Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
04-25-2024
01:27 AM
How quickly are your events getting indexed? For example, if you look at the _indextime field and compare it to the _time field you will notice a lag. If this is over a minute, it could be that the e...
See more...
How quickly are your events getting indexed? For example, if you look at the _indextime field and compare it to the _time field you will notice a lag. If this is over a minute, it could be that the events between -2m and -1m are not indexed before -1m and would therefore not show up in your alert search
04-25-2024
01:22 AM
To get you started here's a number of links for you read and work through In short you need the nix TA, UF and configure inputs and outputs based on your requirements. #This shows you the TA Re...
See more...
To get you started here's a number of links for you read and work through In short you need the nix TA, UF and configure inputs and outputs based on your requirements. #This shows you the TA Required (Nix TA) https://splunkbase.splunk.com/app/833 #This shows you the OS Supported = MacOs is listed https://docs.splunk.com/Documentation/AddOns/latest/UnixLinux/About #Read the release notes https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Releasenotes And you will need to install a Universal Forwarder for the MacOS + configure outputs and TA inputs https://www.splunk.com/en_us/download/universal-forwarder.html
04-25-2024
01:21 AM
I am not sure why you are getting different results in Fast and Verbose mode, but there appear to be some oddities with your search: | eval newtime=strftime(_time,"%m/%d/%y %H:%M:%S") This creates ...
See more...
I am not sure why you are getting different results in Fast and Verbose mode, but there appear to be some oddities with your search: | eval newtime=strftime(_time,"%m/%d/%y %H:%M:%S") This creates a string - what is the maximum of a string? | stats ... max(newtime) as "event time" Field times does not exist (after previous stats command) | eval times=mvindex(times, 0, 2) I am not sure whether these make a difference though
Hello all, I am using SplunkCloud I have looking on the forum yesterday in order to create an alert when an Event is not detected. My idea is to send a mail when the Event 4776 is not detected. ...
See more...
Hello all, I am using SplunkCloud I have looking on the forum yesterday in order to create an alert when an Event is not detected. My idea is to send a mail when the Event 4776 is not detected. The closer I have is this : index ="*" | where ComputerName="ComputerName" | search EventCode=4776 This gives me every event 4776 on the device ComputerName I wanted to add earliest=-2m@m latest=-1m@m like I saw on different places but the result goes to 0 while I know this event is sent multiple times per second (multiple like 100 times) Second question, when I save as an Alert, I specify : Real Time, Trigger when Specified : search count =0 Is this right ? I saw people saying results=0 but I have this error : Cannot parse alert condition. Unknown search command 'results'.. Thanks for the help
Labels
- Labels:
-
alert action
04-25-2024
01:08 AM
I have a time picker & a time dropdown which has static values.
<panel id="pqr">
<input type="time" token="time">
<label>DateTime</label>
<default>
<earliest>@d</earliest>
<latest>now</latest>
</...
See more...
I have a time picker & a time dropdown which has static values.
<panel id="pqr">
<input type="time" token="time">
<label>DateTime</label>
<default>
<earliest>@d</earliest>
<latest>now</latest>
</default>
</input>
</panel>
<panel id="abc">
<input type="dropdown" token="timedrop">
<label>Time Dropdown</label>
<choice value="now">Now</choice>
<choice value="+3d">3d</choice>
<choice value="+4d">4d</choice>
<choice value="+5d">5d</choice>
<default>now</default>
<change>
<eval token="latest_Time">if('timedrop'="now",now(),relative_time(if($time.latest$="now",now(),$time.latest$), $timedrop$))</eval>
</change>
</input>
</panel>
The expectation is if Now is selected in timedrop, the data till now should load. If +3d is selected in timedrop, then +3d should be added with the time.latest token (coming from the time picker) and so on. On load (by default Today is selected), the latest_Time is returning NAN, but if I select a specific time range (say 8th April 10AM-11AM) & timedrop as 3d, it is working as expected.
04-25-2024
01:08 AM
Hi ITWhisperer, exactly this very simple elegant solution I needed. Thank you very much. Works fine.
