All Posts
Hi @richgalloway, thanks for your inputs on this. We are running the search in verbose mode only, but this did not help us. The event we are dealing with is very big, and we are wondering whether Splunk is hitting any limitation in showing all the fields in the left-side panel (selected fields and interesting fields).
Yes, I tried it out with all options already: with quotes, without quotes, and with double quotes. All are giving the same error: Error in 'mstats' command: Invalid token: sum(eval(if(calc:service.thaa_stress_requests_count_lr_tags>0
Try without quotes around the field names (perhaps there is something significant about the colon?):
| mstats sum(eval(if(calc:service.thaa_stress_requests_count_lr_tags>0, calc:service.thaa_stress_requests_count_lr_tags, null()))) As "Count", avg(eval(if(calc:service.thaa_stress_requests_lr_tags>0, calc:service.thaa_stress_requests_lr_tags, null()))) As "Response" where index=itsi_im_metrics by Dimension.id
I am trying to get values from the XML part of an event. The event starts with a few lines, then it has an XML part, after that a few more lines and another XML part. I want to extract at first only the parts of the event that are in XML format.
We need more information. Are you trying to extract at search time or index time? Are you trying to keep the XML or discard it? Please share a sanitized sample event or two.
Getting error: Error in 'mstats' command: Invalid token: sum(eval(if('calc:service.thaa_stress_requests_count_lr_tags'>0
Thank you, that did the trick. I was trying to do everything through the field extraction page, but using 'sed' worked better. It kept all the context I needed and eliminated all the slashes.
Try something like this:
| mstats sum(eval(if('calc:service.thaa_stress_requests_count_lr_tags'>0, 'calc:service.thaa_stress_requests_count_lr_tags', null()))) As "Count", avg(eval(if('calc:service.thaa_stress_requests_lr_tags'>0, 'calc:service.thaa_stress_requests_lr_tags', null()))) As "Response" where index=itsi_im_metrics by Dimension.id
I have the below query to calculate average response times. For some reason, sometimes the value comes as '0'. I wanted to remove those values from my calculation.
| mstats sum(calc:service.thaa_stress_requests_count_lr_tags) As "Count", avg(calc:service.thaa_stress_requests_lr_tags) As "Response" where index=itsi_im_metrics by Dimension.id | eval Response=round((Response/1000000),2), Count=round(Count,0) | search Dimension.id IN ("*Process.aspx")
Sample values:
metric_name:calc:service.thaa_stress_requests_lr_tags: 4115725
metric_name:calc:service.thaa_stress_requests_lr_tags: 0
metric_name:calc:service.thaa_stress_requests_lr_tags: 3692799
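The suggested fix for the zero-value problem relies on one property of Splunk's aggregation functions: avg() and sum() skip null values, so wrapping a metric in eval(if(x>0, x, null())) removes the zero samples from the average instead of dragging it down. The following is an added example, not code from this thread, that reproduces that behaviour in Python over a constructed sample built from the three values quoted above (the Dimension.id names and the per-sample count values are assumptions); it shows the difference the null mapping makes to the reported response time.

```python
"""Added example (not from the thread): why mapping zeros to null changes avg().

Splunk's avg() and sum() skip null values, so eval(if(x>0, x, null()))
drops the zero samples from the aggregate. This reproduces that in Python
over a constructed sample mirroring the values quoted in the post.
"""
from collections import defaultdict

# Constructed sample: (Dimension.id, count metric, response-time metric in ns).
# Dimension names and count values are assumptions for illustration.
SAMPLE = [
    ("/app/Process.aspx", 12, 4115725),
    ("/app/Process.aspx", 0, 0),          # the zero sample the poster wants to drop
    ("/app/Process.aspx", 9, 3692799),
    ("/app/Other.aspx", 3, 1500000),
]


def positive_or_none(value):
    """Python equivalent of eval(if(x>0, x, null()))."""
    return value if value > 0 else None


def aggregate(rows, drop_zeros=True):
    """Return {dimension: {"Count": int, "Response": float}}.

    Response is the mean response time converted from ns to seconds and
    rounded to two decimals, as in the poster's query. With drop_zeros=True,
    zero samples become None and are skipped, just as Splunk skips nulls.
    """
    counts = defaultdict(int)
    responses = defaultdict(list)
    for dim, count, resp in rows:
        if drop_zeros:
            count, resp = positive_or_none(count), positive_or_none(resp)
        if count is not None:
            counts[dim] += count
        if resp is not None:
            responses[dim].append(resp)
    out = {}
    for dim in set(counts) | set(responses):
        vals = responses.get(dim, [])
        avg = sum(vals) / len(vals) if vals else None
        out[dim] = {
            "Count": counts.get(dim, 0),
            "Response": round(avg / 1_000_000, 2) if avg is not None else None,
        }
    return out


if __name__ == "__main__":
    print(aggregate(SAMPLE))                    # zeros excluded: 3.9 s for Process.aspx
    print(aggregate(SAMPLE, drop_zeros=False))  # zeros included: 2.6 s for Process.aspx
```

With the zero sample excluded the Process.aspx average is 3.9 s; with it included it drops to 2.6 s, which is exactly the distortion the poster is seeing.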
You can simply remove the backslashes like this:
| rex field=_raw mode=sed "s/\\\//g"
However, I suspect this is not what you want, but what you want is unclear since all your data is "context". Are you expecting Field1 to be "context,context,context", or something else?
Hi, my event has unstructured data, i.e. a few strings, then an XML part, then a few more strings, and another XML part followed by a few more strings. How do I extract only the XML parts from the event when there is no pattern to the strings, i.e. neither the number of lines before and after the XML nor the string content has a pattern?
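When the surrounding text has no usable shape, the XML itself is the only anchor: find a candidate opening tag, then take the shortest span up to a matching closing tag that actually parses as XML. The following is an added example, not code from this thread, that does this in Python over a constructed event (the tag names and surrounding log text are made up); it handles several fragments in one event and skips stray angle-bracket text in the prose that is not real XML.

```python
"""Added example (not from the thread): pull every XML fragment out of an
event whose surrounding text has no fixed shape.

Strategy: scan for a candidate opening tag, then try the text from that tag
up to each matching closing tag of the same name; keep the shortest span that
parses as XML. Text outside the fragments is ignored.
"""
import re
import xml.etree.ElementTree as ET

# Constructed event: free text, an XML block, more text, a second XML block.
SAMPLE_EVENT = """2024-03-01 10:00:01 INFO worker-3 request received from 10.0.0.5
payload follows
<Order id="42"><Customer>ACME</Customer><Total currency="USD">19.99</Total></Order>
processing finished in 12ms; emitting audit record
some more unrelated words here
<Audit><Actor>svc-billing</Actor><Action>charge</Action></Audit>
done
"""

# An opening tag: a name starting with a letter or underscore, optional attributes.
OPEN_TAG = re.compile(r"<([A-Za-z_][\w.-]*)(\s[^<>]*)?>")


def extract_xml_fragments(text):
    """Return a list of well-formed XML strings found anywhere in text."""
    fragments = []
    pos = 0
    while True:
        m = OPEN_TAG.search(text, pos)
        if not m:
            break
        name = m.group(1)
        start = m.start()
        found = None
        # Try each closing tag of the same name after the opening tag; the
        # first candidate that parses is the complete fragment.
        for close in re.finditer(rf"</{re.escape(name)}\s*>", text[m.end():]):
            end = m.end() + close.end()
            candidate = text[start:end]
            try:
                ET.fromstring(candidate)
            except ET.ParseError:
                continue
            found = candidate
            break
        if found:
            fragments.append(found)
            pos = start + len(found)   # resume after the whole fragment
        else:
            pos = m.end()              # stray '<tag>' in prose: skip it and keep scanning
    return fragments


def fragment_value(fragment, path):
    """Text of the first element matching an ElementPath inside a fragment."""
    node = ET.fromstring(fragment).find(path)
    return node.text if node is not None else None


if __name__ == "__main__":
    for frag in extract_xml_fragments(SAMPLE_EVENT):
        print(frag)
```

Because every candidate is validated with a real parser, a line of prose that merely contains `<something>` is skipped rather than swallowed as a fragment. If the events come from an untrusted source, parse with defusedxml instead of the stdlib ElementTree to avoid entity-expansion problems.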
This technique doesn't appear to work in 9.2.0. Is there a new technique to mirror dashboards from one app to another? I did have to navigate deeper, into the .../ui/views folder, but just assumed that is due to this post being five years old. TIA!
$SPLUNK_HOME/etc/apps/<source app>/local/data/ui/views/<source dashboard>.xml
Hi @ChrisG, the link mentioned by you is not working now, and we are still unable to find any Splunk universal forwarder for AIX 6.1 in the previous version list. Kindly check once again.
Trying to figure out how to extract a field using regex to capture the entire string. The only problem is there are a bunch of slashes throughout: sometimes one, sometimes three, etc. I've tried variations of commands I found in the documentation but no luck. Is this possible? Example string of the field I want to extract, with all the context appended to one another minus the slashes:
\"\\\"Field1\\\":\"context"\\\",\\\:"\"context"\\\",\\\:"\"context"\\\",\\\:"\"context"\\\",\\\:"\"context"\\\"context\\\\\\\context\\\\\\\\Field2
I want it to be extracted like this: Field1="context","context" etc., so the slashes are eliminated. Appreciate any help.
I tried it, but it didn't work. Splunk does not create the events with the information between the delimiters:
## MONIT_DOC_START
....
.....
## MONIT_DOC_END
Any ideas? I have also tried this (unsuccessful):
BR
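Before tuning the event-breaking settings in props.conf (LINE_BREAKER / BREAK_ONLY_BEFORE and friends), it helps to pin down exactly which events the file should produce. The following is an added example, not code from this thread and not Splunk's own breaking logic, that expresses the grouping the poster describes in Python: everything between a `## MONIT_DOC_START` and the next `## MONIT_DOC_END` becomes one event, lines outside any pair are dropped, and an unterminated trailing block is flushed rather than silently lost. The sample input is constructed.

```python
"""Added example (not from the thread): the event grouping the poster wants,
expressed in Python so the expected output can be checked before tuning
props.conf. Lines between '## MONIT_DOC_START' and '## MONIT_DOC_END' form
one event; lines outside any pair are dropped; an unterminated block at end
of input is flushed so nothing is silently lost.
"""

START_MARK = "## MONIT_DOC_START"
END_MARK = "## MONIT_DOC_END"

# Constructed input resembling the poster's file layout: two complete blocks,
# noise between them, and a trailing block that never gets its END marker.
SAMPLE_TEXT = """noise before the first block
## MONIT_DOC_START
host=web01 status=ok
load=0.42
## MONIT_DOC_END
unrelated line between blocks
## MONIT_DOC_START
host=web02 status=failed
reason=timeout
## MONIT_DOC_END
## MONIT_DOC_START
host=web03 status=ok
"""


def split_events(text, keep_markers=False):
    """Return a list of events, each a single string of the enclosed lines.

    keep_markers=True retains the START/END lines inside each event, which is
    what you get when the marker itself is used as the line breaker.
    """
    events = []
    current = None                      # None while outside a START..END pair
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == START_MARK:
            if current is not None:     # START while already open: close the previous block
                events.append("\n".join(current))
            current = [line] if keep_markers else []
        elif stripped == END_MARK:
            if current is not None:
                if keep_markers:
                    current.append(line)
                events.append("\n".join(current))
                current = None
            # an END with no open block is ignored
        elif current is not None:
            current.append(line)
    if current:                         # unterminated trailing block: flush it
        events.append("\n".join(current))
    return events


if __name__ == "__main__":
    for i, ev in enumerate(split_events(SAMPLE_TEXT), 1):
        print(f"event {i}:\n{ev}\n")
```

Running it against a real copy of the file gives the event count and boundaries to compare against what the index actually shows; if the trailing unterminated block matters in production, remember that a line breaker keyed on the START marker will only emit it once the next START arrives.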
Hello, looking into the solution, I am facing an issue when I do a base search. When I use the regex in SPL code and it gets converted to XML, my code is not working. If I change my XML code I get an unvalidated tag. Is there a way to get it working in a base search? Example:
In SPL code: | rex field="log.mess" ".*\"Category\":\"(?<Category>[^\"]+)"
In XML: | rex field="log.mess" ".*\"Category\":\"(?&amp;lt;Category&amp;gt;[^\"]+)"
1. Please help me to add a hover effect to a text box in a glass table?
2. Please help me to add color coding based on value in a glass table?
Do I need to configure rsyslog?
OK, but also nothing in SCP.
Wait a second. You're looking for events on the HF? It doesn't (at least shouldn't) work that way. A forwarder, as the name says, is a component which forwards data from input(s) to output(s). If properly configured, an HF should not index events locally.