All Posts


Hi @Rohit.Sharma, Can you confirm if either of the replies has answered your question? If so, please click on the 'Accept as Solution' button or reply to the thread keeping the conversation going. 
Oh, I see... But shouldn't it be $result.Level$ -- that is, singular "result", not plural "results"? Thanks!
I have a timestamp with this format "2024-01-01T20:00:00.190000000Z". I can convert this to normal format using rex; however, I want to know if there is an alternative to convert it to a normal time format?
@ITWhisperer  Here is the source code of the trellis single value visualization:

{
    "type": "splunk.singlevalue",
    "options": {
        "numberPrecision": 0,
        "sparklineDisplay": "below",
        "trendDisplay": "absolute",
        "unitPosition": "after",
        "shouldUseThousandSeparators": true,
        "trellisMinColumnWidth": 120,
        "trellisRowHeight": 68,
        "majorValue": "> sparklineValues | lastPoint()",
        "trendValue": "> sparklineValues | delta(-2)",
        "sparklineValues": "> primary | seriesByName('Number of Scenarios')",
        "trellisSplitBy": "Page",
        "splitByLayout": "trellis",
        "trellisPageCount": 1000,
        "backgroundColor": "#d41f1f",
        "majorColor": "#FAF9F6",
        "trellisBackgroundColor": "#FAF9F6"
    },
    "context": {
        "convertedColorRange": [
            { "from": 100, "value": "#dc4e41" },
            { "from": 70, "to": 100, "value": "#f1813f" },
            { "from": 30, "to": 70, "value": "#f8be34" },
            { "from": 0, "to": 30, "value": "#0877a6" },
            { "to": 0, "value": "#53a051" }
        ]
    },
    "dataSources": {
        "primary": "ds_P7P9WCoL_ds_TheWXmJx_ds_ionW1KZM"
    },
    "eventHandlers": [
        {
            "type": "drilldown.linkToDashboard",
            "options": {
                "app": "search",
                "dashboard": "reliability_layer_3_insight_application_dashboard__thaa_proper",
                "newTab": true,
                "tokens": []
            }
        },
        {
            "type": "drilldown.setToken",
            "options": {
                "tokens": [
                    {
                        "token": "stepTok",
                        "key": "trellis.value"
                    }
                ]
            }
        }
    ],
    "showProgressBar": false,
    "showLastUpdated": false,
    "hideWhenNoData": false
}

Here is the datasource used for this visualization:

index="xxx" appID="APP-xxx" environment=xxx tags="*Parm*" OR "*Batch*" stepName="*" status=PASSED
| rex field=stepName "^(?<Page>[^\:]+)"
| rex field=stepName "^\'(?<Page>[^\'\:]+)"
| eval Page=upper(Page)
| stats count(scenario) as "Number of Scenarios" by Page
| sort - "Number of Scenarios"
I just checked our Searchheads for this issue: We had the same messages until we upgraded all Searchheads from 9.1.2 to 9.1.3. Kind Regards
Hi. I'm trying to use the subsearch, but I'm not sure what I am doing wrong. First, the inner search is a list of accounts like this one:

index=main sourcetype=vpacmanagement
| eval DateStamp3= strptime(DateStamp, "%Y-%m-%d %H:%M:%S")
| eval MemberName2 = split(TeamMember, "\\")
| eval Member2 = mvindex(MemberName2,1)
| eval Member2=upper(Member2)
| where DateStamp3 > relative_time(now(), "-4d") AND like(Status, "%/%/%") AND Member2 = "ADMMICHAEL_HAYES3"
| dedup WONumber
| rename Member2 as Member
| fields Member

I get one account, all ok so far. But using the search in an outer search:

index=main sourcetype=vpacmanagement
| join Member [search index=main sourcetype=vpacmanagement
    | eval DateStamp3= strptime(DateStamp, "%Y-%m-%d %H:%M:%S")
    | eval MemberName2 = split(TeamMember, "\\")
    | eval Member2 = mvindex(MemberName2,1)
    | eval Member2=upper(Member2)
    | where DateStamp3 > relative_time(now(), "-4d") AND like(Status, "%/%/%") AND Member2 = "ADMMICHAEL_HAYES3"
    | dedup WONumber
    | rename Member2 as Member
    | fields Member]
| eval DateStamp2= strptime(DateStamp, "%Y-%m-%d %H:%M:%S")
| eval month = strftime(DateStamp2, "%m")
| eval year = strftime(DateStamp2, "%Y")
| eval GroupName = split(DomainGroup, "\\"), MemberName = split(TeamMember, "\\")
| eval Name = mvindex(GroupName,1), Member = mvindex(MemberName,1)
| eval RequestType = upper(RequestType), Name = upper(Name), Member=upper(Member)
| where not like(Status, "%/%/%") and DateStamp2 > relative_time(now(), "-2d")
| dedup RequestType,DomainGroup, TeamMember
| fields WONumber, DateStamp, ResourceSteward, RequestType, Name, Member, Status
| table WONumber, DateStamp, ResourceSteward, RequestType, Name,Member, Status
| sort DateStamp2

