All Posts

Our servers are in Germany but Splunk time is 2 hr ahead. Why is that? For example, the event creation is at 5:02 am German time, but in Splunk it is showing 3:02 am. Any solutions?
Hi @gcusello, I am really unable to find my role, but all I understand is that I don't have all the required permissions. Any suggestion on what kind of role will let me edit permissions for a dashboard?
Hello @gcusello, see below where I show the .spl file name and download date. I believe I currently have the latest version of ES. Cheers, splunky_diamond
Hi, thanks for your explanation. I'll review and rewrite my other search query statements. Thanks.
Hi Team,

We have P1 Splunk alerts generated based on event ID 12320, triggered from the following servers:
scwdxxxxx0009
scwdxxxxx0008
scwpxxxxx0002
scwpxxxxx0001

Recently, we identified that we have a 24-hour suppression time for the alert, which led to a critical incident. To address this issue, the user has requested a reduction in the suppression time for the alert. The goal is to eliminate suppression unless the previously triggered alert is still open. If there are no open P1 tickets for event ID 12320, there should not be any suppression of the generation of new tickets.

Current Alert Configuration

We have one alert in Splunk, and we are using the following query:

Splunk query:
index=winevent sourcetype="WinEvent:*" ((host="scwpxxxxx0001*" OR host="scwdxxxxx0008*" OR host="scwdxxxxx0009*" OR host="scwpxxxxx0002*") AND (EventCode=12320))
| eval assignment_group = "ABC IT - Computing Services"
| eval host=lower(mvindex(split(host,"."),0))
| eval correlation_id=strftime(_time,"%Y-%m-%d %H:%M:%S").":".host
| eval short_description=case((host="scwpxxxxx0001" OR host="scwdxxxxx0008"),"Microsoft AAD Proxy Connector - Prod not able to connect due to network issues.",(host="scwdxxxxx0009" OR host="scwpxxxxx0002"),"Microsoft AAD Proxy Connector - Dev not able to connect due to network issues.", 1=1, 0 )
| eval category="Application", subcategory="Repair/Fix", contact_type="Event", state=4, ci=host, customer="no573", impact=1, urgency=1, description="Event Code ".EventCode." encountered on host ".host." at ".strftime(_time,"%m/%d/%Y %H:%M:%S %Z")." SourceName:".SourceName." Log Name: ".LogName." TaskCategory:".TaskCategory." Message=".Message." 
Ticket generated on SNOW at ".strftime(now(),"%m/%d/%Y %H:%M:%S %Z")
| table host, short_description, assignment_group, impact, urgency, category, subcategory, description, ci, correlation_id

Alert Type: Scheduled
Schedule: Run on cron schedule: */30 * * * * (every 30 minutes)
Time Range: Last 4 hours
Expiration: 24 hours
Throttle: Enabled
Suppress results containing field value: host, EventCode
Suppress triggering for: 24 hours
Trigger Actions: ServiceNow Incident Integration

How can we suppress the alert as per the requirement? Please help us here. Thank you.
Hi, I have seen a steady increase in perfmon events or data in the past 30 days. The number of hosts has been about the same and overall production activity is the same. There was one host added during the 30-day time frame. I thought that host may have been the cause of the increase. But that new host is not even in the top 10 most active hosts. The amount of overall perfmon data in proportion to the wineventlog data is increasing. Please see the attached chart. Perfmon is represented with the brown bar, wineventlog is the green bar. I'm asking for any ideas that would help me in identifying the cause of this change. Thank you in advance for any help.
They are blank. I was under the impression these are for showing the contributing events. Although I am trying to get the "Incident Review" to only show those notables in the list, instead of all notables.
This also worked for me. Upgrade from 9.0.4 to 9.2.1
Hi Team, I have generated dynamic URLs using the lookup and added them in the field value of the table. Now I need to make those dynamic URLs into hyperlinks so that we don't have to manually copy and paste the URL in the browser every time. I modified the source code as below, but it is working. Please assist on this. Thank you.

