Yes. src is on the by clause, how do you display on the graph above the report & then table of the search results on the bottom for save report? Or am I not asking the question correctly?
I went through Settings > Add Data > Upload, and uploaded a simple 3 row csv. Then I was brought to the source type page referenced previously.
Yes, that could be a problem.  Did you upload a file?
Right now I am creating the alerts in our DEV environment and the lag is negligible, but that will definitely be something I'll keep in mind once we're promoting it to PAT and PROD. Ultimately, the goal of the alert is to catch a trend in 5-minute intervals for a specific error code. If there are occasional spikes that are not sustained (say, in the first 5 minutes the count is 6 but in the second and third the count is 1 or 0) we don't want the alert to be triggered. But I'll be running some tests with the application folks by injecting the signatures into the logs at various rates, so I'll be able to determine if I'll have to shift the time windows. Thanks again, Bowesmana. You've been very helpful and I appreciate you sharing your knowledge.
No ideas?
This is a little confusing. I do not see special characters in field values in the provided sample. But I see a mismatch between operators about resourceGroup. I assume that extract-audit-group and filter-group are intended to match resourceGroup. Is this correct? In the following snippets, extract-audit-group extracts a variable named extracted_group, whereas filter-group calls for one named attributes.extracted_beta. Maybe filter-group should use extracted_group instead?

- id: extract-audit-group
  type: regex_parser
  regex: '\s*\"resourceGroup\"\s*\:\s*\"(?P<extracted_group>[^\"]+)\"\s*'
- id: filter-group
  type: filter
  expr: 'attributes.extracted_beta == "batch"'
@victorcorrea Have a look at the time modifiers for the concept of 'snap to', which is the @ component of a time constraint. Generally with an alert, it is a good idea to understand whether you have any "lag" in data being generated by a source and then arriving and being indexed in Splunk. Consider an event generated at 6:59:58 by a system, which is sent to Splunk at 7:00:02 and is indexed at 7:00:03. If your alert runs at 7am and searches earliest=-5m@m latest=@m then that event that has a time stamp of 6:59:58 will not yet be indexed in Splunk, so it will not be found by your alert. If this is one of your "Waiting" events, then you may trigger an alert for a count of 2, but if you look later at that data, you will find the count is actually 3, because that latest event is now in the index. So, consider whether this is an issue for your alert - you can discover lag by doing

index=foo | eval lag=_indextime-_time | stats avg(lag)

If lag is significant, then shift your 5 minute time windows back sufficiently so you do not miss events.
You can make panels dependent on the existence of a token. You do this with a <change> block on the input and setting or unsetting the tokens that a panel requires to display. You can be as fine or as coarse as you like, i.e. you could make a token for each panel and set/unset the panels as needed and then each panel definition will "depend" on its own token. You will also need an <init> section at the start of your XML to set the default state of the tokens if you want the panels to display immediately when the dashboard is loaded.

<change>
  <condition value="Pass_srvc">
    <set token="show_panels_1">true</set>
    <unset token="show_panels_2"></unset>
  </condition>
  <condition>
    <set token="show_panels_1">true</set>
    <set token="show_panels_2">true</set>
  </condition>
</change>
...
<panel depends="$show_panels_1$">...
..
<panel depends="$show_panels_2$">...
..
Thank you Bowesman, That makes sense and simplifies the query significantly. I added two different indexes by mistake when I added my reply, I only need to search a single index. The only thing that is still not clear to me is the values that I need to refer to in the "earliest" and "latest". So, I grabbed your query and listed the "latest" as "@m":

index=cts-ep-app earliest=-15m@m latest=@m "Waiting"
| bin _time span=5m aligntime=@m
| stats count by _time
| stats sum(eval(if(count>=3,1,0))) as AllOverThreshold
| where AllOverThreshold=3

And that seems to have done the trick. Many thanks. Appreciate you taking the time to chime in.
Calculated field and transforms are also search time.  The general advice is to be very careful in making index time calculations. (Except filtering down.)
The first field mentioned in the by clause of the final stats command (which is src) will be / is your x-axis (see your graphic)
Try something like this

index=foo earliest=-15m@m latest=@m
| bin _time span=5m aligntime=latest
| stats count by _time
You can probably make that initial search much faster without using append, which you should try to avoid as most of the time you can do it an alternate way. Try this

(index=foo earliest=-5m@m latest=@m) OR (index=its-em-pbus3-app earliest=-15m@m latest=-5m@m) "Waiting"
| bin _time span=5m aligntime=@m
| stats count by _time
| stats sum(eval(if(count>=3,1,0))) as AllOverThreshold

Your search is effectively looking for Waiting in 2 different indexes with 3 different time ranges - if you make the first one -5m@m to @m rather than "now" then you can count the results by _time and you would expect 3+ per time window. The second stats just creates a new field called AllOverThreshold that should have the value 3 if all counters are over 3. Then you can simply use a where clause to say

| where AllOverThreshold=3

Then your alert will have no results if all counters are >= 3. NB: If you use latest=now in the first query, then you will get 4 rows of data with the last being the seconds from @m to now and that may or may not have results.
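The following is an added example and not code from any post in this thread. It is a small Python simulation of the alert logic discussed in the replies above (three consecutive 5-minute bins, each needing a "Waiting" count of at least 3, plus the indexing-lag point about an event stamped 6:59:58 but indexed at 7:00:03, and the "spike in one window is not a sustained trend" concern). The event timestamps and lag values are constructed for illustration; the helper names (epoch, window_counts, all_over_threshold, avg_lag) are this example's own and do not correspond to Splunk commands.

```python
# Added example (not code from the Splunk Answers thread): a small Python
# simulation of the "count >= 3 in each of the last three 5-minute windows"
# alert discussed above, including the indexing-lag effect. All events
# below are constructed; nothing here talks to Splunk.
from collections import Counter
from datetime import datetime, timezone

SPAN = 300          # `bin _time span=5m`
THRESHOLD = 3       # `count>=3`
WINDOWS = 3         # `earliest=-15m@m latest=@m` gives three 5-minute bins


def epoch(hhmmss):
    """Constructed timestamps on an arbitrary day (2024-01-10, UTC)."""
    h, m, s = map(int, hhmmss.split(":"))
    return int(datetime(2024, 1, 10, h, m, s, tzinfo=timezone.utc).timestamp())


def snap_to_minute(t):
    """The @m snap-to modifier: truncate to the start of the minute."""
    return t - (t % 60)


def make_event(time_str, lag_seconds, raw="state=Waiting job=batch"):
    """An event with its own _time plus the _indextime at which Splunk wrote it."""
    t = epoch(time_str)
    return {"_time": t, "_indextime": t + lag_seconds, "_raw": raw}


def window_counts(events, run_time, earliest_offset=-900, latest_offset=0):
    """Emulate:
         earliest=-15m@m latest=@m "Waiting"
         | bin _time span=5m aligntime=@m | stats count by _time
       run at `run_time`. Only events already indexed when the search runs
       (_indextime <= run_time) are visible, which is the lag problem."""
    base = snap_to_minute(run_time)
    earliest, latest = base + earliest_offset, base + latest_offset
    counts = Counter()
    for ev in events:
        if ev["_indextime"] > run_time:          # not yet in the index
            continue
        if not (earliest <= ev["_time"] < latest):
            continue
        if "Waiting" not in ev["_raw"]:
            continue
        bucket = earliest + ((ev["_time"] - earliest) // SPAN) * SPAN
        counts[bucket] += 1
    return dict(sorted(counts.items()))         # like `stats count by _time`


def all_over_threshold(counts):
    """`stats sum(eval(if(count>=3,1,0))) as AllOverThreshold | where AllOverThreshold=3`.
       Windows with no events produce no row in Splunk, so they simply do not count."""
    return sum(1 for c in counts.values() if c >= THRESHOLD) == WINDOWS


def avg_lag(events):
    """`eval lag=_indextime-_time | stats avg(lag)`: how far behind the index runs."""
    return sum(e["_indextime"] - e["_time"] for e in events) / len(events)


# Constructed data: three "Waiting" events in each 5-minute window, the last
# one stamped 06:59:58 but not indexed until 07:00:03 (5 s of lag).
SUSTAINED = [make_event(t, lag) for t, lag in [
    ("06:45:10", 1), ("06:47:00", 1), ("06:49:30", 2),
    ("06:50:05", 1), ("06:52:00", 1), ("06:54:59", 1),
    ("06:55:00", 1), ("06:57:30", 1), ("06:59:58", 5),
]]
# Constructed data: a burst of six events that is not sustained.
SPIKE = [make_event(t, 1) for t in [
    "06:45:01", "06:45:02", "06:45:03", "06:45:04", "06:45:05", "06:45:06",
    "06:51:00",
]]

if __name__ == "__main__":
    for label, run in [("run at 07:00:00", "07:00:00"), ("run at 07:00:10", "07:00:10")]:
        c = window_counts(SUSTAINED, epoch(run))
        print(label, list(c.values()), "alert:", all_over_threshold(c))
    spike_counts = window_counts(SPIKE, epoch("07:00:00"))
    print("spike", list(spike_counts.values()), "alert:", all_over_threshold(spike_counts))
    print("avg lag (s):", round(avg_lag(SUSTAINED), 2))
```

Run at exactly 07:00:00 the last window shows 2 events and the alert stays quiet, because the 06:59:58 event has not been indexed yet; run ten seconds later the same window shows 3 and the alert fires. The six-event burst never satisfies the condition because only one window reaches the threshold. The earliest_offset and latest_offset arguments are the knob for shifting the whole search range back by the lag you measure with avg_lag.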
I have a dashboard. In that there is a drop down for services. We have 10 panels in the dashboard. When I select a service from the drop down, all 10 panels get displayed as per the service chosen from the drop down. For example, if I choose "passed services" from the drop down, instead of showing all panels I want to see only panel1 to panel5 and hide panel6 to panel10. How can I do that?

<form>
  <label>Services_Dashboard</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time" searchWhenChanged="true">
      <label> </label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="services" searchWhenChanged="true">
      <label>Services</label>
      <choice value="*">all</choice>
      <choice value="Lgn_srvc">Login services</choice>
      <choice value="Fld_srvc">Failed services</choice>
      <choice value="Pass_srvc">passed services</choice>
      <choice value="Tmout_srvc">timeout services</choice>
      <choice value="Lgout_srvc">logout service</choice>
      <choice value="Err_srvc">error services</choice>
      <choice value="War_srvc">warning services</choice>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>panel1 for $services$</title>
      <search>
        <query>index=xxx | stats count by app</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="numberPrecision">0</option>
      <option name="rangeValues">[0]</option>
      <option name="refresh.display">progressbar</option>
    </panel>
    <panel>
      <title>panel2 for $services$</title>
      <search>
        <query>index=xxx | stats count by app</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="numberPrecision">0</option>
      <option name="rangeValues">[0]</option>
      <option name="refresh.display">progressbar</option>
    </panel>
    <panel>
      <title>panel3 for $services$</title>
      <search>
        <query>index=xxx | stats count by app</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="numberPrecision">0</option>
      <option name="rangeValues">[0]</option>
      <option name="refresh.display">progressbar</option>
    </panel>
    <panel>
      <title>panel4 for $services$</title>
      <search>
        <query>index=xxx | stats count by app</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="numberPrecision">0</option>
      <option name="rangeValues">[0]</option>
      <option name="refresh.display">progressbar</option>
    </panel>
    <panel>
      <title>panel5 for $services$</title>
      <search>
        <query>index=xxx | stats count by app</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="numberPrecision">0</option>
      <option name="rangeValues">[0]</option>
      <option name="refresh.display">progressbar</option>
    </panel>
    <panel>
      <title>panel6 for $services$</title>
      <search>
        <query>index=xxx | stats count by app</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="numberPrecision">0</option>
      <option name="rangeValues">[0]</option>
      <option name="refresh.display">progressbar</option>
    </panel>
    <panel>
      <title>panel7 for $services$</title>
      <search>
        <query>index=xxx | stats count by app</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="numberPrecision">0</option>
      <option name="rangeValues">[0]</option>
      <option name="refresh.display">progressbar</option>
    </panel>
    <panel>
      <title>panel8 for $services$</title>
      <search>
        <query>index=xxx | stats count by app</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="numberPrecision">0</option>
      <option name="rangeValues">[0]</option>
      <option name="refresh.display">progressbar</option>
    </panel>
    <panel>
      <title>panel9 for $services$</title>
      <search>
        <query>index=xxx | stats count by app</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="numberPrecision">0</option>
      <option name="rangeValues">[0]</option>
      <option name="refresh.display">progressbar</option>
    </panel>
    <panel>
      <title>panel10 for $services$</title>
      <search>
        <query>index=xxx | stats count by app</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="numberPrecision">0</option>
      <option name="rangeValues">[0]</option>
      <option name="refresh.display">progressbar</option>
    </panel>
  </row>
</form>
Here is the SPL

index=$masked$_oracle src!=$masked$* dest=$masked$* ACTION_NAME IN ("*CREATE*","*ALTER*","*DROP*","*EXECUTE*") AND SQL_TEXT IN ("*CREATE TABLE*","*DROP TABLE*","*ALTER TABLE*","*TRUNCATE TABLE*","*CREATE FUNCTION*","*ALTER FUNCTION*","*DROP FUNCTION*","*CREATE PACKAGE BODY*","*ALTER PACKAGE BODY*","*DROP PACKAGE BODY*","*CREATE PACKAGE*","*ALTER PACKAGE*","*DROP PACKAGE*")
| stats values(user) as user values(ACTION_NAME) as dbSQLCommand, values(CLIENT_PROGRAM_NAME) as dbdlient dc(CLIENT_PROGRAM_NAME) as App_Making_chage_count dc(ACTION_NAME) as distinctSQLCommandsPerformed earliest(_time) as mostRecentTime by src, dest, SQL_TEXT
| convert ctime(mostRecentTime)
| sort - mostRecentTime

Here is the .conf

action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.forceCsvResults = 1
action.risk.param.verbose = 0
action.send2uba.param.verbose = 0
action.threat_add.param.verbose = 0
action.webhook.enable_allowlist = 0
alert.track = 0
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -3mon@d
cron_schedule = 0 1 * * 1
description = ```SRB Update: adjusted ACTION_NAME & SQL_TEXT Search Analyst-JYS : A/U-2024/01/10 : R/A-2024/01/12```\
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
enableSched = 1
request.ui_dispatch_view = search
search = index=$masked$_oracle src!=$masked$* dest=$masked$* ACTION_NAME IN ("*CREATE*","*ALTER*","*DROP*","*EXECUTE*") AND SQL_TEXT IN ("*CREATE TABLE*","*DROP TABLE*","*ALTER TABLE*","*TRUNCATE TABLE*","*CREATE FUNCTION*","*ALTER FUNCTION*","*DROP FUNCTION*","*CREATE PACKAGE BODY*","*ALTER PACKAGE BODY*","*DROP PACKAGE BODY*","*CREATE PACKAGE*","*ALTER PACKAGE*","*DROP PACKAGE*")\
| stats values(user) as user values(ACTION_NAME) as dbSQLCommand, values(CLIENT_PROGRAM_NAME) as dbdlient dc(CLIENT_PROGRAM_NAME) as App_Making_chage_count dc(ACTION_NAME) as distinctSQLCommandsPerformed earliest(_time) as mostRecentTime by src, dest, SQL_TEXT\
| convert ctime(mostRecentTime) \
| sort - mostRecentTime

I don't see anywhere the visualization is set. Could you rephrase "The x-axis of a chart is usually the first field / column in the result events used for the chart. Check your search query to ensure that the fields are in the correct order."? I don't get it because there is no chart command or setting in the report.
I want to get pfsense logs to splunk to make some analysis. I tried this method "https://www.jaycroos.com/splunk-to-monitor-pfsence-logs/" but it didn't work for me. Now I want to try using the Splunk universal forwarder. How can I install the Splunk universal forwarder on my pfsense to get the logs to splunk? Any guidance would be appreciated. Please let me know if there is another method where I can get my pfsense logs to the splunk server.
You still haven't said if my suggested solution is valid in your case. Did you try it, did it give you what you want or not? That will give you a single value for each of the categories of data you have in your timechart. The other question is what do you want to do with this data, is this to be displayed in another dashboard panel or are you trying to show this somehow in the same timechart without splitting by host for these two fields or something else?
An update to my original question: I managed to build a query that runs the 3 searches I need within the defined timeframes and validated that the results are good:

index=foo earliest=-5m@m latest=now
| search "Waiting"
| stats count as counter1
| append [ | search "Waiting" index=its-em-pbus3-app earliest=-10m@m latest=-5m@m | stats count as counter2 ]
| append [ | search "Waiting" index=its-em-pbus3-app earliest=-15m@m latest=-10m@m | stats count as counter3 ]

I have displayed the results from each query in a table and compared them against searches for the same timeframes to confirm that the values matched. So that's part 1 dealt with. Now I'm trying to figure out a way to generate a result to this query that would indicate that the value of the 3 counts is >=3. I tried using "case" to check each value individually and assign a value to a "results" field using eval:

| eval results = case ( counter1 >= 3 AND counter2 >=3 AND counter3>=3 , "true" )

My goal was to be able to search for the "results" field value to determine if my conditions were met, but no dice.
If there is only one index, then you are saying you want to find one user from a query where eventname=xxx and index=a and then find all other events for that user where some other condition exists, then the following logic is how you do things.

index=a (condition 1 OR condition 2)
| eval x=if(condition=1, 1, 0)
| eval y=if(condition=2, 1, 0)
| stats sum(x) as x sum(y) as y by user
| where x>0 AND y>0

I still think I am missing something from your question - if this is not what you are after, please try to describe all of your data inputs and the output you want to get as a result.
@codebuilder I got the same message, but in Splunk I don't find any logs. What is the problem?