As you can see, I made some calculations and I'm using the Member field as the value to make the join, but it is still not getting any account from the outer search, and in fact the element exists in the outer search. Does anyone know what I am missing? Thanks
It doesn't have to be whole dashboard, but it should at least match the visualisation you shared earlier, or, if it doesn't then share the part that isn't working for you (so we can try and test it, or our solutions, for you).
Have you tried "Subject: $result.Level$ app in $result.APPDIRS$"?
https://docs.splunk.com/Documentation/Splunk/latest/Alert/EmailNotificationTokens#Result_tokens
Where is the web server actually installed to and run from for SOAR in a RHEL environment? Unlike the Splunk Web UI, where I can modify the web.conf file, for SOAR I only see a massive amount of py files everywhere. I need to figure out where it actually starts and sets its paths, specifically where SSL is chosen. Assume I have installed SOAR to /data. Thanks for any assistance!
Hi @ITWhisperer , Source code has huge lines so I am unable to paste it or attach as a file. Kindly advise.
I have an alert based on the below search (obfuscated):

... | eval APPDIR=source
| rex field=APPDIR mode=sed "s|/logs\/.*||g"
| eventstats values(APPDIR) as APPDIRS
| eval Level=if("/app/5000" IN (APPDIRS), "PRODUCTION", "Non-production")
| eval APPDIRS=mvjoin(APPDIRS, ",")

The idea is to discern the affected application instance (there are multiple logs under each of the /app/instance/logs/) and then to determine whether the instance is a production one or not. In the search results all three new fields (APPDIR, APPDIRS, and Level) are populated as expected. But they don't show up in the e-mails. The "Subject: $Level$ app in $APPDIRS$" expands to a mere "Subject:  app in ". Nor are the fields expanded in the body of the alert e-mail. Now, I understand that event-specific fields -- like the singular APPDIR above -- cannot be expected to work in an alert. But the plural APPDIRS, as well as the Level, are aggregates, aren't they? What am I doing wrong, and how do I fix it?
spath will extract the fields
Hello, can someone help me in extracting the fields from these nested JSON raw logs?

{
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAUDGMTGGHXY5YL2EW6:redlock",
    "arn": "arn:aws:sts::281749434767:assumed-role/PrismaCloudRole-804603675133320192-member/redlock",
    "accountId": "281749434767",
    "accessKeyId": "ASIAUDGMTGGHRRR2WZT2",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAUDGMTGGHXY5YL2EW6",
        "arn": "arn:aws:iam::281749434767:role/PrismaCloudRole-804603675133320192-member",
        "accountId": "281749434767",
        "userName": "PrismaCloudRole-804603675133320192-member"
      },
      "attributes": {
        "creationDate": "2024-04-09T05:58:35Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2024-04-09T12:43:01Z",
  "eventSource": "athena.amazonaws.com",
  "eventName": "ListWorkGroups",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "52.52.50.152",
  "userAgent": "Vert.x-WebClient/4.4.6",
  "requestParameters": { "maxResults": 50 },
  "responseElements": null,
  "requestID": "59f0ad81-7607-40bb-a40b-eab3fad0fb7a",
  "eventID": "4bc352ff-0cc5-49cb-9b0e-2784bffbb58f",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "281749434767",
  "eventCategory": "Management",
  "tlsDetails": {
    "tlsVersion": "TLSv1.3",
    "cipherSuite": "TLS_AES_128_GCM_SHA256",
    "clientProvidedHostHeader": "athena.us-west-2.amazonaws.com"
  }
}

logSource: aws-controltower/CloudTrailLogs:o-bj312h8hh6_281749434767_CloudTrail_us-east-1
logSourceType: aws:cloudwatchlogs
The old events cannot be searched because they're on the old volume. Indexers have only one volume definition, so they only know the current volume. Use OS tools to copy the directories from the old volume to the new one, then restart the indexers.
Hi @Paul.Gilbody , can you share the solution here? I'm stuck with the same issue.
App started successfully (id: 1712665900147) on asset:
Loaded action execution configuration
executing action: test_asset_connectivity
Connecting to 192.168.208.144...
Connectivity test failed
1 action failed
Failed to connect to PHANTOM server. No route to host.
Connectivity test failed

I am facing this issue; I tried all the possible ways.
I would look at this, but unfortunately playbooks that were developed in 6.x will not load in 5.x
I have the same issue, but these arguments are not set in the code? Same issue as the OP is writing about. The table is shown if I select the classic dashboard, but not in Studio.
Hi all, I created a volume and changed all homePath for all indexes to use this volume. Now I can't search on events that existed before this volume was created, and the search heads only show events that are on this volume. How can I move old and existing events to this volume so I can search on them? Thank you.