All Posts

@NoIdea, There are different namespaces for tokens - default, submitted, and environment. You're running into the issue because you're using the "default" tokens. These are the ones we normally use as they are updated on the fly, whereas the submitted tokens are only updated after clicking the submit button. You can refer to these tokens using the namespace followed by a colon, e.g.:

Default: $tok1$
Submitted: $submitted:tok1$

I've tried to understand the values you've put for the tokens and made an alternative dashboard showing the use of submitted tokens:

<form version="1.1" theme="light">
  <label>answers</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="dropdown" token="tok1" searchWhenChanged="false">
      <label>Tok1</label>
      <choice value="All">*</choice>
      <choice value="&quot; &quot;AND upper(STATUS)=upper('Active')&quot;">Y</choice>
      <choice value="&quot; &quot;AND upper(STATUS)=upper('Inactive')&quot;">N</choice>
      <prefix>Status="</prefix>
      <default>*</default>
    </input>
    <input type="text" token="tok2" searchWhenChanged="false">
      <label>UserID</label>
      <default></default>
      <prefix> AND UserID=\"*" + upper(</prefix>
      <suffix>) + "*"</suffix>
    </input>
  </fieldset>
  <row>
    <panel id="table_1">
      <html>
        <h2>Using $$tok1$$</h2>
        <table>
          <tr><td><strong>$$tok1$$=</strong></td><td><textarea>$tok1$</textarea></td></tr>
          <tr><td><strong>$$tok2$$=</strong></td><td><textarea>$tok2$</textarea></td></tr>
        </table>
        <style>
          textarea{padding: 4px; font-size:16px;resize:none;width: 300px;border: 1px solid black;}
          div[id^="table"] td{border:1px solid black;padding: 4px;}
          div[id^="table"]{width: fit-content; }
        </style>
      </html>
    </panel>
  </row>
  <row>
    <panel id="table_2">
      <html>
        <h2>Using $$submitted:tok1$$</h2>
        <table>
          <tr><td><strong>$$submitted:tok1$$=</strong></td><td><textarea>$submitted:tok1$</textarea></td></tr>
          <tr><td><strong>$$submitted:tok2$$=</strong></td><td><textarea>$submitted:tok2$</textarea></td></tr>
        </table>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <html><h2>The Search</h2>| search * $submitted:tok1$ $submitted:tok2$ </html>
    </panel>
  </row>
</form>

By putting your evals and conditionals directly into the values the form should work:

Hopefully that gets you closer to what you're after. There is another way to tackle this - but I don't quite understand your search. It's almost SPL but not quite. If the above isn't what you're after, can you explain your search a bit more?
Yes. Thank You very much. It works.
Hi All, We wanted to collect Events/Metrics/Data/Logs from New Relic and send it to Splunk Enterprise and Splunk ITSI (Please provide a suitable method for this). Simultaneously, we wanted to create a new environment for Splunk Enterprise and Splunk ITSI. Please mention the suitable specification for new Splunk Enterprise and Splunk ITSI architecture.
Hi @raoul,

Maybe the spaces in your LastLogin field are unprintable characters. Can you try the query below, which cleans all whitespace?

| inputlookup MSOLUsers
| where match(onPremisesDistinguishedName, "OU=Users")
| where not isnull(LastLogin)
| eval LastLogin=replace(LastLogin,"[^A-Za-z0-9,:]+","")
| eval LastActive=strptime(LastLogin, "%b%d,%Y,%H:%M")
| eval DaysLastActive=round((now() - LastActive) / 86400, 0)
| fields Company, Department, DisplayName, LastLogin, LastActive, DaysLastActive
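As an added example that is not part of the thread, the Python below mirrors the strip-then-strptime approach of that search on constructed LastLogin rows and, before stripping, reports which code points would be removed, so the actual culprit (a no-break space, a zero-width space) can be named rather than silently deleted. The rows, names and dates are made up; the helper names odd_characters, parse_last_login and days_last_active are my own, and the day count uses 86400 seconds per day.

```python
import re
from datetime import datetime, timezone

# Constructed sample of LastLogin values as they might come out of a user export:
# one clean, one with no-break spaces (U+00A0), one with a zero-width space
# (U+200B), one empty. Names and dates are made up.
ROWS = [
    {"DisplayName": "Alice Example", "LastLogin": "Apr 2, 2024, 09:15"},
    {"DisplayName": "Bob Example", "LastLogin": "Apr\u00a01,\u00a02024,\u00a010:30"},
    {"DisplayName": "Carol Example", "LastLogin": "Mar\u200b 30, 2024, 23:59"},
    {"DisplayName": "Dan Example", "LastLogin": None},
]

# Same character class as the SPL replace(): everything outside it is dropped.
STRIP_RX = re.compile(r"[^A-Za-z0-9,:]+")
SECONDS_PER_DAY = 86400
# Fixed "now" so the day counts are reproducible (assumed reference time).
NOW = datetime(2024, 4, 12, 9, 15, tzinfo=timezone.utc)


def odd_characters(value: str) -> list[str]:
    """List the code points (other than a plain space) that the replace() would
    silently delete, so the real culprit can be identified first."""
    return sorted({f"U+{ord(c):04X}" for run in STRIP_RX.findall(value) for c in run if c != " "})


def parse_last_login(value):
    """Mirror the SPL: strip the noise, then parse with the compact format that
    matches what is left. Returns an aware UTC datetime, or None if unparseable."""
    if not value:
        return None
    cleaned = STRIP_RX.sub("", value)
    try:
        return datetime.strptime(cleaned, "%b%d,%Y,%H:%M").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def days_last_active(rows, now):
    """Reproduce the search output: one record per row with LastActive and
    DaysLastActive; rows with no usable LastLogin are dropped, like the where."""
    out = []
    for row in rows:
        last_active = parse_last_login(row["LastLogin"])
        if last_active is None:
            continue
        out.append({
            "DisplayName": row["DisplayName"],
            "OddChars": odd_characters(row["LastLogin"]),
            "LastActive": last_active,
            "DaysLastActive": round((now - last_active).total_seconds() / SECONDS_PER_DAY),
        })
    return out


if __name__ == "__main__":
    for r in days_last_active(ROWS, NOW):
        print(r)
```

Running it prints the OddChars list next to each row; an empty list on a row that still fails to parse means the problem is the date format itself, not hidden characters.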
Hi

Could you explain what you mean by this question? Are you moving Splunk indexes on your host to another file system or volume on the same node, or moving the whole node to another box, or…? There are already a couple of answers for both cases which you can find via Google. We can also answer you after we understand your current problem better.

r. Ismo
Hi @KhalidAlharthi, As long as the new data store has enough performance nothing should be affected.  
Hi

You could learn how to use SPL from your local instructions or https://docs.splunk.com/Documentation/Splunk/9.2.1/Search/GetstartedwithSearch

We don't know your data, indexes, etc., so we can't help you, especially when we don't know what you want to know.

r. Ismo
Clear. So, an event with a _time field with "+", in practice, represents a complete _time extraction with all the "date_*" sub-fields inside. Thanks
Hi @CarolinaHB,

I noticed that "#012" exists in your event as an end-of-event marker. You can use the below as a line breaker:

LINE_BREAKER=#012()
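An added example, not part of the thread and not Splunk's code: the Python below models the documented LINE_BREAKER rule (the start of the first capture group ends the previous event, the end of the group starts the next one, and the captured text is discarded) on a constructed NSS-style stream shaped like the one in the question, with #011 between fields and #012 between records. It runs both placements of the capture group, #012() as given above and (#012), so you can see that the former leaves the "#012" marker glued to the tail of each event (and therefore to the last field's value), while the latter drops it. The helper names splunk_line_break, compare_breakers and parse_nss_event and the sample values are my own.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the NSS feed quoted in the question: fields are
# separated by octal-escaped tabs (#011) and records by octal-escaped newlines
# (#012). The first record keeps a syslog-style header with a short MM-DD time,
# as in the question; later records start with a full timestamp. Values are
# placeholders, not real data.
NSS_STREAM = (
    "Apr  2 22:18:08 04-02 22:17:39#011reason=Allowed#011event_id=1001"
    "#011protocol=HTTP#011action=Allowed#011status=206#011user=alice@example.com"
    "#011keyprotectiontype= Software Protection"
    "#0122024-04-02 22:17:40#011reason=Blocked#011event_id=1002"
    "#011protocol=SSL#011action=Blocked#011status=NA#011user=bob@example.com"
    "#011keyprotectiontype=N/A"
    "#0122024-04-02 22:17:41#011reason=Allowed#011event_id=1003"
    "#011protocol=SSL#011action=Allowed#011status=NA#011user=carol@example.com"
    "#011keyprotectiontype=N/A#012"
)

ISO_TS = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def splunk_line_break(data: str, line_breaker: str) -> list[str]:
    """Model of the props.conf LINE_BREAKER rule (not Splunk's implementation):
    at each regex match, the start of the first capture group ends the previous
    event, the end of that group starts the next one, and the captured text is
    discarded. Empty events are dropped."""
    rx = re.compile(line_breaker)
    if rx.groups < 1:
        raise ValueError("LINE_BREAKER needs a capture group")
    events, pos = [], 0
    for m in rx.finditer(data):
        events.append(data[pos:m.start(1)])
        pos = m.end(1)
    events.append(data[pos:])
    return [e for e in events if e]


def compare_breakers(data: str) -> dict[str, list[str]]:
    """Two placements of the capture group: '#012()' keeps the marker on the
    tail of each event, '(#012)' discards it."""
    return {
        "#012()": splunk_line_break(data, r"#012()"),
        "(#012)": splunk_line_break(data, r"(#012)"),
    }


def parse_nss_event(event: str) -> dict:
    """Split one event into key=value fields on the #011 marker, strip stray
    spaces around values, and parse a YYYY-MM-DD HH:MM:SS timestamp from the
    head if one is present (None otherwise, e.g. the syslog-prefixed record)."""
    head, *pairs = event.split("#011")
    fields = {}
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    m = ISO_TS.search(head)
    fields["_time"] = (
        datetime.strptime(m.group(0), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if m else None
    )
    return fields


if __name__ == "__main__":
    for breaker, events in compare_breakers(NSS_STREAM).items():
        print(f"{breaker}: {len(events)} events, tail of first event: {events[0][-24:]!r}")
    for ev in splunk_line_break(NSS_STREAM, r"(#012)"):
        f = parse_nss_event(ev)
        print(f["_time"], f["reason"], f["user"], f["keyprotectiontype"])
```

Both placements give the same number of events; the difference is only whether "#012" ends up inside the last field of each event, which is what a `keyprotectiontype=N/A#012` value in search results would be telling you.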
Open the "Search & Reporting" application and, using SPL searches against all data, find the password utilized during the PsExec activity.
Hi @mahesh27,

You can filter results like below:

| mstats sum(count-error) as Failed where index=metrics_index by service errorNumber errortype
| sort 4 - Failed
Hello, I need to event-break the following events, but they have a different date format. At the beginning, only at the end, it ends with the 'keyprotectiontype' field, which sometimes has 'NA'. Additionally, it must always have the 'reason' field at the beginning.

Apr 2 22:18:08 04-02 22: 17:39#011reason=Allowed#011event_id=7353490211603742721#011protocol=HTTP#011action=Allowed#011transactionsize=345241#011responsesize=344806#011requestsize=435#011urlcategory=Operating System and Software Updates#011serverip=92.123.121.156#011requestmethod=GET#011refererURL=None#011useragent=Microsoft BITS/7.8#011product=NSS#011location=Road Warrior#011ClientIP=12.2.11.10#011status=206#011user=lvtorrea@lula.com.es#011url=2.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/20c818db-67ad-44d4-8409-4d9dd7986af1?P1=1712128627&P2=404&P3=2&P4=OEkaO+U5XHKvf+lM41oEFDeIKRAD9S6SWgch3BSzA/yxusk1LA44YVdjNg94soDh+D8bYKjPHLpS4296pI6Tcw==#011vendor=Zscaler#011hostname=dkdkdk #011clientpublicIP=1.111.120.11#011threatcategory=None#011threatname=None#011filetype=None#011appname=General Browsing#011pagerisk=0#011threatseverity=None#011department=XXXXX (1422)#011urlsupercategory=Information Technology#011appclass=General Browsing#011dlpengine=None#011urlclass=Business Use#011threatclass=None#011dlpdictionaries=None#011fileclass=None#011bwthrottle=NO#011contenttype=application/octet_stream#011unscannabletype=None#011devicehostname=MAA#011deviceowner=lvtorrea#011keyprotectiontype= Software Protection#0122024-04-02 22:17:39#011reason=Allowed#011event_id=7353490211788947457#011protocol=SSL#011action=Allowed#011transactionsize=9568#011responsesize=4934#011requestsize=4634#011urlcategory=Microsoft_WVD_URL#011serverip=20.189.173.26#011requestmethod=NA#011refererURL=None#011useragent=Unknown#011product=NSS#011location=Road Warrior#011ClientIP=192.168.0.147#011status=NA#011user=jlvaldezo@lula.com.es#011url=us-v10c.events.data.microsoft.com#011vendor=Zscaler#011hostname=dkdkdk#011clientpublicIP=1.19.72.10#011threatcategory=None#011threatname=None#011filetype=None#011appname=General Browsing#011pagerisk=0#011threatseverity=None#011department=xxxxxxx MANAGEMENT#011urlsupercategory=User-defined#011appclass=General Browsing#011dlpengine=None#011urlclass=Bandwidth Loss#011threatclass=None#011dlpdictionaries=None#011fileclass=None#011bwthrottle=NO#011contenttype=Other#011unscannabletype=None#011devicehostname=KDKD#011deviceowner=jlvaldezo#011keyprotectiontype=N/A#012202

Can you help me?
Hi @verbal_666,

You can see the related documentation below about timestamp information. Events that are missing date_* fields may not have an extracted time inside.

https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usedefaultfields#Use_default_fields

Only events that have timestamp information in them as generated by their respective systems will have date_* fields. If an event has a date_* field, it represents the value of time/date directly from the event itself. If you have specified any timezone conversions or changed the value of the time/date at indexing or input time (for example, by setting the timestamp to be the time at index or input time), these fields will not represent that.
Hi there. Did you see that in many events, when expanding the event to its details, the _time field has a "+" icon beside it? Expanding it gives the details of the created _time field. What's that? In other events I can't see the "+" icon, even on the same server/path/log. Is it some kind of:

"+" == I, SPLUNK INDEXER, ELABORATED THE TIMESTAMP WITH MY ALGORITHMS BY MYSELF IN THIS WAY
clean, no "+" == automatic timestamp calculation, no elaboration, I found it already cooked?

Thanks.
I think I understand - try this search to create a table with fields: _time, percentage and one or more columns based on the value calculated each hour:

| gentimes start=-7
| eval sample=random()%100
| eval perc=random()%50
| rename starttime as _time
| append [| makeresults | eval sample=100, perc=45 | table _time, sample, perc]
| timechart span=1d max(sample) as name, avg(perc) as "percentage"
``` Calculate how we name the fields based on the value of: name ```
| eval rename_field_to=if(name=100,"C","N/A")
| eval "The Sample Yields {rename_field_to}" = name
| fields - rename_field_to, name

This will create three or four columns:

_time = time
percentage = hourly average of the perc field
The Sample Yields C = If the max for that hour was 100
The Sample Yields N/A = If the max for that hour was not 100

If you only want "The Sample Yields C" or nothing, then you can filter out with a | search name="C" after the timechart command.

The main SPL is:

| eval "The Sample Yields {rename_field_to}" = name

That will allow you to name a field using the value of another field.

If you want NA to simply be N/A then you can do a rename:

| rename "The Sample Yields N/A" as "N/A"

Is that closer to what you were after?
Ok, here's a quick fix to stop any dashboards loading after a page refresh:

<condition value="dash_a">
  <link target="_blank">/app/search/dash_a</link>
  <set token="form.link_dash"></set>
  <set token="link_dash"></set>
</condition>

This will only create a new window with a dashboard if the token matches dash_a, and do nothing if it's blank. Once we load the dashboard, we reset the token (both form.token and token) to an empty string. That way if the page reloads, we do nothing.

We can also make the condition statement a bit smarter. If you set the choice values to be the name of the dashboard you want to load, we can do this:

Final Version

<form version="1.1" theme="light">
  <label>Dash_C</label>
  <fieldset submitButton="false">
    <input type="link" token="link_dash">
      <label>View other Dashboard:</label>
      <choice value="dash_a">Dashboard 1 ↗</choice>
      <choice value="dash_b">Dashboard 2 ↗</choice>
      <choice value="dash_c">Dashboard 3 ↗</choice>
      <change>
        <condition value="">
        </condition>
        <condition>
          <link target="_blank">/app/search/$link_dash$</link>
          <set token="form.link_dash"></set>
          <set token="link_dash"></set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$CSS$">
      <html>
        <style>
          .splunk-linklist{width:fit-content!important;}
          .splunk-linklist button{ min-width: 120px;}
          .splunk-linklist button span{ -webkit-box-pack: left; justify-content: left;-webkit-box-align: left; align-items: left;}
          .splunk-linklist button{background-color: #dddddd82;margin: 4px 2px 0px 0px; transition: 0.3s;}
          .splunk-linklist button:hover {background-color:#007abd!important;color:white!important;}
        </style>
      </html>
    </panel>
  </row>
</form>

The condition block will do nothing if the link_dash token is blank, but will load the dashboard in $link_dash$ if it's not blank. It then sets the token to "" so it won't load the dashboard again on a refresh. By using the <condition> as above, it allows you to add as many dashboards as you want via the dropdown UI without needing to update the code.
 
I am also having an issue installing UF v9.2.1 on one of my servers. I did an uninstallation of the old version and installed the new installer with admin rights. Disabled antivirus as well. But it still failed. Any advice on what I can do next???
Hello @ITWhisperer, Thanks for your quick response, truly appreciate it. But it's not working; it's giving all the events of sourcetype accountA.
"Create a composite field with the two labels concatenated and count by that"

I am not sure how to create a composite field, could you please advise on this?
Hi @yuanliu , thank you so much, it worked