04-25-2024
01:07 AM
I am really struggling to add my macos data into splunk just like how we can upload the event logs of windows. is there any add-ons that i can install to help me do this? if there is, can anyone expl...
See more...
I am really struggling to add my macos data into splunk just like how we can upload the event logs of windows. is there any add-ons that i can install to help me do this? if there is, can anyone explain how to configure it and make it work?
Labels
- Labels:
-
splunk-assist
04-25-2024
01:03 AM
Hi, Below is the dashboard query which works fine for EC2 Port Probe events but rest of the events are not displayed in the dashlet. when we check open in search option, we find events in the event...
See more...
Hi, Below is the dashboard query which works fine for EC2 Port Probe events but rest of the events are not displayed in the dashlet. when we check open in search option, we find events in the event column and not in statistics after changing the mode from fast to verbose. please help here. index="aws_generic" source="aws.guardduty" detail.type=Discovery:S3/AnomalousBehavior* | eval newtime=strftime(_time,"%m/%d/%y %H:%M:%S") | rex field=host (?<service>.*):(?<cloudprovider>.*):(?<region>.*):(?<cluster>.*):(?<role>.*):(?<stagingarea>.*) | stats sparkline(count) as history max(newtime) as "event time" by stagingarea detail.region detail.type detail.severity detail.description detail.accountId detail.id | eval times=mvindex(times, 0, 2) | sort - "event time" detail.severity | table "event time","detail.accountId","detail.region","detail.severity","history","detail.type","detail.description" | rename "event time" as "Event Time","detail.accountId" as "AWS Account ID","detail.region" as "AWS Region","detail.type" as "Finding Type","detail.severity" as "Severity","history" as "Event History","detail.description" as "Description"
Labels
- Labels:
-
drilldown
04-25-2024
01:00 AM
Hi,
I am calculating the difference between two search results as below. And, sometime the panel takes bit time to return the results, thus the variance is showing false count.
Please could you ...
See more...
Hi,
I am calculating the difference between two search results as below. And, sometime the panel takes bit time to return the results, thus the variance is showing false count.
Please could you suggest ? how to fix
Thanks in advance.
SPL:
| makeresults
| eval variance=$MA:result.macoscount$ - $COSMOS:result.cosmacount$
| table variance
Issue:
middle panel (with blue color) result is "MA to COSMOS value "- COSMOS to P.H.B"
Labels
- Labels:
-
using Splunk Enterprise
04-25-2024
01:00 AM
My environment just moved to JSM for monitoring and solving alerts, and we since have lost a functionality where we could link back to the Splunk Search the alert originated from, when an alert is tr...
See more...
My environment just moved to JSM for monitoring and solving alerts, and we since have lost a functionality where we could link back to the Splunk Search the alert originated from, when an alert is triggered and sent to the alert center. I wonder if there is a way to do this with this add-on?
04-25-2024
12:51 AM
That is puzzling. If I understand correctly, you're talking about the host_regex setting of the monitor input, right? The docs don't say that there is any kind of escaping required. If it is however...
See more...
That is puzzling. If I understand correctly, you're talking about the host_regex setting of the monitor input, right? The docs don't say that there is any kind of escaping required. If it is however, it would be great if you posted a docs feedback (there is a form at the bottom of https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf ) describing your situation and how it differs from the described state.
04-25-2024
12:44 AM
1 Karma
Rather than setting the value to true, set it to the line you want in your search <input type="checkbox" token="LastOne_tkn">
<label>Dedup</label>
<choice value="| dedup Attr1">Dedup...
See more...
Rather than setting the value to true, set it to the line you want in your search <input type="checkbox" token="LastOne_tkn">
<label>Dedup</label>
<choice value="| dedup Attr1">Dedup</choice>
<default></default>
<initialValue></initialValue>
</input> Then use the token in your search index=machinedata
$LastOne_tkn$
| table Attr1, Attr2
04-25-2024
12:29 AM
I cannot understand why you say you are not getting a "table". Using the lookup sample you gave and the two code samples @bowesmana gave, these are results from my instance 1. Transpose alone ...
See more...
