All Posts



@Siddharthnegi - Try this search: | inputlookup E.csv | rename "4Let" as "Let4" | search Let4="ABCD" | stats count as count3 [search index=xyz category="Ad" "properties.OnboardingStatus"= Onboarded | dedup properties.DeviceName | rename properties.DeviceName as DeviceName | stats count as count2]   I think the problem you are facing is a field name starting with a number, which creates problems in search in some cases.   I hope this helps! Kindly upvote if it does!
Hi @Ssuen2311, about the first question: yes, SmartStore is also available on on-premise infrastructures. About the cost, only a Splunk Sales Representative can answer you. About the size of the solution, you should engage a Splunk Architect or Splunk PS; it isn't a question for the Community, and anyway many details are mandatory for this design. Ciao. Giuseppe
Hi @Siddharthnegi, what's the purpose of your search? Using the search you shared, you have a main search that arrives at a stats command, and then you added another search without any relation to the first one. Do you want to append the second to the first one, or do you want to filter results from the first using the second one? Ciao. Giuseppe
@Sumi - First of all, please explain why you are looking for the pid file?
"Thanks, how can we club the both into one to show count based on the two conditions" What do you mean by "based on the two conditions"?  Your original question simply says to show it in a pie chart. "But i am getting values as other" The answer to this is: you cannot have a pie chart with two columns.  If "getting values as other" is not the problem, what is?  Illustrate your data - in text (anonymize as needed), illustrate the desired result - normally I'd say in text, but in this case a mockup graphic pie chart could work, then explain the logic to derive the desired results from the illustrated data in plain language without SPL.  These are the three essential ingredients of an answerable question.
@uagraw01 - As suggested by @tscroggins, self-signed certificates need to be added to the certificate store. Here are references for doing this on Mac and Windows: https://learn.microsoft.com/en-us/skype-sdk/sdn/articles/installing-the-trusted-root-certificate https://support.apple.com/en-in/guide/keychain-access/kyca8916/mac#:~:text=In%20the%20Keychain%20Access%20app,certificate%20types%2C%20click%20Learn%20More.   I hope this helps! If it does, kindly upvote!
Hello Splunkers! In the Security Posture dashboard, by default there are no filters that would allow us to adjust the time, meaning we see the summary of notable events over the last 24 hours. I want to change that. I have added a time picker that I would like to bind to one panel in the Security Posture dashboard, "Key indicators", so that I can see, for example, the summary of notable events over the last 12 hours or 7 days. Can someone please explain what needs to be done on the time picker or the dashboard in order to achieve this, or maybe there is an easier way to do this?  Thanks for taking the time to read and reply to my post.
| inputlookup E.csv | search 4Let="ABCD" | stats count as count3 [search index=xyz category="Ad" "properties.OnboardingStatus"= Onboarded | dedup properties.DeviceName | rename properties.DeviceName as DeviceName | stats count as count2]   This search is giving an error.
This is a data analytics forum.  So you cannot just say "I know is missing" without data to substantiate it.  My mock data actually includes conditions where a group of pods is missing in both the current interval and previous intervals. They are shown as missing in all intervals in which they are missing in the chart screenshot.  If you need concrete help, always post sample data that will demonstrate all the features necessary. (Anonymize as needed.) Speaking of pod groups, you still haven't confirmed whether it is the pod groups you are trying to mark.  As I said, there is no logic that will support detecting missing individual instances of any pod by using a lookup table with wildcards.
I would like to have an investigation created with a notable event recorded in it using the API. I've been trying to achieve this by adding a notable event to an ES investigation using the API.  So far I have been able to create an investigation and then add an artifact to it using the API. The next step I need to complete is to insert a notable event into an ES investigation using the API.    Alternatively, if it's possible to create an investigation from a notable using the API, then I would also be happy with that option.
Hi, for the migration of data we need to use SmartStore from Splunk. Please help us to understand the below pointers:
1. Is SmartStore available for on-prem implementation?
2. Costing
3. How do you size the solution?
My bad, sorry: while I was removing the sensitive data, I messed up the event. Here is the actual one that I used: { Client:ClientA, Msgtype:WebService, Priority:2, Interactionid:1DD6AA27-6517-4D62-84C1-C58CA124516C, Seq:15831, Threadid:23, message: TimeMarker: MyClient: Result=Success Time=0000.05s Message=No payments found. (RetrievePaymentsXY - ID1:123131 ID2:Site|12313 ID3:05/14/2024-07/12/2024 1|12313), Userid:Unknown } And the regex works too; here is the working example that would extract the apiName: https://regex101.com/r/7f9Cnb/1
In a Python script I get the below error in the internal logs: TypeError: Object of type bytes is not JSON serializable. We are using Python 3. May I know how to get rid of this error in the internal logs?
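The error above is what json.dumps raises when a value in the object is a bytes object, which in Python 3 is what subprocess output, socket reads and many library calls return instead of str. The following is an added example, not code from the post or from Splunk: it reproduces the error on a constructed record and then serializes the same record with a default handler that decodes valid UTF-8 and base64-encodes anything else, so no byte is silently dropped. The field names and values in SAMPLE are constructed for illustration.

```python
import base64
import json


def json_default(value):
    """Fallback for json.dumps: turn bytes into a str it can serialize.

    Valid UTF-8 is decoded as text; anything else is base64-encoded so the
    bytes survive intact instead of being dropped or mangled. Any other type
    still raises, exactly as json.dumps would.
    """
    if isinstance(value, (bytes, bytearray)):
        raw = bytes(value)
        try:
            return raw.decode("utf-8")
        except UnicodeDecodeError:
            return "base64:" + base64.b64encode(raw).decode("ascii")
    raise TypeError(f"Object of type {type(value).__name__} is not JSON serializable")


def to_json(payload):
    """Serialize a dict that may contain bytes values."""
    return json.dumps(payload, default=json_default)


def roundtrip(payload):
    """Serialize with the handler and parse back, for checking the result."""
    return json.loads(to_json(payload))


def reproduce_error(payload):
    """Return the message json.dumps raises without a default handler, or None."""
    try:
        json.dumps(payload)
    except TypeError as exc:
        return str(exc)
    return None


# Constructed sample record: the shape a scripted input might build, where the
# stdout of a subprocess call is bytes rather than str under Python 3.
SAMPLE = {
    "host": "example-hf-01",         # constructed hostname
    "stdout": b"service is up\n",    # bytes returned by a subprocess call
    "raw": b"\xff\xfe\x00binary",    # bytes that are not valid UTF-8
}

if __name__ == "__main__":
    print(reproduce_error(SAMPLE))   # the TypeError from the post
    print(to_json(SAMPLE))           # serialized without error
```

If the bytes are always text (for example command output you control), decoding at the point of capture with .decode("utf-8") is simpler; the default= handler is the safety net for values you do not control.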
Hi @yuanliu, thanks. How can we club both into one to show the count based on the two conditions?
It can be done with map, but the phrase "best approach uses the map command" is not a phrase that would normally be used when considering the map command. As @PickleRick indicates, it has to be used carefully. In your pseudo example it's fine, but with real data remember that each result will initiate a new run of the saved search - if you have lots of results, as this runs collect for EACH and every row, it can place significant additional load on the server - and by default it will only run 10 iterations.
Hey, I registered myself with the Splunk free trial but I was not able to get to the usage data management console; this is where I have ended up. Does any of the following include the actual host, apart from the license tier the customer belongs to?
Thank you for the tips. This works well. I have already done it and I am happy with that.
Sure @IAskALotOfQs, all are welcome. As it's a virtual event, ALL are welcome, thanks.
I'm not from Malaysia but would love to join a meeting full of Splunk gurus to learn from. I'm currently at admin level and maybe could ask some questions from time to time?