You will either have to show the pie chart as a trellis chart so it shows one chart for each country, or create a composite field containing both country and error message, as the pie chart can only show one dimension, i.e.
index=test
| iplocation Properties.ip
| dedup Properties.ip
| eval composite=Country.":".'event.Properties.errMessage'
| stats count by composite
Then the composite will be Australia:OK and so on.
It appears to be related to the size of the visualisation. I changed f to be 100003138 and still I see all 6 slices but if I simply change the size of the visualisation area of the pie chart I will see this
Hi Team, can anyone help me with a Splunk search query to split the successful logins from the invalid ones? Ex - I want to exclude OK from the search and want to see only the locked out, invalid, invalid parameter ones. Thanks
Hi, can anyone help me with the query below? I have created a pie chart based on the error message; however, I am not sure how to add country along:
index=test
| iplocation Properties.ip
| dedup Properties.ip
| stats count by event.Properties.errMessage
Double wild-carded strings are not very efficient. Could you perhaps extract the "proc" values into a field and then use a where command to exclude the events with the undesired values?
I don't know the decrypt command so this might be completely irrelevant, but is the output (emitted) field a multi-value field, and if so do you need to use mvexpand to separate out the strings that you want to filter on? Another possibility is perhaps the regex command:
| regex process_decoded!="SELECT"
Try something like this:
index=compare sourcetype="accountA" OR sourcetype="accountB"
| rename nameB as nameA, addressB as addressA, cellB as cellA
| eventstats count by accid nameA addressA cellA
| where count==1
Hello, how do I compare 2 source types within the same index and find the gap? For example: index=compare sourcetype=accountA and sourcetype=accountB; we have some account info in accountA but not in accountB and the objective is to find that gap.

sourcetypeA
accid  nameA  addressA  cellA
002    test1  tadd1     1234
003    test2  tadd2     1256
003    test2  tadd2     5674
004    test3  tadd3     2345
005    test4  tadd4     4567
006    test5  tadd5     7800
006    test5  tadd5     9900

sourcetypeB
accid  nameB  addressB  cellB
002    test1  tadd1     1234
003    test2  tadd2     5674
004    test3  tadd3     2345
005    test4  tadd3     4567
006    test5  tadd5     9900

Output will be:
003    test2  tadd2     1256
006    test5  tadd5     7800

Any recommendation will be highly appreciated.
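The gap computation in this question, written as a stand-alone Python example (added here; not code from the post or from Splunk). It transcribes the sample rows from the question as constructed data and contrasts two ways of defining "missing": a one-sided anti-join (rows of accountA with no partner in accountB) and the symmetric `eventstats count ... | where count==1` idea from the reply, which reports unmatched rows from both sourcetypes. Note that in the sample data row 005 differs between the two sourcetypes only in the address (tadd4 vs tadd3), so the result depends on which fields you compare on; the `key_fields` parameter is this example's own device for making that choice explicit.

```python
from collections import Counter

# Rows transcribed from the question: (accid, name, address, cell).
FIELDS = ("accid", "name", "address", "cell")
ACCOUNT_A = [
    ("002", "test1", "tadd1", "1234"),
    ("003", "test2", "tadd2", "1256"),
    ("003", "test2", "tadd2", "5674"),
    ("004", "test3", "tadd3", "2345"),
    ("005", "test4", "tadd4", "4567"),
    ("006", "test5", "tadd5", "7800"),
    ("006", "test5", "tadd5", "9900"),
]
ACCOUNT_B = [
    ("002", "test1", "tadd1", "1234"),
    ("003", "test2", "tadd2", "5674"),
    ("004", "test3", "tadd3", "2345"),
    ("005", "test4", "tadd3", "4567"),
    ("006", "test5", "tadd5", "9900"),
]


def _key(row, key_fields):
    """Project a row onto the fields that define identity for the comparison."""
    return tuple(row[FIELDS.index(f)] for f in key_fields)


def rows_missing_from_b(a_rows, b_rows, key_fields=FIELDS):
    """Left anti-join: rows of A whose key never appears in B."""
    seen = {_key(r, key_fields) for r in b_rows}
    return [r for r in a_rows if _key(r, key_fields) not in seen]


def unmatched_either_side(a_rows, b_rows, key_fields=FIELDS):
    """The `eventstats count by <key> | where count==1` approach: any row whose
    key occurs exactly once across both sourcetypes, from either side. A row
    duplicated within one sourcetype would have count 2 and be hidden."""
    counts = Counter(_key(r, key_fields) for r in a_rows + b_rows)
    return [r for r in a_rows + b_rows if counts[_key(r, key_fields)] == 1]


if __name__ == "__main__":
    print("A rows missing from B (all fields):", rows_missing_from_b(ACCOUNT_A, ACCOUNT_B))
    print("A rows missing from B (accid+cell):",
          rows_missing_from_b(ACCOUNT_A, ACCOUNT_B, ("accid", "cell")))
    print("count==1 from either side:", unmatched_either_side(ACCOUNT_A, ACCOUNT_B))
```

Comparing on accid and cell only reproduces the two rows the question lists as expected output; comparing on all four fields additionally reports the 005 row from each side, which is the kind of difference worth settling before writing the SPL.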
Hi, I have set up the Object and Event input configuration in the Salesforce TA. I am able to see the object logs but unable to see the event logs in Splunk Cloud. Any directions for triaging the issue? Appropriate permissions are provided for the Salesforce user.
You might be wanting to configure Splunk to start at boot time:
/opt/splunk/bin/splunk enable boot-start
ref: https://docs.splunk.com/Documentation/Splunk/latest/Admin/ConfigureSplunktostartatboottime
Thanks. I hadn't thought of that. Since I posted the question, NetSkope came back with a solution. I was sent this:
conf_file_stanzas = conf_file_object.get_all()
Replace the above line with the following:
conf_file_stanzas = conf_file_object.get_all(only_current_app=True)
With that the issue was resolved. The code was trying to get information from another TA.
Assuming you are on a Linux machine, you could try piping the session_key value to that first command:
echo "sessionkeyhere" | splunk cmd python -m pdb netskope_email_notification.py
(Note that if you enter the key in explicitly, it may be saved in your command history, which may be undesired. You can also read the key from a source using the "cat" command.) I couldn't tell you about the session_key... perhaps the Netskope docs could tell you where to get one. It could be a session with an email provider if this Python script is intended to send email.
I don't fully understand what you mean... would it be possible to include screenshots demonstrating the timechart you would like (using the All-time search) versus what you get? Also a full query (without private information) would be very helpful. E.g. something like this?
Indeed, "latest" should be on 9.2.1, but it seems to be on 9.0.9 . Perhaps we can ping the resolver of that post @amayor_splunk and humbly ask for assistance.
At search time, you could use spath to navigate past the "event:" part of the log:
<yoursearch>
| spath path=event output=_raw
However, you may want a solution that does not require spath on every search. You can configure your indexing tier to remove the "event:" part of the log, so that it directly shows you the useful fields without needing to be expanded. On the indexing tier, make a props.conf file in an app, e.g. /opt/splunk/etc/apps/yourappname/local/props.conf, with this stanza:
[cisco:amp:event]
SEDCMD-RemoveEventKey = s/{"event":\s*//
SEDCMD-RemoveLastBracket = s/}$//
(and more stanzas for other sourcetypes you would like this change to apply to)
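A way to check the two SEDCMD substitutions above before deploying them to indexers, as an added Python example that is not part of the reply or of Splunk. It applies the same two regex substitutions (first occurrence only, as an un-flagged sed `s///` does) to a constructed Cisco AMP-style event and confirms the result still parses as JSON. The sample event and the trailing-whitespace failure case are constructed for this example.

```python
import json
import re

# Constructed sample: the useful fields sit inside an outer {"event": ...} envelope.
SAMPLE_RAW = ('{"event": {"timestamp": "2024-01-01T00:00:00Z", '
              '"event_type": "Threat Detected", "computer": {"hostname": "host1"}}}')

# The two props.conf substitutions, expressed as Python regexes.
# sed's s/x/y/ with no g flag replaces only the first match, hence count=1 below.
SEDCMDS = [
    (re.compile(r'{"event":\s*'), ''),   # SEDCMD-RemoveEventKey
    (re.compile(r'}$'), ''),             # SEDCMD-RemoveLastBracket
]


def apply_sedcmds(raw):
    """Apply the substitutions in order, first match only, like the stanza does."""
    for pattern, repl in SEDCMDS:
        raw = pattern.sub(repl, raw, count=1)
    return raw


def check_transform(raw):
    """Return (True, parsed_dict) if the stripped event is valid JSON,
    else (False, stripped_text) so the bad output can be inspected."""
    stripped = apply_sedcmds(raw)
    try:
        return True, json.loads(stripped)
    except json.JSONDecodeError:
        return False, stripped


if __name__ == "__main__":
    print(check_transform(SAMPLE_RAW))
    # Trailing whitespace after the final brace defeats the }$ anchor and leaves
    # an unbalanced brace behind, which is the failure mode worth testing for.
    print(check_transform(SAMPLE_RAW + " "))
```

If your events can carry trailing whitespace, anchoring the second substitution as `}\s*$` (and re-running this check) is the kind of adjustment this harness is meant to surface before it reaches the indexers.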
I have been working on decoding a base64 encoded command using the decrypt2 app. I have successfully decoded the string but am facing difficulty excluding or searching, and also running stats on the decoded field, which gives a "p" thing as a result.
Examples of | Search NOT:
Example of Stats resulted "p":
| rex field="process" ".*-(e|E)(n|N)[codemanCODEMAN]{0,12}\ (?<process_enc>[A-Za-z\d+/=]*)?"
| decrypt field=process_enc b64 emit('process_decoded')
| stats count by process_decoded
Could someone please provide guidance on the correct syntax to exclude or search the decoded field using search not or using a lookup, and help clarify the "P" thing from the stats command?
DECRYPT2
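For readers wanting to see what the rex-then-decode pipeline in this question produces, here is an added Python example (not code from the post, from the decrypt2 app, or from Splunk) that extracts the base64 argument with a pattern mirroring the post's rex, decodes it, and tallies the decoded values the way `stats count by process_decoded` would. It also handles the two cases a detection engineer usually trips over: blobs that are not valid base64, and the fact that a PowerShell `-EncodedCommand` payload is UTF-16LE, so byte-wise decoding shows a NUL between every character. The command lines are constructed for this example and carry only benign commands.

```python
import base64
import binascii
import re
from collections import Counter

# Mirrors the rex in the post (-e / -en / -enc / -EncodedCommand followed by base64).
# Python spells named groups (?P<name>...).
ENCODED_ARG = re.compile(
    r'-[eE][nN][codemanCODEMAN]{0,12}\s+(?P<process_enc>[A-Za-z0-9+/=]+)')

# Constructed sample process command lines, encoded as -EncodedCommand expects
# (UTF-16LE text, then base64). The last one carries a blob that is not base64.
SAMPLE_PROCESSES = [
    'powershell.exe -NoProfile -EncodedCommand '
    + base64.b64encode('Get-Process'.encode('utf-16le')).decode('ascii'),
    'powershell.exe -enc '
    + base64.b64encode('Get-Date'.encode('utf-16le')).decode('ascii'),
    'cmd.exe /c whoami',
    'powershell.exe -EncodedCommand not*base64*',
]


def decode_encoded_command(cmdline):
    """Return (blob, decoded_text). blob is None when no encoded switch is present;
    decoded_text is None when the blob is not valid base64."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None, None
    blob = m.group('process_enc')
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return blob, None
    # -EncodedCommand payloads are UTF-16LE; decoding them as single bytes would
    # leave a NUL after every character and produce odd-looking stats values.
    try:
        return blob, raw.decode('utf-16le')
    except UnicodeDecodeError:
        return blob, raw.decode('latin-1')   # odd length or not text: keep bytes visible


def count_decoded(cmdlines):
    """Equivalent of `stats count by process_decoded` over the decodable lines."""
    counts = Counter()
    for line in cmdlines:
        _, text = decode_encoded_command(line)
        if text is not None:
            counts[text] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_PROCESSES:
        print(decode_encoded_command(line))
    print(count_decoded(SAMPLE_PROCESSES))
```

Once the decoded value is a clean string, excluding or matching on it is an ordinary string comparison, which is the point at which a `NOT`, a `where`, or a lookup in SPL becomes straightforward.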
We have installed and configured the MS Teams app Splunk>VictorOps version 1.1.0. It is successfully posting alerts to channels that are Public or Standard channels in a private team. However, there is no option to select posting alerts to a shared channel. The channel just does not appear in the list. Is this a known limitation of the app? The integration guide here https://help.victorops.com/knowledge-base/microsoft-teams-integration-guide/ states that "Note that installing into any channel in a team will make Splunk>VictorOps available for all channels in that team." Has the app been set up to allow integration with Shared channels in MS Teams?
References:
https://learn.microsoft.com/en-us/microsoftteams/shared-channels
https://learn.microsoft.com/en-us/microsoftteams/platform/concepts/build-and-test/shared-channels