I cannot understand why you say you are not getting a "table". Using the lookup sample you gave and the two code samples @bowesmana gave, these are results from my instance 1. Transpose alone 2. Transpose + foreach Both are just like table. Are they not?
04-25-2024
12:28 AM
It works, I have an IP list based on the specified system name (prod etc). Now how can I associate this list with a search? So that the list of IPs displayed by this query can be attached to dscip ...
See more...
It works, I have an IP list based on the specified system name (prod etc). Now how can I associate this list with a search? So that the list of IPs displayed by this query can be attached to dscip | search sourcetype="new" DstIP=(list of above ip)
04-25-2024
12:27 AM
Rest assured, if I had any suggestions, I would have given them by now.
04-25-2024
12:26 AM
OK so I'll ask again another way, what output would you like, for example from the 8 lines you shared earlier?
04-25-2024
12:24 AM
Thanks @ITWhisperer , it worked
04-25-2024
12:10 AM
If I understand your question correctly, you want group matching messages to be displayed as a single string like “file put successfully”, not separately as "Inbound file processed successfully GL102...
See more...
If I understand your question correctly, you want group matching messages to be displayed as a single string like “file put successfully”, not separately as "Inbound file processed successfully GL1025pcardBCAXX8595143691007", "File put Succesfully GL1025pcardBCAXX8595143691007", and so on. This is a common requirement. But in addition to unnecessary asterisks in regex's as @ITWhisperer points out, you should group them before performing stats. Here is the code | eval message = if(match(message, "File put Succesfully|Successfully created file data|Archive file processed successfully|Summary of all Batch|processed successfully for file name|ISG successful Call|Inbound file processed successfully|ISG successful Call"),
"file put successfully", message)
| stats values(message) as message Suppose you have events with the following values of message: message Inbound file processed successfully GL1025pcardBCAXX8595143691007 Inbound file processed successfully GL1025pcardBCAXX8595144691006 Inbound file processed successfully GL1025pcardBCAXX8732024191001 Inbound file processed successfully GL1025transBCAXX8277966711002 File put Succesfully GL1025pcardBCAXX8595143691007 File put Succesfully GL1025pcardBCAXX8595144691006 File put Succesfully GL1025pcardBCAXX8732024191001 File put Succesfully GL1025transBCAXX8277966711002 some unmatching value some other unmatching value The result will be message file put successfully some other unmatching value some unmatching value Is this what you are looking for? Here is an emulation that you can play with and compare with real data | makeresults
| eval message = mvappend("Inbound file processed successfully GL1025pcardBCAXX8595143691007",
"Inbound file processed successfully GL1025pcardBCAXX8595144691006",
"Inbound file processed successfully GL1025pcardBCAXX8732024191001",
"Inbound file processed successfully GL1025transBCAXX8277966711002",
"File put Succesfully GL1025pcardBCAXX8595143691007",
"File put Succesfully GL1025pcardBCAXX8595144691006",
"File put Succesfully GL1025pcardBCAXX8732024191001",
"File put Succesfully GL1025transBCAXX8277966711002",
"some unmatching value",
"some other unmatching value")
| mvexpand message
``` data emulation above ```
04-25-2024
12:09 AM
I have a sc4s deployment running in an ec2 instance. I followed the documentation provided here https://splunk.github.io/splunk-connect-for-syslog/main/. I have a c# application running inside dock...
See more...
I have a sc4s deployment running in an ec2 instance. I followed the documentation provided here https://splunk.github.io/splunk-connect-for-syslog/main/. I have a c# application running inside docker of the same host where sc4s is running. My application is able to send syslog data on port 514 and the same is visible in Splunk Cloud dashboard under sourcetype as sc4s:fallback I am running the same application in my windows local machine trying to send data to the same port and linux machine ip. Data is sent to the host machine because I can see it in the TCP dump but sc4s is not ingesting the data into the Splunk Cloud. What should be my next step in debugging. I have tried everything from my side but still not able to figure out what the issue is my sc4s deployment
04-25-2024
12:06 AM
@ITWhisperer++++ Any suggestions pls?
