I don't believe it is possible to do - you can in theory do this

index=_audit | head 1 | eval message="hello" | table user action message | collect testmode=f [ | makeresults | fields - _time | eval index="main" | format "" "" "" "" "" ""]

but you would need the subsearch to know which index to select, and the subsearch is run before the outer search, so you can't do what you are trying to do.
@Miguel3393 actually if you change that line to

| eval Error_{Codigo_error}=if(in(Codigo_error, "69", "10001", "11"), 1, null())

i.e. replace the final 0 with null(), then you will not get all the extra columns for other Codigo_error values.
OK, if you want to add in more error code use cases, then change this line

| eval Error_{Codigo_error}=if(Codigo_error="69" OR Codigo_error="10001", 1, 0)

to

| eval Error_{Codigo_error}=if(in(Codigo_error, "69", "10001", "11"), 1, 0)

and add as many as needed.
Thank you very much for the detailed reply, that gives me enough to action now. I appreciate the contributions to the community in this way.
If I wanted to add another error, for example Codigo_error="11", what would I have to do?
Yes, you can, because the second search using the base is simply to create the single row result, which you can then turn into a token, e.g.

<search id="base">
  <query> bla </query>
</search>
<table depends="$hidden$">
  <search base="base">
    <query> | stats values(device_ip_address) as device_ip_address | eval device_ip_address=mvjoin(device_ip_address, ",") </query>
  </search>
  <done>
    <set token="mytoken">$result.device_ip_address$</set>
  </done>
</table>

and then your other search can use $mytoken$ as needed - use the eval in the second search to make the format of the device_ip_address values what you need it to be for the other search.
If I wanted to add another error, for example Codigo_error="10001", what would I have to do?
Hello! I'm looking to set the index parameter of the collect command with the value of a field from each event. Here's an example.

| makeresults count=2 | streamstats count | eval index = case(count=1, "myindex1", count=2, "myindex2") | collect index=index testmode=true

This search creates two events. Both events have the index field, one with "myindex1" as the value, and the other with "myindex2". I would like to use these values to set the index in the collect command.
Sorry, I misunderstood, it works correctly.
If error and exception, then it should be error; the rest of them are success. But using the below query to get the status, I still got both success and error for some of the transaction IDs.

| eval Status=case(priority="ERROR" AND tracePoint="EXCEPTION" OR message="*Error while processing*","ERROR", priority="WARN","WARN",priority!="ERROR" AND tracePoint!="EXCEPTION" OR message!="*(ERROR):*","SUCCESS") |stats values(Status) as Status by transactionId
@alfredoh14, here's some SPL that gives you a table with the app name, short name, and SQL:

| makeresults count=3
| streamstats count as id
| eval sql=case(id=1,"'' as \"FIELD\",''Missing Value'' AS \"ERROR\" from scbt_owner.SCBT_LOAD_CLOB_DATA_WORK", id=2,"'' as \"something \",''Missing Value'' AS \"ERROR\" from ART_owner.ART_LOAD_CLOB_DATA_WORK", id=3, "from Building_Mailer_owner.Building_Mailer_")
| fields sql
``` The above was just to create the source data ```
| rex field="sql" "from\s+(?<lk_wlc_app_short>.+?)_owner"
| lookup lookup_weblogic_app lk_wlc_app_short
| table lk_wlc_app_short, lk_wlc_app_name, sql

The regular expression pulls out the table name in the SQL, e.g. "from XXXX_owner", and uses the short code to match the app name from the lookup. To make the lookup work, you will need to ensure that the matches are NOT case sensitive, or make sure your lookup fields match what is in the SQL.
I understand. You can make a little progress using the strategy of pulling alerts that are triggered. My search is as follows:

index=_audit action="alert_fired" ss_app=search ss_name="alert 1" OR ss_name="alert 2" | rename ss_name AS title | stats count by title, ss_app, _time | sort -_time

In this search I can bring up the two alerts that I want to combine. Is it possible to get certain fields from these two alerts? In this case, I want to get the user. I can only generate the alert if the user is the same; the problem is that there are two different log providers and therefore the field that has the user value has different names.
hi @Elupt01, You can update the navigation menu to include links to all of your dashboards. If you go to:

Settings > User Interface > Navigation Menus > default

You will see a text box where you can put in XML to define your navigation. There are a few ways to show items. Note: DASHBOARD_NAME refers to the name of the dashboard as seen in the URL, not the title.

To link a single dashboard on the main navigation bar use this format:

<view name="DASHBOARD_NAME" />

To create a dropdown with a bunch of dashboards, use this format:

<collection label="Team Dashboards">
  <view name="DASHBOARD_NAME_1" />
  <view name="DASHBOARD_NAME_2" />
  <view name="DASHBOARD_NAME_3" />
</collection>

If you want the dashboards to be automatically added to the menu when you create them, use this format:

<collection label="Team Dashboards">
  <view source="unclassified" />
</collection>

The "unclassified" here means it will list all dashboards not explicitly mentioned in the navigation menu.

There are a few other tricks you can do, like using URLs as menu links:

<a href="https://company.intranet.com" target="_blank">Team Intranet Page</a>

Have a look at the dev docs for more detailed info: https://dev.splunk.com/enterprise/reference/dashboardnav/
Alerts are based on results of a search - for an alert to be triggered based on two conditions, your search needs to find both conditions.
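As an added example (not part of the thread), here is what a single search that finds both conditions can look like for the scenario asked about above: the same user must appear in events from two log providers that name the user field differently, and the second event must follow the first within 6 hours. The field names user_name, src_user and provider, and the "within 6 hours" reading of the requirement, are assumptions; the events are constructed with makeresults so the search runs anywhere, and in a real alert the first three lines would be replaced by the base searches of alert 1 and alert 2 ORed together.

```spl
| makeresults count=4
| streamstats count AS n
| eval _time=relative_time(now(), "-8h") + case(n=1, 0, n=2, 2*3600, n=3, 600, n=4, 7*3600)
| eval provider=if(n%2=1, "providerA", "providerB")
| eval user_name=case(n=1, "alice", n=3, "bob")
| eval src_user=case(n=2, "alice", n=4, "bob")
| eval user=coalesce(user_name, src_user)
| eval which=if(provider="providerA", "alert1", "alert2")
| stats min(eval(if(which="alert1", _time, null()))) AS alert1_time
        min(eval(if(which="alert2", _time, null()))) AS alert2_time
        BY user
| where isnotnull(alert1_time) AND isnotnull(alert2_time)
    AND alert2_time >= alert1_time
    AND alert2_time - alert1_time <= 6*3600
| eval severity="high"
| table user alert1_time alert2_time severity
```

With the constructed data, alice has an alert 2 event two hours after her alert 1 event and is kept; bob's second event comes more than six hours later and is dropped. coalesce() normalises the two provider-specific user fields into one field before the stats, which is what makes the BY user grouping work. If the requirement is instead that alert 2 fires only after 6 hours have passed, flip the last where clause to alert2_time - alert1_time > 6*3600.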
I am glad it works - what does your query about earliest and latest mean?
So if a transaction has both ERROR and not ERROR, what do you want it to show?
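An added example, not from the thread, of one way to make the per-transaction result deterministic for the Status question above. Two things differ from the posted query: the AND/OR groups are parenthesised explicitly (eval's AND binds tighter than OR, so without parentheses the intent is easy to get wrong), and the message test uses like() because eval's = compares literally and does not expand "*" wildcards. After the per-event status, the transaction is collapsed so that any ERROR wins, then WARN, otherwise SUCCESS. The field names priority, tracePoint, message and transactionId are those in the question; the events are constructed with makeresults.

```spl
| makeresults count=4
| streamstats count AS n
| eval transactionId=if(n<=2, "T1", "T2")
| eval priority=case(n=1, "INFO", n=2, "ERROR", n=3, "INFO", n=4, "WARN")
| eval tracePoint=case(n=2, "EXCEPTION", true(), "END")
| eval message=case(n=2, "Error while processing order 42", true(), "ok")
| eval Status=case(
    (priority="ERROR" AND tracePoint="EXCEPTION") OR like(message, "%Error while processing%"), "ERROR",
    priority="WARN", "WARN",
    true(), "SUCCESS")
| stats values(Status) AS statuses BY transactionId
| eval Status=case(
    isnotnull(mvfind(statuses, "^ERROR$")), "ERROR",
    isnotnull(mvfind(statuses, "^WARN$")), "WARN",
    true(), "SUCCESS")
| table transactionId statuses Status
```

With the constructed data, T1 holds a clean event and an exception and ends up as ERROR; T2 holds a clean event and a warning and ends up as WARN. The statuses column keeps the original multivalue list so you can see what was collapsed.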
I'm seeing this same error on a new build. Did you ever find an answer?
Hello everyone, How can I correlate two alerts into a third one? For instance: I have alert 1 and alert 2 both with medium severity. I need the following validation in alert 3: If, after 6 hours since alert 1 was triggered, alert 2 is triggered as well, generate alert 3 with high severity.
Thanks for the response. It does show info, but it seems that it looks for all errors and not just 10001 and 69, and it seems not to respect that it should only show when the percentage is greater than 10. Regards