Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
03-18-2024
08:02 AM
Yes, I'm sure Our Splunk UF instance run using the system account And problem files also require permission I attached a permissions example
03-18-2024
08:01 AM
1 Karma
If I understand your question correctly - you have several geographically distributed windows server from which you want to send events using WEF to a central collector (or a bunch of collectors) fro...
See more...
If I understand your question correctly - you have several geographically distributed windows server from which you want to send events using WEF to a central collector (or a bunch of collectors) from which you'll be able to pick up the events with a Splunk forwarder. And while the overal idea is good, some WEF subscriptions don't work. Well, the problem is - it's a completely not Splunk-related issue. It's a question for your windows team, especially as you say that GPOs are not properly applied. This is something you have to resolve with your AD/Windows admins.
03-18-2024
07:59 AM
It is not clear what settings you have on your alert searches. Do you have overlapping time periods? What is your alert trigger (that causes multiple alerts)? Please provide more detail.
03-18-2024
07:56 AM
1 Karma
Start with this and see if that works for you - if not please try to explain with as much detail as you can as to why it doesn't work. (index=index1 sourcetype=sourcetype1) OR (index=index2 sourcety...
See more...
Start with this and see if that works for you - if not please try to explain with as much detail as you can as to why it doesn't work. (index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2 )
| stats values(ApplicationName) as ApplicationName, values(ApplicationVersion) as ApplicationVersion, values(ApplicationVendor) as ApplicationVendor, values(hostname) as hostname, values(user) as user by cid
03-18-2024
07:55 AM
1 Karma
Hi @psomeshwar, forget the join command because your search will be very slow! You should try to use the stats command. Are there some rule in your join? e.g. results presnt in both the indexes or...
See more...
Hi @psomeshwar, forget the join command because your search will be very slow! You should try to use the stats command. Are there some rule in your join? e.g. results presnt in both the indexes or only in one of them? I give you the solution without constrains: (index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2)
| stats
values(ApplicationName) AS ApplicationName
values(ApplicationVersion) AS ApplicationVersion
values(ApplicationVendor) AS ApplicationVendor
values(hostname) AS hostname
values(username) AS username
BY cid Ciao. Giuseppe
03-18-2024
07:53 AM
Sorry for the delay. I appreciate your answer. I have had a sick cat, and have not been able to respond. But your answer makes sense!
03-18-2024
07:43 AM
Currently, I need to join information from two different indexes. I cannot show the information as it is confidential, but I can give a general overview of what it should look like
Search:
index=...
See more...
Currently, I need to join information from two different indexes. I cannot show the information as it is confidential, but I can give a general overview of what it should look like
Search:
index=index1 sourcetype=sourcetype1 | table ApplicationName, ApplicationVersion, ApplicationVendor, cid
Result:
ApplicationName ApplicationVersion ApplicationVendor cid name 1.0.3 vendor 78fds87324 ... ...
Search2:
index=index2 sourcetype=sourcetype2 | table hostname, user, cid
Result:
hostname user cid domainname username 78fds87324 ... ...
What I need is a way to show the ApplicationName, ApplicationVersion, ApplicationVendor, hostname and username all in one table connected through the cid. Anyone have any ideas?
- Tags:
- index
03-18-2024
07:32 AM
Thanks @hrawat I just check this from docs and nether inputs.conf, server.conf or Set up and use HTTP Event Collector with configuration files says anything that there is only one value for queueSi...
See more...
Thanks @hrawat I just check this from docs and nether inputs.conf, server.conf or Set up and use HTTP Event Collector with configuration files says anything that there is only one value for queueSize. At least me, as non native English speaker, cannot get that conclusion based on those documents. It's much easier to understand this just opposite way. Have you already asked fixes/additional information for those documents? r. Ismo
03-18-2024
07:29 AM
Hello Freinds, Current setup - we have multiple locations in Europe, and each location we have multiple windows servers and those servers' forwarding logs to windows log collector server. from log c...
See more...
