All Posts

To get you started, here's a number of links for you to read and work through. In short, you need the nix TA, UF and configure inputs and outputs based on your requirements.
#This shows you the TA Required (Nix TA)
https://splunkbase.splunk.com/app/833
#This shows you the OS Supported = MacOS is listed
https://docs.splunk.com/Documentation/AddOns/latest/UnixLinux/About
#Read the release notes
https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Releasenotes
And you will need to install a Universal Forwarder for the MacOS + configure outputs and TA inputs
https://www.splunk.com/en_us/download/universal-forwarder.html

I am not sure why you are getting different results in Fast and Verbose mode, but there appear to be some oddities with your search:
| eval newtime=strftime(_time,"%m/%d/%y %H:%M:%S")
This creates a string - what is the maximum of a string?
| stats ... max(newtime) as "event time"
Field times does not exist (after previous stats command):
| eval times=mvindex(times, 0, 2)
I am not sure whether these make a difference though.

Hello all,
I am using SplunkCloud. I have been looking on the forum yesterday in order to create an alert when an Event is not detected. My idea is to send a mail when the Event 4776 is not detected.
The closest I have is this:
index ="*" | where ComputerName="ComputerName" | search EventCode=4776
This gives me every event 4776 on the device ComputerName. I wanted to add
earliest=-2m@m latest=-1m@m
like I saw on different places, but the result goes to 0 while I know this event is sent multiple times per second (multiple like 100 times).
Second question, when I save as an Alert, I specify: Real Time, Trigger when Specified: search count =0
Is this right? I saw people saying results=0 but I have this error: Cannot parse alert condition. Unknown search command 'results'.
Thanks for the help

I have a time picker & a time dropdown which has static values.
<panel id="pqr">
  <input type="time" token="time">
    <label>DateTime</label>
    <default>
      <earliest>@d</earliest>
      <latest>now</latest>
    </default>
  </input>
</panel>
<panel id="abc">
  <input type="dropdown" token="timedrop">
    <label>Time Dropdown</label>
    <choice value="now">Now</choice>
    <choice value="+3d">3d</choice>
    <choice value="+4d">4d</choice>
    <choice value="+5d">5d</choice>
    <default>now</default>
    <change>
      <eval token="latest_Time">if('timedrop'="now",now(),relative_time(if($time.latest$="now",now(),$time.latest$), $timedrop$))</eval>
    </change>
  </input>
</panel>
The expectation is: if Now is selected in timedrop, the data till now should load. If +3d is selected in timedrop, then +3d should be added to the time.latest token (coming from the time picker), and so on. On load (by default Today is selected), latest_Time is returning NaN, but if I select a specific time range (say 8th April 10AM-11AM) & timedrop as 3d, it is working as expected.

Hi ITWhisperer, exactly this very simple elegant solution I needed. Thank you very much. Works fine.
I am really struggling to add my macOS data into Splunk, just like how we can upload the event logs of Windows. Are there any add-ons that I can install to help me do this? If there are, can anyone explain how to configure them and make them work?

Hi,
Below is the dashboard query which works fine for EC2 Port Probe events, but the rest of the events are not displayed in the dashlet. When we check with the "open in search" option, we find events in the Events tab and not in Statistics after changing the mode from Fast to Verbose. Please help here.
index="aws_generic" source="aws.guardduty" detail.type=Discovery:S3/AnomalousBehavior*
| eval newtime=strftime(_time,"%m/%d/%y %H:%M:%S")
| rex field=host (?<service>.*):(?<cloudprovider>.*):(?<region>.*):(?<cluster>.*):(?<role>.*):(?<stagingarea>.*)
| stats sparkline(count) as history max(newtime) as "event time" by stagingarea detail.region detail.type detail.severity detail.description detail.accountId detail.id
| eval times=mvindex(times, 0, 2)
| sort - "event time" detail.severity
| table "event time","detail.accountId","detail.region","detail.severity","history","detail.type","detail.description"
| rename "event time" as "Event Time","detail.accountId" as "AWS Account ID","detail.region" as "AWS Region","detail.type" as "Finding Type","detail.severity" as "Severity","history" as "Event History","detail.description" as "Description"

Hi, I am calculating the difference between two search results as below. Sometimes the panel takes a bit of time to return the results, thus the variance is showing a false count. Could you please suggest how to fix this? Thanks in advance.
SPL:
| makeresults
| eval variance=$MA:result.macoscount$ - $COSMOS:result.cosmacount$
| table variance
Issue: the middle panel (with blue color) result is "MA to COSMOS value" - "COSMOS to P.H.B"

