@gcusello  Sorry for the late reply but this helped with the creation of the sourcetype. Thank you for all your help!  
Probably append with some stats values() would do the trick similarly to join.
Dear Splunkers,

My goal is to expose only some dashboards to an external customer. I created a dedicated role and user with minimal access to a single app where these dashboards are placed. However, I'm struggling with hiding the Splunk bar/navigation menu. I.e. the customer can still use the "find" window to search for some reports and dashboards he is not obliged to see. Could you please lead me on how to hide it?

The navigation menu looks like below:

<nav search_view="search">
  <view name="search" />
  <view name="datasets" />
  <view hideSplunkBar="true" />
  <view hideAppBar="true" />
  <view hideChrome="true" />
  <view name="reports" />
  <view name="alerts" />
  <view name="dashboards" default='true'/>
</nav>

regards, Sz
I'm not sure why you do all this magic after the lookup command.

| lookup activity2 ex_ip as lb OUTPUT ex_ip as match

This will find a row in your lookup table activity2 for which the ex_ip value is equal to the lb value from the event. If such a row is found, the value from the ex_ip column (in this case it's the same column you searched by - it's a common lookup-verifying technique) is copied to the field called "match" in your result set. If there was no match, the 'match' field is left empty. So if you want to find only those events that matched your lookup, you simply filter to find events which have a value in this field:

| search match=*

It's that simple. If you want to match by another field, you have to specify other field(s) in your lookup.
Try and see. Good thing about Splunk search is that it's hard to break something just by searching. And yes, you can use wildcards with IN operator.
Don't replace the <<FIELD>> part on the right side of the eval in foreach with a static field name.
Can I use wildcard values in the IN command? user IN (System Administrator Guest admin*)  So basically omit any user that starts with the word admin?
Best Practice is to filter out events as early as possible, preferably before the first pipe. Multiple filters can be combined with (implicit) AND. Some like the cleaner look of the IN operator that just lists values to look for (or omit if NOT is used).

EventCode=4624 user!="*$" NOT user IN (SYSTEM Administrator Guest) | timechart span=1d dc(user) as "Unique Users"
Thank you! If I could ask one more question: I'm now wanting to filter that out a bit. So when looking that up I'm told to do | where user!="SYSTEM" or something like that:

EventCode=4624 user!="*$" | timechart span=1d dc(user) as "Unique Users" | where user!="SYSTEM"

So that has me think of 2 questions. If != is the sign for EXCLUDE, then why does this above statement work: user!="*$"? And second question, since it DOES work, how can I exclude multiple values? Example: | where user!="SYSTEM","Administrator","Guest", etc?
I tried both

index=MyPCF | fields server instance cpu_percentage | eval cpu_percentage=round(cpu_percentage,2) | eval server_instance = 'server' + "_" + 'instance' | timechart mAX(cpu_percentage) as CPU_Percentage by server_instance usenull=true limit=0 | foreach * [| fieldformat "<<FILED>>"=cpu_percentage . "%"]

And

index=MyPCF | fields server instance cpu_percentage | eval cpu_percentage=round(cpu_percentage,2) | eval server_instance = 'server' + "_" + 'instance' | timechart mAX(cpu_percentage) as CPU_Percentage by server_instance usenull=true limit=0 | foreach * [| eval "<<FILED>>"=cpu_percentage ."%"]

Below is the output I get:

_time                          Server_1  Server_2  Server_3
2024-03-25T14:00:00.000-0400   5.14      1.98      3.83
2024-03-25T14:01:00.000-0400   2.93      1.64      3.65
2024-03-25T14:02:00.000-0400   3.33      2.28      3.31
2024-03-25T14:03:00.000-0400   3.54      2.11      3.67
2024-03-25T14:04:00.000-0400   4.02      1.94      3.81
2024-03-25T14:05:00.000-0400   4.3       3.58      3.78
2024-03-25T14:06:00.000-0400   3.13      2.72      3.46
2024-03-25T14:07:00.000-0400   2.58      2.07      3.62
2024-03-25T14:08:00.000-0400   2.33      1.77      3.67
2024-03-25T14:09:00.000-0400   2.66      1.75      4.01
2024-03-25T14:10:00.000-0400   3.2       1.94      4.58
2024-03-25T14:11:00.000-0400   2.76      1.59      4.57
What about defining this on a Cloud Index you create? I get a default app assigned and there is no field available to edit this. Thanks
How do you copy a knowledge object from one app to another in Splunk
Do I need do add anything else other than the inputlookup? I am still unsuccessful with getting a match when I know there are a ton.
Yes, it's an IP address.
Hi @pop345, what's the content of the lb field? I supposed that it's an IP address. Anyway, in the first example, you should rename the lb field name to all the fields in the main search (src, dest). In the second example, you perform a full text search on _raw. Ciao. Giuseppe
Hi @selvaraj4u, I'm not sure on Dashboard Studio, but with Classic dashboards, you should try:

index=xyz query1 latest=now() [ search index=xyz query2 earliest=global_time.earliest latest=global_time.latest ]

In other words, you should force the time borders to be different from the Time Picker. Ciao. Giuseppe
I try to avoid join where possible, but I can't make this query work without it. See if this helps you.

index=_internal splunk_server=* source=*splunkd.log* sourcetype=splunkd (component=AggregatorMiningProcessor OR component=LineBreakingProcessor OR component=DateParserVerbose OR component=MetricSchemaProcessor OR component=MetricsProcessor) (log_level=WARN OR log_level=ERROR OR log_level=FATAL)
| rex field=event_message "\d*\|(?<st>[\w\d:-]*)\|\d*"
| eval data_sourcetype=coalesce(data_sourcetype, st)
| rename data_sourcetype as sourcetype
| fields sourcetype event_message component
| join sourcetype [| tstats count where index=* by sourcetype, index | fields - count ]
| table sourcetype component event_message index
the text "NaN" (does occasionally happen when the source is a SQL query) either

This explains it. I was wondering why typeof(num) should be Number when num had the value "NaN". Whoever wrote that code in typeof must have had SQL in mind. A SQL query only returns "NaN" when the data type is numeric. If you are programming against results from a SQL query in any language, you always need to write logic for this possible return.
The stats command can do that, although I'm not sure how it will handle "N/A". | stats avg('Column 4') as "Column 2" by 'Column 1'  
The distinct_count (dc) function will give the unique values of a field. ErrorCode=4624 user!="*$" | timechart span=1d dc(user) as "Unique Users"