Hello @bowesmana  Your solution hit the spot! Thank you so much
Without knowing a bit more about your data and extracted fields, you could do something like this   | eval BROWSER=if(BROWSER="Chrome" AND match(_raw, " Edg\/"), "Edge", BROWSER)  
Hi Dear Malaysian Splunkers, as part of the SplunkTrust tasks, I have created a Splunk User Group for Kuala Lumpur, Malaysia: https://usergroups.splunk.com/kuala-lumpur-splunk-user-group/ Please join and let's discuss monthly about Splunk and getting more value from the data. See you there. Thanks. Best Regards, Sekar
Hello, I have this search for tabular format.

index="webbff" "SUCCESS: REQUEST" | table _time verificationId code BROWSER BROWSER_VERSION OS OS_VERSION USER_AGENT status | rename verificationId as "Verification ID", code as "HRC" | sort -_time

The issue is at the BROWSER column, where even when a user accesses our app via Edge it still shows as Chrome. I found a dissimilarity between the two logs. The one that is accessed via Edge contains "Edg" in the logs.

Edge logs

metadata={BROWSER=Chrome, LOCALE=, OS=Windows, USER_AGENT=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/xxx.xx (KHTML, like Gecko) Chrome/124.0.0.0 Safari/xxx.xx Edg/124.0.0.0, BROWSER_VERSION=124, LONGITUDE=, OS_VERSION=10, IP_ADDRESS=, APP_VERSION=, LATITUDE=})

Chrome logs

metadata={BROWSER=Chrome, LOCALE=, OS=Mac OS X, USER_AGENT=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/xxx.xx (KHTML, like Gecko) Chrome/124.0.0.0 Safari/xxx.xx, BROWSER_VERSION=124, LONGITUDE=, OS_VERSION=10, IP_ADDRESS=, APP_VERSION=, LATITUDE=})

My question is, how do I create a conditional search for BROWSER like: if it contains Edg then Edge, else BROWSER?
hey guys, with data retention being set, is there a way to whitelist a specific container to prevent it from being deleted?
Thank you @bowesmana,   I was looking for  | where (Check_Feature_Availability="false") AND ("a" IN ("a"))   Thank you.
I'm looking for a particular string in the list of strings. The "a" in the first part is not from a field; it's just a string that I'm trying to compare against. I'm trying to implement the following logic in Python: "word1" in ['word1', 'word2', ..., 'word_x', ]
OK, so I assume the list of strings are a, b and c, but what is the FIRST "a" in your statement "a" in ("a","b","c")? As I said in my first reply, the search statement is comparing FIELD "a" with the string values of the IN part. Is your field "a" something that has those values? For you to get all results simply by adding that AND statement would imply field "a" has "a" in all your events.
|search (Check_Feature_Availability=false) AND NOT ("Choice1" IN ("Choice1", "Choice2", "Choice3")) OR (Check_Feature_Availability=true) AND ("Choice1" IN ("Choice1", "Choice2", "Choice3"))

The list is really all the options from a multi-valued dropdown menu. The values are all different.
I am trying to dynamically alter my searched data, by utilizing a value from my data source (Check_Feature_Availability - boolean data) with a selected value from a multi-dropdown in the dashboard (list of strings).
So what is "a" in the first part of the statement? Your statement is saying: does field "a" (NOT) have a value of a, b or c? What is field "a" in your context, and do they all have the value "a"?
What I'm trying to achieve from this is to implement an "exclusive or" logic.

|search (Check_Feature_Availability=false) AND NOT ("a" IN ("a", "b", "c")) OR (Check_Feature_Availability=true) AND ("a" IN ("a", "b", "c"))

TIA
| search (Check_Feature_Availability=false) AND ("a" in ("a"))

is saying "does field "a" have a value of "a""; it is not comparing text "a" with text "a". Compare that with

| where (Check_Feature_Availability="false") AND ("a" IN ("a"))

Note the added quotes around "false". That is comparing text "a" with text "a" and will match. What is the purpose of that constraint?
It does work. See this example row/panel that creates some pseudo data and simulates what you're trying to do:

<row>
  <panel>
    <input type="dropdown" token="func_option">
      <label>Func</label>
      <choice value="Func1">Func1</choice>
      <choice value="Func2">Func2</choice>
      <choice value="Func3">Func3</choice>
    </input>
    <chart>
      <search>
        <query>| makeresults count=1000 | eval _time=_time-random() % 3600 | eval Func=mvindex(split("Func1,Func2,Func3",","), random() % 3) | eval duration=random() % 1000000 / 1000 | timechart fixedrange=t count avg(duration) by Func | fields _time avg*$func_option$ count*</query>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
        <sampleRatio>1</sampleRatio>
      </search>
      <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
      <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
      <option name="charting.axisTitleX.visibility">visible</option>
      <option name="charting.axisTitleY.visibility">visible</option>
      <option name="charting.axisTitleY2.visibility">visible</option>
      <option name="charting.axisX.abbreviation">none</option>
      <option name="charting.axisX.scale">linear</option>
      <option name="charting.axisY.abbreviation">none</option>
      <option name="charting.axisY.scale">linear</option>
      <option name="charting.axisY2.abbreviation">none</option>
      <option name="charting.axisY2.enabled">1</option>
      <option name="charting.axisY2.scale">inherit</option>
      <option name="charting.chart">column</option>
      <option name="charting.chart.bubbleMaximumSize">50</option>
      <option name="charting.chart.bubbleMinimumSize">10</option>
      <option name="charting.chart.bubbleSizeBy">area</option>
      <option name="charting.chart.nullValueMode">gaps</option>
      <option name="charting.chart.overlayFields">"avg(duration): $func_option$"</option>
      <option name="charting.chart.showDataLabels">none</option>
      <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
      <option name="charting.chart.stackMode">default</option>
      <option name="charting.chart.style">shiny</option>
      <option name="charting.drilldown">none</option>
      <option name="charting.layout.splitSeries">0</option>
      <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      <option name="charting.legend.mode">standard</option>
      <option name="charting.legend.placement">right</option>
      <option name="charting.lineWidth">2</option>
      <option name="refresh.display">progressbar</option>
      <option name="trellis.enabled">0</option>
      <option name="trellis.scales.shared">1</option>
      <option name="trellis.size">medium</option>
    </chart>
  </panel>
</row>

I can choose the Func dropdown and it will make that particular Func the chart overlay using the token.
I apologize if the following question might be a bit basic, but I'm confused with the results.

When I append the following code to the "search" line, it returns a shortened list of results (from 47 to 3):

AND ("a" in ("a"))

Original code:

index=main_service ABC_DATASET Arguments.email="my_email@company_X.com" | rename device_model as hardware, device_build as builds, device_train as trains, ABC_DATASET.Check_For_Feature_Availability as Check_Feature_Availability | search (Check_Feature_Availability=false) AND ("a" in ("a")) | table builds, trains, Check_Feature_Availability

I was expecting to see the same number of results. Am I wrong about my expectations, or am I missing something here? TIA
Use this:

index=testing | timechart max("event.Properties.duration") as maxDuration | eval maxDuration=round(maxDuration/1000, 3)
It does sound, from your data description of package, current_version, current_date, previous_version, previous_date, that a lookup may be a practical way to maintain the current state of events. Are you planning to run this search once a month or daily? It would seem that an approach might be to have a search that looks for data in the last 30 days. At this point it will have version and date info for package X. It can then do a lookup of that package to the lookup data and get 'current/previous' info for the package. It's not difficult to manage that lookup to update it, but I'm not clear on what you want from this list. As you don't know how far back a 'previous' patch was installed, you have no way of knowing how far back to search data, so the lookup will give you all that immediately. I am guessing you may also want to be looking at host+package, not just package, so depending on how many hosts/packages you have, the lookup could be reasonably big, but much depends on how often you want to read/use this data.
Thank you @PickleRick. Here is the detailed background of my requirement. I need to refer to the values from the lookup, compare them with the values in events for the same field, and derive the other field: https://community.splunk.com/t5/Splunk-Search/Help-with-splunk-search-query/m-p/685039#M233782
Could someone help me in deriving a solution for this case below?

Background: We have an app in which we set all our saved searches as durable ones, as we don't want to miss any runs. So if any scheduled search fails at its particular scheduled time due to any issues, like infra-related or resource-related ones, it will be covered in the next run. So I am trying to capture the last status even after the durable logic is applied.

Let's say I have 4 events. The first two runs (Scheduled_time=12345 AND Scheduled_time=12346) of ALERT ABC failed. In the third schedule, during 12347, those two are covered, and 12347 itself is also covered, and all are success.

So if I take a query like this first:

.. | stats last(status) by savedsearch_name scheduled_time

I get output like this:

savedsearch_name  last(status)  scheduled_time
ABC               skipped       12345
ABC               skipped       12346
ABC               success       12347

I need to write logic that takes:

A. Jobs whose last status is not success. So here ABC 12345 and ABC 12346.

B. Where durable_cursor != scheduled_time. So it will pick events for that job where multiple jobs were covered for that missed duration. In this case it will pick my EVENT 3.

C. Then I have to derive like this. Take the failed saved search job name with the scheduled time at which it failed, and check that the scheduled_time falls within the next durable_cursor and scheduled_time with status=success:

.. TAKE FAILED SAVEDSEARCH NAME TIME as FAILEDTIME | where durable_cursor!=scheduled_time | eval Flag=if(FAILEDTIME>=durable_cursor AND FAILEDTIME<=scheduled_time, "COVERED", "NOT COVERED")

with its schedule_time, and check again if that job's (with its job name) other scheduled time run falls between:

EVENT 4 : savedsearch_name = ABC ; status = success ; scheduled_time = 12347
EVENT 3 : savedsearch_name = ABC ; status = success ; durable_cursor = 12345 ; scheduled_time = 12347
EVENT 2 : savedsearch_name = ABC ; status = skipped ; scheduled_time = 12346
EVENT 1 : savedsearch_name = ABC ; status = skipped ; scheduled_time = 12345

How I derived it so far, and where I am stuck: I took this in two reports.

First report: it will take all the jobs whose last status is not success and table the output with fields SAVEDSEARCH NAME, SCHEDULEDTIME AS FAILEDTIME, LAST(STATUS) as FAILEDSTATU. Then I saved this result in a lookup. This has to run for the last one hour window.

Second report: it will refer to the lookup, take the failed savedsearch names from the lookup, search only those events in the Splunk internal sets, and search only the events where durable_cursor!=scheduled_time, and then check if that failed savedsearch time falls within durable_cursor and the next scheduled_time and check if status is success.

This is working fine if I have one savedsearch job for one time, but not for multivalues. Let's say Job A itself has four runs in an hour and, except for the first, all are failures. In this case I could not cover it, as referring to values from the lookup as a multivalue field is not matching the exact stuff. Here is the question I posted for the same: https://community.splunk.com/t5/Splunk-Search/How-to-retrieve-value-from-lookup-for-multivalue-field/m-p/684637#M233699

If somebody has any alternate or better thoughts on this, can you please throw some light on it.
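Steps A to C above, carried out outside Splunk over constructed events as an added example (not code from the post or from Splunk): the four ABC events from the question, plus a second search, XYZ, with two failed runs to show the several-failures-per-search case the lookup approach could not handle. Field names follow the post; the event list is made up.

```python
from collections import defaultdict

# Constructed sample events in the shape the question describes (not real
# _internal data). ABC mirrors the four events in the post; XYZ is added to
# exercise a search with several failed runs, one covered and one not.
EVENTS = [
    {"savedsearch_name": "ABC", "status": "skipped", "scheduled_time": 12345},
    {"savedsearch_name": "ABC", "status": "skipped", "scheduled_time": 12346},
    {"savedsearch_name": "ABC", "status": "success", "scheduled_time": 12347,
     "durable_cursor": 12345},
    {"savedsearch_name": "ABC", "status": "success", "scheduled_time": 12347},
    {"savedsearch_name": "XYZ", "status": "skipped", "scheduled_time": 200},
    {"savedsearch_name": "XYZ", "status": "skipped", "scheduled_time": 300},
    {"savedsearch_name": "XYZ", "status": "success", "scheduled_time": 400,
     "durable_cursor": 300},
]


def last_status_by_run(events):
    """Equivalent of `| stats last(status) by savedsearch_name scheduled_time`:
    events are processed in order, so the final status seen for a run wins."""
    last = {}
    for ev in events:
        last[(ev["savedsearch_name"], ev["scheduled_time"])] = ev["status"]
    return last


def failed_runs(events):
    """Step A: (name, scheduled_time) pairs whose last status is not success."""
    return sorted(run for run, st in last_status_by_run(events).items()
                  if st != "success")


def coverage(events):
    """Steps B and C: flag each failed run COVERED when a later success run of
    the same search has a back-fill window [durable_cursor, scheduled_time]
    that contains the failed run's scheduled_time. A success event with no
    durable_cursor back-filled nothing, matching `durable_cursor!=scheduled_time`."""
    windows = defaultdict(list)
    for ev in events:
        cursor = ev.get("durable_cursor")
        if (ev["status"] == "success" and cursor is not None
                and cursor != ev["scheduled_time"]):
            windows[ev["savedsearch_name"]].append((cursor, ev["scheduled_time"]))
    result = {}
    for name, failed_time in failed_runs(events):
        covered = any(lo <= failed_time <= hi for lo, hi in windows[name])
        result[(name, failed_time)] = "COVERED" if covered else "NOT COVERED"
    return result
```

Because the failed runs are keyed by (name, scheduled_time) rather than collapsed into one multivalue lookup row per search, every missed run is checked individually against every back-fill window of that search.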
Do you actually care what order the data is returned in? You are simply adding it to the summary index. The _time written to the summary will be whatever you want it to be, so just ignore the message; I don't believe it will affect the data in the summary.