All Posts
Hi All, I want to separate a field which contains multiple values within it but doesn't have a delimiter. Example:

| makeresults | eval field1="example1@splunk.com example@splunk.com sample@splunk.com scheduler"

I have tried to use | eval split = split(field1, " "), but nothing works. Kindly help me out on how to separate this single string field into an MV field. Thanks in advance
Hi @gcusello @deepakc, thanks for all the inputs. Checking in again today after the weekend, the TCP filtering is working fine! The TCP events from the firewall stopped 1-2 hours after disabling the TCP input, and I suspect this might be due to TCP backlogs? I am not sure how Splunk handles TCP backlogs, but it seems that TCP backlogs will not be processed by the event filtering syntax. Maybe TCP backlogs are "past" the filtering stages and are slowly ingested?
There is no difference in the query; the same query is used in the dashboard panel and in search too.
Panel displaying in dashboard: (screenshot)

When we open the panel in search it shows as below (this is the correct data):

Host Data Details           Error   Files created localley on AMP   File sent to DMA
HOM-jjderf - 10.123.34.18           221                             86
HOM-iytgh - 10.123.363.23
HOP-wghjy - 12.234.201.22
HOP-tyhgt - 12.234.891.34
Query:

|mstats sum(error.count) as Count where index=metrics_data by provider errorid errorname |search errorname=apf

Results:

provider    errorid  errorname  Count
Digital it  401      apf        200.0000
Data St     200      apf        500.0000
dtst        0        apf        18.0000
Digital it  100      apf        55.0000
dtst        501      apf        16.0000
Digital it  0        apf        20.0000
Data St     200      apf        300.0000
dtst        201      apf        12.0000
Data St     404      apf        20.0000
Digital it  201      apf        10.0000
Data St     501      apf        10.0000
dtst        201      apf        9.0000
Data St     401      apf        8.0000
dtst        500      apf        3.0000
Data St     555      apf        5.0000
dtst        200      apf        2.0000

Expected results:

provider    errorname  errorid  Count
Digital it  apf        401      200.0000
                       100      55.0000
                       0        20.0000
Data St     apf        200      500.0000
                       200      300.0000
                       404      20.0000
dtst        apf        0        18.0000
                       501      16.0000
                       201      12.0000
What is not displaying correctly - what is different between the two tables?  
When we use the below query, the data in the dashboard panel is not showing correctly; if we open the panel query via "Open in Search", the data is showing correctly. How to fix this issue?

index=dam-idx (host_ip=12.234.201.22 OR host_ip=10.457.891.34 OR host_ip=10.234.34.18 OR host_ip=10.123.363.23) repoter.dataloadingintiated
| stats count by local
| append [search index=dam-idx (host_ip=12.234.201.22 OR host_ip=10.457.891.34 OR host_ip=10.234.34.18 OR host_ip=10.123.363.23) task.dataloadedfromfiles NOT "error" NOT "end_point" NOT "failed_data"
    | stats count as FilesofDMA]
| append [search index=dam-idx (host_ip=12.234.201.22 OR host_ip=10.457.891.34 OR host_ip=10.234.34.18 OR host_ip=10.123.363.23) "app.mefwebdata - jobintiated"
    | eval host = case(match(host_ip, "12.234"), "HOP"+substr(host, 120,24), match(host_ip, "10.123"), "HOM"+substr(host, 120,24))
    | eval host = host + " - " + host_ip
    | stats count by host
    | fields - count
    | appendpipe [stats count | eval Error="Job didn't run today" | where count==0 | table Error]]
| stats values(host) as "Host Data Details", values(Error) as Error, values(local) as "Files created localley on AMP", values(FilesofDMA) as "File sent to DMA"
A private lookup created in App A can ONLY be seen in App A, so if you try to create the lookup definition in App B, it will not show the CSV in the dropdown. If your lookup is listed like the above, with your username (red) and app (blue), then I believe it should be possible to create a definition in the same app for a private lookup. So if you cannot see your lookup in the dropdown, it may be a result of permissions. I am not sure, but if you can change your lookup permissions to app, you could see if that changes it.
Hi Bowesmana, thanks for your reply. I created the lookup table file by uploading the CSV file, and I am looking in the same app as the one in which I created the lookup table. I am actually supposed to get the data from production Splunk, so I have very limited access. The lookup table file I created has private access, which is visible only to me. Would that be an issue?
Is the logic that IFF there is a previous message=executed for ID X, then if state=completed, message should then be changed to 'executed', or should it always be 'executed' if state=completed?

