All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

I'm attempting to compute the total number of API calls from our backend engine. Initially, I process API identification text logs as events in the engine's index, enabling me to filter respective re... See more...
I'm attempting to compute the total number of API calls from our backend engine. Initially, I process API identification text logs as events in the engine's index, enabling me to filter respective request IDs. Simultaneously, I process the target_num count within the same index/source. By merging these two logs through a join operation, I filter out all relevant requests to compute the total API calls accurately, achieving the desired outcome. Subsequently, I aim to enhance this by joining the filtered request IDs with another platform's index/source. Here, I intend to determine the success or failure status of each request at the platform level and then multiply it by the original value of target_num. However, upon combining these queries, I'm experiencing discrepancies in the execution results. I'm uncertain about the missing piece causing this issue. My Final Query : <x-request-id is an existing field on platform index and there is no rex I am using> ---------------------- index=default-va6* sourcetype="myengine-stage" "API call is True for MyEngine" | rex field=_raw "request_id=(?<reqID>.+?) - " | dedup reqID | join reqID [ search index=default-va6* sourcetype="myengine-stage" "Target language count" | rex field=_raw "request_id=(?<reqID>.+?) - " | rex field=_raw "Target language count (?<num_target>\d+)" | dedup reqID | fields reqID, num_target ] | fields reqID, num_target | stats count("reqID") as total_calls by num_target | eval total_api_calls = total_calls * num_target | stats sum(total_api_calls) as Total_Requests_Received | rename reqID AS "x-request-id" | join "x-request-id" [ search index=platform-va6 sourcetype="platform-ue*" "Marked request as" | eval num_succeed = if(like(message, "Marked request as succeed%"), 1, 0) | eval num_failed = if(like(message, "Marked request as failed%"), 1, 0) | fields num_succeed, num_failed ] | fields num_succeed, num_failed | stats sum(num_succeed) as num_succeed, sum(num_failed) as num_failed | eval total_succeed_calls = num_succeed * num_target, total_failed_calls = num_failed * num_target
<search> <query>index="ourIndex" sourcetype=$stype$ABC AND Is_Service_Account="True" OR Is_Service_Account="False" earliest=-48h | eval DC=upper(DC) | eval env1=case(DC like "%Q%","QA", DC like "... See more...
<search> <query>index="ourIndex" sourcetype=$stype$ABC AND Is_Service_Account="True" OR Is_Service_Account="False" earliest=-48h | eval DC=upper(DC) | eval env1=case(DC like "%Q%","QA", DC like "%DEV%","DEV", true(), "PROD") | search env1=$envPure$ AND $domainPure$ |rename DC AS domainPure | stats count </query> <earliest>0</earliest> <latest></latest> </search>   If earliest=-48h and within the source code there is <earliest>0</earliest>, then if we enable an admission rule that disables All Time searches what would happen? 
Here is an idea: Select events in which list{}.name has one unique value "Hello", and has a value of "code" as the first element of list{}.type.   | where mvindex('list{}.type', 0) == "code" AND 'l... See more...
Here is an idea: Select events in which list{}.name has one unique value "Hello", and has a value of "code" as the first element of list{}.type.   | where mvindex('list{}.type', 0) == "code" AND 'list{}.name' == "Hello" AND mvcount(mvdedup('list{}.name')) == 1   However, given that list is an array, selecting only the first element for matching may not be what the use case demands. (Work with developers to figure out what semantics array order may convey.)  Here is one to select any element with value "code".   | where 'list{}.type' == "code" AND 'list{}.name' == "Hello" AND mvcount(mvdedup('list{}.name')) == 1   Here is an emulation of your mock data for you to play with and compare with real data   | makeresults | fields - _* | eval data = mvappend("{ \"list\": [ {\"name\": \"Hello\", \"type\": \"code\"}, {\"name\": \"Hello\", \"type\": \"document\"} ] }", "{ \"list\": [ {\"name\": \"Hello\", \"type\": \"code\"}, {\"name\": \"World\", \"type\": \"document\"} ] }", "{ \"list\": [ {\"name\": \"Hello\", \"type\": \"document\"}, {\"name\": \"Hello\", \"type\": \"document\"} ] }") | mvexpand data | rename data AS _raw | spath ``` data emulation above ```   With this data, output is the same for both variants _raw list{}.name list{}.type { "list": [ {"name": "Hello", "type": "code"}, {"name": "Hello", "type": "document"} ] } Hello Hello code document
Interesting, thanks for taking time and replying to my queries. @PaulPanther 
Thanks for commenting on my scenario, that is the same conclusion that I came to, but was hoping to find a way around it.  
Hi Where are the Checkpoint values for enabled DB Connect Inputs stored? I did check at folder: /opt/splunk/var/lib/splunk/modinputs/server/splunk_app_db_connect There there are only files ... See more...
Hi Where are the Checkpoint values for enabled DB Connect Inputs stored? I did check at folder: /opt/splunk/var/lib/splunk/modinputs/server/splunk_app_db_connect There there are only files with names of our disabled DB Inputs, but not the ones of our enabled DB Inputs. Splunk Enterprise Version: 9.0.4.1 Splunk DB Connect Version: 3.6.0 Ps. our three enabled DB Inputs do work correctly, and I can see the checkpoint values from the web. Just cannot find where they are stored on the OS best regards Altin
Hello,    I have a panel with a search query e.g.     <row><panel><table> <search> <query>_some_query_ | table A B C D </query> </search> </table></panel></row>        and it displays multi... See more...
