Is there a way to change the permissions of all lookups in an app

Please help on the following:
1) Instead of values like 2.8685303234545950 I want to restrict to 2 decimal places, like 2.87
2) I want to append "%" at the end of 2.87, like 2.87%

index=MyPCF | fields server_instance cpu_percentage | timechart max(cpu_percentage) as CPU_Percentage by server_instance usenull=true limit=0

Below is the current output I get:

_time                server1             sevrer3             server4             server5
2024-03-21 13:45:00  3.1049753795247880  2.6818978525900086  3.0970366478143334  2.6279363289367494
2024-03-21 13:46:00  2.9336478352933097  2.4579778020150926  2.9602531790679110  2.9074405642281490
2024-03-21 13:47:00  2.9608714340953393  2.5579155086951600  2.7920194409649772  3.2610313588043978
2024-03-21 13:48:00  3.5946875229937634  2.5006464331193965  3.1106486461269176  3.7073668015974173
2024-03-21 13:49:00  2.8303159134216944  3.5756938476048900  3.4757319466032990  2.9783098006952250
2024-03-21 13:50:00  3.0067950036354420  2.2524125280871740  3.0493445107055930  2.2877333705021860
2024-03-21 13:51:00  2.7526861431818790  2.5427731042748785  3.0946836167596232  2.7477304760698664
2024-03-21 13:52:00  3.4172636751835066  2.730991461075761   2.7698859629286040  2.6296901815909903
2024-03-21 13:53:00  2.5957496530754254  2.1086391909665694  2.6025759149116060  2.4142703772570730
2024-03-21 13:54:00  2.7321368209680920  2.5317849096196980  2.8368213301356677  3.0664957483386470
The search works as shown which probably means there is something different in your environment which hasn't been made clear to us. Please can you provide more details and examples of where this substitution is not working as expected?
Hi, I need help with my Windows security logs: how can we create the lateral movement use case?
You could try using an HTML panel with some text in it, using the HTML codes for arrows, ← → etc.
Yeah I tried that first, but other related issues on the boards led me to try it with the backslash. It returns the same results.
You don't need the backslash - here is a runanywhere example showing it working:

| makeresults
| fields - _time
| eval ThisField=split("01-g01-0 01-g02-0 01-g03-0"," ")
| mvexpand ThisField
| rex field=ThisField mode=sed "s/g0/GRN/g"
Hi, you should remove the \ before G. r. Ismo
Stats combined the unique correlation ID.
Hello world, I'm trying to use rex to rename the part of the strings below where it says "g0" to "GRN", so the output would read 01-GRN1-0, 01-GRN2-0, etc. I have been unable to get it to work and any guidance to point me in the right direction would be much appreciated.

The rex statement in question:

| rex field=ThisField mode=sed "s/g0/\GRN/g"

Example strings:

01-g01-0
01-g02-0
01-g03-0
Based on your SPL and screenshot it seems to be an MV field. Some of your stats have combined it from several correlationId values, or whatever you have after "by" in stats.
Hi, probably you missed the :port part from your input? Without : it doesn't parse that input correctly. You could see e.g. https://community.splunk.com/t5/Getting-Data-In/udp-portnumber-Event-Blacklist-How-do-I-prevent-unwanted-data/m-p/613039 You have a typo in the transforms.conf name in your examples, but probably it's correct on your HF? And have you restarted it after modifying those configurations? r. Ismo
Darn. Nope. All those conditions check out OK in my environment. New indexes are where they should be, it's a stand-alone deployment manager, etc..
No, I haven't, thanks!  Missed this in the release notes... Will let you know how it works out.
The condition is not working for me: like('message' ,"%End of GL-import flow%") AND like('tracePoint',"EXCEPTION") ,"SUCCESS", If the message value = End of GL-import flow and the tracePoint value = Exception then it should be SUCCESS. Screenshot attached below.

