All Posts

@PickleRick keepin' it real.
Hi @sultanulariff,

We can create a small lookup file containing the Bag Type values:

| makeresults format=csv data="Bag Type
Local
Rush
Transfer"
| outputlookup bag_type_lookup.csv

We can then add the inputlookup command to seed the event stream with all known Bag Type values:

| makeresults format=csv data="
Date,Out Airline,Bag Type,Total Processed
01/05/2024,IX,Local,100
01/05/2024,IX,Transfer,120
02/05/2024,BA,Local,140
02/05/2024,BA,Transfer,160
03/05/2024,IX,Local,150"
| appendpipe
    [ inputlookup append=true bag_type_lookup.csv ``` seed Bag Type values ```
    | eventstats values("Bag Type") as "Bag Type" ``` get all possible values of Bag Type ```
    | stats values("Bag Type") as "Bag Type" by Date "Out Airline" ``` get all combinations of Bag Type by Date and Out Airline ```
    | mvexpand "Bag Type" ``` expand all combinations into separate events ``` ]
| stats sum(eval(coalesce('Total Processed', 0))) as "Total Processed" by Date "Out Airline" "Bag Type" ``` sum Total Processed, replacing null values with 0 ```

Date        Out Airline  Bag Type  Total Processed
01/05/2024  IX           Local     100
01/05/2024  IX           Rush      0
01/05/2024  IX           Transfer  120
02/05/2024  BA           Local     140
02/05/2024  BA           Rush      0
02/05/2024  BA           Transfer  160
03/05/2024  IX           Local     150
03/05/2024  IX           Rush      0
03/05/2024  IX           Transfer  0

We used makeresults to provide test data. In production, we would optimize our base search to summarize results before the appendpipe command, e.g.:

index=foo sourcetype=outbound_airline_bag_type_metrics
| stats count as "Total Processed" by Date "Out Airline" "Bag Type"
| appendpipe
    [ inputlookup append=true bag_type_lookup.csv
    | eventstats values("Bag Type") as "Bag Type"
    | stats values("Bag Type") as "Bag Type" by Date "Out Airline"
    | mvexpand "Bag Type" ]
| stats sum(eval(coalesce('Total Processed', 0))) as "Total Processed" by Date "Out Airline" "Bag Type"
Hi @tscroggins, there are only 3 possible values, i.e. Bag_Type = "Local", "Transfer", "Rush". The requirement is that every flight for a specific date shall have 3 rows with baggage volumes. If any row is missing from the source data, I need to create that particular row with a baggage volume of "0".
That is so wrong and so stupid. If you have a system where each user's home directory is mounted off of a CIFS server on logon (yes, I've seen such systems), should the user's home be owned by root? And that's just one (yes, a bit extreme) example. If that's supposed to be a "best practice", the question is "why". Also, a general "best practice" might not be the best practice for a given situation.
Hi @tscroggins , many thanks for the response. Looks perfect! Will need to try it with the actual data/query and reconfirm. 
Hi @PickleRick, there are three bag_types: 1. Local, 2. Transfer, and 3. Rush. From the actual source data, I do not get all three 'Total Processed' baggage counts every time (i.e. there shall be 3 rows for every single Airline/Date). Hence, if any of the three bag_types is not there, I need to create a row for the missing Bag_Type with Total_Processed=0. I use the above index as the base search query and left join further subqueries. For example, if 03/05/2024,IX,Transfer,0 is missing, I am not able to join the subqueries related to 03/05/2024,IX,Transfer. So I need it as a separate/new row (if the row is missing).
A best practice for my customer isn't a best practice for your customer and vice versa, but in general, if you need to mount a separate file system, I recommend mounting it outside /opt/splunk and either updating Splunk configuration to reference the new location or using symlinks in the /opt/splunk directory tree. The mount point can be owned by root, but once mounted, the file system objects (including the root directory of the mounted file system) should be owned by the splunk user.
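For illustration, a rough sketch of that layout, with hypothetical device and path names (not a definitive procedure):

# create and mount a dedicated volume outside /opt/splunk
mkdir -p /data/splunk-indexes
mount /dev/mapper/vg_data-lv_splunk /data/splunk-indexes
# the mount point may be created by root, but the root of the mounted file system should belong to splunk
chown splunk:splunk /data/splunk-indexes
# reference the new location from the /opt/splunk tree, e.g. with a symlink
# (or update the relevant Splunk configuration to point at /data/splunk-indexes instead)
ln -s /data/splunk-indexes /opt/splunk/var/lib/splunk/my_index_volume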
Hi @dokaas_2,

Hints should be present in either the search or the search log. For example, if the inputlookup or lookup commands are used in the search, the cause may be the file referenced by the lookup. If the error is caused by an automatic lookup, the source lookup should appear in the search log just prior to the error. Here's a contrived example:

05-25-2024 14:06:52.070 INFO CsvDataProvider [421638 searchOrchestrator] - Reading schema for lookup table='bad_csv_header_lookup', file size=32, modtime=1716659989
05-25-2024 14:06:52.070 WARN SearchResultsCSVSerializer [421638 searchOrchestrator] - Corrupt csv header in CSV file , 2 columns with the same name 'bar' (col #5 and #1, #5 will be ignored)

Looking at the definition of bad_csv_header_lookup reveals my purposefully malformed bad_csv_header.csv file. In your error, the column name is empty: ''. If you have access to the Splunk host, you can scan $SPLUNK_HOME for CSV files with an empty column header, which is malformed with or without duplicates:

find /opt/splunk -type f -name "*.csv" -exec sh -c "head -n 1 {} | grep -- ',,' >/dev/null" \; -printf "%p\n"

Some add-ons in Splunkbase ship with malformed CSV lookup files, but the most likely cause is a CSV file without a header row.
Without using JavaScript, it works as expected, but I need to use JavaScript. I'm just assuming that, due to the earliest and latest variables defined in JavaScript, the init block is not working for me. Is there a way to solve this issue?
This is a new instance being installed by a contractor who posited that it's Linux best practice that root owns all mount points.  Internally, a security architect (not a Splunk admin) supported the 'Linux best practice' argument.  In all of my many years of experience with Splunk, or in training, I have never heard of setting root as the owner of mount points within the /opt/splunk folder tree.  So this is a difference of professional opinion and I'm looking for definitive, authoritative consequences of having root as the owner of the mount points.   Often it takes someone outside the organization to validate an item.
The primary consequence is invalidation of assumptions made by Splunk during development. Splunk assumes the owner of the Splunk process has read, write, and execute access on $SPLUNK_HOME and all subdirectories. Invalidating this assumption causes unexpected SplunkWeb exceptions at best and splunkd failures at worst.

It may be more appropriate to ask what problem you're trying to solve by making root both the owner of the mount point and the owner of the mounted file system object. If splunk is the owner of /opt/splunk/var, then splunk can delete (unlink) /opt/splunk/var/lib and /opt/splunk/var/run if lib and run are unmounted and empty.

(Edit: As a friendly aside, you're asking your Splunk administrator(s) and the Splunk community, none of whom presumably work for Splunk or have access to Splunk source code, to validate your assumption that everything will be fine if root owns subdirectories of $SPLUNK_HOME. If you don't trust either party to provide a satisfactory answer, I recommend contacting your Splunk technical account manager or Splunk support. Distrust is a healthy aspect of risk mitigation, but find a party you do trust and verify everyone's assumptions.)
As a brief addendum, if all possible label values are known in advance, it's more efficient to store the values in a lookup file and use the inputlookup command with append=true before the stats command; however, the introduction of any unknown field value, e.g. Date, requires additional logic to produce combinations of known and unknown values.
Hi @sultanulariff,

We can use the appendpipe, eventstats, stats, and mvexpand commands to append a product of the set of Bag Type values by the set of Out Airline and Date values and then use the stats command to summarize the Total Processed:

| makeresults format=csv data="
Date,Out Airline,Bag Type,Total Processed
01/05/2024,IX,Local,100
01/05/2024,IX,Transfer,120
02/05/2024,BA,Local,140
02/05/2024,BA,Transfer,160
03/05/2024,IX,Local,150"
| appendpipe
    [ eventstats values("Bag Type") as "Bag Type" ``` get all possible values of Bag Type ```
    | stats values("Bag Type") as "Bag Type" by Date "Out Airline" ``` get all combinations of Bag Type by Date and Out Airline ```
    | mvexpand "Bag Type" ``` expand all combinations into separate events ``` ]
| stats sum(eval(coalesce('Total Processed', 0))) as "Total Processed" by Date "Out Airline" "Bag Type" ``` sum Total Processed, replacing null values with 0 ```

Date        Out Airline  Bag Type  Total Processed
01/05/2024  IX           Local     100
01/05/2024  IX           Transfer  120
02/05/2024  BA           Local     140
02/05/2024  BA           Transfer  160
03/05/2024  IX           Local     150
03/05/2024  IX           Transfer  0

This example will only append missing Bag Type values. It can be expanded to append any combination of Date, Out Airline, and Bag Type values. We can also convert Date to a time value and use the makecontinuous command to generate spans of dates prior to appending and summarizing combinations.
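As a minimal sketch of the makecontinuous idea (assuming Date is in %d/%m/%Y format; the sample data doesn't distinguish day from month):

| makeresults format=csv data="
Date,Out Airline,Bag Type,Total Processed
01/05/2024,IX,Local,100
03/05/2024,IX,Local,150"
| eval _time=strptime(Date, "%d/%m/%Y") ``` convert Date to a time value ```
| makecontinuous _time span=1d ``` generate empty results for the missing days ```
| eval Date=strftime(_time, "%d/%m/%Y") ``` convert back to the original Date format ```
| fields - _time

The generated rows would still need Out Airline and Bag Type populated, e.g. with the appendpipe/mvexpand pattern above, before the final stats command.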
Thanks. Can you give me any specific issues that might arise if the non-root user 'splunk' can't write into the /opt/splunk/var/run folder? (This is a search head in a cluster.) As well, what about the /opt/splunk/var/lib folder on an indexer? Note that buckets are actually stored in /opt/splunk/var/lib/splunk/.
Thanks.  Can you give me any specific issues that might arise if the non-root user 'splunk' can't write into the /opt/splunk/var/run folder?  (this is a search head in a cluster)
I'm seeing errors such as:

Corrupt csv header in CSV file , 2 columns with the same name '' (col #12 and #8, #12 will be ignored)

but I can't find a reference to which CSV file is causing this error. Does anyone have any guidance on how to find the offending CSV file?
Please don't spam the same question in multiple places. As to your question - check the original event which triggers your notable and see whether it is truncated. If it is, you might need to tweak your ingestion parameters so that a longer part of the event is retained.
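For example, if the event is being cut by the default truncation limit, a props.conf sketch on the parsing tier might look like this (the sourcetype name is a placeholder, and the limit should exceed your longest expected event):

[my:notable:sourcetype]
TRUNCATE = 50000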
Ugh. That's bad. While @richgalloway 's solution should work (you can try to be even more explicit with a more precise definition of the timestamp format for linebreaking), you'll be getting some ugly trailers on some of your events. Also, since these are the contents of a json field, some characters will most probably be escaped. It would be best if you managed to:

1) Work with the source side so that you get your events in a more reasonable way (without all this json overhead) - preferred option

2) If you can't do that, use a pre-processing step in the form of an external script/tool/whatever which will "unpack" those jsons and just leave you with raw data.
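As a sketch of option 2, assuming each input line is a JSON object that wraps the original event in a hypothetical message field, a jq one-liner could strip the wrapper before the file is monitored (file names are placeholders):

# extract the raw event text from each JSON-wrapped line
jq -r '.message' wrapped_events.json > raw_events.log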
There are many threads about migrating environments in different scenarios. Use the search. The general idea is that your environment should be consistent in terms of the OS used and its version, but there is no explicit requirement that the SH tier must be on the same OS distribution as the indexer tier (although it is of course best to have a relatively homogeneous environment for maintenance reasons) or that the DS must be on the same OS as the SHs.
Regardless of whether you mean the loadjob as some form of batch ingesting events or an actual invocation of Splunk's loadjob command, the typical approach to filtering events by the contents of a lookup is to use a lookup to assign a field value and then filter on that value. This way you'll get only those events that do have the wanted values. Keep in mind though that:

1) You still need to read all matching "before lookup" events, so if you're filtering to a very small subset of events, another approach might be better.

2) If your lookup is big, indeed moving to KVstore can be the thing to do.

Anyway, this is the approach:

<your initial search>
| lookup mylookup.csv lookupfield AS eventfield OUTPUT lookupfield AS somefieldwewanttofilterby
| where isnotnull(somefieldwewanttofilterby)
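For example, with a hypothetical lookup allowed_hosts.csv keyed on a host column:

index=foo sourcetype=bar
| lookup allowed_hosts.csv host OUTPUT host AS allowed_host ``` matching events get allowed_host populated ```
| where isnotnull(allowed_host) ``` keep only events whose host appears in the lookup ```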