All Posts

With the new version there are a number of changes; have a look through this doc. In short, you need to ensure a number of new indexes (_ds*) are in place (see the doc), there's another setting in the output.conf of the deployment server, and you need to add the new whitelist indexes to the UFs. Try these; if it still fails, log a support call. https://docs.splunk.com/Documentation/Splunk/9.2.0/Updating/Upgradepre-9.2deploymentservers
Hi. You might then be able to apply a regex pattern that does NOT match ERROR or FATAL, therefore keeping them and discarding the rest. Try this: ^(?!.*(ERROR|FATAL)).*$
Thank you @gcusello, that worked
Hello! I have recently upgraded my Splunk Enterprise servers from 9.1.2 to 9.2.1. I noticed the following web behaviours in the deployment server: 1. When searching for a hostname, it takes a long time to load. 2. The server class and app for (any) host are not reflected correctly. This was cross-checked on the CLI against serverclass.conf. Wondering if anyone has faced this issue and if it is a GUI bug.
Hi @blbr123 , test it in Splunk using the regex command. Ciao. Giuseppe
Thanks for the reply. But I forgot to mention that both are using different indexes, so I am not able to use a base search here.
Tested in Splunk: only when I add (?ms) in front of the regex does it match. But when I check this entire regex in the regex tool it does not match: (?ms)^#Date.+\n#Fields.+ and I am not sure whether adding (?ms) in transforms will work or not.
The drilldown can't pass multiple rows of a table, but you could do this in a couple of ways 1. Create a stats values() of the column you want and just do not display it - using the <fields> XML element - it will still exist in every row as a field. Pass this field as a multi value field. 2. When you click the table, have a second search that uses the first search as a base search and runs and does the stats values(column) and another <done> clause to set the token.
This one didn't work:
<done>
  <condition match="$job.resultCount$==0">
    <set token="Tokent">0</set>
  </condition>
  <condition>
    <set token="Tokent">$row.device_ip_address.value$</set>
  </condition>
</done>
The one below is only giving the 1st value of the field... I need to show the rest of the values of device_ip_address:
<done>
  <condition match="$job.resultCount$==0">
    <set token="Tokent">0</set>
  </condition>
  <condition>
    <set token="Tokent">$result.device_ip_address$</set>
  </condition>
</done>
I have tried multiple options to show multiple values of a single field from the 1st panel's output in the 2nd panel; it didn't work. I don't see any official documents. Is there any expert who can suggest something on this?
Hi @blbr123, (?ms) in a regex means that you have to consider a multiline event. Ciao. Giuseppe
Hi @jenkinsta , please try this: index=data earliest=-30d latest=now | eval period=if(_time>now()-86400,"last","previous") | stats dc(period) AS period_count values(period) AS period BY user | where period_count=1 AND period="last" Ciao. Giuseppe
Sure, will give it a try. And what does (?ms) do?
Hi @blbr123, this seems to be a multiline log; try adding (?ms) at the beginning of the regex. Then test your regex in Splunk, not outside Splunk. Ciao. Giuseppe
Hi @majilan1, you should create a lookup containing the perimeter to monitor (called e.g. perimeter.csv) containing at least the host field and eventually also other information. Then you could run a search like the following:
| tstats count WHERE index=* BY host
| append [ | inputlookup perimeter.csv | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| eval status=if(total=0,"Missed","Present")
| table host status
Ciao. Giuseppe
Yes, I have checked; the regex looks good. There are no other HFs before.
Hi @blbr123, did you check the regex in Splunk? If you could share some samples of your logs I can help you with this. Are there other (one or more) HFs before the one where you located props and transforms? The transformation must be applied in the first full Splunk instance where the data passes through. Ciao. Giuseppe
I am using an ingest action to filter log messages before they are indexed in Splunk. I want to include only the messages that match the keywords :ERROR: and :FATAL:; all the rest of the messages should not be indexed. Whereas in Splunk the ingest action only has a filter to exclude messages, not to include them.
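As an added example (not code from either thread), the script below applies the exclude regex suggested in the ERROR/FATAL ingest-action answer to constructed sample events and shows how the inline flags from the (?ms) thread change which events survive. Python's re is assumed to behave like Splunk's PCRE engine for these constructs, and the event text and keyword placement are constructed assumptions.

```python
import re

# Constructed sample events (not from the original threads). Each string is one
# Splunk event; three of them are multi-line, as a stack trace or continuation
# line would be.
EVENTS = [
    "2024-05-01T10:00:00Z :INFO: service started",
    "2024-05-01T10:00:01Z :ERROR: connection refused",
    "2024-05-01T10:00:02Z :INFO: request received\n  detail: payload size 12",
    "2024-05-01T10:00:03Z :FATAL: out of memory\n  at main()",
    "2024-05-01T10:00:04Z :WARN: retrying\n  :ERROR: retry failed",
]

# The discard regex suggested in the thread. An exclude-only filter drops every
# event the regex matches, so the regex must match exactly the events that
# contain neither ERROR nor FATAL. Each variant prepends different inline flags.
DISCARD = "^(?!.*(ERROR|FATAL)).*$"
VARIANTS = {
    "none": DISCARD,
    "(?s)": "(?s)" + DISCARD,    # '.' also matches newline: lookahead scans the whole event
    "(?m)": "(?m)" + DISCARD,    # '^'/'$' match at every line: lookahead becomes per-line
    "(?ms)": "(?ms)" + DISCARD,  # both: '^' can still anchor at a later line
}


def keep_events(events, discard_regex):
    """Return the events that survive an exclude filter (those the regex does NOT match)."""
    pattern = re.compile(discard_regex)
    return [e for e in events if pattern.search(e) is None]


def summarize(events):
    """Map each flag variant to the 0-based indexes of the events it keeps."""
    return {
        name: [events.index(e) for e in keep_events(events, rx)]
        for name, rx in VARIANTS.items()
    }


if __name__ == "__main__":
    for name, kept in summarize(EVENTS).items():
        print(f"{name:6} keeps events {kept}")
    # Expected: none -> [1, 2, 3, 4] (the multi-line INFO event leaks through,
    # because '$' cannot match before an inner newline); (?s) -> [1, 3, 4], the
    # intended result; (?m) -> [1] (events whose keyword is only on the first
    # line are dropped); (?ms) -> [1, 4].
```

Only the (?s) variant keeps exactly the ERROR/FATAL events: (?m) lets the negative lookahead anchor on a continuation line that lacks the keyword, so a whole-event filter wants DOTALL without MULTILINE.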
Hi @Siddharthnegi, as I said in my answers to your previous question, if you install the Splunk Dashboard Examples app ( https://splunkbase.splunk.com/app/1603 ), you'll find the example "Null Search Swapper", which describes how to replace a panel with a message when there are no results; that's exactly the feature you need. In the example there's the code to use in the dashboard, which you only need to customize for your searches and panels. What's the issue? Ciao. Giuseppe
Use this type of technique, so you set a token if there are results; the panel showing the table will display (depends=) and the panel showing the message will not display (rejects=):
<table depends="$has_results$">
  <search>
    <query>Your search</query>
    <done>
      <eval token="has_results">if($job.resultCount$&gt;0, 1, null())</eval>
    </done>
  </search>
</table>
<html rejects="$has_results$">
  <h1>There are no results</h1>
</html>