All Posts

I am trying to query audit logs from Splunk. The logs are for Azure, but when I run the query below, it only returns the text fields and not the object or array fields like initiatedBy and targetResources. Do I need to query this data in a different manner?

index="directoryaudit" | fields id activityDisplayName result operationType correlationId initiatedBy resultReason targetResources category loggedByService activityDateTime
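Why the `fields` command above drops initiatedBy and targetResources, with a query that pulls them out, as an added example that is not part of the original post: when Splunk extracts JSON, nested objects become dotted field names (initiatedBy.user.userPrincipalName) and array members get a {} suffix (targetResources{}.displayName), so a bare `fields initiatedBy` names a field that does not exist. `fields initiatedBy.* targetResources{}.*` would keep them, but an audit entry with several targets then comes back as parallel multivalue fields with the pairing between type, displayName and userPrincipalName lost, which is exactly what a reviewer needs intact (who did it, to what). The query below instead expands one row per target resource. It assumes the events are raw JSON in _raw and follow the Microsoft Graph directoryAudit schema (initiatedBy.user or initiatedBy.app, targetResources[] with type, displayName and userPrincipalName); the output names actor, target_type, target_name and target_upn are my own.

```spl
index="directoryaudit"
| rename COMMENT AS "assumes Microsoft Graph directoryAudit JSON in _raw; a user-initiated entry fills initiatedBy.user, an app-initiated one fills initiatedBy.app"
| spath path=initiatedBy.user.userPrincipalName output=actor_user
| spath path=initiatedBy.app.displayName output=actor_app
| eval actor=coalesce(actor_user, actor_app)
| spath path=targetResources{} output=target
| mvexpand target
| spath input=target path=type output=target_type
| spath input=target path=displayName output=target_name
| spath input=target path=userPrincipalName output=target_upn
| table activityDateTime activityDisplayName category operationType result resultReason loggedByService correlationId actor target_type target_name target_upn
```

`spath path=targetResources{}` returns each array element as one multivalue entry holding the element's JSON; `mvexpand` turns those into separate rows, and the second round of `spath input=target` reads fields out of each element. If the source type already has KV_MODE=json or INDEXED_EXTRACTIONS=json, the dotted fields exist without the first two `spath` calls, but the expand-per-target step is still needed to keep the target columns aligned.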
Thank you so much @deepakc  Your answer has been very helpful!
Thank you @ITWhisperer. I used your recommended query as below but was unable to get any output:

index=test1 sourcetype=test2 EVENT A
| bin Event_Time span=1s
| sort 0 Event_Time
| fieldformat Event_Time=strftime(Event_Time, "%m/%d/%y %H:%M:%S")

Please see below my old Splunk query being used, using the Splunk default "_time" field:

index=test1 sourcetype=test2 EVENT A
| bucket span=1s _time
| stats count AS EventPerSec by _time
| timechart span=1d max(EventPerSec)

Ultimately, in this query, I want to replace "_time" with "Event_Time", which is more accurate than "_time". Note that there can be multiple events in my data occurring at the exact same time (to the seconds value). So basically, my query finds the peak "EventPerSec" value in 1 day. Hope this explanation helps.
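A version of the peak-per-day search keyed on Event_Time, as an added example that is not from the original thread. `bin` and `timechart` both need epoch seconds: `timechart` always buckets on _time, and `bin Event_Time span=1s` only does anything if Event_Time is already numeric. So the search converts Event_Time when it is a string, buckets and counts on it, copies the result into _time, and only then calls timechart. The strptime format "%Y-%m-%d %H:%M:%S.%3N" is an assumption about how Event_Time is stored; replace it with the format actually in the data.

```spl
index=test1 sourcetype=test2 EVENT A
| rename COMMENT AS "Event_Time is assumed to be either epoch seconds or a string like 2024-04-19 13:05:07.123; adjust the strptime format to match your data"
| eval Event_Time=if(isnum(Event_Time), Event_Time, strptime(Event_Time, "%Y-%m-%d %H:%M:%S.%3N"))
| bin Event_Time span=1s
| stats count AS EventPerSec BY Event_Time
| eval _time=Event_Time
| timechart span=1d max(EventPerSec) AS PeakEventsPerSec
```

The `eval _time=Event_Time` step is what makes `timechart` group by the application's own timestamp instead of the index time; the time range picker still selects events by the original _time, so widen it slightly when Event_Time and _time drift apart.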
Data rolls off for a few reasons. Data arrives in Splunk, and it then needs to move through HOT/WARM > COLD/FROZEN; otherwise data will build up and you will run out of space.

1. Warm buckets move to cold when either the homePath or maxWarmDBCount reaches its limit.
2. Cold buckets are deleted when either the frozenTimePeriodInSecs or maxTotalDataSizeMB reaches its limit.

This may help show why it's moving; see the event_message field:

index=_internal sourcetype=splunkd component=BucketMover
| fields _time, bucket, candidate, component, event_message, from, frozenTimePeriodInSecs, host, idx, latest, log_level, now, reason, splunk_server, to
| fieldformat "now"=strftime('now', "%Y/%m/%d %H:%M:%S")
| fieldformat "latest"=strftime('latest', "%Y/%m/%d %H:%M:%S")
| eval retention_days = frozenTimePeriodInSecs / 86400
| table _time, component, bucket, from, to, candidate, event_message, frozenTimePeriodInSecs, retention_days, host, idx, now, latest, reason, splunk_server, log_level

You apply config via indexes.conf for the index for disk constraints by configuring the various options:

Settings:
frozenTimePeriodInSecs = (Retention period in seconds; old bucket data is deleted (option to freeze it) based on the newest event)
maxTotalDataSizeMB = (Limits the overall size of the index; hot, warm and cold move to frozen)
maxVolumeDataSizeMB = (Limits the total size of all databases that reside on this volume)
maxWarmDBCount = (The maximum number of warm buckets; above it, warm buckets move to cold)
maxHotBuckets = (The number of actively written open buckets; when exceeded, a bucket moves to the warm state)
maxHotSpanSecs = (Specifies how long a bucket remains in the hot/warm state before moving to cold)
maxDataSize = (Specifies the size that a hot bucket can reach before splunkd triggers a roll to warm)
maxVolumeDataSizeMB = (Overall volume size limit)
homePath.maxDataSizeMB = (Limits the individual index size)
coldPath.maxDataSizeMB = (Limits the individual index size)

See indexes.conf for details: https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Indexesconf
I'll check them out, thanks! @isoutamo 
Hi. This is a quite often asked and answered question. You can find many answers via Google with the search phrase "site:community.splunk.com index retention time". r. Ismo
Hi. Here is an excellent presentation about event distribution: "Best practises for Data Collection - Richard Morgan". You can find it at least on the SlideShare service. r. Ismo
Did you manage to get a solution for this? For me as well this fails. But the relative thing works, like -1d and so on, but this does not: MM/dd/yyyy':'HH:mm:ss
Hello guys... I have this task to investigate why indexes roll off data before retention age. From my findings, it shows the number of warm buckets exceeded. Here's what the index configuration looks like. How can I fix this?

[wall]
repFactor = auto
coldPath = volume:cold/customer/wall/colddb
homePath = volume:hot_warm/customer/wall/db
thawedPath = /splunk/data/cold/customer/wall/thaweddb
frozenTimePeriodInSecs = 34186680
maxHotBuckets = 10
maxTotalDataSizeMB = 400000
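A check that puts the effective limits next to the actual bucket state for the [wall] index, as an added example rather than something posted in the thread. It rests on two points from the settings list in the earlier reply: warm buckets beyond maxWarmDBCount roll to cold, which deletes nothing, and a cold bucket is only frozen when its newest event is older than frozenTimePeriodInSecs or the whole index has grown past maxTotalDataSizeMB. The [wall] stanza above does not set maxWarmDBCount (the indexes.conf default is 300), caps the index at 400000 MB and keeps data for 34186680 seconds, about 396 days, so the size cap is the first thing to compare against. The search assumes it is run from a search head that can reach the indexers; dbinspect and rest are standard commands, and the column names buckets, size_mb, oldest_bucket_days and retention_days are my own.

```spl
| dbinspect index=wall
| rename COMMENT AS "one row per bucket from every peer; endEpoch is the newest event in the bucket, so its age tells whether frozenTimePeriodInSecs could already apply"
| eval age_days=round((now() - endEpoch) / 86400, 1)
| stats count AS buckets sum(sizeOnDiskMB) AS size_mb max(age_days) AS oldest_bucket_days BY state
| addcoltotals labelfield=state label=all_states buckets size_mb
| append
    [| rest /services/data/indexes/wall
     | eval state="configured_limits", retention_days=round(frozenTimePeriodInSecs / 86400, 1)
     | table state maxHotBuckets maxWarmDBCount maxTotalDataSizeMB retention_days]
```

Read it as follows: if the all_states row's size_mb is close to maxTotalDataSizeMB, the oldest cold bucket is being frozen for size even though oldest_bucket_days is still below retention_days, and the fix is more space (a larger maxTotalDataSizeMB) or accepting the shorter effective retention. If only the warm count is above maxWarmDBCount, buckets are moving to coldPath, not being deleted, and nothing is lost. Add `splunk_server=<indexer>` to the rest call to look at a single peer; on a cluster, the setting changes themselves go into the stanza shown above on the cluster manager.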
</input>
<input type="dropdown" token="BankApp" searchWhenChanged="true" depends="$BankDropDown$">
  <label>ApplicationName</label>
  <choice value="*">All</choice>
  <search>
    <query>| inputlookup BankIntegration.csv | dedup applicationName | sort applicationName | table applicationName</query>
  </search>
  <fieldForLabel>applicationName</fieldForLabel>
  <fieldForValue>applicationName</fieldForValue>
  <default>*</default>
  <prefix>applicationName="</prefix>
  <suffix>"</suffix>
</input>
<input type="dropdown" token="interface" searchWhenChanged="true" depends="$BankDropDown$">
  <label>InterfaceName</label>
  <choice value="*">All</choice>
  <search>
    <query>| inputlookup BankIntegration.csv | search $BankApp$ | sort InterfaceName | table InterfaceName</query>
  </search>
  <fieldForLabel>InterfaceName</fieldForLabel>
  <fieldForValue>InterfaceName</fieldForValue>
  <default>*</default>
  <prefix>InterfaceName="</prefix>
  <suffix>"</suffix>
</input>

Query:

index=mulesoft environment=PRD $BankApp$ OR (priority="ERROR" OR priority="WARN")
| stats values(*) as * by correlationId
| rename content.InterfaceName as InterfaceName content.FileList{} as FileList content.Filename as FileName content.ErrorMsg as ErrorMsg
| eval Status=case(priority="ERROR","ERROR",priority="WARN","WARN",priority!="ERROR","SUCCESS")
| fields Status InterfaceName applicationName FileList FileName correlationId ErrorMsg message
| where $interface$ AND isnotnull(FileList)
| sort -timestamp

If I select All in the dropdown, the particular values of the inputlookup file fields and data should be shown. If it's *, then it shows all the values. This is the query with which I am trying to achieve this.
As you have a valid license, just ask for an unlock license from the same source you got your normal license from.
Thanks.
You should replace the version number with the word "latest", and then you will get the latest version of those documents.
Hi @Simon.Rajanpaul, Thank you so much for coming back many months later and sharing a solution. I love to see it!
Hi @karthi2809, this is a new question; even if it is on the same topic, it's always better to open a new question to get a quicker and probably better answer. Anyway, first, don't use the search command after the main search, because your search will be slower. Then, I see again a different field name than the one in the input; which is the correct one? Could you share your search with the tokens? Ciao. Giuseppe
@agdk If you're observing bucket downloads from S3 unexpectedly, it might be worth investigating further. Verify that your SmartStore configuration is correctly set up. Ensure that the cache and cold storage volumes are properly configured. Confirm that the space padding setting is appropriately adjusted to avoid unnecessary eviction. https://docs.splunk.com/Documentation/Splunk/latest/Indexer/TroubleshootSmartStore#Troubleshoot_with_REST_searches
@gcusello It's working now. One more detail that I want to know: if I select applicationName and InterfaceName for a particular value, the value is coming, and if I use All with *, it's not showing any data. How can we add All (*)? Instead of *, how do I add all the data in applicationName and interfaceName? For example, | search applicationName IN (p-oracle-fin-processor, p-oracle-fin-processor-2, p-wd-finance-api), like this. I will paste my query.

index=mulesoft environment=*
| search applicationName IN (p-oracle-fin-processor, p-oracle-fin-processor-2, p-wd-finance-api) OR (priority="ERROR" OR priority="WARN")
| stats values(*) as * by correlationId
| rename content.InterfaceName as InterfaceName content.FileList{} as FileList content.Filename as FileName content.ErrorMsg as ErrorMsg
| eval Status=case(priority="ERROR","ERROR",priority="WARN","WARN",priority!="ERROR","SUCCESS")
| fields Status InterfaceName applicationName FileList FileName correlationId ErrorMsg message
| where InterfaceName="APEX_VENDOR_PORTAL_AP_SUPPLIERS_OUT" AND isnotnull(FileList)
| sort -timestamp
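The reason `*` works for one dropdown and not the other, with a reworked query, as an added example that is not from the thread. In the dashboard posted above, the application token lands in the base search, where `applicationName="*"` is a wildcard match. The interface token lands in a `where` clause, and in `where` the `=` operator compares strings exactly, so `where InterfaceName="*"` matches nothing, which is the behaviour described in both posts. Moving that token into a `search` command, which honours wildcards, makes the All choice behave. The application filter stays in the base search (that is the trailing-search slowdown the earlier reply warned about); the interface filter can only be applied after the rename that creates InterfaceName. Everything else is the query from the two posts; the `true()` default in `case()` is mine, and token and field names are taken as they appear in the dashboard XML.

```spl
index=mulesoft environment=PRD ($BankApp$ OR priority="ERROR" OR priority="WARN")
| stats values(*) AS * BY correlationId
| rename content.InterfaceName AS InterfaceName content.FileList{} AS FileList content.Filename AS FileName content.ErrorMsg AS ErrorMsg
| eval Status=case(priority="ERROR","ERROR", priority="WARN","WARN", true(),"SUCCESS")
| rename COMMENT AS "the interface token expands to InterfaceName=<value> or InterfaceName=*; search honours the wildcard, where would treat * as a literal"
| search $interface$
| where isnotnull(FileList)
| fields Status InterfaceName applicationName FileList FileName correlationId ErrorMsg message
| sort -timestamp
```

For an explicit list instead of the dropdown, the same base-search slot takes `applicationName IN (p-oracle-fin-processor, p-oracle-fin-processor-2, p-wd-finance-api)`, and `IN` accepts wildcard members as well. Keep `where` for the null check only; any user-selectable value that may be `*` belongs in `search`.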
Try something like this:

| search ("<--- TRN:" OR "---> TRN:" OR "===> TRN@")
| eval field=split(source,"/")
| eval Instance=mvindex(field,4)
| rex "(?<direction>[<\->]+) TRN[^:]*:\s+(?<TRN>\S+)"
| rex " ===>.+\[Priority=(?<Priority>\w+)"
| rex "(?<App>\w+) sent to"
| eval get=if(direction="<---","get",null())
| eval put=if(direction="--->","put",null())
| stats values(get) as get values(put) as put values(Priority) as Priority values(App) as App by TRN Instance
| where Priority="$token$"
| chart count(get) as Testget count(put) as Testput count(eval(App=="AP")) as AP count(eval(App=="AH")) as AH count(eval(App=="MP")) as MP by Instance
| eval Pending = Testget - (AP + AH)
@keneyfofe Have you checked splunkd.log? Check the below link for reference.  https://community.splunk.com/t5/Splunk-Enterprise/SplunkUI-app-list-error-V9-1-0-1-SVA-S1-lab-instance/m-p/651872  If this helps, please upvote or accept solution. 
@jppasnak The Splunk team confirmed that this is a bug in Splunk version 9.2.x. The Splunk Dev team is working on it. We can wait until they release a fixed version. You should create a support/bug ticket with Splunk Support. ** If this helps, please upvote or accept solution. **