All Posts


Simplifying the way to approach it with a regex... | rex field=_raw "Message received:\s\{(?P<check>.*?)\,\"previous" | where like(check,"%assetcard%") The idea is to get values before the word "previous" and check that string with the one you want to meet your search criteria.
I appreciate the feedback, but as I'm just a Splunk rookie I do not understand the logic behind your query. Also, the makeresults function should be the first in the search, so what would the entire search look like?
I am searching some logs in an application for the last 24 hours (or any time range the user has selected). Is it possible to search the same logs in another application for the next day? E.g.: if the user has selected the time range as the last one hour, can I see the trajectory of those logs over a period of the next day?
Ok, I guess one last thing. When the results for the report are 100% across the board, I don't get any results; it is blank. There seems to be the need for a result below 100% to return all fields again.
Hi @AL3Z, have you checked that everything is clear on the Splunk licensing front?
Hi @frodelauka
One way to do it based on the events you shared is as below.
| makeresults
| eval log="MessageReceiver:96 - Message received: {\"name\":\"screenView\",\"screenName\":\"assetcard\",\"previous\":{\"name\":\"screenView\",\"screenName\":\"homeScreen\",\"subscreenName\":\"STB.TOP.HOME\"\r\nMessageReceiver:96 - Message received: {\"name\":\"screenView\",\"screenName\":\"homeScreen\",\"previous\":{\"name\":\"screenView\",\"screenName\":\"assetcard\""
| makemv log delim="\r\n"
| mvexpand log
| eval check_msg_rxd=trim(replace(replace(mvindex(split(mvindex(split(log,",\"previous"),0),"received:"),-1),"\"",""),"\{",""))
| where like(check_msg_rxd,"%assetcard")
If the reply helps, a Karma upvote would be appreciated.
Hello,
How to search based on a variable?
If select contains "many", then search no IN (1 to 30), else search no 7.
| eval variable = if(select="many", "(1-30)", "7")
| search no IN variable ==> This doesn't work
| search no IN (7) ==> This works
| search no IN (1,2,3,4,5,6,7,8,9,10,11) ==> This works, but I have to manually put in the numbers
| where variable IN (1,2,3,4,5,6,7,8,9,10,11) ==> This does not work (although the Splunk documentation said it should work) https://docs.splunk.com/Documentation/SCS/current/SearchReference/WhereCommandOverview
| regex no="([1-30])" ==> This works
| regex no=variable ==> This does not work (variable)
Thank you for your help
I know how the header and body should look, but in this integration it does not work; did you use it? According to the SOAR integration documentation, it can be delivered in JSON format, so it provides such a format body: {"ruleUIDs":"xxx","newOwner":"xxx","comment": "test","status":"5","disposition":"disposition:2"}
Hi @Prathyusha891
A quick search on Stack Overflow yields this. Try the steps mentioned here to resolve the pycrypto dependency. https://stackoverflow.com/questions/50080459/failed-installing-pycrypto-with-pip
If the reply helps, a Karma upvote would be appreciated.
Figured it out as it was a rename messing me up.  
@marq198 you know the Splunk app has an "update_notable" action? You say you don't know what the header or body should look like? I would ask why you're trying this without that information, it's kind of important. See if you can use the Splunk app; otherwise I would recommend reading up on how to interact with the Splunk API and then you should be able to make it work: https://docs.splunk.com/Documentation/Splunk/9.2.0/RESTTUT/RESTTutorialIntro
Hi @LearningGuy
I believe it's due to the collect commands used for scheduled summary indexing. More on this can be found here.
https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/Knowledge/Configuresummaryindexes#Other_configuration_files_affected_by_summary_indexing
https://docs.splunk.com/Documentation/Splunk/9.2.0/SearchReference/Collect
If the reply helps, a Karma upvote would be appreciated.
Hi, this is the way to do it if you want to return the value of some field from an inner search. It seems that it is expecting those " marks outside of the value.
r. Ismo
Hi @Chiranjeev
In the Web data model, the dest field is evaluated by default as:
if(isnull(dest) OR dest="" OR dest="-","unknown",dest)
So you'll need to either update this eval statement in the data model to fit your case or map the correct field to the dest field.
If the reply helps, a Karma vote would be appreciated.
I'm trying to search for a specific phrase with the search below but I only want result1, not result2. The issue here, I guess, is that parts of the phrase I'm searching for are present in both results (same phrase marked in bold) ->
Search: index=example host=example message_name=* AND profileId="xxxx-xxxxx-xxxxx" AND "deviceClass":"example" AND "Message received: {"name":"screenView","screenName":"assetcard""
Result1: MessageReceiver:96 - Message received: {"name":"screenView","screenName":"assetcard","previous":{"name":"screenView","screenName":"homeScreen","subscreenName":"STB.TOP.HOME"
Result2: MessageReceiver:96 - Message received: {"name":"screenView","screenName":"homeScreen","previous":{"name":"screenView","screenName":"assetcard"
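The rex-based answer earlier in this thread and the question above both hinge on the same point: the substring "screenName":"assetcard" occurs in both events, so only a pattern anchored on the current screen (everything before ,"previous") separates result1 from result2. The following is an added example, not code from the original thread, that runs that same regex over the two quoted events in Python to show where the naive term match goes wrong; the event strings are constructed from the question and the term-level check is an assumption about how the quoted phrase in the search degrades once its embedded quotes split it into separate terms.

```python
import re

# Constructed sample events, modelled on Result1 and Result2 from the question
# (not real Splunk output).
EVENTS = [
    'MessageReceiver:96 - Message received: {"name":"screenView","screenName":"assetcard",'
    '"previous":{"name":"screenView","screenName":"homeScreen","subscreenName":"STB.TOP.HOME"',
    'MessageReceiver:96 - Message received: {"name":"screenView","screenName":"homeScreen",'
    '"previous":{"name":"screenView","screenName":"assetcard"',
]

# Same pattern as the rex in the answer: capture everything between the opening
# brace of the current screen object and the ,"previous" key. The non-greedy .*?
# stops at the first ,"previous", so the nested "previous" object is never captured.
CHECK_RE = re.compile(r'Message received:\s\{(?P<check>.*?),"previous')
SCREEN_RE = re.compile(r'"screenName":"([^"]*)"')

def naive_match(events, terms=("Message received", "screenView", "assetcard")):
    """Assumption: the search phrase, once its embedded quotes break it up, behaves
    like an AND of separate terms. Every term is present in both events, so both match."""
    return [e for e in events if all(t in e for t in terms)]

def extract_check(event):
    """Return the captured span before ,"previous", or None if the event lacks it."""
    m = CHECK_RE.search(event)
    return m.group("check") if m else None

def current_screen(event):
    """Read screenName out of the captured span only, so a matching screenName
    inside the nested previous object cannot produce a hit."""
    check = extract_check(event)
    if check is None:
        return None
    m = SCREEN_RE.search(check)
    return m.group(1) if m else None

def filter_events(events, screen="assetcard"):
    """Keep only events whose *current* screen is `screen` (exact match, not like())."""
    return [e for e in events if current_screen(e) == screen]

if __name__ == "__main__":
    print("naive:", len(naive_match(EVENTS)), "events")   # both events
    print("anchored:", len(filter_events(EVENTS)), "event")  # Result1 only
```

Using an exact comparison on the extracted screenName rather than like(check,"%assetcard%") avoids a second false positive the thread does not discuss: a screen such as "assetcardDetails" would still satisfy the wildcard match.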
I think that copying the files to another directory will resolve the problem with file blocking (if that really is the problem). But it is also quite difficult because of the large number of files and directories.
Alright, maybe not enough coffee... I am going in circles trying to get this to display the values in the CSV. Can't figure out what needs to go with the fillnull value.
index=my_data data.environment.application="MY APP" data.environment.environment="test"
| eval estack="my_stack"
| fillnull value="prod" estack data.environment.stack
| where 'data.environment.stack'=estack
| streamstats window=1 current=False global=False values(data.result) AS nextResult BY data.componentId
| eval failureStart=if((nextResult="FAILURE" AND 'data.result'="SUCCESS"), "True", "False"), failureEnd=if((nextResult="SUCCESS" AND 'data.result'="FAILURE"), "True", "False")
| transaction data.componentId, data.environment.application, data.environment.stack startswith="failureStart=True" endswith="failureEnd=True" maxpause=15m
| stats sum(duration) as downtime by data.componentId
| inputlookup append=true Component_avail.csv
| fillnull
| addinfo
| eval uptime=(info_max_time - info_min_time)-downtime, avail=(uptime/(info_max_time - info_min_time))*100, downMins=round(downtime/60, 0)
| rename data.componentId AS Component, avail AS Availability
| table Component, Availability
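The search above computes availability by turning SUCCESS/FAILURE transitions into outage transactions, summing their duration, and dividing by the search window; the earlier complaint in this thread that an all-100% report comes back blank is the case where no transaction exists for a component. The following is an added Python example, not the poster's code, that implements the same calculation on constructed health-check events so the edge cases are explicit. Field names are simplified (componentId and result instead of data.componentId and data.result), the lookup-only component list is passed in as a plain list, and an outage is counted from the first FAILURE after a SUCCESS until the next SUCCESS, which is one defensible choice of boundary rather than the exact span the transaction command produces.

```python
from datetime import datetime, timezone

# Constructed sample events in the order Splunk returns them (newest first).
# Not real data: "api" fails two checks in a row, "db" never fails.
EVENTS = [
    {"_time": "2024-03-20T10:45:00Z", "componentId": "api", "result": "SUCCESS"},
    {"_time": "2024-03-20T10:30:00Z", "componentId": "api", "result": "FAILURE"},
    {"_time": "2024-03-20T10:15:00Z", "componentId": "api", "result": "FAILURE"},
    {"_time": "2024-03-20T10:00:00Z", "componentId": "api", "result": "SUCCESS"},
    {"_time": "2024-03-20T10:45:00Z", "componentId": "db",  "result": "SUCCESS"},
    {"_time": "2024-03-20T10:00:00Z", "componentId": "db",  "result": "SUCCESS"},
]

def _epoch(ts):
    """Parse the ISO-8601 UTC timestamp used in the sample into epoch seconds."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()

def downtime_by_component(events):
    """Seconds of outage per component.

    An outage starts at the first FAILURE that follows a SUCCESS (the SPL's
    failureStart) and ends at the next SUCCESS (failureEnd). Consecutive FAILUREs
    extend the same outage; an outage still open at the end of the window is not
    counted, mirroring a transaction with no endswith event.
    """
    by_comp = {}
    for e in events:
        by_comp.setdefault(e["componentId"], []).append((_epoch(e["_time"]), e["result"]))
    downtime = {}
    for comp, checks in by_comp.items():
        checks.sort()  # streamstats walks newest-first; here we walk chronologically
        total, outage_start, prev = 0.0, None, None
        for t, result in checks:
            if result == "FAILURE" and prev == "SUCCESS":
                outage_start = t
            elif result == "SUCCESS" and prev == "FAILURE" and outage_start is not None:
                total += t - outage_start
                outage_start = None
            prev = result
        downtime[comp] = total
    return downtime

def availability(events, all_components):
    """Availability % per component over the window spanned by the events.

    `all_components` plays the role of the inputlookup append: a component with
    no events (or no outages) gets zero downtime and therefore 100%, instead of
    disappearing from the table.
    """
    times = [_epoch(e["_time"]) for e in events]
    window = max(times) - min(times)  # what addinfo's info_max_time - info_min_time gives
    down = downtime_by_component(events)
    return {c: round((window - down.get(c, 0.0)) / window * 100, 2) for c in all_components}

if __name__ == "__main__":
    for comp, pct in availability(EVENTS, ["api", "db", "cache"]).items():
        print(f"{comp:6s} {pct:6.2f}%")
```

Running the block prints api at 33.33% (a 30-minute outage inside a 45-minute window), and db and the lookup-only cache at 100%; the point of threading all_components through is that components without any outage rows are still reported rather than dropped.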
Hi @sairajkiran
Try checking the values from the job inspector for your event/search. Not sure if it will fulfil your needs.
The field you can use is search_id in the _introspection and _audit indexes.
For _internal, you'll need to extract this value from the job, which looks something like this: search/search/jobs/1710936732.74/control, so the search_id field value is 1710936732.74.
If the reply helps, a Karma vote would be appreciated.
Hello,
Thank you so much for your response. The query that contains the search is actually in the statistics table, but the condition is based on the drop-down token.
This is the main question: how to dynamically search / where based on a variable like below?
| search day_no_each_timestamp = day_in_week
OR
| where day_no_each_timestamp = day_in_week
Hi,
We are getting the below error on the machines running the Network Toolkit app. It's affecting data forwarding to Splunk Cloud. Please help.
0000 ERROR ExecProcessor [5441 ExecProcessorSchedulerThread] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/network_tools/bin/ping.py"
self.logger.warn("Thread limit has been reached and thus this execution will be skipped for stanza=%s, thread_count=%i", stanza, len(self.threads))
Thanks!