All Posts

Hi, I have a single query to get all types of data in a table. For one particular type I have an issue with the null values; I need to remove those null value results for that particular type only, without affecting the other types of data. I need to remove those null values in the "error message" field for Type 1; for Type 2 it should stay as it is. Thanks in advance.
What I mean is I want to create a query to output KV store errors and Splunk TA errors.
Hi, normally you could use e.g. stats to do correlation between events. In your case try e.g.

    ... | stats first(_time) as _time values(*) as * by SessionID

This will generate one event for each SessionID which contains the other fields as multivalue fields, or, if the value was the same in all combined events, as a normal field. r. Ismo
Here is my search in question; the common field is the SessionID:

    index=eis_lb apm_eis_rdp
    | fillnull value="-"
    | search UserID!="-"
    | rex field=_raw "\/Common\/apm_eis_rdp:ent-eis[:a-zA-Z0-9_.-](?'SessionID'........)"
    | search company_info="*"
    | rename company_info as "Agency"
    | table _time, SessionID, UserID, Full_Name, Agency, HostName, client_ip
    | sort - _time

    _time                SessionID  UserID    Full_Name  Agency    HostName  client_ip
    2024-03-22 08:25:29  4f89ae57   Redacted  Redacted   Redacted  Redacted  -

If I remove the search on UserID I can see the matching SessionID, and the client_ip is present:

    _time                SessionID  UserID    Full_Name  Agency    HostName  client_ip
    2024-03-22 14:26:48  4f89ae57   Redacted  Redacted   Redacted  Redacted  -
    2024-03-22 14:25:52  4f89ae57   -         -          -         -         Redacted

How can I create a search like the above to show the client_ip matching the SessionID?
Hi! I have a dashboard with two parts: a table based on an existing dataset, and a column chart based on this query:

    | bucket _time span=day | stats count by _time

The full table code looks like this:

    {
      "type": "splunk.column",
      "dataSources": { "primary": "..." },
      "title": "...",
      "options": {
        "x": "> primary | seriesByName('_time')",
        "y": "> primary | frameBySeriesNames('count')",
        "legendDisplay": "off",
        "xAxisTitleVisibility": "hide",
        "yAxisTitleText": "...",
        "showYAxisWithZero": true
      },
      "eventHandlers": [],
      "context": {},
      "showProgressBar": false,
      "showLastUpdated": false
    }

I want a click on any column to filter the table based on global_time: if I click on March 22, it filters the table to only show records where the _time is Mar 22 00:00:00 to Mar 22 23:59:59. How do I do that?
I'm receiving the following error when trying to run "./splunk show cluster-bundle-status":

    Failed to contact the cluster manager. ERROR: Cluster manager is not enabled on this node.

A duplicate error is displayed for the peers. But when I sign into the cluster manager and go to indexer clustering, all my 4 indexers are on the dashboard and the manager node is properly set in the configuration. I've even double checked the .conf files. Any suggestions?
One thing you could do is put the search filter into the token, so that if the $subunit_search$ token is empty, it won't interfere with the search:

    index=<index> organization="$org$" unit="$unit$" $subunit_search$

Set your inputs so that it sets $subunit_search$ to equal "subunit=<subunit_name>" or defaults to "" (empty string).
Hi! I think you are referring to panels that can fold in the dashboard. I believe this has already been answered here: https://community.splunk.com/t5/Dashboards-Visualizations/How-to-add-feature-expand-or-collapse-panel-in-dashboard-using/m-p/507211/highlight/true#M33722 
The lookup command should be formulated like this:

    | lookup activity2 <col_in_lookup> as <field_in_search> OUTPUT <col_in_lookup> as <field_to_output>

Thus your lookup command should work if the field containing the IP address value in the events is called "lb". But if you want to check if a dest IP is in the lookup, you might try:

    | lookup activity2 ex_ip as dest OUTPUT ex_ip as ip_found
    | search ip_found = *
Is there an existing Splunk log that would identify the time an entity is "retired" in Splunk ITSI? I recently had a significant amount of my entities retire for some reason despite the entities still sending metrics data to the metrics indexes. I do have an auto-retire policy in place, but I do not believe that any of the entities in question would not have sent data in the amount of time needed for the auto-retire policy to trigger on them. I am hoping to find a log that would help me identify when entities were retired and how they were retired, be it by the auto-retire policy or an admin making a mistake somehow.
I am trying to compare an IP address field called ex_ip that's stored in a lookup file with an index called activity which contains dest, src and a few other fields. I am trying to match the ex_ip from the lookup file with the dest IP from the activity index. My following query is not resulting in any matches. Any help would be appreciated.

    index="activity"
    | lookup activity2 ex_ip as lb OUTPUT ex_ip as match
    | eval match=if(LIKE('dest', 'ex_ip'), 1, 0)
    | search match=1
Thanks @isoutamo 
I am having trouble with my search. I am finding groups, and my groups are broken down into organization, unit, and subunit. The tokens are being passed in for each respective part of the group. Example:

    Group1: apple.banana.orange
    Group2: apple.banana.grape
    Group3: melon.berry

    index
    | search organization = $org$
    | search unit = $unit$
    | search subunit = $subunit$
    | eval group = organization."."unit."."subunit

This would output apple.banana.orange and apple.banana.grape, but would not show anything for melon.berry. Sometimes I have groups that do not have subunits. When I tried to add the fillnull:

    index
    | search organization = $org$
    | search unit = $unit$
    | fillnull value="" $subunit$
    | eval group =if(isnotnull($subunit$), organization."."unit."."subunit, "organization.".".unit)

That worked for groups with no subunit, but then for the groups that did have subunits it did not work. This would output melon.berry, but it would output all the events for apple.banana. It wouldn't do the search specifically for orange or grape. I am trying to have my search handle the case when a subunit token is passed and it is blank, and what to do with it to output the correct values.
Is there any word or some token by which you know where the first XML part ends, or is it just the end of the line and then the 3rd line is some other text?
It looks like this:

    this is the first line
    this is the second line <!DOCTYPE....> ......... the rest of the xml is here
    this is the third line <!DOCTYPE...> .......rest of the xml is here
    this is the fourth line
    this is the fifth line
Have you checked that your IAM roles are still correctly defined and valid for your node? Can you run those S3 access test commands?
You could try to ask it from Splunk Support or your account manager.
I was looking into the Splunk integration with Hadoop and saw that it's on schedule for EOL (Jan 2025 per https://docs.splunk.com/Documentation/Splunk/9.2.0/HadoopAnalytics/MeetSplunkAnalyticsforHadoop). I know it's changed around a few times; there used to be a "Hadoop Connect" app before "Splunk Analytics for Hadoop". Is this happening again, where it's just moving somewhere else, or is it totally gone now? Nothing else to substitute it?
Have you already seen this https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/gettingstartedpython
Hi, it's hard to help you without more information about your environment and queries. You could try to look if this helps: https://conf.splunk.com/files/2020/slides/TRU1761C.pdf There are many more presentations which could help too. r. Ismo