My environment just moved to JSM for monitoring and solving alerts, and we since have lost a functionality where we could link back to the Splunk Search the alert originated from, when an alert is triggered and sent to the alert center. I wonder if there is a way to do this with this add-on?
That is puzzling. If I understand correctly, you're talking about the host_regex setting of the monitor input, right? The docs don't say that there is any kind of escaping required. If it is however, it would be great if you posted a docs feedback (there is a form at the bottom of https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf ) describing your situation and how it differs from the described state.
Rather than setting the value to true, set it to the line you want in your search:
<input type="checkbox" token="LastOne_tkn">
  <label>Dedup</label>
  <choice value="| dedup Attr1">Dedup</choice>
  <default></default>
  <initialValue></initialValue>
</input>
Then use the token in your search:
index=machinedata $LastOne_tkn$ | table Attr1, Attr2

I cannot understand why you say you are not getting a "table". Using the lookup sample you gave and the two code samples @bowesmana gave, these are results from my instance:
1. Transpose alone
2. Transpose + foreach
Both are just like table. Are they not?

It works, I have an IP list based on the specified system name (prod etc). Now how can I associate this list with a search? So that the list of IPs displayed by this query can be attached to dscip:
| search sourcetype="new" DstIP=(list of above ip)

Rest assured, if I had any suggestions, I would have given them by now.
OK so I'll ask again another way, what output would you like, for example from the 8 lines you shared earlier?
Thanks @ITWhisperer  , it worked 
If I understand your question correctly, you want to group matching messages so they are displayed as a single string like "file put successfully", not separately as "Inbound file processed successfully GL1025pcardBCAXX8595143691007", "File put Succesfully GL1025pcardBCAXX8595143691007", and so on. This is a common requirement. But in addition to unnecessary asterisks in regexes as @ITWhisperer points out, you should group them before performing stats. Here is the code:
| eval message = if(match(message, "File put Succesfully|Successfully created file data|Archive file processed successfully|Summary of all Batch|processed successfully for file name|ISG successful Call|Inbound file processed successfully|ISG successful Call"), "file put successfully", message)
| stats values(message) as message
Suppose you have events with the following values of message:
message
Inbound file processed successfully GL1025pcardBCAXX8595143691007
Inbound file processed successfully GL1025pcardBCAXX8595144691006
Inbound file processed successfully GL1025pcardBCAXX8732024191001
Inbound file processed successfully GL1025transBCAXX8277966711002
File put Succesfully GL1025pcardBCAXX8595143691007
File put Succesfully GL1025pcardBCAXX8595144691006
File put Succesfully GL1025pcardBCAXX8732024191001
File put Succesfully GL1025transBCAXX8277966711002
some unmatching value
some other unmatching value
The result will be:
message
file put successfully
some other unmatching value
some unmatching value
Is this what you are looking for?
Here is an emulation that you can play with and compare with real data:
| makeresults
| eval message = mvappend("Inbound file processed successfully GL1025pcardBCAXX8595143691007", "Inbound file processed successfully GL1025pcardBCAXX8595144691006", "Inbound file processed successfully GL1025pcardBCAXX8732024191001", "Inbound file processed successfully GL1025transBCAXX8277966711002", "File put Succesfully GL1025pcardBCAXX8595143691007", "File put Succesfully GL1025pcardBCAXX8595144691006", "File put Succesfully GL1025pcardBCAXX8732024191001", "File put Succesfully GL1025transBCAXX8277966711002", "some unmatching value", "some other unmatching value")
| mvexpand message
``` data emulation above ```

I have an sc4s deployment running in an EC2 instance. I followed the documentation provided here: https://splunk.github.io/splunk-connect-for-syslog/main/. I have a C# application running inside Docker on the same host where sc4s is running. My application is able to send syslog data on port 514 and the same is visible in the Splunk Cloud dashboard under the sourcetype sc4s:fallback.
I am running the same application on my Windows local machine, trying to send data to the same port and Linux machine IP. Data is sent to the host machine because I can see it in the TCP dump, but sc4s is not ingesting the data into Splunk Cloud.
What should be my next step in debugging? I have tried everything from my side but still am not able to figure out what the issue is with my sc4s deployment.

@ITWhisperer++++ Any suggestions pls?
Cheers Rick,
The regex I ended up with is like this: (?:.*)\/(\w*). The one you suggested, (?:.*)/(\w*), didn't work.
Thanks, Alex