All Posts
Can this work for passing a value to the Splunk Add-on for ServiceNow, description section? Thank you.
Since the vt4splunk app uses the VirusTotal API, it will not work offline.
Make sure you're running the search in Verbose mode. In Smart mode, Splunk only extracts fields explicitly referenced in the query.
Thanks. I don't have a lot of experience with the JSON functions, but I think this should help.

index=index1 sourcetype=sourcetype1 hostname=* software!=""
| eval software=json_array_to_mv(software)
| mvexpand software
| rex field=software "cpe:\/a:(?<Vendor>[^:]+):(?<Product>[^:]+):(?<Version>.*)"
| table hostname, Vendor, Product, Version
| dedup hostname, Vendor, Product, Version

The idea is to convert the software field from a JSON array into a multi-value field so it can be split into separate events using mvexpand.
I'm building dashboards in a Splunk app, using Splunk Enterprise 9.2.0. I want to be able to run a query on a dashboard, based on my filters, time picker, etc. (with a Submit). This, I know how to do. But I need to be able to scroll down and do the exact same thing again below, so I can keep my original output up at the top. I need to know how to basically do this sort of dashboard (all in the same dashboard):

Fieldset 1 <Filters, Time-picker, Submit, etc.>
Panels for Fieldset 1 (charts, tables, etc.)
** Run the first one, keep that output, and then run the one below, while the other results remain the same
Fieldset 2 (or duplicate) <Filters, Time-picker, Submit, etc.>
Panels for Fieldset 2 (charts, tables, etc.)

...and if it's any different, how to keep drilling down to Fieldset 3, Fieldset 4, and so on. Does anyone know how to do that, or is there a book/reference on that? Thanks.
If you want to use fieldformat, that's fine, but you still need to use the foreach command as I suggested:

index=MyPCF
| fields server_instance cpu_percentage
| timechart max(cpu_percentage) as CPU_Percentage by server_instance usenull=true limit=0
| foreach * [| fieldformat "<<FIELD>>"=round('<<FIELD>>',2)."%"]

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Foreach
Update: the configuration profile works, no notifications are seen from the user's perspective, and the workstation is added into Splunk.
I have a strange issue: when I search for a specific event in Splunk and I am looking for specific fields (e.g. field1, field2), I cannot see them in Selected Fields or Interesting Fields. But when I run the same query and table those fields, I can see them.

index=1234 sourcetype=4567 --> cannot see those fields when this search is triggered. But when I add a table command with those field names to the search, I can see the fields and their values.

index=1234 sourcetype=4567 | table field1, field2 --> with this query I can see the fields.

Did anyone face this issue? We are on the latest Splunk version, 9.0.X.
You can start the REST search query with index=* and then add the subsequent commands one by one to see where the results get filtered out or where the errors come up.
Hello all,

I have a dashboard with a field "id" that I want to add to the end of a custom URL that I have defined in the "interactions" on-click section. My goal is to have this field's data added to the end of my custom URL so that, when clicked, it will load the exact page I need with that value at the end in the browser. This is what I have tried: I tried to add "$click.value$", then also tried "=$click.value$". I also tried to put just "$id$" at the end. No results; it just loads the URL with my addition as text (does not pull the actual value).

"eventHandlers": [
    {
        "type": "drilldown.customUrl",
        "options": {
            "url": "https://myURL.com/abcd/=$click.value$",
            "newTab": true
        }
    }
]
Probably the best thing for that, as bowesmana suggested, is the predict command, which would estimate what the data may look like in the future based on its behavior in the past. Unless you have data with timestamps in the future, you can't actually look at future data; now()+1d should be empty.
You could leave the index=index1 field in the inputs.conf stanza. That way all non-matching events would go to index1, and all matching events would go to index2.
Hi,

Thanks for the reply. I am still learning Splunk, pardon my ignorance. I tried as you mentioned:

index=MyPCF
| fields server_instance cpu_percentage
| timechart max(cpu_percentage) as CPU_Percentage by server_instance usenull=true limit=0
| foreach * [| fieldformat cpu_percentage=round('cpu_percentage',2)."%"]

Still the same result:

Time                          Server1      Server2
2024-03-21T15:00:00.000-0400  1.869638272  2.384320706
2024-03-21T15:01:00.000-0400  1.879958176  2.083629971
2024-03-21T15:02:00.000-0400  8.669585777  8.115720288
2024-03-21T15:03:00.000-0400  1.907194392  2.248362057
2024-03-21T15:04:00.000-0400  1.735136924  2.030363275
2024-03-21T15:05:00.000-0400  1.753416379  1.682836294
2024-03-21T15:06:00.000-0400  1.792363893  1.862924138
2024-03-21T15:07:00.000-0400  5.003060737  2.801886629
No. Firstly, using foreach with statically named fields makes no sense. Secondly, you should modify your results _after_ the timechart. Thirdly, I prefer using fieldformat in such a case, not eval; this way you can display values in the format you want but not lose the original values. So use the solution @ITWhisperer showed, but after your timechart command (and you can replace the eval command with fieldformat as I wrote).
I tried this but am getting the same result; % is not getting appended to the cpu_percent value:

index=MyPCF
| fields server_instance cpu_percentage
| foreach * [| eval cpu_percent=round('cpu_percentage',2)."%"]
| timechart max(cpu_percent) as CPU_Percentage by server_instance usenull=true limit=0
Yes, if you get an app containing the field extractions, like the Apache Web Server app, and then set the sourcetype to be one of the ones to which the field extractions apply (usually listed in the app documentation or config files), then you will have field extractions. The other way is to put the logs in JSON format, but that may not work so great with these logs.
Yes, it is active in the Cloud Monitoring Console and receives events in _internal.
It turns out the cause of my issue was another rex statement down the line that hadn't been updated to match the renamed string. It used (?<Foo>\D\d*)-0, which matched the string before the replacement, so the statement is now (?<Foo>\D*\d)-0. Apologies for my confusion. I've marked your efforts as the solution, as the backslash was indeed not needed. Thank you, and have some Karma for your efforts.
Try something like this:

| foreach * [| eval "<<FIELD>>"=round('<<FIELD>>',2)."%"]
Is there a way to change the permissions of all lookups in an app?