Hello Freinds, Current setup - we have multiple locations in Europe, and each location we have multiple windows servers and those servers' forwarding logs to windows log collector server. from log collector to collect the logs on splunk cloud. few sites we are not receiving logs from windows servers, we checked in the GPO policy and its properly configured. while checking gpresult some of the settings not properly applied. i tried gpupdate and tried again. but issue still to be continued.
03-18-2024
07:09 AM
Unfortunately I haven't have those logs & apps on my test environment to guided you further with them. But you can read e.g. from https://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/WebFramew...
See more...
Unfortunately I haven't have those logs & apps on my test environment to guided you further with them. But you can read e.g. from https://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/WebFramework There are another guides too, just look those from google, bing or what ever search engine you are using.
03-18-2024
07:05 AM
1 Karma
Hi you could try this | rex "BatchId\s*:\s*(?<batch>[^,]+),\s*RequestId\s*(?<RequestID>[^,]+),\s*Msg : Batch status to be update to (?<Status>[^,]+)" If this is in any other field than _raw ...
See more...
Hi you could try this | rex "BatchId\s*:\s*(?<batch>[^,]+),\s*RequestId\s*(?<RequestID>[^,]+),\s*Msg : Batch status to be update to (?<Status>[^,]+)" If this is in any other field than _raw then add into rex field=<your field name> See https://regex101.com/r/U5IB8G/1 r. Ismo
03-18-2024
06:57 AM
You said "The path from logs is network share on the Windows Server, in which client-side application write via SMB". Are you sure that those files haven't permissions which allow only AD account a...
See more...
You said "The path from logs is network share on the Windows Server, in which client-side application write via SMB". Are you sure that those files haven't permissions which allow only AD account access those?
03-18-2024
06:57 AM
Thanks I am trying to extract three fields in below given message "message" : "BatchId : 7, RequestId : 100532188, Msg : Batch status to be update to SUCCESS", Extract : BatchId ,RequestId ,Sta...
See more...
Thanks I am trying to extract three fields in below given message "message" : "BatchId : 7, RequestId : 100532188, Msg : Batch status to be update to SUCCESS", Extract : BatchId ,RequestId ,Status need to extract SUCCESS . | rex "BatchId\s*:\s*(?<batch>[^,]+),\s*RequestId\s:\s*(?<RequestID>[^,]+),\s*Msg : Batch status to be update to (?<Status>\w+)"
- Tags:
- json
03-18-2024
06:54 AM
Are you sure that your transformation's name is same on both places (e.g. sonw vs snow etc.)?
03-18-2024
06:51 AM
1 Karma
There is a practice of setting queueSize in inputs.conf [http://<token>] stanza. queueSize over writes server.conf stanza [queue=httpInputQ]
maxSize Now if you have multiple tokens with ...
See more...
There is a practice of setting queueSize in inputs.conf [http://<token>] stanza. queueSize over writes server.conf stanza [queue=httpInputQ]
maxSize Now if you have multiple tokens with different queueSize. inputs.conf
[http://1]
queueSize=1
[http://2]
queueSize=2
[http://3]
queueSize=3
[http://4]
queueSize=4 Globally only one inputs.conf stanza wins for final httpInputQ size. This setting should only be set if setting 'persistentQueueSize' as well. If there are multiple http inputs configured and each input has set 'queueSize' but persistentQueueSize is not is set, splunkd will create one in-memory queue and pick the 'queueSize' value from first stanza after sorting http stanzas with matching token of first received http event in ascending order. With multiple pipelines configured, each pipeline will create one in-memory queue depending on the first http event received by the pipeline thus each pipeline might have different sized httpInputQ created. If there are multiple http stanzas configured and 'persistentQueueSize' is not set, prefer to set 'maxSize' under 'queue=httpInputQ' stanza in server.conf. So best practice would be to never set per token queueSize in inputs.conf. Instead set one time in server.conf, if not setting persistentQueueSize. [queue=httpInputQ]
maxSize
- Tags:
- hec
03-18-2024
06:48 AM
1 Karma
The appendcols command just appends columns in whatever order they are returned in with no respect for the values in the "common" fields, so, your comparison is like comparing apples with oranges, or...
