All Posts
The Message Trace input requires an additional step that isn't needed for the other inputs. Did you add the Azure AD app registration to one of the following IAM roles?
- Exchange Administrator
- Global Administrator
- Global Reader role (recommended)
https://docs.splunk.com/Documentation/AddOns/released/MSO365/Configureinputmessagetrace
Warning: "This usually indicates problems with underlying storage performance." But this warning is showing for other graphs too.
Hi All, I have one log, ABC, that is present in the sl-sfdc api, and another log, EFG, that is present in the sl-gcdm api. Now I want to see the properties and error code fields which are present in the EFG log, but it has many other logs coming from different apis also. I only want the log which has the same correlationId as ABC; then it should check the other log. And then I will use this regular expression to get the fields, like spath. Currently I am using this query:

    index=whcrm ( sourcetype=xl-sfdcapi ("Create / Update Consents for gcid" OR "Failure while Create / Update Consents for gcid" OR "Create / Update Consents done") ) OR ( sourcetype=sl-gcdm-api ("Error in sync-consent-dataFlow:") )
    | rename properties.correlationId as correlationId
    | rex field=_raw "correlationId: (?<correlationId>[^\s]+)"
    | eval is_success=if(match(_raw, "Create / Update Consents done"), 1, 0)
    | eval is_failed=if(match(_raw, "Failure while Create / Update Consents for gcid"), 1, 0)
    | eval is_error=if(match(_raw, "Error in sync-consent-dataFlow:"), 1, 0)
    | stats sum(is_success) as Success_Count, sum(is_failed) as Failed_Count
    | eval Total_Consents = Success_Count + Failed_Count
    | table Total_Consents, Success_Count, Failed_Count

The first one is the ABC log and the second is the EFG. I also want to use this regular expression in between to get the details:

    | rex field=message "(?<json_ext>\{[\w\W]*\})"
    | spath input=json_ext

Or there can be any other way to write the query and get the counts. Please help. Thanks in advance.
To get Microsoft Defender XDR data into Splunk, use the Splunk Add-on for Microsoft Security => https://splunkbase.splunk.com/app/6207 All the Microsoft Defender XDR incidents, alerts, entities, evidence, etc. are collected by this add-on.
Try something like this:

    | rex field=TeamWorkTimings "(?<TeamStart>[^-]+)-(?<TeamEnd>.*)"
You have an orange triangle warning symbol in the top right of your chart. What does this message say?
I have followed all the necessary guidelines. The operating system is Windows Server 2022, and I have installed it on a machine that didn't previously have UF installed. I have completely disabled the antivirus. I have performed the installation twice, once with the domain admin and once with the local admin. Each time, I encountered the same issue. The latest installable version on these machines is 9.0.1, and subsequent versions (up to 9.2.1) encounter the same error.
Hi, I have removed the round function in the chain search, but it is still showing the same graph.
Given the limited amount of information you have given, it is not possible to determine the reason for the difference. Your example data does not represent your real data closely enough. For example, do you have special characters / non-alphanumeric characters in your field names? Are your fields multi-valued, or do they appear in your events more than once? If possible, please share a representative example of your data without showing any sensitive data.
My search isn't created with makeresults; I only put it as an example. It doesn't work because if I use:

    search
    | foreach f1 f2 f3 f4 [| eval <<FIELD>>=if(<<FIELD>>==1,1,null())]
    | eventstats dc(H) as d1 by f1
    | eventstats dc(H) as d2 by f2
    | eventstats dc(H) as d3 by f3
    | eventstats dc(H) as d4 by f4
    | stats values(d*) as d*

the result for f1 is different compared with the result if I use:

    search f1=1 | stats dc(H)
Try without the rounding:

    | timechart span=1m avg(ResponseTime) by API_Name
Hi All, I have a time field containing a time range in this format in the output of one Splunk query:

    TeamWorkTimings 09:00:00-18:00:00

I want to have the values stored in two fields like:

    TeamStart 09:00:00
    TeamEnd 18:00:00

How do I achieve this using a regex or a concat expression in Splunk? Please suggest.
Hi Everyone, for some reason I'm getting a different CSV file format when I download it vs. from the report generated by the scheduled report functionality.
- When I downloaded the file from the Splunk search option I am getting something like:

    {"timestamp: 2024-04-02T22:42:19.655Z sequence: 735 blablaclasname: com.rr.jj.eee.rrr anotherblablaclasnameName: com.rr.rr.rrrr.rrr level: ERRROR exceptionMessage: blablabc .... }

- When I received the file by email using the same query I'm getting something like:

    {"timestamp: 2024-04-02T22:42:19.655Z\nsequence: 735\nblablaclasname: com.rr.jj.eee.rrr\nanotherblablaclasnameName: com.rr.rr.rrrr.rrr\nlevel: ERRROR\n\nexceptionMessage: blablabc\n....}

In the *.conf file I am seeing:

    LINE_BREAKER = \}(\,?[\r\n]+)\{?

Regards
It worked, thank you so much! But I need one more piece of help. I have another dashboard with a dropdown and two line graphs showing Response-Time and Counts. The base search used for both graphs is exactly the same; however, the chain searches are a little different, where one calculates the average response time and the other calculates counts for the same. The counts graph works perfectly; however, the response time only shows for one selection ("All" is selected in the dropdown). Please help me in finding the issue.
It doesn't work that way. You should do

    TRANSFORMS-netlogon_send_to_nullqueue = netlogon_send_all_to_nullqueue, netlogon_keep_some

and have the netlogon_send_all_to_nullqueue transform send completely _everything_ to nullQueue:

    [netlogon_send_all_to_nullqueue]
    REGEX = .
    DEST_KEY = queue
    FORMAT = nullQueue

and then keep only some of them, matching the string you want:

    [netlogon_keep_some]
    REGEX = NO_CLIENT_SITE
    DEST_KEY = queue
    FORMAT = indexQueue
The dropdown has two fields, the label and the value: it is the label that is shown to the user and the value which is put in the token. When you use the token in a search, the value can be found out by the user if they open the search in another window. There are ways to make this more difficult to find out, but do you really need to go that far?
I want to add in source index=test (source="/test/log/path/qaserver1.log") without showing this path in the dropdown list to the user. Can we have some other method?
In what way didn't it work? Here is a runanywhere example showing it working. I have used eventstats for the final command so you can see the random values used:

    | makeresults count=5
    | fields - _time
    | eval f1=random()%2
    | eval f2=random()%2
    | eval f3=random()%2
    | eval f4=random()%2
    | eval H=round(((random() % 102)/(102)) * (104 - 100) + 100)
    | foreach f1 f2 f3 f4 [| eval <<FIELD>>=if(<<FIELD>>==1,1,null())]
    | eventstats dc(H) as d1 by f1
    | eventstats dc(H) as d2 by f2
    | eventstats dc(H) as d3 by f3
    | eventstats dc(H) as d4 by f4
    | eventstats values(d*) as d*
Didn't work. One possible way was:

    f1=1 | stats dc(H)
    | appendcols [search f2=1 | stats dc(H)]
    | appendcols [search f3=1 | stats dc(H)]
    | appendcols [search f4=1 | stats dc(H)]

but it is not efficient.
The where command doesn't support wildcards in the same way as search. Either change where to search or change the dropdown to include the whole command line apart from the "All" option where it should be blank.