Hello @gcusello  Update: it actually did work! I just got new notable generated and the field value passed successfully! Thank you very much! 
Hi @KendallW  yes, that's exactly right. _time is one of the columns in a lookup file. And I want to choose the _time range from Lookup file using the time picker in Splunk dashboard. 
Hi @PB Could you please share your dashboard's XML? If I understand correctly, you want to pick a time range using Splunk's time picker on the dashboard, then have data from the CSV (lookup?) file returned by a search where the _time column in the CSV falls within the range specified in the time picker?
Hi @Yashvik, events are the ones you have; if you don't want duplicated events also in the Events tab, use the dedup command (https://docs.splunk.com/Documentation/SCS/current/SearchReference/DedupCommandOverview) to remove the duplicated ones. Ciao. Giuseppe
Hi @dallison, as @richgalloway said, the Splunk License Master doesn't distribute licenses, but the other servers connect to it to use the license. About your error: did you open the port 8089 routes between the License Master and the other servers? You can check this using telnet. Ciao. Giuseppe
Hi @gcusello Thanks for the reply. Using stats helps in removing the duplicate values in the "Statistics" tab. However, the duplicate fields are still appearing in the "Events" tab. I don't understand how it's happening. P.S. Due to unknown reasons I can't attach images.
Hi @jkamdar, as described in the URL you shared, there are some infrastructure requirements (OS) and configuration requirements (described in the page). What is unclear? I think that it's fully described. Ciao. Giuseppe
Hi @ravida, when you created the Correlation Search, did you associate the "Add Notable" Adaptive Response Action? Then, when you configured the Add Notable Adaptive Response Action, did you create the Drilldown Search? Ciao. Giuseppe
Hi @loganramirez, usually Splunk displays dates in the timezone defined for the user. To pass a timestamp in a different timezone, use eval and pass the transformed value instead of the original one. Ciao. Giuseppe
Hi @siddharthad, in the drilldown link you have to pass all the fields (among the ones that you have in your results) that are useful to identify the events to display in the drilldown dashboard. Note that you can pass only the fields in your main search, e.g. if you have | table _time, Name, host, the only fields that you can pass are _time, Name and host. If you need to pass other fields that you don't want to display in the main dashboard, you can add them to the search and list the fields to display in the <fields></fields> tag. Ciao. Giuseppe
Hi @nateloepker, your data seems to have a JSON format; did you try using INDEXED_EXTRACTIONS = json in your sourcetype definition or the spath command (https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Spath)? Ciao. Giuseppe
Hi @Yashvik, this probably depends on the data you're using; anyway, try to group your data by a common key using stats instead of the table command, something like this:

index=splunk_idx source=some_source
| rex field=log "level=(?<level>.*?),"
| rex field=log "\[CID:(?<cid>.*?)\]"
| rex field=log "message=(?<msg>.*?),"
| rex field=log "elapsed_time_ms=\"(?<elap>.*?)\""
| search msg="\"search pattern\""
| stats values(msg) AS msg values(elap) AS elap BY cid

Ciao. Giuseppe
Hi @rkaufman, don't attach your request to an existing one, even if on the same topic, because in this way you'll get less attention than a new one. Anyway, my hint is the same: open a case with Splunk support, sending them a diag. What if you try not to install the last version but the previous one? Ciao. Giuseppe
Hi @ash2 , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi All, When we do a Splunk search in our application (sh_app1), we notice some fields are duplicated / doubled up (refer: sample_logs.png); if we do the same search in another application (sh_welcome_app_ui), we do not see any duplication for the same fields.

cid: Perf-May06-9-151xxx
level: INFO
node_name: aks-application-xxx

SPL being used:

index=splunk_idx source=some_source
| rex field=log "level=(?<level>.*?),"
| rex field=log "\[CID:(?<cid>.*?)\]"
| rex field=log "message=(?<msg>.*?),"
| rex field=log "elapsed_time_ms=\"(?<elap>.*?)\""
| search msg="\"search pattern\""
| table cid, msg, elap

The event count remains the same whether we search inside that app or any other app; only some fields are duplicated. We couldn't figure out where the actual issue is. Can someone help?
Thanks for your response! I got the query I index  | timechart span=1d sum(abc) as total by xyz | eval day=lower(strftime(_time,"%A")) | where day=="monday" | fields - day
Hi @gowthammahes  Are you trying to index this log file in indexer/search head directly OR are you trying to read this file thru Universal Forwarder?
Has anyone successfully used the Splunk API call /services/saved/searches/SEARCH_NAME (https://docs.splunk.com/Documentation/Splunk/9.2.1/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D) to add a webhook to an existing Splunk report? I added action.webhook=1, action.webhook.param.url=https://1234.com, and actions=pagerduty,webhook successfully through the API, but the Splunk UI does not show the webhook (please see screenshot). Does anyone have any idea what the problem might be?

curl \
  --data-urlencode 'action.webhook.param.url=https://1234.com' \
  --data-urlencode 'action.webhook=1' \
  --data-urlencode 'actions=pagerduty,webhook' \
  --data-urlencode 'output_mode=json' \
  --header "Authorization: Splunk A_TOKEN_HERE" \
  --insecure \
  --request 'POST' \
  --retry '12' \
  --retry-delay '5' \
  --silent \
  "https://localhost:8089/services/saved/searches/test-12345"
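The post above sets the three webhook keys with curl and then relies on the UI to confirm them. An independent check is to read the saved search back over the same REST endpoint and inspect the returned `content` dictionary, which is what the script below does. This is an added example, not code from the original post or from Splunk; the host, token, search name and webhook URL are placeholders, `verify_webhook_config` encodes only the three keys named in the post, and the helper verifies TLS against a CA file instead of using `--insecure`, since a management-port token travels in the Authorization header.

```python
"""Enable a webhook on an existing Splunk saved search over REST and
read the entry back to confirm the settings stuck.

Added example, not from the original post. Assumptions: the standard
saved/searches endpoint, output_mode=json responses shaped as
{"entry": [{"content": {...}}]}, and placeholder host/token/names.
"""
import json
import ssl
import urllib.parse
import urllib.request


def build_webhook_payload(webhook_url, existing_actions):
    """Form fields that enable a webhook on a saved search.

    `actions` must list every action that should stay enabled: posting
    actions=webhook alone would silently drop e.g. pagerduty, so the
    existing list is merged rather than replaced.
    """
    actions = [a.strip() for a in existing_actions.split(",") if a.strip()]
    if "webhook" not in actions:
        actions.append("webhook")
    return {
        "action.webhook": "1",
        "action.webhook.param.url": webhook_url,
        "actions": ",".join(actions),
        "output_mode": "json",
    }


def verify_webhook_config(content):
    """Inspect the `content` dict of one saved-search entry (as returned by
    GET /services/saved/searches/<name>?output_mode=json) and return the
    list of reasons the webhook would not fire; empty list means it looks
    correctly enabled."""
    problems = []
    # output_mode=json renders booleans as true/false, raw conf as 1/0.
    if str(content.get("action.webhook", "0")).lower() not in ("1", "true"):
        problems.append("action.webhook is not enabled")
    actions = [a.strip() for a in str(content.get("actions", "")).split(",")]
    if "webhook" not in actions:
        problems.append("'webhook' missing from actions")
    url = str(content.get("action.webhook.param.url", "") or "")
    if not url:
        problems.append("action.webhook.param.url is empty")
    elif not url.startswith("https://"):
        problems.append("webhook URL is not https")
    return problems


def entry_content(response_json):
    """Pull the first entry's content out of a Splunk REST JSON response."""
    return response_json["entry"][0]["content"]


def splunk_request(base_url, token, path, data=None, cafile=None):
    """POST (when `data` is given) or GET a Splunk REST path with a bearer
    token. TLS is verified against `cafile` (or the system store); this
    deliberately avoids the --insecure equivalent used in the post."""
    ctx = ssl.create_default_context(cafile=cafile)
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(
        base_url + path, data=body, method="POST" if data else "GET")
    req.add_header("Authorization", "Splunk " + token)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Placeholder values; replace with your own management host and token.
    BASE = "https://localhost:8089"
    TOKEN = "A_TOKEN_HERE"
    NAME = urllib.parse.quote("test-12345", safe="")
    PATH = "/services/saved/searches/" + NAME
    payload = build_webhook_payload("https://1234.com", "pagerduty")
    splunk_request(BASE, TOKEN, PATH, data=payload, cafile="splunk-ca.pem")
    saved = splunk_request(BASE, TOKEN, PATH + "?output_mode=json",
                           cafile="splunk-ca.pem")
    for problem in verify_webhook_config(entry_content(saved)) or ["webhook enabled"]:
        print(problem)
```

If the read-back shows all three keys set but the UI still does not list the webhook, the discrepancy is in how the UI renders the action rather than in what the REST call stored, which narrows the question for Splunk support.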
I found the solution.  | eval firstNewValue = mvindex(newValue,0)  
EXTRACT props do not invoke a transform.  Use REPORT, instead.