All Posts


@richgalloway I was mentioning that by using the query below I can limit the result to show only title and definition: |rest /servicesNS/-/-/admin/macros |table title,definition  Would there be a way to do the same with the REST API call for macros: https://*****:8089/servicesNS/-/-/admin/macros?output_mode=json  While using the above API call with Postman, I am getting all the fields of the results, but I am interested in getting the result limited to show only "title" and "definition". Like below, I am getting all fields; can I restrict the results to show only the name and definition of the macro? { "links": { "create": "/servicesNS/-/-/admin/macros/_new", "_reload": "/servicesNS/-/-/admin/macros/_reload", "_acl": "/servicesNS/-/-/admin/macros/_acl" }, "origin": "https://52.226.64.218:8089/servicesNS/-/-/admin/macros", "updated": "2024-04-29T13:11:40+00:00", "generator": { "build": "78803f08aabb", "version": "9.2.1" }, "entry": [ { "name": "3cx_supply_chain_attack_network_indicators_filter", "id": "https://52.226.64.218:8089/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter", "updated": "1970-01-01T00:00:00+00:00", "links": { "alternate": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter", "list": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter", "_reload": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter/_reload", "edit": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter", "disable": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter/disable" }, "author": "nobody", "acl": { "app": "DA-ESS-ContentUpdate", "can_change_perms": true, "can_list": true, "can_share_app": true, "can_share_global": true, "can_share_user": false, "can_write": true, "modifiable": true, 
"owner": "nobody", "perms": { "read": [ "*" ], "write": [ "admin" ] }, "removable": false, "sharing": "global" }, "content": { "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "disabled": false, "eai:acl": null, "eai:appName": "DA-ESS-ContentUpdate", "eai:userName": "nobody" } } ], "paging": { "total": 2195, "perPage": 30, "offset": 0 }, "messages": [] }
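An added example, not code from the post above or from Splunk: the `title` column that `| rest` shows is the `name` key of each `entry` in the JSON, so the same two-column view can be produced client-side from the response the REST endpoint already returns. The script uses only `output_mode=json` and the documented `count`/`offset` paging parameters; the management URL, the auth token, the CA file and the second macro in the sample are placeholders/constructed data. It also flags filter macros still at their shipped `search *` default, which is the check an ES admin would most likely run on this listing.

```python
"""Added example (not code from the original post): reduce the Splunk REST
macro listing to just name and definition on the client side, and page
through the whole collection. Only output_mode=json and the documented
count/offset paging parameters are used; the base URL, token and CA file
are placeholders you supply."""
import json
import ssl
import urllib.parse
import urllib.request

# Constructed sample, shaped like the response quoted in the post but trimmed
# to the keys this script reads (the real response also carries links, acl,
# eai:* fields, etc.).
SAMPLE_RESPONSE = json.loads("""
{
  "entry": [
    {"name": "3cx_supply_chain_attack_network_indicators_filter",
     "acl": {"app": "DA-ESS-ContentUpdate", "sharing": "global"},
     "content": {"definition": "search *", "disabled": false}},
    {"name": "suspicious_cmd_filter",
     "acl": {"app": "search", "sharing": "app"},
     "content": {"definition": "search NOT user=svc_backup", "disabled": false}}
  ],
  "paging": {"total": 2, "perPage": 30, "offset": 0}
}
""")


def project_macros(payload):
    """Keep only name and definition from one JSON page of /admin/macros.
    This is the client-side equivalent of `| rest ... | table title,definition`;
    the `title` column of the rest command is `entry[].name` in the JSON."""
    rows = []
    for entry in payload.get("entry", []):
        content = entry.get("content", {})
        rows.append({"name": entry["name"],
                     "definition": content.get("definition", "")})
    return rows


def unfiltered_macros(rows):
    """Names of filter macros still at the shipped default `search *`, i.e.
    ones never tuned to suppress known false positives for this environment."""
    return [r["name"] for r in rows if r["definition"].strip() == "search *"]


def fetch_all_macros(base_url, token, page_size=100, cafile=None):
    """Walk the whole collection with count/offset paging. Hypothetical inputs:
    base_url such as https://splunk.example:8089, a Splunk authentication
    token, and the CA bundle that signed the management-port certificate."""
    # Verify TLS against a CA you trust; never ship verify-off to production.
    ctx = ssl.create_default_context(cafile=cafile)
    rows, offset = [], 0
    while True:
        qs = urllib.parse.urlencode({"output_mode": "json",
                                     "count": page_size, "offset": offset})
        req = urllib.request.Request(
            f"{base_url}/servicesNS/-/-/admin/macros?{qs}",
            headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            page = json.load(resp)
        rows.extend(project_macros(page))
        offset += page_size
        if offset >= page.get("paging", {}).get("total", 0):
            return rows


if __name__ == "__main__":
    for row in project_macros(SAMPLE_RESPONSE):
        print(f'{row["name"]}\t{row["definition"]}')
    print("still at default:", unfiltered_macros(project_macros(SAMPLE_RESPONSE)))
```

The JSON quoted above reports `"total": 2195` with `"perPage": 30`, so a single call returns only the first 30 macros; `fetch_all_macros` walks the rest with `offset`. Note also that the quoted response exposes a public IP on port 8089, the management port; that port should not be reachable from the internet, and scripts against it should use a token (as here) rather than a password in a URL or in Postman history.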
Yes, let me explain. With this query the table field filename is empty. But when I add the field value directly in the table, for example when I added File1 to the table, it shows the values. If I use File1 directly it shows, so why is it not showing in filename? |stats values(filename) as File1 values(FileName) as File2 |eval filename=coalesce(File1,File2) |table filename File1  In the result, the filename column is empty and the File1 column shows Test.
Hello, Splunk community! I have created a correlation search with the following search string: index="kali2_over_syslog" ((PWD=/etc AND cmd=*shadow) OR (PWD=* cmd=*/etc/shadow)) OR ((PWD=/etc AND cmd=*passwd) OR (PWD=* cmd=*/etc/passwd)) | eval time=strftime(_time, "%D %H:%M") | stats values(host) as "host" values(time) as "access time" values(executer) as "user" count by cmd | where 'count'>0  When I use it in the Search and Reporting app and execute "sudo cat /etc/shadow" on the monitored Linux machine, it catches this event. The rest of the settings of that correlation search are the same as in my other correlation search, which I used as a template. That other correlation search works well: notable events are generated and the email notification is sent. The only difference is that I am not using any data model in my search, because I have a small test lab and only one machine on which I want to monitor the following activity. Can it be that I must use CIM-validated data models in my search so that the correlation search actually works and generates notable events? I am new to Splunk, so I am sorry if my question is a bit unclear or weird; let me know if you need additional information.
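An added example, not part of the post above: the detection logic of that correlation search, ported to Python and run offline over constructed key=value syslog lines, so the match semantics can be checked without an ES instance. The field names host, executer, PWD and cmd come from the search in the post; the line layout and the user names are assumptions. A second matcher shows the gap a practitioner should know about: `cmd=*/etc/shadow` in SPL is a leading-only wildcard, i.e. "ends with", so a command that keeps going after the file name (a pipe, extra arguments) is not matched.

```python
"""Added example (not code from the original post): the correlation search's
detection logic run over constructed key=value syslog lines. Field names
host, executer, PWD and cmd are taken from the search in the post; the line
layout below is an assumption."""
import re

# Constructed events in the shape the search's field names imply.
SAMPLE_LINES = [
    'host=kali2 executer=alice PWD=/etc cmd="sudo cat shadow"',
    'host=kali2 executer=bob PWD=/home/bob cmd="sudo cat /etc/shadow"',
    'host=kali2 executer=carol PWD=/home/carol cmd="ls -la"',
    'host=kali2 executer=dave PWD=/home/dave cmd="cat /etc/shadow | head -n 1"',
    'host=kali2 executer=eve PWD=/etc cmd="vi passwd"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SENSITIVE = ("shadow", "passwd")


def parse_kv(line):
    """Minimal key=value extractor; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def matches_search(ev):
    """Literal port of the SPL: (PWD=/etc AND cmd=*shadow) OR (PWD=* cmd=*/etc/shadow),
    and the same for passwd. A leading-only wildcard means 'ends with';
    field-value matching in SPL is case-insensitive, hence the lower()."""
    pwd, cmd = ev.get("PWD", ""), ev.get("cmd", "").lower()
    for name in SENSITIVE:
        if pwd == "/etc" and cmd.endswith(name):
            return True
        if "PWD" in ev and cmd.endswith("/etc/" + name):
            return True
    return False


def matches_loose(ev):
    """Substring variant (cmd=*/etc/shadow* in SPL): also catches the file name
    followed by further arguments or a pipe, which the literal port misses."""
    pwd, cmd = ev.get("PWD", ""), ev.get("cmd", "").lower()
    for name in SENSITIVE:
        if pwd == "/etc" and name in cmd:
            return True
        if "/etc/" + name in cmd:
            return True
    return False


def summarize(lines, matcher=matches_search):
    """Mirror `stats values(host) values(executer) count by cmd` over the matches."""
    out = {}
    for line in lines:
        ev = parse_kv(line)
        if not matcher(ev):
            continue
        row = out.setdefault(ev["cmd"], {"host": set(), "user": set(), "count": 0})
        row["host"].add(ev.get("host", ""))
        row["user"].add(ev.get("executer", ""))
        row["count"] += 1
    return out


if __name__ == "__main__":
    for cmd, row in summarize(SAMPLE_LINES).items():
        print(cmd, sorted(row["host"]), sorted(row["user"]), row["count"])
    missed = [l for l in SAMPLE_LINES
              if matches_loose(parse_kv(l)) and not matches_search(parse_kv(l))]
    print("missed by the literal search:", missed)
```

With the constructed input, the literal port produces three rows (the `sudo cat shadow`, `sudo cat /etc/shadow` and `vi passwd` commands) and misses `cat /etc/shadow | head -n 1`; the substring variant catches all four. Whether the correlation search fires at all is a separate matter from this logic: the search above already returns rows in Search and Reporting, so the difference from the working template lies in the correlation search's own settings (schedule, time window, trigger conditions), not in the use of a data model.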
This is what my solution does - how does it not do what you expect? Please provide examples
Thanks! This query gives some answer. However, I still have to find the one for this situation: I have another alert for non-200 response codes. For this one I want to see if three consecutive 200 responses take more than 10 seconds in total. That means I will create an alert about this. So the query should return only those three consecutive 200 responses that together take more than 10 seconds.
You are going to have to be more specific - what are you currently doing? what are your current results? what results would you like to get? what do your current events look like? etc.
Hi @anel, this health check is related to the last 24 hours; are you sure that in this period you don't have delayed searches? You can check this in the Monitoring Console. Anyway, it's not possible to reset this alert; you only have to wait for the time to pass. Ciao. Giuseppe
I have another alert for non-200 response codes. For this one I want to see if three consecutive 200 responses, take more than 10 seconds totally. That means I will create an alert about this.
I wonder if you’re storing the data in the SH somehow. In the SH where you can query the data check the splunk_server field to see where the SH is pulling the data from. If everything was right you would see listed some or all indexers (depending on how well balanced the data is distributed among indexers for the time interval you selected)
Hi all, 5 days ago we got an issue with delayed searches.  This is fixed and we did not have skipped or delayed searches since. However, the warning is not disappearing.  Is there a way to manually trigger a recheck, mark this as acknowledged or any other way of making this warning go away?   
Where do I use isnotnull()? The values File1 and File2 come from stats values. And where do I check?
That worked! Thank you so much. This is exactly what I was needing. 
Any links to where I could raise non-technical support? 
There are isnull() and isnotnull() functions which can be used to evaluate whether the field is null or not
Did you mean that the response codes are all 200 but take more than 10 seconds? If so, what do you want to do if there are non-200 responses? Please clarify your requirement
Hi all, I have fields called File1 and File2 and I combined them with coalesce in the table, but the value is not getting into the table. If I use File1 directly the value shows. What is the issue? How do I check whether this is null or something else?   |eval FileList=coalesce(File1,File2)
Would something like this work for you? | table _time, OrderReference, TransactionReference, Type, Amount, Currency, OrderStatus | stats latest(*) as * by OrderReference TransactionReference Full runanywhere example based on your events | makeresults format=json data="[{\"Level\":\"Information\",\"MessageTemplate\":\"Created a new transaction\",\"RenderedMessage\":\"Created a new transaction\",\"Properties\":{\"SourceContext\":\"ApiGateway.Controllers.OrdersController\",\"TransactionReference\":\"e4dfbba0-90cf-4e1d-9ca3-e661ace5fe1d\",\"TransactionType\":\"Transfer\",\"Amount\":901,\"Currency\":\"SEK\",\"ExecutionDate\":\"2023-11-15T14:32:00.0000000+02:00\",\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"ActionId\":\"9a240462-d4c7-485e-a974-8229f2520c6c\",\"ActionName\":\"ApiGateway.Controllers.OrdersController.PostOrder (ApiGateway)\",\"RequestId\":\"0HN34CGT9KPCS:00000004\",\"RequestPath\":\"/orders\",\"ConnectionId\":\"0HN34CGT9KPCS\",\"EnvironmentName\":\"Development\"}}, {\"Level\":\"Information\",\"MessageTemplate\":\"Created a new transaction\",\"RenderedMessage\":\"Created a new transaction\",\"Properties\":{\"SourceContext\":\"ApiGateway.Controllers.OrdersController\",\"TransactionReference\":\"7ced831c-f8fd-41a2-88b1-6b564259539b\",\"TransactionType\":\"Transfer\",\"Amount\":567,\"Currency\":\"SEK\",\"ExecutionDate\":\"2023-11-15T14:32:00.0000000+02:00\",\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"ActionId\":\"9a240462-d4c7-485e-a974-8229f2520c6c\",\"ActionName\":\"ApiGateway.Controllers.OrdersController.PostOrder (ApiGateway)\",\"RequestId\":\"0HN34CGT9KPCS:00000004\",\"RequestPath\":\"/orders\",\"ConnectionId\":\"0HN34CGT9KPCS\",\"EnvironmentName\":\"Development\"}}, {\"Level\":\"Information\",\"MessageTemplate\":\"Created a new transaction\",\"RenderedMessage\":\"Created a new 
transaction\",\"Properties\":{\"SourceContext\":\"ApiGateway.Controllers.OrdersController\",\"TransactionReference\":\"9f7742e7-0350-420a-9f6b-79d7bd024bc5\",\"TransactionType\":\"Transfer\",\"Amount\":234,\"Currency\":\"SEK\",\"ExecutionDate\":\"2023-11-15T14:32:00.0000000+02:00\",\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"ActionId\":\"9a240462-d4c7-485e-a974-8229f2520c6c\",\"ActionName\":\"ApiGateway.Controllers.OrdersController.PostOrder (ApiGateway)\",\"RequestId\":\"0HN34CGT9KPCS:00000004\",\"RequestPath\":\"/orders\",\"ConnectionId\":\"0HN34CGT9KPCS\",\"EnvironmentName\":\"Development\"}}, {\"Level\":\"Information\",\"MessageTemplate\":\"Publishing transaction status\",\"RenderedMessage\":\"Publishing transaction status\",\"Properties\":{\"SourceContext\":\"ApiGateway.Services.StatusUpdateService\",\"Debtor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Creditor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Prefunding\":null,\"Type\":\"Transfer\",\"PaymentProcessType\":\"Internal\",\"TransactionReference\":\"9f7742e7-0350-420a-9f6b-79d7bd024bc5\",\"Suti\":\"CommonTypeLibrary.DomainModel.Suti\",\"ExecutionDate\":\"CommonTypeLibrary.DomainModel.ExecutionDate\",\"Amount\":\"SEK234.00\",\"ResponsibleLedger\":\"CommonTypeLibrary.DomainModel.Ledger\",\"RemittanceInformation\":\"None\",\"OriginalTransactionReference\":\"None\",\"SuppressedStatuses\":[],\"TransactionStatus\":\"Complete\",\"Messages\":null,\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"TransactionIdentifier\":\"9f7742e7-0350-420a-9f6b-79d7bd024bc5\",\"JobType\":\"TransactionStatusUpdateTask\",\"JobRetries\":0,\"ProcessInstanceId\":2251799813733043,\"EnvironmentName\":\"Development\"}}, {\"Level\":\"Information\",\"MessageTemplate\":\"Publishing transaction status\",\"RenderedMessage\":\"Publishing transaction 
status\",\"Properties\":{\"SourceContext\":\"ApiGateway.Services.StatusUpdateService\",\"Debtor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Creditor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Prefunding\":null,\"Type\":\"Transfer\",\"PaymentProcessType\":\"Internal\",\"TransactionReference\":\"e4dfbba0-90cf-4e1d-9ca3-e661ace5fe1d\",\"Suti\":\"CommonTypeLibrary.DomainModel.Suti\",\"ExecutionDate\":\"CommonTypeLibrary.DomainModel.ExecutionDate\",\"Amount\":\"SEK901.00\",\"ResponsibleLedger\":\"CommonTypeLibrary.DomainModel.Ledger\",\"RemittanceInformation\":\"None\",\"OriginalTransactionReference\":\"None\",\"SuppressedStatuses\":[],\"TransactionStatus\":\"Complete\",\"Messages\":null,\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"TransactionIdentifier\":\"e4dfbba0-90cf-4e1d-9ca3-e661ace5fe1d\",\"JobType\":\"TransactionStatusUpdateTask\",\"JobRetries\":0,\"ProcessInstanceId\":2251799813733043,\"EnvironmentName\":\"Development\"}}, {\"Level\":\"Information\",\"MessageTemplate\":\"Publishing transaction status\",\"RenderedMessage\":\"Publishing transaction 
status\",\"Properties\":{\"SourceContext\":\"ApiGateway.Services.StatusUpdateService\",\"Debtor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Creditor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Prefunding\":null,\"Type\":\"Transfer\",\"PaymentProcessType\":\"Internal\",\"TransactionReference\":\"7ced831c-f8fd-41a2-88b1-6b564259539b\",\"Suti\":\"CommonTypeLibrary.DomainModel.Suti\",\"ExecutionDate\":\"CommonTypeLibrary.DomainModel.ExecutionDate\",\"Amount\":\"SEK567.00\",\"ResponsibleLedger\":\"CommonTypeLibrary.DomainModel.Ledger\",\"RemittanceInformation\":\"None\",\"OriginalTransactionReference\":\"None\",\"SuppressedStatuses\":[],\"TransactionStatus\":\"Complete\",\"Messages\":null,\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"TransactionIdentifier\":\"7ced831c-f8fd-41a2-88b1-6b564259539b\",\"JobType\":\"TransactionStatusUpdateTask\",\"JobRetries\":0,\"ProcessInstanceId\":2251799813733043,\"EnvironmentName\":\"Development\"}}, {\"Level\":\"Information\",\"MessageTemplate\":\"Publishing transaction status\",\"RenderedMessage\":\"Publishing transaction 
status\",\"Properties\":{\"SourceContext\":\"ApiGateway.Services.StatusUpdateService\",\"Debtor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Creditor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Prefunding\":null,\"Type\":\"Transfer\",\"PaymentProcessType\":\"Internal\",\"TransactionReference\":\"9f7742e7-0350-420a-9f6b-79d7bd024bc5\",\"Suti\":\"CommonTypeLibrary.DomainModel.Suti\",\"ExecutionDate\":\"CommonTypeLibrary.DomainModel.ExecutionDate\",\"Amount\":\"SEK234.00\",\"ResponsibleLedger\":\"CommonTypeLibrary.DomainModel.Ledger\",\"RemittanceInformation\":\"None\",\"OriginalTransactionReference\":\"None\",\"SuppressedStatuses\":[],\"TransactionStatus\":\"InProgress\",\"Messages\":[],\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"TransactionIdentifier\":\"9f7742e7-0350-420a-9f6b-79d7bd024bc5\",\"JobType\":\"TransactionStatusUpdateTask\",\"JobRetries\":0,\"ProcessInstanceId\":2251799813733043,\"EnvironmentName\":\"Development\"}}, {\"Level\":\"Information\",\"MessageTemplate\":\"Publishing transaction status\",\"RenderedMessage\":\"Publishing transaction 
status\",\"Properties\":{\"SourceContext\":\"ApiGateway.Services.StatusUpdateService\",\"Debtor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Creditor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Prefunding\":null,\"Type\":\"Transfer\",\"PaymentProcessType\":\"Internal\",\"TransactionReference\":\"e4dfbba0-90cf-4e1d-9ca3-e661ace5fe1d\",\"Suti\":\"CommonTypeLibrary.DomainModel.Suti\",\"ExecutionDate\":\"CommonTypeLibrary.DomainModel.ExecutionDate\",\"Amount\":\"SEK901.00\",\"ResponsibleLedger\":\"CommonTypeLibrary.DomainModel.Ledger\",\"RemittanceInformation\":\"None\",\"OriginalTransactionReference\":\"None\",\"SuppressedStatuses\":[],\"TransactionStatus\":\"InProgress\",\"Messages\":[],\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"TransactionIdentifier\":\"e4dfbba0-90cf-4e1d-9ca3-e661ace5fe1d\",\"JobType\":\"TransactionStatusUpdateTask\",\"JobRetries\":0,\"ProcessInstanceId\":2251799813733043,\"EnvironmentName\":\"Development\"}}, {\"Level\":\"Information\",\"MessageTemplate\":\"Publishing transaction status\",\"RenderedMessage\":\"Publishing transaction 
status\",\"Properties\":{\"SourceContext\":\"ApiGateway.Services.StatusUpdateService\",\"Debtor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Creditor\":\"CommonTypeLibrary.DomainModel.AccountHolder\",\"Prefunding\":null,\"Type\":\"Transfer\",\"PaymentProcessType\":\"Internal\",\"TransactionReference\":\"7ced831c-f8fd-41a2-88b1-6b564259539b\",\"Suti\":\"CommonTypeLibrary.DomainModel.Suti\",\"ExecutionDate\":\"CommonTypeLibrary.DomainModel.ExecutionDate\",\"Amount\":\"SEK567.00\",\"ResponsibleLedger\":\"CommonTypeLibrary.DomainModel.Ledger\",\"RemittanceInformation\":\"None\",\"OriginalTransactionReference\":\"None\",\"SuppressedStatuses\":[],\"TransactionStatus\":\"InProgress\",\"Messages\":[],\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"TransactionIdentifier\":\"7ced831c-f8fd-41a2-88b1-6b564259539b\",\"JobType\":\"TransactionStatusUpdateTask\",\"JobRetries\":0,\"ProcessInstanceId\":2251799813733043,\"EnvironmentName\":\"Development\"}}, {\"Level\":\"Information\",\"MessageTemplate\":\"Publishing transaction status\",\"RenderedMessage\":\"Publishing transaction status\",\"Properties\":{\"SourceContext\":\"ApiGateway.Services.StatusUpdateService\",\"TransactionReference\":\"e4dfbba0-90cf-4e1d-9ca3-e661ace5fe1d\",\"TransactionStatus\":\"Registered\",\"OrderStatus\":\"Registered\",\"Messages\":null,\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"JobType\":\"OrderStatusUpdateTask\",\"JobRetries\":0,\"ProcessInstanceId\":2251799813733043,\"EnvironmentName\":\"Development\"}}, {\"Level\":\"Information\",\"MessageTemplate\":\"Publishing transaction status\",\"RenderedMessage\":\"Publishing transaction 
status\",\"Properties\":{\"SourceContext\":\"ApiGateway.Services.StatusUpdateService\",\"TransactionReference\":\"7ced831c-f8fd-41a2-88b1-6b564259539b\",\"TransactionStatus\":\"Registered\",\"OrderStatus\":\"Registered\",\"Messages\":null,\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"JobType\":\"OrderStatusUpdateTask\",\"JobRetries\":0,\"ProcessInstanceId\":2251799813733043,\"EnvironmentName\":\"Development\"}}, {\"Level\":\"Information\",\"MessageTemplate\":\"Publishing transaction status\",\"RenderedMessage\":\"Publishing transaction status\",\"Properties\":{\"SourceContext\":\"ApiGateway.Services.StatusUpdateService\",\"TransactionReference\":\"9f7742e7-0350-420a-9f6b-79d7bd024bc5\",\"TransactionStatus\":\"Registered\",\"OrderStatus\":\"Registered\",\"Messages\":null,\"OrderReference\":\"289e272f-2677-409b-9576-f28b2763c658\",\"JobType\":\"OrderStatusUpdateTask\",\"JobRetries\":0,\"ProcessInstanceId\":2251799813733043,\"EnvironmentName\":\"Development\"}}]" | fields _raw | spath Properties | spath input=Properties | table _time, OrderReference, TransactionReference, Type, Amount, Currency, OrderStatus | stats latest(*) as * by OrderReference TransactionReference
Right, it doesn't extract the fields, but the data is available. Using JSON functions the data can possibly be queried, but that is cumbersome.
Hi @roywan, the only way is to open a non technical ticket to Splunk Support, no other way. Ciao. Giuseppe
OK. Regardless of join or not, your search is pretty bad performance-wise because of how its initial part is built in the first place. You're doing <initial_search> | spath [...] | where <some_condition> Unfortunately, it's going to have to read and parse every single event from the given time range, which is not what you want. What is a bit tricky when approaching Splunk for the first time is that, because you're dealing with the so-called "schema on read" approach, Splunk - first and foremost - indexes values. So if you have a search saying field=value, Splunk first searches for all events containing the value, and only those events are then checked to see whether they contain that value in places corresponding to the definition of field. The more conditions you have in your initial search, the more events Splunk can discard from the initial result set (because they contain, for example, just one of two sought-for terms), so that ideally the "hit ratio" is quite high and Splunk doesn't have to work too much at parsing those intermediate search results. Your search, on the other hand, invokes the spath command on every single event that falls within the time range and only then checks the results for some condition using the where command. If your events were well-formed JSON events, you could have the sourcetype defined with KV_MODE=json and use field=value matching based on JSON fields. But even if you don't have the fields parsed automatically at the point of your initial search, you can greatly improve your search performance by adding the conditions as a "full-text search". 
So your index="my_index" | spath input=Properties | where RenderedMessage="Created a new transaction" AND 'Properties.OrderReference'="289e272f-2677-409b-9576-f28b2763c658" AND 'Properties.EnvironmentName'="Development" can be rewritten (yes, it looks a bit ugly but should be a lot faster) as index="my_index" "Created a new transaction" "289e272f-2677-409b-9576-f28b2763c658" "Development" | spath input=Properties | where RenderedMessage="Created a new transaction" AND 'Properties.OrderReference'="289e272f-2677-409b-9576-f28b2763c658" AND 'Properties.EnvironmentName'="Development"