Hello,    I have a panel with a search query e.g.     <row><panel><table> <search> <query>_some_query_ | table A B C D </query> </search> </table></panel></row>        and it displays multiple of rows on a dashboard. I am trying to create a button that will send all of the column C data to a different site, so I want to store column C data as a token. Is there a way to do that?  
Hello! As a newcomer to the world of IT and Cyber Security, i am having some trouble. I am trying to set up a splunk homelab environment to get some hands on experience with the application. My ... See more...
Hello! As a newcomer to the world of IT and Cyber Security, i am having some trouble. I am trying to set up a splunk homelab environment to get some hands on experience with the application. My hopeful goal is to be able to import or stream some data to a splunk dashboard to be able to mess a round and learn for starters, but eventually set up my own home network monitoring system. Ive been able to statically import some local logs and read them over, which is fine. Id like to be able to setup a better environment for detecting intrusions and analyzing for IOCs. If anyone has some helpful links or advice i would very much appreciate it!
Hi @richgalloway @isoutamo , thank you for the information and help.
Hi @hfaz , when you say that enabled forwarding to the Indexers, I suppose that you're peaking of logs. Check that you don't have the deploymentclient.conf file in the HF, eventually distributed us... See more...
Hi @hfaz , when you say that enabled forwarding to the Indexers, I suppose that you're peaking of logs. Check that you don't have the deploymentclient.conf file in the HF, eventually distributed using an add-on. Ciao. Giuseppe
Hi @Roopashree, Splunk isn't Excel, so you cannot merge two cels, you could have the NOT_OK value in both the rows: <your_search> | rex 1 | rex 2 | stats count BY Status Reasons please next time a... See more...
Hi @Roopashree, Splunk isn't Excel, so you cannot merge two cels, you could have the NOT_OK value in both the rows: <your_search> | rex 1 | rex 2 | stats count BY Status Reasons please next time add also the sample in text mode. Ciao. Giuseppe
Perfect! Thanks for the tip.
  I need help with a splunk query to return events where an array of object contains certain value for a key in all the objects of an array Event 1: { list: [ ... See more...
  I need help with a splunk query to return events where an array of object contains certain value for a key in all the objects of an array Event 1: { list: [ {"name": "Hello", "type": "code"}, {"name": "Hello", "type": "document"} ] } Event 2: { list: [ {"name": "Hello", "type": "code"}, {"name": "World", "type": "document"} ] } Event 3: { list: [ {"name": "Hello", "type": "document"}, {"name": "Hello", "type": "document"} ] } filters: In the list array, the first object in an array should have "type": "code" In all the items in the list array should have "name": "Hello" Expected output: In the above list of events the query should return 'Event 1', where first item - list[0].type = code and list has all the items with "name": "Hello" I tried multiple ways like search list{}.name="Hello" This was returning the events which had atleast 1 element having name: Hello However i was able to achieve checking for 1st filter as below | eval conflict = mvindex(list, 0) | spath input=conflict | search type=code If someone can help in achieving both the filters in a query that will be helpful. Thanks in advance  
Hello Splunkers, I'm encountering an issue with data model acceleration in my ES instance . A few weeks ago, I enabled several data models in my ES instance to support correlation searches. However,... See more...
Hello Splunkers, I'm encountering an issue with data model acceleration in my ES instance . A few weeks ago, I enabled several data models in my ES instance to support correlation searches. However, I recently noticed that there hasn't been any increase in SVC usage, and upon checking today, I found that the acceleration status for these models was disabled. I'm puzzled by this and would appreciate any insights into why this occurred and how to identify the root cause. Thank you.
Hey DK, Build the PKG, then open terminal and run the command sudo xattr -rd com.apple.quarantine /path/to/the.pkg This will remove the com.apple.quarantine attribute and stop the computer fro... See more...
Hey DK, Build the PKG, then open terminal and run the command sudo xattr -rd com.apple.quarantine /path/to/the.pkg This will remove the com.apple.quarantine attribute and stop the computer from checking it for malicious software. The -d option deletes the noted attribute and the -r option acts recursively. If you would like to check which attributes the .PKG has on it, then run the command: xattr -r /path/to/the.pkg   Hope this helps  
I'm still working on this; I've made some progress on doing the .tar file install and tweaking it, but I'm getting these two alerts (see attached images) whenever I log in to the user account. Have y... See more...
I'm still working on this; I've made some progress on doing the .tar file install and tweaking it, but I'm getting these two alerts (see attached images) whenever I log in to the user account. Have you found a workaround (assuming you've seen this)?
With Splunk Enterprise 9.2.1 there's no issue any more. This issue is defintively related to the builds of Splunk Enterprise.
Hi @louisss, I’m a Community Moderator in the Splunk Community. This question was posted 2 years ago, so it might not get the attention you need for your question to be answered. We recommend that ... See more...
Hi @louisss, I’m a Community Moderator in the Splunk Community. This question was posted 2 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the  visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you! 
Hi, I wanted to create a table as below. I am extracting Status and Reason using rex. How can I create this. Count column should count the events- I used stats count by ..  
@karthi2809 - Dashboard filters values shows in the URL, so once you get right URL, that should work.   I hope this helps!!!!