See more...
The appendcols command just appends columns in whatever order they are returned in with no respect for the values in the "common" fields, so, your comparison is like comparing apples with oranges, or in your case wheat with rice. Is this what you really want to do? You could use stats to combine the values from each search like this index = data1
| eval grain_name = json_array_to_mv(json_keys(data1))
|mvexpand grain_name
|eval data = json_extract(data1, grain_name), qual = json_extract(data, "prod_qual")
|table grain_name, qual
| append [ search index=data2
| eval grain_name = json_array_to_mv(json_keys(data2))
| mvexpand grain_name
| eval data2 = json_extract(data2, grain_name), qual2 = json_extract(data2, "prod_qual")]
| stats values(qual) as qual values(qual2) as qual2 by grain_name
|eval diff = if(match (qual, qual2), "Same", "NotSame")
|table grain_name, qual, diff
03-18-2024
06:31 AM
Please can you provide more detail e.g. source of your dashboard, for what you have tried and why it isn't what you expect? (I assume you have tried span=1h)
03-18-2024
05:55 AM
Hi, I need a Specific Requirement with the time chart in my Dashboard. I have a Single Value Viz. which has the values and trend Comparisions. If I set the time range to the 24 hrs., it shou...
See more...
Hi, I need a Specific Requirement with the time chart in my Dashboard. I have a Single Value Viz. which has the values and trend Comparisions. If I set the time range to the 24 hrs., it should display the Last 24 hrs. count in the Value and Previous 24 hrs. Values (Differance)in the trend value. I can Achieve this by adding the span 1d, in the query. But whereas it comes to the Hrs., It won't be like that. Can anyone help me with this. Thanks in Advance.
Labels
- Labels:
-
timechart
03-18-2024
05:50 AM
@isoutamo hey thanks for the replay. I've been trying to create the following two you shared, but somehow i still don't see the the field in the field section I'm sharing the process I've taking. ...
See more...
@isoutamo hey thanks for the replay. I've been trying to create the following two you shared, but somehow i still don't see the the field in the field section I'm sharing the process I've taking. let me know if I'm missing something.
03-18-2024
05:50 AM
Hi ,
I am comparing two JSON data sets with respect to values of some nested keys in them.
The comparison is working fine except that at the end I am getting some blank rows with no data for them...
See more...
Hi ,
I am comparing two JSON data sets with respect to values of some nested keys in them.
The comparison is working fine except that at the end I am getting some blank rows with no data for them in the columns except the diff column that I am inserting.
I am including the query that I am using. However, since I am using appendcols in this, so the data sets returned by the search commands would be as below respectively:
data1={
\"Sugar\": {
\"prod_rate\" : \"50\",
\"prod_qual\" : \"Good\"
},
\"Rice\": {
\"prod_rate\" : \"80\",
\"prod_qual\" : \"OK\"
},
\"Potato\": {
\"prod_rate\" : \"87\",
\"prod_qual\" : \"OK\"
}
}
data2="{
\"Sugar\": {
\"prod_rate\" : \"50\",
\"prod_qual\" : \"Good\"
},
\"Wheat\": {
\"prod_rate\" : \"50\",
\"prod_qual\" : \"Good\"
}
}"
The actual query with proper search command in place is actually returning some blank rows. How can I remove them from display ?
index = data1
| eval grain_name = json_array_to_mv(json_keys(data1))
|mvexpand grain_name
|eval data = json_extract(data1, grain_name), qual = json_extract(data, "prod_qual")
|table grain_name, qual
| appendcols [ search index=data2| eval grain_name2 = json_array_to_mv(json_keys(data2))
| mvexpand grain_name2
| eval data2 = json_extract(data2, grain_name2), qual2 = json_extract(data2, "prod_qual")]
|eval diff = if(match (qual, qual2), "Same", "NotSame")
|table grain_name, qual, diff
- Tags:
- query
Labels
- Labels:
-
table
