All Posts

It is unlikely that Splunk is adding them to the data it receives - what is your ingest path, i.e. how does the data get into Splunk and what configuration have you used along the way?
Except that the screen grab you showed is not from this SimpleXML code.
I've no idea where those control characters (\n, \x etc.) are coming from. They are not in the data that the mainframe sends to Splunk.
It looks like it is the control characters which are giving you grief. You could try replacing "\x" with "\\x" and then reparsing (with spath) (you may need to remove all the other fields already parsed though)
I've already given all the details and mentioned earlier that I used your method. To be specific, I used the statement below in the "timedrop" dropdown change section, but I am still getting the NaN error:

<panel id="pqr">
  <input type="time" token="time">
    <label>DateTime</label>
    <default>
      <earliest>@d</earliest>
      <latest>now</latest>
    </default>
  </input>
</panel>
<panel id="abc">
  <input type="dropdown" token="timedrop">
    <label>Time Dropdown</label>
    <choice value="now">Now</choice>
    <choice value="+3d">3d</choice>
    <choice value="+4d">4d</choice>
    <choice value="+5d">5d</choice>
    <default>now</default>
    <change>
      <eval token="latest_Time">if(isnull('timedrop') or 'timedrop'="now",now(),relative_time(if($time.latest$="now",now(),$time.latest$), $timedrop$))</eval>
    </change>
  </input>
</panel>
All you have shown is a screen grab of something that isn't working without any detail of what you have actually tried i.e. the SimpleXML you are using in this instance. Please share some useful information.
| eval devices=mvappend(old_device,new_device) | stats values(user) as users by devices
I have 2 events from a mainframe running z/OS (not sure that affects things):
1. {"MFSOURCETYPE":"SYSLOG","DATETIME":"2024-04-24 13:35:18.05 +0100","SYSLOGSYSTEMNAME":"A090","JOBID":"STC15694","JOBNAME":"RDSONLVP","SYSPLEX":"UKPPLX01","ACTION":"INFORMATIONAL","MSGNUM":"IEF234E","MSGTXT":"IEF234E K 449F,JE5207,PVT,RDSONLVP,RDSONLVP","MSGREQTYPE":""}
2. {"MFSOURCETYPE":"SYSLOG","DATETIME":"2024-04-24 13:34:47.92 +0100","SYSLOGSYSTEMNAME":"A090","JOBID":"STC15694","JOBNAME":"RDSONLVP","SYSPLEX":"UKPPLX01","CONSOLE":"INTERNAL","ACTION":"INFORMATIONAL","MSGNUM":"IEC147I","MSGTXT":"IEC147I 613-04,IFG0195B,RDSONLVP,RDSONLVP,IIII4004,449F,JE5207,\nRDS.VPLS.PDLY0001.PFDRL.U142530.E240220\x9C\n \x80\x80","MSGREQTYPE":""}
For event 1, everything works as it should. For event 2, the MSGTXT field is coming up blank: I thought that the MSGTXT field might be populated and just not displaying because of the control characters (the mainframe doesn't use these, so not sure where they are coming from) but running rex against MSGTXT or substr still gives me nothing. Adding the search command: rex "MSGTXT(?<msgtext>.+):" does create a msgtext field with the MSGTXT plus a few more characters: ":"IEC147I 613-04,IFG0195B,RDSONLVP,RDSONLVP,IIII4004,449F,JE5207,\nRDS.VPLS.PDLY0001.PFDRL.U142530.E240220\x9C\n \x80\x80","MSGREQTYPE", so the data is in the event to be extracted. I can work with this to extract the comma-delimited field that I actually want, but it's a pain having to process this particular MSGNUM (IEC147I) differently. Any suggestions as to how to go about getting these events parsed correctly? Thanks, Steve
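The blank MSGTXT described in the post above, together with the "\x" to "\\x" replace-and-reparse workaround suggested earlier in this feed, illustrated in Python as an added example that is not from any of the posts: the JSON grammar has no \x escape, so a strict parser rejects the whole event, and doubling the backslash keeps those bytes as visible text so the comma-delimited parts of MSGTXT can be read. The two sample events are constructed from the post (trimmed to the relevant keys).

```python
import json
import re

# Constructed samples modelled on the two events in the post. The second one
# carries "\n", "\x9C" and "\x80" as literal backslash sequences (written with
# doubled backslashes here so Python keeps them literal, as in the raw event).
EVENT_CLEAN = (
    '{"MFSOURCETYPE":"SYSLOG","MSGNUM":"IEF234E",'
    '"MSGTXT":"IEF234E K 449F,JE5207,PVT,RDSONLVP,RDSONLVP","MSGREQTYPE":""}'
)
EVENT_WITH_CONTROL_CHARS = (
    '{"MFSOURCETYPE":"SYSLOG","MSGNUM":"IEC147I",'
    '"MSGTXT":"IEC147I 613-04,IFG0195B,RDSONLVP,RDSONLVP,IIII4004,449F,JE5207,'
    '\\nRDS.VPLS.PDLY0001.PFDRL.U142530.E240220\\x9C\\n \\x80\\x80",'
    '"MSGREQTYPE":""}'
)


def try_parse(raw):
    """Parse strict JSON; return None when the parser rejects the text.

    JSON escapes arbitrary characters only as \\uXXXX, so a literal "\\x9C"
    inside a string invalidates the whole document; that is why the second
    event yields an empty MSGTXT while the first parses normally.
    """
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return None


def escape_hex_sequences(raw):
    """Double the backslash of each \\xNN so JSON keeps it as visible text.

    Same repair as the "\\x" -> "\\\\x" replace suggested in the thread; the
    bytes are preserved as text rather than decoded.
    """
    return re.sub(r'\\x(?=[0-9A-Fa-f]{2})', r'\\\\x', raw)


def msgtxt_fields(raw):
    """Return the comma-delimited parts of MSGTXT, repairing the JSON if needed."""
    parsed = try_parse(raw)
    if parsed is None:
        parsed = try_parse(escape_hex_sequences(raw))
    if parsed is None:
        return None
    return parsed["MSGTXT"].split(",")
```

The repaired value still contains a real newline (from the valid \n escape) in its last part, so anything keyed on that field should expect it.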
Tried this method but for some reason I still see the same error.
Hi @gcusello, I have the Event 4776 occurring often but I have nothing in the table (see attached PDF). The alert I want is a mail when the Event 4776 is not occurring on one of the Domain Controllers. For example, if I don't have the event for 2 minutes, this is critical. So in Alert, I want a mail when the last Event occurred more than 2 minutes ago, for example. Or a message if I don't have the Event for 2 minutes. Thanks for the detail regarding the Alert parameters in Splunk.
Hey Giuseppe, the solution doesn't work since it doesn't include users who have the value of new_device inside their old_device field. Check the example in the post.
Hi @apomona, answering your questions: in _time you have the last occurrence of the EventCode; if there isn't any occurrence in the period, you don't have any value, and in this case you could add a message instead of zero: index="ad_windows" EventCode=4776 earliest=-60m@m latest=@m | eval period=if(_time>now()-60,"Last","Previous") | stats count(eval(period="Last")) AS count latest(_time) AS _time BY host | append [ | inputlookup DomainController.csv | eval count=0 | fields host count ] | stats sum(count) AS total BY host | where total=0 | eval _time=if(_time=0,"No events in the period",_time) | table host _time Avoid using Real time, because these searches are very heavy for the system: each search takes a CPU and releases it when it finishes, but RT searches never finish. A scheduled search is better, even if it runs every minute. Expire: in Splunk there isn't an expiring period for an alert; the expiring period that you see in the alert is for the results (usually 1 day or 1 week); one year, I think, is too long and consumes disk space. No, if the alert doesn't trigger an alert condition you don't have a message; if you want a message, you have to use a different search, but what's the utility of a message that says all is ok in an alert? An alert should trigger only on an error condition, not an OK condition. Ciao. Giuseppe
Hello @shabamichae, you should check the _internal index with source=*python.log. This would help understand better why the PDF creation failed and what actually is the reason for the dashboard not being part of the email attachments. I suspect that since the dashboard is complex and has multiple graphs, there should be a connectionTimeout error which you can tweak in the configuration files. However, the concrete reason and solution can be devised on the basis of the ERROR message only. Thanks, Tejas.
Hello @gcusello, I think I am getting it. So right now, I changed it so I can check for the last 2 minutes and I have as a result a table with host and _time. In _time, I have null as a result because the event is occurring in the last 2 minutes for every host. When I want to set it up as an alert, I should say: Alert Type: Real Time => so the alert is running continuously? I want it to run at minimum every minute. Expire: 365 days => the alert will run for the next year. Condition of triggering: Per results => meaning whenever the _time <> null, I will have a message? Or should I do: Personalized: _time <> null. Thanks for helping me in my new journey in Splunk
Hi @Josh1890 , please try this: <your_search> | stats dc(User) AS user_count values(User) AS user BY DeviceID | where user_count>1 Ciao. Giuseppe
is it important to know that I am sending the data via cribl workers and not using heavy forwarders?
And to answer your question, I want to see if the value of new_deviceid exists in other users old_deviceid field, meaning it was assigned to them in the past
Updated the post
Updated the post, please take a look
Hi @Josh1890, as @ITWhisperer said, some samples could help to better understand your requirement. Anyway, if I understood correctly, you want to know if the new_id was assigned in the past to some different users; in other words, if there are more users assigned the same new_id, is this correct? The relation between new_id and past_id isn't so clear to me. Anyway, in this case, you could try to run something like this: <your_search> | stats dc(user) AS user_count values(user) AS user BY new_id | where user_count>1 Ciao. Giuseppe