I have solved the issue.
I needed to add quotes to the AccountType:
| where AccountType IN ("$AccountType$")
I also needed to change the delimiter:
<delimiter>,</delimiter>
This solved the problem for me! Thank you!
It's empty in the field. Attached screenshot. For some of the transactions we have multiple error types, with empty values and with values. For the same transaction, the events below are there with empty and with value.
"timestamp" : "2024-03-21T17:33:53.993Z", "content" : { "ErrorType" : "", "ErrorMsg" : "" }
"timestamp" : "2024-03-21T17:33:20.786Z", "content" : { "ErrorType" : "HTTP:NOT_FOUND", "ErrorMsg" : "HTTP /glimport' failed: not found (404)." },
I need to identify hosts with errors, but only in block mode.
My SPL:
index=firewall event_type="error [search index=firewall sourcetype="metadata" enforcement_mode=block]
| dedup host
| table event_type, host, ip
Each search works separately, but combined it is sitting on "parsing job" with no result for a long time. Thank you
After configuring the content pack for VMware, I repeatedly get "duplicate entity aliases found". We are also collecting for TA-Nix. How can I fix the duplicate entity alias issue? I am running ITE 4.18.1 and Splunk app for content packs 2.10.
Are these multivalue fields within the same event? By "empty" do you mean they contain the word "empty" or that they have no value (empty string) or that they don't exist? Please share some sample (anonymised) events to illustrate what you mean.
The IN operator only works in the search command. In where you must use the in function.
| loadjob savedsearch="name:search:cust_info"
| where in(AccountType,$AccountType$)
Hi @mbozbura,
I’m a Community Moderator in the Splunk Community.
This question was posted 1 year ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post.
Thank you!
So I am creating a dashboard and I keep getting this error:
Error in 'where' command: The expression is malformed. Expected ).
This is what I have:
| loadjob savedsearch="name:search:cust_info"
| where AccountType IN ($AccountType$)
I created a multiselect filter on AccountType and I want the SPL to query on those selected. What could I be missing or another way to achieve this query to filter on AccountType?
The eval is trying to divide a string literal ("SumBalances") by a field, which won't work. Replace the double quotes with single quotes or remove the double quotes.
I am getting this error:
Error in 'EvalCommand': Type checking failed. '/' only takes numbers.
Here are the lines of SPL:
| stats count as "Count of Balances", sum(BALANCECHANGE) as "SumBalances" by balance_bin
| eventstats sum("SumBalances") as total_balance
| eval percentage_in_bin = round(("SumBalances" / total_balance) *100, 2)
What could be causing this? Is there a way to solve this without the / symbol?
In my mv field named errortype. In the error type, the counts show file not found as 4 and empty as 2. I want to exclude the empty values from the mv fields.