All Posts

They are blank. I was under the impression these are for showing the contributing events. Although I am trying to get the "Incident Review" to only show those notables in the list, instead of all notables.
This also worked for me. Upgrade from 9.0.4 to 9.2.1
Hi Team, I have generated dynamic URLs using the lookup and added them in the field value of the table. Now I need to make those dynamic URLs hyperlinks so that we don't have to manually copy and paste the URL in the browser every time. I modified the source code as below, but it is working. Please assist on this. Thank you.

"visualizations": {
    "viz_abc123": {
        "type": "splunk.table",
        "options": {
            "count": 5000,
            "dataOverlayMode": "none",
            "drilldown": {
                "condition": {
                    "field": "URL",
                    "link": "$row.URL|n$"
                }
            },
            "backgroundColor": "#FAF9F6",
            "tableFormat": {
                "rowBackgroundColors": "> table | seriesByIndex(0) | pick(tableAltRowBackgroundColorsByBackgroundColor)",
                "headerBackgroundColor": "> backgroundColor | setColorChannel(tableHeaderBackgroundColorConfig)",
                "rowColors": "> rowBackgroundColors | maxContrast(tableRowColorMaxContrast)",
                "headerColor": "> headerBackgroundColor | maxContrast(tableRowColorMaxContrast)"
            },
            "showInternalFields": false,
            "columnFormat": {
                "Duration(Secs)": {
                    "data": "> table | seriesByName(\"Duration(Secs)\") | formatByType(Duration_Secs_ColumnFormatEditorConfig)",
                    "rowColors": "> table | seriesByName(\"Duration(Secs)\") | rangeValue(Duration_Secs_RowColorsEditorConfig)"
                },
                "Duration(Mins)": {
                    "data": "> table | seriesByName(\"Duration(Mins)\") | formatByType(Duration_Mins_ColumnFormatEditorConfig)",
                    "rowColors": "> table | seriesByName(\"Duration(Mins)\") | rangeValue(Duration_Mins_RowColorsEditorConfig)"
                }
            }
        },
If the app is not supported, you could still use it, but that's a risk you have to take. Other options are: look at the Solarwinds application and find out what methods it offers in terms of sending data to other systems; this could be syslog, log files, or an API. Once you understand this, you need to look at the options you have in Splunk, so look at using a Universal Forwarder with syslog file collection, or use the UF to collect log files, or send data from the Solarwinds app to a Splunk HEC endpoint. After this you can develop your TA to work on the props and transforms to format the data into Splunk events. Also try to understand the data you want, for example, is it alerts, inventory, etc.
Thank you for the quick turnaround. I just missed the OUTPUT.
1) avoid join where possible - it is expensive on resources and slow
2) it depends on your comparison https://docs.splunk.com/Documentation/SCS/current/SearchReference/WhereCommandUsage#Comparing_two_fields
Hello All, I am using | jirarest to fetch tickets from JIRA search results into Splunk. In JIRA I have around 300 tickets, but when I try to fetch them in Splunk only 50 are returned. I tried to add maxResults=1000, but I got 100 tickets. I tried to search about it and found that in JIRA Cloud, if we have more than 100 items to return, we have to iterate through them in batches using startAt. But the challenge is I am unable to find any way of running the iteration, since I only get 50 tickets and not more on which I could run the iteration. Thus, I need your guidance on how to build a solution or workaround in Splunk to fetch all tickets. Thank you, Taruchit
Hi, thanks for your solution, it's very useful. I also have a question about 1. when to use join and append, 2. when to use search and where, like search oid!="" vs. where isnotnull(orderId). Thanks.
Try like this (or put the fields in the if function in single quotes)

| spath path=log.content output=content
| eval content=json_array_to_mv(content)
| mvexpand content
| spath input=content path=status
| spath input=content path=serviceCart.serviceItems{}.serviceType output=serviceType
| eval Service=if((serviceType="OIL" OR serviceType="TIRE") AND status="CANCELLED", "Cancelled", if((serviceType="OIL" OR serviceType="TIRE") AND status="BAY", "Bay", null()))
I tried that, but my range values are "over" & "under", which rangeValues did not accept. I also tried replacing the strings with numeric [1,0] values, but no luck with this either. Do you have any suggestion based on what might have worked for you in case of a similar use case?
Within the JSON under the node "content" there is another array where I need to access the value serviceCart.serviceItems{}.serviceType, "serviceType", as shown here:

\"serviceCart\":{\"serviceItems\":[{\"id\":\"5a92-97304651e9fe\",\"iteId\":\"370122\",\"name\":\"High mileage featured\",\"upc\":\"999\",\"quantity\":0,\"serviceType\":\"OIL_AND_LUBE\",\"components\":[{\"componentType\":\"OIL\",\"product\":{\"itId\":\"99\",\"upc\":\"00071611012225\",\"name\":\"Pennzoil High Mileage 5W20 Motor Oil Ecobox, 1 Quart -\",\"quantity\":5.900,\"retailPrice\":20.72,\"cusredit\":0,\"includedQuantity\":5,\"attributes\":[{\"key\":\"brand\",\"value\":\"Pennzoil\"}]},\"configurations\":[]},{\"componentType\":\"OIL_FILTER\",\"product\":{\"itemId\":\"100992364\",\"upc\":\"00060223\",\"name\":\"FRAM Core 11665 Oil Filter - Offer Valid for In-store Oil Change Only Fits select: 2014-2018 JEEP, 2015-2019 JEEP UNLIMITED\",\"quantity\":1,\"retailPrice\":1.52,\"customerCredit\":0,\"includedQuantity\":1,\"attributes\":[{\"key\":\"brand\",\"value\":\"FRAM\"}]}

