All Posts


I have 2 events from a mainframe running z/OS (not sure that affects things):

1. {"MFSOURCETYPE":"SYSLOG","DATETIME":"2024-04-24 13:35:18.05 +0100","SYSLOGSYSTEMNAME":"A090","JOBID":"STC15694","JOBNAME":"RDSONLVP","SYSPLEX":"UKPPLX01","ACTION":"INFORMATIONAL","MSGNUM":"IEF234E","MSGTXT":"IEF234E K 449F,JE5207,PVT,RDSONLVP,RDSONLVP","MSGREQTYPE":""}

2. {"MFSOURCETYPE":"SYSLOG","DATETIME":"2024-04-24 13:34:47.92 +0100","SYSLOGSYSTEMNAME":"A090","JOBID":"STC15694","JOBNAME":"RDSONLVP","SYSPLEX":"UKPPLX01","CONSOLE":"INTERNAL","ACTION":"INFORMATIONAL","MSGNUM":"IEC147I","MSGTXT":"IEC147I 613-04,IFG0195B,RDSONLVP,RDSONLVP,IIII4004,449F,JE5207,\nRDS.VPLS.PDLY0001.PFDRL.U142530.E240220\x9C\n \x80\x80","MSGREQTYPE":""}

For event 1, everything works as it should. For event 2, the MSGTXT field is coming up blank. I thought that the MSGTXT field might be populated and just not displaying because of the control characters (the mainframe doesn't use these, so not sure where they are coming from), but running rex against MSGTXT or substr still gives me nothing. Adding the search command

rex "MSGTXT(?<msgtext>.+):"

does create a msgtext field with the MSGTXT plus a few more characters:

":"IEC147I 613-04,IFG0195B,RDSONLVP,RDSONLVP,IIII4004,449F,JE5207,\nRDS.VPLS.PDLY0001.PFDRL.U142530.E240220\x9C\n \x80\x80","MSGREQTYPE"

so the data is in the event to be extracted. I can work with this to extract the comma-delimited field that I actually want, but it's a pain having to process this particular MSGNUM (IEC147I) differently. Any suggestions as to how to go about getting these events parsed correctly?

Thanks,
Steve
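The following is an added example, not code from the post above or from Splunk. It rebuilds the two quoted events as Python byte strings and shows why a strict JSON parser gives up on the second one, then a tolerant parse and a corrected regex fallback. Two assumptions are baked in and marked in the code: that the \x9C and \x80 shown in the post are single raw bytes in the indexed data (not the four-character text "\x9C"), and that the \n inside MSGTXT is the two-character escape rather than a real newline; the lenient parser tolerates a real newline as well.

```python
"""Parse z/OS SYSLOG JSON events whose MSGTXT carries stray C1 control bytes."""
import json
import re

# Constructed sample events modelled on the two events quoted in the post.
# Assumption: the \x9C and \x80 shown in the post are single raw bytes in the
# indexed data, and the \n is the two-character escape, not a real newline.
EVENT_1 = (
    b'{"MFSOURCETYPE":"SYSLOG","DATETIME":"2024-04-24 13:35:18.05 +0100",'
    b'"SYSLOGSYSTEMNAME":"A090","JOBID":"STC15694","JOBNAME":"RDSONLVP",'
    b'"SYSPLEX":"UKPPLX01","ACTION":"INFORMATIONAL","MSGNUM":"IEF234E",'
    b'"MSGTXT":"IEF234E K 449F,JE5207,PVT,RDSONLVP,RDSONLVP","MSGREQTYPE":""}'
)
EVENT_2 = (
    b'{"MFSOURCETYPE":"SYSLOG","DATETIME":"2024-04-24 13:34:47.92 +0100",'
    b'"SYSLOGSYSTEMNAME":"A090","JOBID":"STC15694","JOBNAME":"RDSONLVP",'
    b'"SYSPLEX":"UKPPLX01","CONSOLE":"INTERNAL","ACTION":"INFORMATIONAL",'
    b'"MSGNUM":"IEC147I","MSGTXT":"IEC147I 613-04,IFG0195B,RDSONLVP,RDSONLVP,'
    b'IIII4004,449F,JE5207,\\nRDS.VPLS.PDLY0001.PFDRL.U142530.E240220\x9c\\n'
    b' \x80\x80","MSGREQTYPE":""}'
)

C1_CONTROLS = re.compile(r"[\x80-\x9f]")  # C1 control characters U+0080..U+009F
# Non-greedy capture of the MSGTXT JSON string body, honouring backslash escapes
# (the greedy .+ used in the post runs on to the last ':' in the event).
MSGTXT_RE = re.compile(r'"MSGTXT":"((?:[^"\\]|\\.)*)"')


def parse_strict(raw: bytes):
    """Strict UTF-8 JSON parse; returns None when the event is rejected.

    A lone 0x9C or 0x80 byte is not valid UTF-8, so the decode step fails
    before the JSON grammar is even looked at."""
    try:
        return json.loads(raw)
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None


def parse_lenient(raw: bytes) -> dict:
    """Decode byte-for-byte (latin-1 never fails), drop C1 controls and accept
    raw control characters inside strings (strict=False), then parse."""
    text = C1_CONTROLS.sub("", raw.decode("latin-1"))
    return json.loads(text, strict=False)


def msgtxt_fallback(raw: bytes) -> str:
    """Regex extraction of MSGTXT for events the JSON parser will not accept."""
    m = MSGTXT_RE.search(raw.decode("latin-1"))
    return m.group(1) if m else ""


def msgtxt_fields(msgtxt: str) -> list:
    """Split message text into its comma-delimited fields, ignoring the
    line-break escapes, real newlines and control characters around them."""
    cleaned = C1_CONTROLS.sub("", msgtxt.replace("\\n", "").replace("\n", ""))
    return [f.strip() for f in cleaned.split(",")]


if __name__ == "__main__":
    print("strict parse of event 2:", parse_strict(EVENT_2))
    print("lenient MSGTXT fields:", msgtxt_fields(parse_lenient(EVENT_2)["MSGTXT"]))
    print("regex fallback fields: ", msgtxt_fields(msgtxt_fallback(EVENT_2)))
```

The point of the contrast is that the data is intact and the JSON is well formed apart from the two stray bytes, so cleaning the bytes before the JSON parser sees them (in Splunk terms, a props.conf SEDCMD at index time rather than a per-MSGNUM rex at search time) removes the need to special-case IEC147I.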
Tried this method but for some reason I still see the same error.   
Hi @gcusello, I have the Event 4776 occurring often but I have nothing in the table (see attached PDF). The alert I want is a mail when the Event 4776 is not occurring on one of the Domain Controllers. For example, if I don't have the event for 2 minutes, this is critical. So in Alert, I want a mail when the last Event occurred more than 2 minutes ago, for example. Or a message if I don't have the Event for 2 minutes. Thanks for the detail regarding the Alert parameters in Splunk.
Hey Giuseppe, the solution doesn't work since it doesn't include users who have the value of new_device inside their old_device field. Check the example in the post.
Hi @apomona, answering your questions: in _time you have the last occurrence of the EventCode; if there isn't any occurrence in the period, you don't have any value. In this case you could add a message instead of zero:

index="ad_windows" EventCode=4776 earliest=-60m@m latest=@m
| eval period=if(_time>now()-60,"Last","Previous")
| stats count(eval(period="Last")) AS count latest(_time) AS _time BY host
| append [ | inputlookup DomainController.csv | eval count=0 | fields host count ]
| stats sum(count) AS total latest(_time) AS _time BY host
| where total=0
| eval _time=if(isnull(_time),"No events in the period",_time)
| table host _time

Avoid using real-time searches, because they are very heavy for the system: each search takes a CPU and releases it when it finishes, but RT searches never finish. A scheduled search is better, even if it runs every minute. Expire: in Splunk there isn't an expiring period for an alert; the expiring period that you see in the alert is for the results (usually 1 day or 1 week). One year, I think, is too large and disk-space consuming. No, if the alert doesn't trigger an alert condition you don't have a message; if you want a message, you have to use a different search, but what's the utility of an "all OK" message in an alert? An alert should trigger only on an error condition, not an OK condition. Ciao. Giuseppe
Hello @shabamichae, you should check the _internal index with source=*python.log. This would help you understand better why the PDF creation failed and what the actual reason is for the dashboard not being part of the email attachments. I suspect that since the dashboard is complex and has multiple graphs, there is a connectionTimeout error, which you can tweak in the configuration files. However, the concrete reason and solution can be devised only on the basis of the ERROR message. Thanks, Tejas.
Hello @gcusello, I think I am getting it. So right now, I changed it so I can check for the last 2 minutes and I have as a result a table with host and _time. In _time, I have null as a result because the event is occurring in the last 2 minutes for every host. When I want to set it up as an alert, I should say: Alert Type: Real Time => so the alert is running continuously? I want it to run at least every minute. Expire: 365 days => the alert will run for the next year. Condition of triggering: Per result => meaning whenever _time <> null, I will have a message? Or should I do: Custom: _time <> null. Thanks for helping me in my new journey in Splunk.
Hi @Josh1890, please try this:

<your_search>
| stats dc(User) AS user_count values(User) AS user BY DeviceID
| where user_count>1

Ciao. Giuseppe
Is it important to know that I am sending the data via Cribl workers and not using heavy forwarders?
And to answer your question, I want to see if the value of new_deviceid exists in other users' old_deviceid field, meaning it was assigned to them in the past.
Updated the post
Updated the post, please take a look
Hi @Josh1890, as @ITWhisperer said, some samples could help to better understand your requirement. Anyway, if I understood correctly, you want to know if the new_id was assigned in the past to some different users; in other words, whether there are more users with the same new_id assigned. Is this correct? The relation between new_id and past_id isn't so clear to me. Anyway, in this case, you could try to run something like this:

<your_search>
| stats dc(user) AS user_count values(user) AS user BY new_id
| where user_count>1

Ciao. Giuseppe
I have nothing to add, except to say that I have observed the same bug, where the server classes that use machine filtering display the incorrect clients in the UI. The bug remains in version 9.2.1.
@Splunkerninja, this is clearly not due to the row separation but to the formation of the URL for getting the search results. So if the current dashboard is working for you with the search-result URL, just make the first change by closing the </row> after the table panel and opening another <row> element before the html element. This will ensure that the existing dashboard keeps working as expected. As a second step, change the visibility of the row where the table is listed by setting a "depends" clause with a non-existent token.
Hi @apomona, this search is an alert that triggers when the EventCode is missed, saying that for the missed host you didn't receive any event in the last minute, but you don't have information about when you received the last event. If you want a report about the periods when the EventCode is missed, you should use a different search:

index="ad_windows" EventCode=4776 earliest=-60m@m latest=@m
| eval period=if(_time>now()-60,"Last","Previous")
| stats count(eval(period="Last")) AS count latest(_time) AS _time BY host
| append [ | inputlookup DomainController.csv | eval count=0 | fields host count ]
| stats sum(count) AS total latest(_time) AS _time BY host
| where total=0
| table host _time

In this way, you check if all the hosts in the lookup sent events with the above EventCode and, when missed, also the last event in the last hour. Ciao. Giuseppe
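The following is an added example, not part of the thread or of Splunk, that simulates in Python the logic of the "missing EventCode 4776 per domain controller" search given in Giuseppe's two replies above (the one with the "No events in the period" message and the report variant). It uses constructed events and a constructed host list with hypothetical names (dc01, dc02, dc03, dc99) standing in for the index search and the DomainController.csv lookup, and shows the two cases the search has to distinguish: a controller that went quiet but has a known last event, and one that never logged inside the search window and therefore has no last-event time at all.

```python
"""Simulate the 'missing EventCode 4776 per domain controller' alert logic."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample data with hypothetical host names (not from the thread).
# EVENTS stands in for index="ad_windows" EventCode=4776 earliest=-60m@m latest=@m,
# DOMAIN_CONTROLLERS for the DomainController.csv lookup.
NOW = datetime(2024, 4, 24, 13, 0, 0, tzinfo=timezone.utc)
QUIET = timedelta(minutes=2)           # the "no event for 2 minutes" threshold
MISSING_MSG = "No events in the period"
DOMAIN_CONTROLLERS = ["dc01", "dc02", "dc03"]
EVENTS: List[Tuple[str, datetime]] = [
    ("dc01", NOW - timedelta(seconds=30)),  # healthy: seen inside the quiet window
    ("dc01", NOW - timedelta(minutes=20)),
    ("dc02", NOW - timedelta(minutes=7)),   # quiet for 7 min, last event known
    ("dc02", NOW - timedelta(minutes=40)),
    # dc03: in the lookup but no 4776 at all in the window -> last event unknown
    ("dc99", NOW - timedelta(minutes=61)),  # before earliest=-60m: not searched
]


def silent_hosts(events: Iterable[Tuple[str, datetime]],
                 lookup_hosts: Iterable[str],
                 now: datetime,
                 window: timedelta = timedelta(minutes=60),
                 quiet: timedelta = timedelta(seconds=60)) -> Dict[str, Optional[datetime]]:
    """Return {host: last_seen_or_None} for hosts with zero events in the last
    `quiet` interval. Mirrors the SPL:
        stats count(eval(period="Last")) AS count latest(_time) AS _time BY host
        | append [ inputlookup ... | eval count=0 ]
        | stats sum(count) AS total latest(_time) AS _time BY host
        | where total=0
    Lookup hosts with no events in the window come back with None, which is
    the null _time the thread discusses."""
    earliest = now - window
    recent_count: Dict[str, int] = {}
    last_seen: Dict[str, datetime] = {}
    for host, ts in events:
        if not (earliest <= ts < now):
            continue                      # outside earliest/latest
        last_seen[host] = max(last_seen.get(host, ts), ts)
        if ts > now - quiet:              # period="Last"
            recent_count[host] = recent_count.get(host, 0) + 1
    universe = set(last_seen) | set(lookup_hosts)   # the append/sum BY host union
    return {h: last_seen.get(h) for h in sorted(universe) if recent_count.get(h, 0) == 0}


def alert_rows(silent: Dict[str, Optional[datetime]]) -> List[Tuple[str, str]]:
    """Render like `table host _time`, substituting the message for a null _time."""
    return [(h, ts.strftime("%Y-%m-%d %H:%M:%S") if ts else MISSING_MSG)
            for h, ts in silent.items()]


if __name__ == "__main__":
    for row in alert_rows(silent_hosts(EVENTS, DOMAIN_CONTROLLERS, NOW, quiet=QUIET)):
        print(row)
```

Note that a host outside the lookup is only reported if it logged earlier in the window and then went quiet; a host that has never logged and is not in the lookup is invisible to this logic, which is why the lookup of expected controllers is what makes the alert trustworthy.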
Hi, I have set up a scheduled PDF report of a complex dashboard with several graphs to be emailed; unfortunately I keep getting a timeout error. The dashboard takes about 2 minutes to display. A simple dashboard with a single graph works perfectly, so I'm sure the rest of the config is okay. What I did notice, however, is that I receive the email with the following error about a minute after the report was scheduled: "Scheduled view delivery. An error occurred while generating the PDF. Please see python.log for details." Please help.
Please can you share some anonymised representative events demonstrating your issue?
Thanks @richgalloway, please find the attached snaps, as I am restricted to the GUI.
Try like this:

<panel id="pqr">
  <input type="time" token="time">
    <label>DateTime</label>
    <default>
      <earliest>@d</earliest>
      <latest>now</latest>
    </default>
  </input>
</panel>
<panel id="abc">
  <title>Latest time token $latest_Time$</title>
  <input type="dropdown" token="timedrop">
    <label>Time Dropdown</label>
    <choice value="now">Now</choice>
    <choice value="+3d">3d</choice>
    <choice value="+4d">4d</choice>
    <choice value="+5d">5d</choice>
    <default>now</default>
    <change>
      <eval token="latest_Time">if(isnull('timedrop') or 'timedrop'="now",now(),relative_time(if($time.latest$="now",now(),$time.latest$), $timedrop$))</eval>
    </change>
  </input>
</panel>

There doesn't seem to be a way to set an initial value on a time input - perhaps this is a bug?