All Posts

Hi @Amadou, the main issue in developing a Splunk search is to know what to search; then you can use SPL to search for the rules that you defined from your knowledge of the technology to monitor. I don't know what your technology to monitor is. As I said in my sample: if you are using Windows, EventCode=4625 means a failed login. So what are the conditions that you need to search? If you need to search a value in a field (e.g. EventCode=4625) you can use this field; if you need to search a string (e.g. "login successful"), you can search for this string. Did you try to follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/8.1.0/SearchTutorial/WelcometotheSearchTutorial) to be guided in the use of SPL? Ciao. Giuseppe
OK. So you can see that if you substitute the token with the actual value, you're gonna get something that makes no sense:

index="mscloud" userPrincipalName="some_username" status.errorCode=!=0

Since token replacement is just a simple text substitution, you might need something like this:

index="mscloud" userPrincipalName="$UserID$" status.errorCode$errorCode$

(and define your choices as "=*", "=0", "!=0" respectively) or do

index="mscloud" userPrincipalName="$UserID$" $errorCode$

and define your choices as whole conditions ("status.errorCode=0" and so on).
Hi @Real_captain, this is one of the few cases to use the transaction command:

index=events_prod_cdp_penalty_esa source="SYSLOG" (TERM(NIDF=RPWARDA) OR TERM(NIDF=SPWARAA) OR TERM(NIDF=SPWARRA) OR PIDZJEA OR IDJO20P)
| transaction startswith="IDJO20P" endswith="PIDZJEA"
| table _time eventcount

Ciao. Giuseppe
Hello, good day! MS Graph API duplicate email ingestion into Splunk SOAR: we have Splunk SOAR v6.1.1 and the Graph API v3; the ingestion settings are polling, with the interval set to every 4 minutes. We are noticing duplicate ticket/email ingestion every 4 minutes, causing our playbook (label_change) to error out with a validation error and "could not update the record" (Re: SOAR Could not update record due to Validation... - Splunk Community). Appreciate your guidance in advance!
Sure. Will take this. Thanks for your feedback.
1. Please don't post the same content in several messages. It's enough to post it once. (Also, text in a preformatted paragraph or code box is worth several screenshots.) 2. For "please help asap" you go to your local Splunk consultants and pay for their services. This is a community-driven forum where people voluntarily help others. Remarks like this can have the opposite effect on their motivation to answer you.
The output of each of those commands will contain settings for all outputs and all inputs respectively, so the size of the output might differ. But if you find any given input or output stanza, you can compare the effective configs for this configuration element.
hahah and I was just thinking we are getting there... So I went through the events and can confirm that I have one event per .csv line. I don't see any additional information injected in the events, other than "," in the fields that are empty (in the .csv file). My search first pulls in some data and does filtering and then:

| rename Letter as Y_Field
| table A_Field, B_Field, Y_Field
| join type=left Y_Field [ search earliest=-24h host="AAA" index="BBB" sourcetype="CCC"
    | eval dateFile=strftime(now(), "%Y-%m-%d")
    | where like(source,"%".dateFile."%XXX.csv")
    | rename "Target Number" as Y_Field
    | eval Y_Field=lower(Y_Field)
    | fields Y_Field, Field, "Field 2", "Field 3"]
| table A_Field, B_Field, Y_Field, Field, "Field 2", "Field 3"

I also wonder if the issue might be with the common field for both the search and the events information, as I have to rename it to match. I tested with renaming the field in the search, tested with renaming the field in the data pulled from the index, and tested by renaming both to something different, but no luck. As I mentioned earlier, the data in the index is ingested daily, so the search looks for the latest csv. When I run this search, I get results for A_Field, B_Field, and Y_Field, but Field, "Field 2" and "Field 3" are empty.
Hi, just to add on this existing query, I need to get the memory details from REQUEST alone. My raw data is like the below and this memory is also not available in all the events. So I need to fetch a report with only the events that have "memory" in the REQUEST. (Not all events have this "memory" in the REQUEST.) Please help asap.

My existing query is:

index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\""
| spath input=REQUEST output=AccountNumber path=body.customer{}.accountNumber
| spath input=REQUEST output=IMEI path=body.equipment{}.serialNumber
| spath input=REQUEST output=Channel path=headers{}.Channel
| spath input=RESPONSE output=Memory path=body.model{}.redemptionEquipmentMemory
| spath input=RESPONSE output=TransactionRefNo path=body.model{}.transactionReferenceNumber
| table AccountNumber IMEI Channel Memory TransactionRefNo
| sort TransactionRefNo
Hi, can you please help me find out how we can find the count of events between 2 events in Splunk? For example, I have to find the count of events (RPWARDA, SPWARAA, SPWARRA) between events IDJO20P and PIDZJEA. IDJO20P to PIDZJEA will be considered a day, and I have to find the count of events (RPWARDA, SPWARAA, SPWARRA) in a day.

Splunk query to find the events:

index=events_prod_cdp_penalty_esa source="SYSLOG" (TERM(NIDF=RPWARDA) OR TERM(NIDF=SPWARAA) OR TERM(NIDF=SPWARRA) OR PIDZJEA OR IDJO20P)
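As an added example (not taken from the question above or from Giuseppe's transaction answer earlier on this page), the search below numbers each IDJO20P-to-PIDZJEA window and counts the three NIDF values separately inside it, instead of the single eventcount a transaction returns; it assumes the raw text contains NIDF=<value> so the rex works, and that the windows are sorted in time order:

```spl
index=events_prod_cdp_penalty_esa source="SYSLOG"
    (TERM(NIDF=RPWARDA) OR TERM(NIDF=SPWARAA) OR TERM(NIDF=SPWARRA) OR PIDZJEA OR IDJO20P)
| reverse
| rex field=_raw "NIDF=(?<NIDF>\w+)"
| eval marker=case(searchmatch("IDJO20P"), "start", searchmatch("PIDZJEA"), "end", true(), null())
| streamstats count(eval(marker="start")) as day_id
| eventstats earliest(_time) as day_start by day_id
| where day_id > 0 AND isnull(marker)
| eval day_start=strftime(day_start, "%Y-%m-%d %H:%M:%S")
| chart count over day_start by NIDF
```

Events before the first IDJO20P have day_id 0 and are dropped; events after the last IDJO20P with no closing PIDZJEA yet are counted into the open window.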
I have the following query that gives me a list of pods that are missing, based on a comparison with what should be deployed as defined in the pod_list.csv inputlookup.

index=abc sourcetype=kubectl importance=non-critical
| dedup pod_name
| eval Observed=1
| append [| inputlookup pod_list.csv
    | eval Observed=0
    | eval importance=if(isnull(importance), "critical", importance)
    | search importance=non-critical]
| lookup pod_list pod_name_lookup as pod_name OUTPUT pod_name_lookup
| eval importance=if(isnull(importance), "critical", importance)
| stats max(Observed) as Observed by pod_name_lookup, importance
| where Observed=0 and importance="non-critical"

The data in the pod_list.csv looks like so:

namespace  pod_name_lookup   importance
ns1        kafka-*           critical
ns1        apache-*          critical
ns2        grafana-backup-*  non-critical

This works as expected. I am now having difficulties creating a timechart with this data to be able to see when a pod wasn't deployed, not just what is currently missing. Any help is greatly appreciated.
@gcusello, in case you just have an index and you have to find keywords inside this index, from which parameter do you choose your keywords inside this index? As we know, on the left side of Splunk you have many fields with keywords.
Hi @isoutamo, so if I am using the lookup editor, I don't need an intervention from the admin, including restarting or refreshing the URL, correct? Thanks
If you want to monitor your SaaS application from the outside, there are also mechanisms in the observability components (like Real User Monitoring, Synthetic Monitoring, ...) available.
That helps. You can surely look on https://splunkbase.splunk.com to see if there is an add-on for your SaaS application. Usually you get the technical mechanisms in an add-on and the visual knowledge objects like dashboards in an app, but sometimes it's a combination. Please refer to the documentation of the app/add-on to see what it is capable of. If there is one, you would see how to get it into your Splunk environment, either Splunk Cloud or Splunk Enterprise. The add-on should be vetted for your instance and version. After that you follow the instructions of the app/add-on to onboard the data. If there is nothing available in Splunkbase, you would start from scratch. For that the add-on builder is a good start: you would create the mechanism to get the data from the SaaS REST API, extract the fields and create dashboards after that. That's the usual process.