"visualizations": {
    "viz_abc123": {
        "type": "splunk.table",
        "options": {
            "count": 5000,
            "dataOverlayMode": "none",
            "drilldown": {
                "condition": {
                    "field": "URL",
                    "link": "$row.URL|n$"
                }
            },
            "backgroundColor": "#FAF9F6",
            "tableFormat": {
                "rowBackgroundColors": "> table | seriesByIndex(0) | pick(tableAltRowBackgroundColorsByBackgroundColor)",
                "headerBackgroundColor": "> backgroundColor | setColorChannel(tableHeaderBackgroundColorConfig)",
                "rowColors": "> rowBackgroundColors | maxContrast(tableRowColorMaxContrast)",
                "headerColor": "> headerBackgroundColor | maxContrast(tableRowColorMaxContrast)"
            },
            "showInternalFields": false,
            "columnFormat": {
                "Duration(Secs)": {
                    "data": "> table | seriesByName(\"Duration(Secs)\") | formatByType(Duration_Secs_ColumnFormatEditorConfig)",
                    "rowColors": "> table | seriesByName(\"Duration(Secs)\") | rangeValue(Duration_Secs_RowColorsEditorConfig)"
                },
                "Duration(Mins)": {
                    "data": "> table | seriesByName(\"Duration(Mins)\") | formatByType(Duration_Mins_ColumnFormatEditorConfig)",
                    "rowColors": "> table | seriesByName(\"Duration(Mins)\") | rangeValue(Duration_Mins_RowColorsEditorConfig)"
                }
            }
        },
If the app is not supported, you could still use it, but that's a risk you have to take. Other options are: look at the SolarWinds application and find out what methods it offers in terms of sending data to other systems; this could be syslog, log files, or an API. Once you understand this, you need to look at the options you have in Splunk, so look at using a Universal Forwarder with syslog file collection, or use the UF to collect log files, or send data from the SolarWinds app to a Splunk HEC endpoint. After this you can develop your TA to work on the props and transforms to format the data into Splunk events. Also try to understand the data you want, for example, is it alerts, inventory, etc.
Thank you for the quick turnaround. I just missed the OUTPUT.
1) Avoid join where possible - it is expensive on resources and slow.
2) It depends on your comparison: https://docs.splunk.com/Documentation/SCS/current/SearchReference/WhereCommandUsage#Comparing_two_fields
Hello All, I am using | jirarest to fetch tickets from JIRA search results into Splunk. In JIRA I have around 300 tickets, but when I try to fetch them in Splunk only 50 are returned. I tried to add maxResults=1000, but I got 100 tickets. I tried to search about it and found that in JIRA Cloud, if we have more than 100 items to return, we have to iterate through them in batches using startAt. But the challenge is that I am unable to find any way of running the iteration, since I only get 50 tickets and not more on which I could run the iteration. Thus, I need your guidance on how to build a solution or workaround in Splunk to fetch all tickets. Thank you, Taruchit
Hi, thanks for your solution, it's very useful. I also have a question about:
1. when to use join and append
2. when to use search and where, like search oid!="" vs. where isnotnull(orderId)
Thanks.
Try like this (or put the fields in the if function in single quotes):

| spath path=log.content output=content
| eval content=json_array_to_mv(content)
| mvexpand content
| spath input=content path=status
| spath input=content path=serviceCart.serviceItems{}.serviceType output=serviceType
| eval Service=if((serviceType="OIL" OR serviceType="TIRE") AND status="CANCELLED", "Cancelled", if((serviceType="OIL" OR serviceType="TIRE") AND status="BAY", "Bay", null()))
I tried that, but my range values are "over" and "under", which rangeValues did not accept. I also tried replacing the strings with numeric [1,0] values, but no luck with this either. Do you have any suggestion based on what might have worked for you in case of a similar use case?
Within the JSON under the node "content" there is another array where I need to access the value serviceCart.serviceItems{}.serviceType ("serviceType"), as shown here:

\"serviceCart\":{\"serviceItems\":[{\"id\":\"5a92-97304651e9fe\",\"iteId\":\"370122\",\"name\":\"High mileage featured\",\"upc\":\"999\",\"quantity\":0,\"serviceType\":\"OIL_AND_LUBE\",\"components\":[{\"componentType\":\"OIL\",\"product\":{\"itId\":\"99\",\"upc\":\"00071611012225\",\"name\":\"Pennzoil High Mileage 5W20 Motor Oil Ecobox, 1 Quart -\",\"quantity\":5.900,\"retailPrice\":20.72,\"cusredit\":0,\"includedQuantity\":5,\"attributes\":[{\"key\":\"brand\",\"value\":\"Pennzoil\"}]},\"configurations\":[]},{\"componentType\":\"OIL_FILTER\",\"product\":{\"itemId\":\"100992364\",\"upc\":\"00060223\",\"name\":\"FRAM Core 11665 Oil Filter - Offer Valid for In-store Oil Change Only Fits select: 2014-2018 JEEP, 2015-2019 JEEP UNLIMITED\",\"quantity\":1,\"retailPrice\":1.52,\"customerCredit\":0,\"includedQuantity\":1,\"attributes\":[{\"key\":\"brand\",\"value\":\"FRAM\"}]}

Using the same technique above I am not able to obtain the value. Here's what I tried:

| spath path=log.content output=content
| eval content=json_array_to_mv(content)
| mvexpand content
| spath input=content path=status
| spath input=content path=serviceCart.serviceItems{}.serviceType
| eval Service=if((serviceCart.serviceItems{}.serviceType="OIL" OR serviceCart.serviceItems{}.serviceType="TIRE") AND status="CANCELLED", "Cancelled", if((serviceCart.serviceItems{}.serviceType="OIL" OR serviceCart.serviceItems{}.serviceType="TIRE") AND status="BAY", "Bay", null()))
| where isnotnull(Service)
| stats count by Service

But "serviceType" is empty in the ternary check. However, when I check it in "table serviceCart.serviceItems{}.serviceType" I see the value. I tried using mvexpand on the array "serviceCart.serviceItems" (not shown above) as well, but it is still empty.
You need to use strptime() to parse the time string into an epoch time.
If you use <option name="rangeColors" />, shouldn't you also define <option name="rangeValues" />? Without values, Splunk will not know which color you want to pick.
My test is on a basic installation on my laptop. CIDR match works as is. Maybe delete that lookup and redo it? Do you use the UI or edit transforms.conf directly? If you use the UI, maybe post the part where you set up CIDR match? Is there a mismatch between the field name in the CIDR setup and the actual file header? I already showed my test file content and the lookup stanza in transforms.conf. Here they are from the UI: Also avoid bad entries like *.* in the file. I don't know if that will ruin CIDR match, but why take the risk.