index=abc sourcetype=abc | timechart span=1m eval(count(IP)) AS TimeTaken Now I want to get the 95th percentile of this total IP count, like below. | stats perc95(TimeTaken) as Perc_95 by IP So how should I write this query?
Hi, I have a JSON file in Splunk with an arguments{} field like this: field1=[content_field1] field2=[content_field2] field3=[content_field3] Splunk doesn't recognize the fields field1 etc. I assume it is because this is not really JSON format, but I want to be sure. I can extract the fields with rex, but it would be better if Splunk could recognize the fields automatically. I think the content of the log file should be something like this: arguments{}:{"field1":"content_field1", "field2":"content_field2", "field3":"content_field3"} but I want to be sure that's the best way (because if it is, the logging has to be changed). Does Splunk recognize the fields automatically if events are logged in this way? Is the above the best way, or are there better ways to let Splunk recognize the fields automatically?
Thank you, I had to play around with my search a bit, but this overall syntax was the trick
Maybe I misunderstand your question, but it's simple: index=testing field1="write" field2="*@abc.com" | table field1, field2, .... If "@abc.com" is a user name and not a domain (as I assume), you do not need to put the wildcard (*) before it. If you put it, it will match every user with @abc.com, like user1@abc.com, user2@abc.com... Alternative: index=testing | stats count by field1 field2 | search field1="write" AND field2="*@abc.com" Regards,
How can I type it? I tried the sum function, but it results in the value A+B+C.
This is showing that the fields have been extracted incorrectly. Yet again I ask if you could please share the configurations which are being used to extract the fields for this sourcetype. This is likely to be where your problem lies, so if you want a resolution, you are going to have to give us more information.
Please paste the text (not an image) of the search into a code block (otherwise it is too small to be read easily).
Hi Team, could you please help me with installing the pandas module for Phantom. Regards, Harisha
I have observed one more thing with these failed events. In the event section, usually at the end of each event, the default fields like host, sourcetype, etc., are appended and displayed. Similarly, in addition to those default fields, I could see the Request_ID field is also displayed in that section after each event. In that place I could see the format of Request_ID is in an unexpected form. Please check the screenshot below (after the field CT=1, the section of default fields is shown).
Hi, please find the image below.
As I said, these look like two different sourcetypes and should be treated as such.
So it looks like it is to do with how the fields are extracted. Please can you share these details?
Please share some of the events which are being returned incorrectly (anonymised appropriately).
@ITWhisperer I am not using the TIME_FORMAT attribute here, so probably it should work? Please share your thoughts.
Actually, I have shared a picture of the raw event of the failed ones only (I just masked the confidential fields). They look similar to the other events which work.
Yes, I can see the output. However, the search returns results based on the string mentioned in the bracket, and additionally it returns most other user ids, for example @abc.com, @test.com, testing.@test.co
Also, you shared (a picture of) an event which works, but not one which doesn't. Please can you share the raw text of a "failing" event in a code block (rather than a picture)? You can obfuscate any sensitive details as appropriate.
I am using just the table command: index=main host=* sourcetype=* source=* | table _time, Request_id, Future_id
Ideally, these should be ingested as different sourcetypes so that different parsing can be associated with the different formats.