If you're not hellbent on doing it with Ingest Actions, you can just use transforms to filter out all events except for the ones you want: https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad
In your case you'd need to first have a "match-all" transform rerouting all data to nullQueue, and then a transform matching only ERROR/FATAL events sending the events to indexQueue.
This format looks suspiciously familiar. Check if you're using INDEXED_EXTRACTIONS on this sourcetype. If you do, the data is parsed on the UF and is not further processed on the indexer (or HF).
1. Calling specific people to answer your question is plain rude. This is a volunteer-driven community and people respond to publicly posted questions if/when they want. If you want a response in a timely manner, you have to purchase some support/consultancy services from one of many Splunk partners or Splunk's own Professional Services. 2. Digging up a thread from 5 years ago is not very likely to produce meaningful results. Create a new thread and describe your problem. If your problem is similar to an old one, you could link to the old one for reference.
Hi, I am stuck in a similar situation where the following command works. The query is: when the numerator and the denominator are zero I get the following error message "Error in 'EvalCommand": Type checking failed. '"' only takes numbers". I tried it through an if statement but it still doesn't work. Could you help me on this?
The question is a bit imprecise. What do you want to do precisely? I'd interpret it as "For each day I want to get a count of accounts not appearing in the events already in any of the previous days". Is that right? Also, how do you treat the first day of such a summary? Because all accounts from the first day would get shown this way on the first day.
With the new version there are a number of changes; have a look through this doc. In short, you need to ensure a number of new indexes (_ds*) are in place (see the doc), there's another setting in the output.conf of the deployment server, and you need to add the new whitelist indexes to the UFs. Try these; if it still fails, log a support call. https://docs.splunk.com/Documentation/Splunk/9.2.0/Updating/Upgradepre-9.2deploymentservers
Hi, you might then be able to apply a regex pattern that does NOT match ERROR or FATAL, therefore keeping them and discarding the rest. Try this: ^(?!.*(ERROR|FATAL)).*$
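The two replies above describe two ways of keeping only ERROR/FATAL events: an ordered pair of transforms (match-all to nullQueue, then ERROR/FATAL back to indexQueue) and a single negative-lookahead regex sent to nullQueue. The following is an added simulation written for this page, not Splunk's code; it assumes the documented transforms behaviour that REGEX is searched anywhere in the event and that, of the stanzas listed in order, the last one that matches decides the queue. Stanza names and the sample events are constructed. It also shows the caveat a practitioner would want before deploying the lookahead pattern: on multi-line events its behaviour depends on whether the (?ms) modifiers are in force.

```python
import re

# Constructed sample events (not from the thread). Events 4 and 5 span two lines,
# which is where the two filtering approaches start to differ.
EVENTS = [
    "2024-05-01 10:00:00 INFO  service started",
    "2024-05-01 10:00:01 ERROR connection refused",
    "2024-05-01 10:00:02 FATAL out of memory",
    "2024-05-01 10:00:03 DEBUG heartbeat",
    "2024-05-01 10:00:04 INFO  request handled\nstack: ERROR in handler",
    "2024-05-01 10:00:05 INFO  batch summary\nlines processed: 10",
]

# Each dict mirrors a transforms.conf stanza: REGEX is searched anywhere in the
# event and, on a match, the queue is set to FORMAT (DEST_KEY = queue implied).
# Stanza names are hypothetical.

# Approach 1 (first reply): match-all to nullQueue, then ERROR/FATAL back to
# indexQueue. Order matters: the last matching stanza decides the queue, so the
# props.conf list would read TRANSFORMS-filter = setnull, keep_errors.
TWO_STEP = [
    {"name": "setnull", "REGEX": r".", "FORMAT": "nullQueue"},
    {"name": "keep_errors", "REGEX": r"ERROR|FATAL", "FORMAT": "indexQueue"},
]

# Approach 2 (second reply): one negative-lookahead regex; whatever it matches
# (events with no ERROR/FATAL) goes to nullQueue.
LOOKAHEAD = [
    {"name": "drop_noise", "REGEX": r"^(?!.*(ERROR|FATAL)).*$", "FORMAT": "nullQueue"},
]

# Same regex with the inline (?ms) modifiers: ^ and $ bind to line boundaries
# and . crosses newlines, so a multi-line event is judged as a whole.
LOOKAHEAD_MS = [
    {"name": "drop_noise_ms", "REGEX": r"(?ms)^(?!.*(ERROR|FATAL)).*$", "FORMAT": "nullQueue"},
]


def route(event, transforms):
    """Apply the ordered transforms to one event and return its final queue."""
    queue = "indexQueue"  # default when nothing matches: the event is indexed
    for t in transforms:
        if re.search(t["REGEX"], event):
            queue = t["FORMAT"]
    return queue


def kept(events, transforms):
    """Indices of the events that survive filtering (end up in indexQueue)."""
    return [i for i, e in enumerate(events) if route(e, transforms) == "indexQueue"]


if __name__ == "__main__":
    for label, rules in (("two-step", TWO_STEP),
                         ("lookahead", LOOKAHEAD),
                         ("lookahead (?ms)", LOOKAHEAD_MS)):
        print(f"{label:16s} keeps events {kept(EVENTS, rules)}")
```

On the single-line events all three rule sets agree. Event 5 shows the difference: without (?ms) the lookahead regex cannot match an event that contains a newline (the . in .*$ stops at the line break and $ only matches at the very end), so a harmless multi-line INFO event is silently kept; with (?ms) it is discarded as intended. The two-step approach is immune to this because ERROR|FATAL is unanchored. Whichever engine you test a pattern in, make sure it runs with the same flags the transform will.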
Hello! I have recently upgraded my Splunk Enterprise servers from 9.1.2 to 9.2.1. I noticed the following web behaviors in the deployment server: 1. When searching for a hostname, it takes a long time to load. 2. Server class and app for (any) host are not reflected correctly. This was cross-checked on the CLI against serverclass.conf. Wondering if anyone has faced this issue and if it is a GUI bug.
Tested in Splunk; it only matches when I add (?ms) in front of the regex. But when I check this entire regex in the regex tool it does not match: (?ms)^#Date.+\n#Fields.+ and I am not sure whether adding (?ms) in transforms will work or not.
The drilldown can't pass multiple rows of a table, but you could do this in a couple of ways: 1. Create a stats values() of the column you want and just do not display it (using the <fields> XML element); it will still exist in every row as a field. Pass this field as a multivalue field. 2. When you click the table, have a second search that uses the first search as a base search, runs stats values(column), and has another <done> clause to set the token.
This one didn't work:
<done>
  <condition match="$job.resultCount$==0">
    <set token="Tokent">0</set>
  </condition>
  <condition>
    <set token="Tokent">$row.device_ip_address.value$</set>
  </condition>
</done>
The one below is only giving the 1st value of the field... I need to show the rest of the values of device_ip_address:
<done>
  <condition match="$job.resultCount$==0">
    <set token="Tokent">0</set>
  </condition>
  <condition>
    <set token="Tokent">$result.device_ip_address$</set>
  </condition>
</done>
I have tried multiple options to show multiple values of a single field from the 1st panel's output in the 2nd panel; it didn't work. I don't see any official documents. Is there any expert who can suggest on this?
Hi @jenkinsta, please try this:
index=data earliest=-30d latest=now
| eval period=if(_time>now()-86400,"last","previous")
| stats dc(period) AS period_count values(period) AS period BY user
| where period_count=1 AND period="last"
Ciao. Giuseppe