it easier for all contributors to understand the dataset you are working with and provide more accurate support.

best regards,
That isn't a JSON object, so you could try using rex to parse it - you could try something like this:

| rex max_match=0 "'(?<field>\w+:\s[^']+)'"
| mvexpand field
| rex field=field "(?<name>\w+):\s(?<value>.*)"
| eval {name} = value
| fields - name value
| stats values(*) as * by _raw
Assuming it is releaseyear that has the multiple values, you could try mvexpand:

| inputlookup abc.csv
| table name published
| lookup def.csv name as name OUTPUT releaseyear
| mvexpand releaseyear
If your Time field is actually an _time field then it will be in epoch format (number of seconds since 1970). If that is the case, then you could try formatting (rather than parsing) - something like this for later than 12:30 pm:

<colorPalette type="expression">if(tonumber(strftime(value,"%H%M%S"))>123000, "#A2CC3E", "#F58F39")</colorPalette>
The filter applies to each event, so if you want to keep an event that has either M* or F*, you need to use OR, e.g.

sourcetype="fraud_detection.csv" fraud="1" (gender="F'" OR gender="M'")

I don't know your data but I am assuming the single quote is part of the gender field. If not, it would be useful if you could share some anonymised events in a code block </> so we can see what it is that you are dealing with.
Hey all, I'm new to Splunk and only have basic knowledge of Python/Scripting and RegEx. I'm trying to build my hands-on skills right now by doing a job simulation on The Forage for the Commonwealth Bank. In the first part of the simulation we're required to pull multiple sets of data to create a dashboard with different charts to show fraud attempts by various data sets. The one I'm stuck on is we're asked to pull a chart on "Which gender performed the most fraudulent activities and in what category?"

I'm trying to use:

sourcetype="fraud_detection.csv" fraud="1" gender="F'" gender="M'" | stats count values(fraud) values(age) by category

but the search only accepts one gender argument, either gender="F'" or "M'", for some reason. I've tried using gender="M'" AND gender="F'", gender="F'" + gender="M'", gender="F' + M'" but I can't quite figure it out. I've looked into joining data but I'm not sure that's the solution I'm after? Any help would be appreciated.
Hi Team, Please let me know how to add a color to the time format as below. The one below is not matching the requirement.

<colorPalette type="expression">if(strptime(value,"%H:%M:%S")>"25200", "#A2CC3E", "#F58F39")</colorPalette>

Time (value in Time field)   Expected color
25-05-2024 19:06             Red
25-05-2024 22:10             Red
25-05-2024 22:16             Red
26-05-2024 06:50             Green
26-05-2024 06:52             Green
26-05-2024 11:50             Green
26-05-2024 11:52             Green
27-05-2024 07:09             Red
27-05-2024 07:10             Red
27-05-2024 11:52             Green
27-05-2024 11:57             Green

Thanks in Advance!
Hi, I'm trying to join two lookups based on the name field. Here's what I have:

|inputlookup abc.csv
|table name published
|lookup def.csv name as name OUTPUT releaseyear

When I run this, I get multiple values in the field. How do I get rid of these multiple values and ensure only one value per field? Thanks!
That will give you one solution, but the other is more generalized:

| makeresults count=100
| streamstats count
| eval count=count-1
| rename count as x
| eval y1=pow(x-50, 2)+25, y2=-pow(x-30, 2)+1000
| table x y1 y2
``` end sample data ```
| eval dy=y2-y1
| autoregress dy
| where dy==0 OR abs(dy)/dy!=abs(dy_p1)/dy_p1
| fields - dy dy_p1

x    y1    y2
21   866   919
60   125   100

If we find the intersections outside Splunk we get:
x ~ 20.315, y ~ 906.2
x ~ 59.685, y ~ 118.8
Hi, I was able to receive notifications and alerts from AppDynamics in my Zabbix and Grafana (Minerva) console. I wanted to know if it is possible to integrate metrics between AppDynamics and Minerva and generate a Dashboard for each application.
Hi, I am completely new to Splunk and have to parse a field that looks like this:

params="['field1: value1', 'field2: value2', 'field3: value3']"

(note the spaces after the colons) - I have to extract field1, field2, field3 to be searchable - can you help with what query I should write?
Please explain what is meant by "it is not working".  What results do you get and how do they not meet your expectations? The exclude_message field will be null if the lookup fails to find a match.
I have a Splunk query which returns these 2 sets of events.

1) domain_name="abc" microservice_name="test" message=[WEB] ERROR RESPONSE : NO_DOCUMENTS_FOUND ->
2) domain_name="abc" microservice_name="test" message=[WEB] ERROR RESPONSE : GUID_EXPIRED

My vtest.csv lookup looks like below:

domain_name; microservice_name; message
abc; test; NO_DOCUMENTS_FOUND

I am using the below query to exclude the 1st set of events. I have created a WILDCARD(message) match_type.

| lookup vtest message OUTPUT message as exclude_message
| search NOT (exclude_message="*")

But it is not working, and I don't get any fields in "exclude_message" as well. Kindly help.
Build it with Dashboard Studio. You can add Markdown panels that take whatever text you provide, and then enable the Interaction for Link to Dashboard.
I want to create a menu dashboard which contains 3 boxes in a row. If I click on any box it should navigate to my destination dashboard. I don't want any image, just text (the other dashboards' names) in the box.
@Iñigo, we finally customized the HTTP app by just using the authentication taken from Graph apps. In our opinion, there is really no doubt about what is wrong: if you can specify a payload in OAuth and if HTTP supports OAuth, it must definitely provide the option to insert a payload, otherwise we can safely say that the app does not really support OAuth. However, waiting for Splunk to understand and acknowledge such a thought is like waiting for a miracle, so we proceeded to customize the app.
Hi @zoe, building on previous suggestions from "gcusello & tscroggins", especially that sometimes y1 and y2 might not be exactly equal but rather close to each other, I would use the following method to find the closest intersections:

| eval diff=abs(y1 - y2)
| sort diff
| head 1
| table _time, y1, y2, diff

From there, you can use another diff (if needed) to calculate the actual difference between the numbers stored in the y1 and y2 fields.

Search Ref:
Function: abs
Command: sort
Command: head

best regards,
Hi @drew19, did you manage to use the HTTP app with Azure authentication? We opted for the app customization path like @phanTom and it certainly is a pain to maintain if you want to keep tabs on the out-of-the-box app(s). In the end it's just a custom app, just as if you had made it from scratch, with its advantages and issues. We are using Power Automate more and more since MS integrated proper authentication for their flows, and for this matter we just need very simple POST and GET actions, but authenticated. Nothing more and nothing less. I got the same results as you when trying to authenticate. Creating an additional app, even one this simple, just to pass an additional parameter for OAuth seems like reinventing the wheel.
So we did a little more digging. The magic in this case is called "channelAccess". This setting basically grants access to specific event logs for "normal user" accounts. High value event logs, for example the security event log, are only available for higher privileged accounts. The sysmon event log is considered "high value". So when you check the "channelAccess" settings you get this by default:

But Microsoft allows you to modify this setting. So we modified the "channelAccess" settings based on the "powershell operational" settings:

After you set the setting, restart the SplunkForwarder Service. And voila - you have access to the sysmon event log without adding the virtual account to a specific group.
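The channelAccess change described in the post above, as an added example that is not the poster's own script: it reads the channelAccess SDDL of both channels with wevtutil, shows which ACEs the Sysmon channel would gain, and only writes the new descriptor when -Apply is given. It assumes an elevated PowerShell session on the forwarder host and that the forwarder service is named SplunkForwarder, as in the post.

```powershell
# Added example (not from the original post). Compares the channelAccess SDDL of the
# Sysmon Operational channel with the PowerShell Operational channel, then copies it
# only when -Apply is passed, so the change can be reviewed first.
# Assumes: elevated session, wevtutil.exe on PATH, service name SplunkForwarder.
param(
    [string]$SourceChannel = 'Microsoft-Windows-PowerShell/Operational',
    [string]$TargetChannel = 'Microsoft-Windows-Sysmon/Operational',
    [switch]$Apply
)

function Get-ChannelAccessSddl {
    param([Parameter(Mandatory)][string]$Channel)
    # "wevtutil gl" prints one "key: value" line per channel property
    $line = & wevtutil.exe gl $Channel | Where-Object { $_ -match '^\s*channelAccess:' }
    if (-not $line) { throw "No channelAccess entry returned for channel '$Channel'" }
    return ($line -replace '^\s*channelAccess:\s*', '').Trim()
}

function Get-SddlAces {
    param([Parameter(Mandatory)][string]$Sddl)
    # Each ACE in the DACL is a parenthesised tuple: (type;flags;rights;;;sid)
    [regex]::Matches($Sddl, '\(([^)]*)\)') | ForEach-Object { $_.Groups[1].Value }
}

$sourceSddl = Get-ChannelAccessSddl -Channel $SourceChannel
$targetSddl = Get-ChannelAccessSddl -Channel $TargetChannel

Write-Host "Current ACEs on $TargetChannel :"
Get-SddlAces $targetSddl | ForEach-Object { Write-Host "  $_" }

Write-Host "ACEs that would be added from $SourceChannel :"
Compare-Object (Get-SddlAces $targetSddl) (Get-SddlAces $sourceSddl) |
    Where-Object SideIndicator -eq '=>' |
    ForEach-Object { Write-Host "  + $($_.InputObject)" }

if ($Apply) {
    # /ca: replaces the channel's access descriptor; the forwarder must be restarted to pick it up
    & wevtutil.exe sl $TargetChannel "/ca:$sourceSddl"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }
    Restart-Service -Name SplunkForwarder
    Write-Host "Applied channelAccess of $SourceChannel to $TargetChannel and restarted SplunkForwarder"
} else {
    Write-Host "Dry run only: re-run with -Apply to change $TargetChannel"
}
```

Copying the whole descriptor gives every principal listed in the PowerShell channel's ACL the same rights on the Sysmon channel, so review the printed ACE list before applying. A narrower variant keeps the Sysmon channel's existing descriptor and appends only a read ACE for the forwarder's virtual account.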
Hello friends, last week we updated a few apps based on feedback from the Upgrade Readiness App. Admittedly, the apps were forgotten about for about a year. Yet, we are receiving e-mail notifications about deprecated jQuery or Python versions for the given apps. Since all the apps are "Built by Splunk Inc.", I have a feeling this should not be the case. Is it safe to [Dismiss App Alert] in the Upgrade Readiness App? Will the alert re-appear after the next scan?