All Posts
Correction: no need of alerts during 23:50 to 00:15
Hello All, below is my alert script. I don't want to have any alerts during the night from 11:50 to 00:25 (midnight); however, I am getting them and it's triggering alerts to the support team. This is the daily restart window for interfaces and there is no need for alerts during this time.

index=XXX sourcetype=XXX punct="--_::.,_=\"\""
| rex field=_raw "\d*-\d*-\d*\s(?<hour>\d*:\d*):\d*\S\d*\S"
| search hour!=23:50
| search hour!=00:15
| table _time SITE

Appreciate help on this. Below is the sample event:

2024-03-20 06:32:08.046, SITE="UU3"
Thank you bowesmana! Really appreciate your help on this. Now I am greedy.... Can I get a query to get Max, Average, Minimum of each ESService?
Hi, as you can see this depends on the case. You must also understand that SPL is not a programming language and for that reason it works differently than those. What is your use case / issue which you are trying to solve? r. Ismo
Simplifying the way to approach it with a regex...

| rex field=_raw "Message received:\s\{(?P<check>.*?)\,\"previous"
| where like(check,"%assetcard%")

The idea is to get the values before the word "previous" and check that string against the one you want to meet your search criteria.
I appreciate the feedback, but as I'm just a Splunk rookie I do not understand the logic behind your query. Also, the makeresults function should be the first in the search, so how would the entire search look?
I am searching some logs in an application for the last 24 hours (or any time range the user has selected). Is it possible to search the same logs in another application for the next day? E.g.: if the user has selected the time range as the last one hour, can I see the trajectory of those logs over a period of the next day?
Ok, I guess one last thing. When the results for the report are 100% across the board, I don't get any results; it is blank. There seems to be the need for a result below 100% to return all fields again.
Hi @AL3Z, have you checked everything is clear on the Splunk licensing front?
Hi @frodelauka, one way to do it based on the events you shared is as below.

| makeresults
| eval log="MessageReceiver:96 - Message received: {\"name\":\"screenView\",\"screenName\":\"assetcard\",\"previous\":{\"name\":\"screenView\",\"screenName\":\"homeScreen\",\"subscreenName\":\"STB.TOP.HOME\"\r\nMessageReceiver:96 - Message received: {\"name\":\"screenView\",\"screenName\":\"homeScreen\",\"previous\":{\"name\":\"screenView\",\"screenName\":\"assetcard\""
| makemv log delim="\r\n"
| mvexpand log
| eval check_msg_rxd=trim(replace(replace(mvindex(split(mvindex(split(log,",\"previous"),0),"received:"),-1),"\"",""),"\{",""))
| where like(check_msg_rxd,"%assetcard")

If the reply helps, a Karma upvote would be appreciated.
Hello, how do I search based on a variable? If select contains "many", then search no IN (1 to 30), else search no 7.

| eval variable = if(select="many", "(1-30)", "7")

| search no IN variable ==> This doesn't work
| search no IN (7) ==> This works
| search no IN (1,2,3,4,5,6,7,8,9,10,11) ==> This works, but I have to manually put in the numbers
| where variable IN (1,2,3,4,5,6,7,8,9,10,11) ==> This does not work (although the Splunk documentation said it should work) https://docs.splunk.com/Documentation/SCS/current/SearchReference/WhereCommandOverview
| regex no= "([1-30])" ==> This works
| regex no = variable ==> This does not work (variable)

Thank you for your help
I know how the header and body should look, but in this integration it does not work. Did you use it? According to the SOAR integration documentation, it can be delivered in JSON format, so it provides a body in this format: {"ruleUIDs":"xxx","newOwner":"xxx","comment": "test","status":"5","disposition":"disposition:2"}
Hi @Prathyusha891, a quick search on Stack Overflow yields this. Try the steps mentioned here to resolve the pycrypto dependency: https://stackoverflow.com/questions/50080459/failed-installing-pycrypto-with-pip If the reply helps, a Karma upvote would be appreciated.
Figured it out as it was a rename messing me up.  
@marq198, you know the Splunk app has an "update_notable" action? You say you don't know what the header or body should look like? I would ask why you're trying this without that information; it's kind of important. See if you can use the Splunk app; otherwise I would recommend reading up on how to interact with the Splunk API and then you should be able to make it work: https://docs.splunk.com/Documentation/Splunk/9.2.0/RESTTUT/RESTTutorialIntro
Hi @LearningGuy, I believe it's due to the collect commands used for scheduled summary indexing. More on this can be found here: https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/Knowledge/Configuresummaryindexes#Other_configuration_files_affected_by_summary_indexing https://docs.splunk.com/Documentation/Splunk/9.2.0/SearchReference/Collect If the reply helps, a Karma upvote would be appreciated.
Hi, this is the way if you want to return the value of some field from an inner search. It seems that it is expecting those " marks outside of the value. r. Ismo
Hi @Chiranjeev, the default configuration in the Web data model for the dest field is evaluated as: if(isnull(dest) OR dest="" OR dest="-","unknown",dest) So you'll need to either update this eval statement in the data model to fit your case or map the correct field to the dest field. If the reply helps, a Karma vote would be appreciated.
I'm trying to search for a specific phrase with the search below, but I only want result1, not result2. The issue here, I guess, is that parts of the phrase I'm searching for are present in both results (same phrase marked in bold).

Search:
index=example host=example message_name=* AND profileId="xxxx-xxxxx-xxxxx" AND "deviceClass":"example" AND "Message received: {"name":"screenView","screenName":"assetcard""

Result1:
MessageReceiver:96 - Message received: {"name":"screenView","screenName":"assetcard","previous":{"name":"screenView","screenName":"homeScreen","subscreenName":"STB.TOP.HOME"

Result2:
MessageReceiver:96 - Message received: {"name":"screenView","screenName":"homeScreen","previous":{"name":"screenView","screenName":"assetcard"
I think that copying files to another directory will resolve the problem with file blocking (if it really is that). But it is also quite difficult because of the large number of files and dirs.