To get Microsoft Defender XDR data into Splunk, use the Splunk Add-on for Microsoft Security => https://splunkbase.splunk.com/app/6207 All the Microsoft Defender XDR incidents, alerts, entities, evidence, etc. are collected by this add-on.
Try something like this:

| rex field=TeamWorkTimings "(?<TeamStart>[^-]+)-(?<TeamEnd>.*)"
You have an orange triangle warning symbol in the top right of your chart. What does this message say?
I have followed all the necessary guidelines. The operating system is Windows Server 2022, and I have installed it on a machine that didn't previously have UF installed. I have completely disabled the antivirus. I have performed the installation twice, once with the domain admin and once with the local admin. Each time, I encountered the same issue. The latest installable version on these machines is 9.0.1, and subsequent versions (up to 9.2.1) encounter the same error.
Hi, I have removed the round function in chain search but it is still showing the same graph.
Given the limited amount of information you have given, it is not possible to determine the reason for the difference. Your example data does not represent your real data closely enough. For example, do you have special characters / non-alphanumeric characters in your field names? Are your fields multi-valued or appear in your events more than once? If possible, please share a representative example of your data without showing any sensitive data.
My search isn't created with makeresults; I only put it as an example. It doesn't work, because if I use:

search | foreach f1 f2 f3 f4 [| eval <<FIELD>>=if(<<FIELD>>==1,1,null())] | eventstats dc(H) as d1 by f1 | eventstats dc(H) as d2 by f2 | eventstats dc(H) as d3 by f3 | eventstats dc(H) as d4 by f4 | stats values(d*) as d*

the result for f1 is different compared with the result if I use:

search f1=1 | stats dc(H)
Try without the rounding:

| timechart span=1m avg(ResponseTime) by API_Name
Hi All, I have a time field containing a time range in this format in the output of one Splunk query:

TeamWorkTimings 09:00:00-18:00:00

I want to have the values stored in two fields like:

TeamStart 09:00:00
TeamEnd 18:00:00

How do I achieve this using a regex or concat expression in Splunk? Please suggest.
Hi Everyone, for some reason I'm getting a different CSV format file when I download it vs. from the report generated by the scheduled report functionality.
- When I download the file from the Splunk search option I am getting something like:
{"timestamp: 2024-04-02T22:42:19.655Z sequence: 735 blablaclasname: com.rr.jj.eee.rrr anotherblablaclasnameName: com.rr.rr.rrrr.rrr level: ERRROR exceptionMessage: blablabc .... }
- When I receive the file by email using the same query I'm getting something like:
{"timestamp: 2024-04-02T22:42:19.655Z\nsequence: 735\nblablaclasname: com.rr.jj.eee.rrr\nanotherblablaclasnameName: com.rr.rr.rrrr.rrr\nlevel: ERRROR\n\nexceptionMessage: blablabc\n....}
In the *.conf file I am seeing:
LINE_BREAKER = \}(\,?[\r\n]+)\{?
Regards
It worked, thank you so much! But I need one more bit of help. I have another dashboard with a dropdown and two line graphs showing Response-Time and Counts. The base search used for both graphs is exactly the same; however, the chain searches are a little different, where one calculates the average response time and the other calculates counts for the same. The counts graph works perfectly, but the response time only shows for one selection ("All" is selected in the dropdown). Please help me in finding the issue.
It doesn't work that way. You should do

TRANSFORMS-netlogon_send_to_nullqueue = netlogon_send_all_to_nullqueue, netlogon_keep_some

and have the netlogon_send_all_to_nullqueue transform send completely _everything_ to nullQueue:

[netlogon_send_all_to_nullqueue]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

And then keep only some of them - matching the string you want:

[netlogon_keep_some]
REGEX = NO_CLIENT_SITE
DEST_KEY = queue
FORMAT = indexQueue
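The reason the order of the two transforms in the TRANSFORMS- line matters is that Splunk runs them left to right and each matching REGEX overwrites DEST_KEY=queue, so the last match decides where the event goes. The following simulation is an added example and not code from the post or from Splunk itself; it models that last-writer-wins rule with Python's re module standing in for Splunk's PCRE matching (an assumption, adequate for these two patterns), and uses constructed sample events rather than real Netlogon output. It shows the posted order keeping only NO_CLIENT_SITE events, and the reversed order silently dropping everything, which is the outcome to check for before shipping a nullQueue filter to a production indexer.

```python
import re

# Constructed stand-in for the two transforms.conf stanzas from the post:
# name -> (REGEX, FORMAT). Both use DEST_KEY = queue.
TRANSFORMS = {
    "netlogon_send_all_to_nullqueue": (r".", "nullQueue"),
    "netlogon_keep_some": (r"NO_CLIENT_SITE", "indexQueue"),
}

# Order as written in the post's TRANSFORMS-netlogon_send_to_nullqueue line.
AS_POSTED = ["netlogon_send_all_to_nullqueue", "netlogon_keep_some"]
# Same stanzas listed the other way round (the mistake the example guards against).
REVERSED = list(reversed(AS_POSTED))

# Constructed sample events; not real Netlogon log lines.
SAMPLE_EVENTS = [
    "NetLogon: NO_CLIENT_SITE: host 10.0.0.5 site lookup failed",
    "NetLogon: DC discovery succeeded for host 10.0.0.6",
    "",  # an empty event: REGEX = . does not match, so it is never rerouted
]


def route_event(raw: str, order: list[str]) -> str:
    """Return the queue an event lands in after the transforms in `order` run.

    Assumption modelled here: Splunk evaluates the listed transforms in sequence
    and every one whose REGEX matches _raw writes DEST_KEY=queue, so the last
    matching transform wins. Events start on the index queue by default.
    """
    queue = "indexQueue"
    for name in order:
        regex, fmt = TRANSFORMS[name]
        if re.search(regex, raw):
            queue = fmt
    return queue


def route_many(events: list[str], order: list[str]) -> list[str]:
    """Route every event and return the resulting queue per event, in order."""
    return [route_event(raw, order) for raw in events]


def kept_events(events: list[str], order: list[str]) -> list[str]:
    """Return only the events that would actually reach the index."""
    return [raw for raw in events if route_event(raw, order) == "indexQueue"]


if __name__ == "__main__":
    for label, order in (("as posted", AS_POSTED), ("reversed", REVERSED)):
        print(f"--- transforms {label}: {order}")
        for raw, queue in zip(SAMPLE_EVENTS, route_many(SAMPLE_EVENTS, order)):
            print(f"{queue:11} <- {raw!r}")
```

With the posted order, the NO_CLIENT_SITE event is kept and the other Netlogon event is discarded; with the order reversed, the catch-all transform matches last and the NO_CLIENT_SITE event is discarded too. Run the simulation against a copy of your real events before deploying, since data dropped at nullQueue cannot be recovered by reindexing later.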
The dropdown has two fields, the label and the value - it is the label that is shown to the user and the value which is put in the token. When you use the token in a search, the value can be found out by the user if they open the search in another window. There are ways to make this more difficult to find out, but do you really need to go that far?
I want to add in source index=test (source="/test/log/path/qaserver1.log") without showing these paths in the dropdown list to the user. Can we have some other method?
In what way didn't it work? Here is a run-anywhere example showing it working - I have used eventstats for the final command so you can see the random values used:

| makeresults count=5
| fields - _time
| eval f1=random()%2
| eval f2=random()%2
| eval f3=random()%2
| eval f4=random()%2
| eval H=round(((random() % 102)/(102)) * (104 - 100) + 100)
| foreach f1 f2 f3 f4 [| eval <<FIELD>>=if(<<FIELD>>==1,1,null())]
| eventstats dc(H) as d1 by f1
| eventstats dc(H) as d2 by f2
| eventstats dc(H) as d3 by f3
| eventstats dc(H) as d4 by f4
| eventstats values(d*) as d*
Didn't work. One possible way was:

f1=1 | stats dc(H) | appendcols [search f2=1 | stats dc(H)] | appendcols [search f3=1 | stats dc(H)] | appendcols [search f4=1 | stats dc(H)]

but it is not efficient.
The where command doesn't support wildcards in the same way as search. Either change where to search or change the dropdown to include the whole command line apart from the "All" option where it should be blank.
My intent is that any event message without the string NO_CLIENT_SITE anywhere in it is discarded. 
Thank you for replying. I am using the token in the chain search.  
As configured, the transform will match and discard all events that do not start with NO_CLIENT_SITE. An event starting with SOMEDATA (any string that isn't NO_CLIENT_SITE) would be discarded. Was that your intent?