index="mulesoft" applicationName="p-oracle-finance-ext" environment=DEV (*End of GL-import flow*) OR (tracePoint="EXCEPTION") OR (priority="WARN" AND message="GLImport Job Already Running, Please wait for the job to complete*") OR ( message="End of GL Import process - No files found for import to ISG")
| rename content.File.fstatus as Status
| eval Status=case(
    like('Status' ,"SUCCESS") ,"SUCCESS",
    like('message' ,"%End of GL-import flow%") AND like('tracePoint',"EXCEPTION") ,"SUCCESS",
    like('tracePoint',"EXCEPTION") AND like('priority' ,"%ERROR%"),"ERROR",
    like('Status',"ERROR"),"ERROR",
    like('priority',"WARN"),"WARN",
    like('priority',"GLImport Job Already Running, Please wait for the job to complete%"),"WARN",
    like('message',"%End of GL Import process - No files found for import to ISG%"), "ERROR",
    1==1, "")
| stats values(content.File.fid) as "TransferBatch/OnDemand" values(content.File.fname) as "BatchName/FileName" values(content.File.fprocess_message) as ProcessMsg values(Status) as Status values(content.File.isg_file_batch_id) as OracleBatchID values(content.File.total_rec_count) as "Total Record Count" values(message) as message values(timestamp) as timestamp values(content.errorType) as errorType by correlationId
| eval ProcessMsg= coalesce(ProcessMsg,errorType,message)
| eventstats min(timestamp) AS Start_Time, max(timestamp) AS End_Time by correlationId
| eval StartTime=round(strptime(Start_Time, "%Y-%m-%dT%H:%M:%S.%QZ"))
| eval EndTime=round(strptime(End_Time, "%Y-%m-%dT%H:%M:%S.%QZ"))
| eval ElapsedTimeInSecs=EndTime-StartTime
| eval "Total Elapsed Time"=strftime(ElapsedTimeInSecs,"%H:%M:%S")
| table Status Start_Time "TransferBatch/OnDemand" "BatchName/FileName" ProcessMsg OracleBatchID "Total Record Count" ElapsedTimeInSecs "Total Elapsed Time" correlationId
| join correlationId type=left
    [ search index="mulesoft" applicationName="p-oracle-finance-ext" environment=DEV (message="API: START: /v1/revpro-to-oracle/onDemand*") OR (message="API: START: /v1/fin_Zuora_GL_Revpro_JournalImport") OR (message="API: START: /v1/revproGLImport/onDemand*")
    | eval JobType=case(
        like('message',"API: START: /v1/revproGLImport/onDemand%"),"OnDemand",
        like('message',"API: START: /v1/revpro-to-oracle/onDemand%"),"OnDemand",
        like('message',"API: START: /v1/fin_Zuora_GL_Revpro_JournalImport"),"Scheduled")
    | table JobType correlationId ]
| table Status JobType Start_Time "TransferBatch/OnDemand" "BatchName/FileName" ProcessMsg OracleBatchID "Total Record Count" ElapsedTimeInSecs "Total Elapsed Time" correlationId
| fields - ElapsedTimeInSecs
| where JobType!=" "
Hi, have you read this: https://docs.splunk.com/Documentation/Splunk/9.2.0/Updating/Upgradepre-9.2deploymentservers ? r. Ismo
Hi, when your field names don't contain any special characters, it's safer and easier to leave the ' away. Basically those conditions seem to be ok. Can you give some samples which are not working? r. Ismo
Are you getting IHF’s internal logs into SCP? Or any other logs via this IHF?
Hi, I am using multiple case conditions but the condition is not matching. In the third line of the code I used an AND condition for message=*End of GL* AND tracepoint=*Exception*. If the condition matches, make it SUCCESS. In my case it's showing both SUCCESS and ERROR in the table.

| eval Status=case(
    like('Status' ,"%SUCCESS%") ,"SUCCESS",
    like('message' ,"%End of GL-import flow%") AND like('tracePoint',"%EXCEPTION%") ,"SUCCESS",
    like('tracePoint',"%EXCEPTION%") AND like('priority' ,"%ERROR%"),"ERROR",
    like('Status',"%ERROR%"),"ERROR",
    like('priority',"%WARN%"),"WARN",
    like('priority',"GLImport Job Already Running, Please wait for the job to complete%"),"WARN",
    like('message',"%End of GL Import process - No files found for import to ISG%"), "ERROR",
    1==1, "")
Hello @gcusello, sorry.. I tried your last suggestion again, but num and num2 still have type "Number". I expect num2 to have "String" type after using num2=tostring(num,"commas"). Please suggest. Thanks again..