| eval message=if(state="completed", "executed", message)

will just change message to "executed" if state is completed. If you ONLY want to change completed to executed if there is a previous "started", then it is important to understand your data a bit better, as ordering becomes significant. You have started, completed, pending for ID 101, so I am guessing that those are not in the order of occurrence. You would look at using streamstats, stats, eventstats or transaction to solve this, but can you give more about your existing search and data?
How did you create the lookup: by uploading a CSV, using the lookup editor, or using outputlookup? Which app did you create the lookup in, and what app are you in when trying to make the lookup definition? If you go to the list of lookup files (Lookups->Lookup table files), can you see the lookup there, and what are its permissions? Make sure you look for all lookups visible in all apps, and check what app your lookup file is in.
Hello, I have created a Splunk lookup table file (the file is in CSV format) and now I am trying to create a lookup definition. But I couldn't create the lookup definition, because when I tried searching for the lookup file, I couldn't find that file in my dropdown menu to select. What could be the reason? Can anyone help with this? Thanks in advance
Hi, we could see message="executed" for the started state field, so we would like to replace it with the same message where state="completed" for the same IDs too. I hope I worded this clearly. Thank you in advance.
As you don't have admin access, you have some options:

1. Create the transforms.conf / collections config using a file editor, if you know what you're doing, and give it to your Splunk admin; they can do the rest.
2. You can download a free instance of Splunk (install it if you know what you're doing), do the dev work there, and then give the config to your Splunk admin.
3. You can also use the Lookup Editor app - https://splunkbase.splunk.com/app/1724 - this is an easy way to create KV stores. You need to install this app, and it's popular; get your Splunk admin to install this.
@splunky_diamond you're welcome. Here are some more security tips to help you discover some more.

1. Many security people use this app to help them with their security use cases, and I use it myself - so many good features, and it can also make use case recommendations based on your data sources. https://splunkbase.splunk.com/app/3435
2. ESCU - provides regular security content updates to help SOCs / security analysts address ongoing time-sensitive threats, attack methods, and other security issues. https://splunkbase.splunk.com/app/3449
3. Here you will find so many use cases for reference - a great place to baseline your security monitoring strategy. https://research.splunk.com/
Hi all, first post in Splunk and I'm not even going to pretend I know the ins and outs of everything that I am currently trying to achieve, so I apologise if this is an easy answer...

I have created a dashboard that contains an HTML form and, through JS magic, it does everything I need it to, which includes a 'submit' button that is connected to an HTML table in a different panel. When the button is clicked the table is updated with the relevant information - happy days. Under the HTML table, I have another button that, when clicked, I want to create a new dashboard that displays that table (there is more to it, but for now I just need it to create a new dashboard). After a bit of research, I stumbled across AJAX, but I'm constantly receiving a 404 error. I understand that a 404 is resource not found, but every document I find indicates that this is the correct resource. My Splunk Enterprise instance is currently running on my laptop (127.0.0.1:8000), but I am at a frustrating loss now...

document.getElementById('confirmButton').addEventListener('click', function() {
    var dashboardData = {
        name: 'newDash',
        'eai:data': '<dashboard><label>$name$</label><description>$goal$</description><row><panel><html><h1>something</h1></html></panel></row></dashboard>',
    };
    $.ajax({
        url: '/serviceNS/nobody/search/data/ui/views',
        type: 'POST',
        data: dashboardData,
        success: function(response) {
            console.log('Success:', response);
        },
        error: function(jqXHR, textStatus, errorThrown) {
            console.error('Error:', textStatus, errorThrown);
        }
    });
});

The issue seems to indicate the url section is wrong, but if anyone could help point me in the right direction, I would greatly appreciate it. Kind regards, oO0NeoN0Oo
Hello, I am not an admin who has permission to create or view the transforms.conf file. I also don't have a lab, so I can't experiment with the KV Store lookup. Can I create a KV Store lookup definition in the Splunk UI without using the transforms.conf file? Will creating a KV Store lookup definition in the Splunk UI automatically update the transforms.conf file? Please suggest. Thank you
Facing the same issue, any solution?
No! Don't try to handle structured data with simple regexes. Unless you're very, very, very sure that the format is constant and always will be (which is typically not something you can rely on, since even the developers writing the solutions that produce such events don't know the exact order of fields that will be sent by their program), handling JSON or XML with regex is asking for trouble.