Using the same technique above I am not able to obtain the value. Here's what I tried.

| spath path=log.content output=content
| eval content=json_array_to_mv(content)
| mvexpand content
| spath input=content path=status
| spath input=content path=serviceCart.serviceItems{}.serviceType
| eval Service=if((serviceCart.serviceItems{}.serviceType="OIL" OR serviceCart.serviceItems{}.serviceType="TIRE") AND status="CANCELLED", "Cancelled", if((serviceCart.serviceItems{}.serviceType="OIL" OR serviceCart.serviceItems{}.serviceType="TIRE") AND status="BAY", "Bay", null()))
| where isnotnull(Service)
| stats count by Service

But "serviceType" is empty in the ternary check. However, when I check it in "table serviceCart.serviceItems{}.serviceType" I see the value. I tried using mvexpand on the array "serviceCart.serviceItems" (not shown above) as well, but it is still empty.
You need to use strptime() to parse the time string into an epoch time.
If you use <option name="rangeColors" />, shouldn't you also define <option name="rangeValues" />? Without values, Splunk will not know which color you want to pick.
My test is on a basic installation on my laptop. CIDR match works as is. Maybe delete that lookup and redo it? Do you use the UI or edit transforms.conf directly? If you use the UI, maybe post the part where you set up CIDR match? Is there a mismatch between the field name in the CIDR setup and the actual file header? I already showed my test file content and the lookup stanza in transforms.conf. Here are from the UI: Also avoid bad entries like *.* in the file. I don't know if that will ruin CIDR match, but why take the risk.
Hi @gcusello, I tried it the way you suggested; it is working while uploading a sample log, however the same config is not working on live data. Here is the props.conf:

[ __auto__learned__ ]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]*){\"event\"\:\{\"
NO_BINARY_CHECK=true
Hello, no, start time is in this format 2024-05-20T04:00:53.847Z and after the eval the result is the same 2024-05-20T04:00:53.847Z! How to put it in epoch time and transform it? Thanks, Laurent
Yes, I copy-pasted the same payLoadInterface into the CSV file. But I don't know why it is not coming. And how to check whether the values from the lookup file are getting populated? The values are like DSR_TEST, DSR_TEST1, DSR_TEST2.
With polkit versions 0.120 and below, the version number was structured with a major/minor format always using the major version of 0. It appears that Splunk was using that dot between them to decode the version number in its create-polkit-rules option to detect whether the older PKLA file or the newer JS version would be supported. Starting in polkit version 121, the maintainers of polkit have dropped the "0." major number and started using the minor version as the major version. Because of this, Splunk does not currently seem to be able to deploy its own polkit rules. This affects both RHEL 9 and Ubuntu 24.04 so far in my testing. Has anyone else run into this issue or have another workaround for it? Thanks!

root@dev2404-1:~# pkcheck --version
pkcheck version 124
root@dev2404-1:~# apt-cache policy polkitd
polkitd:
  Installed: 124-2ubuntu1
  Candidate: 124-2ubuntu1
  Version table:
 *** 124-2ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages
        100 /var/lib/dpkg/status
root@dev2404-1:~# /opt/splunk/bin/splunk version
Splunk 9.2.1 (build 78803f08aabb)
root@dev2404-1:~# /opt/splunk/bin/splunk enable boot-start -user splunk -systemd-managed 1 -create-polkit-rules 1
" ": unable to parse Polkit major version: '.' separator not found.
^C
root@dev2404-1:~#

https://github.com/polkit-org/polkit/tags
Hi @karthi2809, do you have in payLoadInterface the same values "aaa", "bbb", "ccc"? If yes, you can join the Link to the events; otherwise, it isn't possible. Ciao. Giuseppe
Hi @gcusello, this is my lookup:

InterfaceName,Link
DSR_TEST,https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Lookup?_gl=1*1w7wkaf*_ga*MTYzMTg2Njc5NC4xNzExOTgxMTg4*_ga_GS7YF8S63Y*MTcxNjM4NTE1Ni41OS4xLjE3MTYzODYxMDMuNTYuMC4w*_ga_5EPM2P39FV*MTcxNjM4NTE1Ni4xNTcuMS4xNzE2Mzg2MTAzLjAuMC4zMjM3MzE2MTE.&_ga=2.25230836.839088300.1716203378-1631866794.1711981188
DSR_TEST1,https://community.splunk.com/t5/Splunk-Search/How-to-Combine-search-query-with-a-lookup-file-with-one-common/td-p/296885?sort=votes
DSR_TEST2,https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Gauge