All Posts

So, it is expected to get the AccountTypes selected from the user on the dashboard from the multiselect filter. 
I need to identify hosts with errors, but only in block mode. My SPL: index=firewall event_type="error [search index=firewall sourcetype="metadata" enforcement_mode=block] | dedup host | table event_type, host, ip. Each search works separately, but combined it sits on "parsing job" with no result for a long time. Thank you
What does the $AccountType$ token expand to?
| stats count by query
After configuring the content pack for VMware, I repeatedly get "duplicate entity aliases found". We are also collecting for TA-Nix. How can I fix the duplicate entity alias issue? I am running ITE 4.18.1 and Splunk app for content packs 2.10.
Are these multivalue fields within the same event? By "empty" do you mean they contain the word "empty" or that they have no value (empty string) or that they don't exist? Please share some sample (anonymised) events to illustrate what you mean.
Hey! I still get the same error. But thank you for trying! Let me know if something else clicks. Thank you.
The IN operator only works in the search command. In where you must use the in function. | loadjob savedsearch="name:search:cust_info" | where in(AccountType,$AccountType$)
Hi @mbozbura, I'm a Community Moderator in the Splunk Community. This question was posted 1 year ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
So I am creating a dashboard and I keep getting this error: Error in 'where' command: The expression is malformed. Expected ). This is what I have: | loadjob savedsearch="name:search:cust_info" | where AccountType IN ($AccountType$). I created a multiselect filter on AccountType and I want the SPL to query on those selected. What could I be missing, or is there another way to achieve this query to filter on AccountType?
I have the same issue; I have a valid stix2. Did you find a solution for this?
Thank you so much! That worked! 
The eval is trying to divide a string literal ("SumBalances") by a field, which won't work. Replace the double quotes with single quotes or remove the double quotes.
I am getting this error: Error in 'EvalCommand': Type checking failed. '/' only takes numbers. Here are the lines of SPL: | stats count as "Count of Balances", sum(BALANCECHANGE) as "SumBalances" by balance_bin | eventstats sum("SumBalances") as total_balance | eval percentage_in_bin = round(("SumBalances" / total_balance) *100, 2) What could be causing this? Is there a way to solve this without the / symbol?
In my mv field named errortype, the counts show "file not found" as 4 and "empty" as 2. I want to exclude the empty values from the mv field.
Thank you! Same issue here on Splunk 9.2.1: Splunk was NOT starting at boot (with init.d) but was starting correctly when started manually. After commenting out the mentioned line, it now boots properly with the VM (Oracle Linux). I am going to open a case with support to inform them about it.
Solved by myself: underscores give no problem.
I'll try to explain it with a basic example. As an output of a stats command I have:
detection | query
search1 | google.com yahoo.com
search2 | google.com bing.com
I want to get which queries are not being detected by both search1 and search2. Or else, getting rid of the queries that are in both searches; either way works. Like, search1 is detecting yahoo.com whereas search2 isn't, and vice versa with bing.com. I thought about grouping by query instead of by search; the problem is I have dozens or even hundreds of queries. Any thoughts? Cheers
Hi Splunkers, I have a doubt about underscores and paths in props.conf. Suppose, in my props.conf, I have: [source::/aaa/bbb/ccc_ddd] As you can see, I have an underscore in the path name. Could this be a problem? I mean: can I put the underscore without problem, or do I have to use a backslash to escape it?
I've had more consistent results by putting the trigger condition in the search and having the alert trigger if the number of results is not zero. | tstats count where index=cts-dcpsa-app sourcetype=app:dcpsa host_ip IN (xx.xx.xxx.xxx, xx.xx.xxx.xxx) by host | eval current_time=_time | eval excluded_start_time=strptime("2024-04-14 21:00:00", "%Y-%m-%d %H:%M:%S") | eval excluded_end_time=strptime("2024-04-15 04:00:00", "%Y-%m-%d %H:%M:%S") | eval is_maintenance_window=if(current_time >= excluded_start_time AND current_time < excluded_end_time, 1, 0) | eval is_server_down=if(count == 0, 1, 0) | where is_maintenance_window=0 AND is_server_down=1