All Posts

The delete command "deletes" the events which are in the pipeline - tstats does not return the events so this is unlikely to work. Having said that, I am not sure what happens if you do manage to delete the events from the index, whether the stats returned by tstats change?
@HemanthCR7 Hi Hemanth, it depends on your organization; sometimes you encounter this problem when attempting to register with your corporate email, because external emails may be blocked by certain businesses. Should that be the case, open a support ticket and check your spam folder.
https://regex101.com/r/vFdbh7/1
| rex "\"address\":\"(?<api>[\w\/:]+?)(?=([a-z0-9]+\-[a-z0-9-]+)|$)"
@smitbelani Please have a look at Notification when a new update is released - Splunk Community
Hi @tamir,
my solution is to save the extraction as a field extraction; if you want to use the regex in a search, you have to add it to the search:
index=your_index
| rex field=source "Snowflake\/(?<folder>[^\/]+)"
Ciao.
Giuseppe
Hi @Deprasad,
please try this regex:
| rex "\"address\":\"(?<uri>https*:\/\/[^\/]+\/[^\/]+\/[^\/]+)"
that you can test at https://regex101.com/r/Umz02I/1
If you already extracted the full APP value (and it's called "api_url"), you can use a different regex:
| rex field=api_url "(?<uri>https*:\/\/[^\/]+\/[^\/]+\/[^\/]+)"
Ciao.
Giuseppe
Is there a feature that notifies about a new release of a Splunk version? Maybe via email, or by subscribing to a newsletter or something?
Try something like this:
index=mmuh_helpdesk sourcetype=mmuh_helpdesk_json
| dedup id
| fillnull value=NULL
| search "problemtype.detailDisplayName"!=*AGRESSO*
| eval problem_detail='problemtype.detailDisplayName'
| eval problem_detail=replace(problem_detail, "&#8226","")
| eval problem_detail=replace(problem_detail, ";","|")
| eval techGroupLevel = 'techGroupLevel.levelName'
| eval techGroupLevel = replace(techGroupLevel, "&nbsp;"," ")
| eval techGroupLevel = replace(techGroupLevel, " ","")
| eval techGroupLevel = replace(techGroupLevel, "Level"," Level")
| eval location_Name = 'location.locationName'
| eval status = 'statustype.statusTypeName'
| eval priority = 'prioritytype.priorityTypeName'
| eval techGroupId = 'techGroupLevel.id'
| eval tech_Name = 'clientTech.displayName'
| eval problem_classification=if(match(problem_detail,".*email.*"), "email problem", problem_detail)
| stats count by problem_classification
I've below 3 different types of API logs where I've to treat all 3 as the same and get the count of the API. There are multiple versions of the same API, with or without the user guid, which is a unique value.
"address":"http://test/services/user/v1/deleteUser/342ad-123m4-r43rm-144dgdg
"address":"http://test/services/user/v2/deleteUser/delete/342ad-123m4-r43rm-144dgdg
"address":"http://test/services/user/v2/deleteUser
Looking for a regex which reads the API until the alphanumeric string starts. In short, if I do stats count by API it should give the count as 3.
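To see what each of the two regexes suggested in the replies above actually groups together, here is an added Python example (not code from the thread) that runs both patterns over three constructed events modelled on the lines in the question and emulates `| stats count by <field>`. Python's `re` module spells named groups `(?P<name>...)` rather than PCRE's `(?<name>...)` and does not need `/` escaped; otherwise the patterns are the ones posted.

```python
import re
from collections import Counter

# Constructed sample events, modelled on the three address values quoted in the question.
SAMPLE_EVENTS = [
    '"address":"http://test/services/user/v1/deleteUser/342ad-123m4-r43rm-144dgdg',
    '"address":"http://test/services/user/v2/deleteUser/delete/342ad-123m4-r43rm-144dgdg',
    '"address":"http://test/services/user/v2/deleteUser',
]

# Regex from the first reply: consume lazily until a "<alnum>-<alnum...>" run (the guid) or end of line.
# Splunk's rex uses PCRE (?<api>...); Python needs (?P<api>...).
LAZY_UNTIL_GUID = re.compile(
    r'"address":"(?P<api>[\w/:]+?)(?=([a-z0-9]+-[a-z0-9-]+)|$)'
)

# Regex from Giuseppe's reply: scheme, host and the first two path segments only.
FIRST_TWO_SEGMENTS = re.compile(
    r'"address":"(?P<uri>https*://[^/]+/[^/]+/[^/]+)'
)


def extract(pattern, group, event):
    """Return the named group from the first match in one event, or None when it does not match
    (rex leaves the field unset in that case)."""
    m = pattern.search(event)
    return m.group(group) if m else None


def extract_all(pattern, group, events=SAMPLE_EVENTS):
    """Apply the pattern to every event, like `| rex` over a result set."""
    return [extract(pattern, group, e) for e in events]


def count_by(pattern, group, events=SAMPLE_EVENTS):
    """Emulate `| stats count by <field>`: events where the field is unset are dropped, as stats does."""
    return dict(Counter(v for v in extract_all(pattern, group, events) if v is not None))


if __name__ == "__main__":
    for name, pat, grp in (("lazy-until-guid", LAZY_UNTIL_GUID, "api"),
                           ("first-two-segments", FIRST_TWO_SEGMENTS, "uri")):
        print(name, count_by(pat, grp))
```

Running it shows the difference between the two: the lazy pattern keeps the version and action segments (and a trailing `/` when a guid follows), so the three events become three distinct keys, while the scheme-host-two-segments pattern collapses all three onto `http://test/services/user`.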
Hi guys, thank you in advance. Is it possible to use a value of the search result as a parameter in the | sendemail from=" ? " In | sendemail to= we can use $result.mail_to$, but in the case of | sendemail from=$result.mail_from$ it doesn't work. We already disabled the security options for this. For example:
index="main"
| eval mail_from = "username@mail.com"
| eval mail_to = "username@mail.com"
| eval subject = "subject"
| table username age country city
| sendemail to=$result.mail_to$ from=$result.mail_from$ subject=$result.subject$ message="This is an example message" sendresults=true inline=true format=table sendcsv=true
Fair enough. I wish there was a Splunk way to push these changes to system/local that didn't include a third party application.   Would you recommend show config vs btool in this case?
Hi @kiran_panchavat , could you please help me on this...!!
I have the same issue. So, you are saying that from the certifi library I can extract the path to the SSL certificate bundle and pass it to the post request as an argument, right? Now, I want to clarify something: the add-on application I have developed needs to be distributed to the clients, so, according to this link: https://community.splunk.com/t5/Splunk-Cloud-Platform/How-do-I-go-about-publishing-a-Splunk-Technical-Add-On/m-p/633127#M2081 does the client need to put their bundled certificate into the app directory themselves, and use your code to retrieve the path of the cert and pass it as an argument to the post request?
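As an added example (not code from the thread or from any Splunk add-on), the following Python shows one way an add-on can resolve the CA bundle it passes as `verify=` to `requests.post`: prefer a PEM file shipped inside the app, fall back to `certifi.where()` when that library is importable, otherwise let requests use its default trust store, and fail closed if the chosen bundle cannot be loaded. The app directory `/opt/splunk/etc/apps/TA-example` and the bundle location `bin/cacert.pem` are assumptions for illustration only.

```python
"""Resolve the CA bundle an add-on hands to requests' verify= argument, and refuse to run without one."""
import os
import ssl

# Hypothetical locations (assumptions for this example): the add-on's root directory
# and a PEM bundle the packager may choose to ship under <app>/bin/.
APP_DIR = os.path.join("/opt/splunk/etc/apps", "TA-example")
BUNDLED_CA_RELPATH = os.path.join("bin", "cacert.pem")


def resolve_ca_bundle(app_dir=APP_DIR, exists=os.path.isfile):
    """Return (source, verify_value) where verify_value is what to pass as requests' verify=.

    Preference order:
      1. a bundle shipped inside the app, so the client does not have to add one;
      2. the bundle carried by the certifi library, if it is importable;
      3. True, which makes requests use its own default trust store.
    This never resolves to False: disabling verification is the wrong fix for a missing bundle.
    `exists` is injectable so the path logic can be exercised without touching the filesystem.
    """
    bundled = os.path.join(app_dir, BUNDLED_CA_RELPATH)
    if exists(bundled):
        return ("app-bundled", bundled)
    try:
        import certifi  # optional dependency; used only when installed
    except ImportError:
        return ("requests-default", True)
    return ("certifi", certifi.where())


def validate_ca_bundle(verify_value):
    """Check that a resolved bundle actually loads as PEM, so a corrupt or missing file fails early
    rather than at the first request. True (requests' default store) needs no check here."""
    if verify_value is True:
        return True
    ctx = ssl.create_default_context()
    try:
        ctx.load_verify_locations(cafile=verify_value)
    except (OSError, ssl.SSLError):
        return False
    return True


def post_with_verified_tls(url, payload, app_dir=APP_DIR, timeout=10):
    """Send the add-on's request with server verification pinned to the resolved bundle."""
    import requests  # imported here so the resolver above stays importable without requests installed
    source, verify = resolve_ca_bundle(app_dir)
    if not validate_ca_bundle(verify):
        raise RuntimeError("CA bundle from %s is unusable: %r" % (source, verify))
    return requests.post(url, json=payload, timeout=timeout, verify=verify)


if __name__ == "__main__":
    print(resolve_ca_bundle())
```

Whichever branch is taken, the request never degrades to `verify=False`, which would switch off server authentication entirely; an unusable bundle raises instead. If the app ships its own bundle, the client does not need to add anything; if it relies on certifi, the Python interpreter that runs the add-on on the client side must be able to import that library.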
Good morning, I have a field that I've called problem_detail in our Helpdesk index. It contains all the types of problems that are logged to us. I would like to only merge those that are associated with email queries together; there are about 15 different ones.
index=mmuh_helpdesk sourcetype=mmuh_helpdesk_json
| dedup id
| fillnull value=NULL
| search "problemtype.detailDisplayName"!=*AGRESSO*
| eval problem_detail='problemtype.detailDisplayName'
| eval problem_detail=replace(problem_detail, "&#8226","")
| eval problem_detail=replace(problem_detail, ";","|")
| eval techGroupLevel = 'techGroupLevel.levelName'
| eval techGroupLevel = replace(techGroupLevel, "&nbsp;"," ")
| eval techGroupLevel = replace(techGroupLevel, " ","")
| eval techGroupLevel = replace(techGroupLevel, "Level"," Level")
| eval location_Name = 'location.locationName'
| eval status = 'statustype.statusTypeName'
| eval priority = 'prioritytype.priorityTypeName'
| eval techGroupId = 'techGroupLevel.id'
| eval tech_Name = 'clientTech.displayName'
| stats count by problem_detail
This SPL is giving me the full list of 158 problem details, and from there I can see around 15 of these relate to email. Is there a way I can combine the totals from all the problem_details that contain 'email' together? I tried eval and then coalesce but it didn't work ..:( Thank you
@richgalloway thanks for the reply. The | rex is working as it should; the problem starts when I'm trying to save the regex, and this is caused by the fact that I need to save the regex from the "source" field and not from the "_raw" field. The main goal is to add another field in all searches without using the | rex command every time.
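One way to make the extraction permanent against the source field rather than _raw, added here as an example rather than something posted in the thread: a search-time extraction in props.conf accepts an `in <field>` suffix naming the field the regex is applied to. The stanza name and the extraction class name below are placeholders.

```ini
# local/props.conf in the app where the extraction should live
# (stanza name and class name are placeholders; use your own sourcetype)
[your_sourcetype]
EXTRACT-snowflake_folder = Snowflake\/(?<folder>[^\/]+) in source
```

With this in place, `folder` is populated in any search that covers that sourcetype without an explicit `| rex field=source ...` in the search string.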
You can parse this event with rex https://regex101.com/r/eUputR/1 However, this assumes you have an empty / not required field for the 4th bracket pair, and that you don't have further nesting of bracketed sub-strings in the Thread ID
Hey @gcusello, thanks for your reply. It seems like the capture does not capture any of the fields I needed. I've tried to save it and even to play a bit with the syntax, but still no success.
I'm trying to test Splunk Cloud, have registered for a free trial, but have not received any email so far from Splunk. I have faced a similar problem a few times. What do I do in this situation?
Your final command will only give you one result event - depending on how you have set up the trigger for your alert, you could remove this and then trigger on the number of results being less than 2 i.e. let Splunk do the counting for you.
Thank you for your support @ITWhisperer , the given code is working as expected.