All Posts

Hi, please try this:
| tstats dc(index) AS index_count WHERE index IN (aws,windows) BY host | where index_count=2 | table host
Ciao. Giuseppe
See this for base search documentation https://docs.splunk.com/Documentation/Splunk/9.2.0/Viz/Savedsearches
To make a common search, use a base search that is then used by both other searches. The details will need to be common enough. Your main table has a search window of 90m - do you expect a large number of events in this data set? This table does not really do any aggregations, so using this as a base search is not really a good idea. You would need 3 searches, the base and one for the dropdown and the other for the data table. See this (untested) and compare it to your dashboard - it fixes your dropdown issue, creates a base search used by the other two searches and they all use the same time picker values.

<form version="1.1" theme="light">
  <label>GP Errors</label>
  <search id="base">
    <query>index=winevent source="WinEventLog:System" SourceName="Microsoft-Windows-GroupPolicy" Type=Error | stats count by _time host EventCode Message | rename host AS Host, EventCode AS EventID</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-90m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="Computername">
      <label>Computer Name</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="EventID">
      <label>Event ID</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>EventID</fieldForLabel>
      <fieldForValue>EventID</fieldForValue>
      <search base="base">
        <query>| stats count by EventID</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search base="base">
          <query>search Host=$Computername$ EventID=$EventID$ | table Host, EventID, Message, _time count | sort - _time</query>
        </search>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Note that you also need to consider dependencies - should the list of EventIDs in the dropdown be ones that are found only for the entered computer? If not, then when you select an ID it may not exist.
You are only providing keyholes into your problem domain - we need to understand the bigger picture as @richgalloway says to understand what your problem is. Can you provide your existing XML and/or searches showing the fields you are querying - please ensure the data is sanitised, so it can be posted here.  
Hi. So you tried
| makeresults ns=project* | eval _raw="\"totalTimeTaken\":4" | rex field=_raw "\"totalTimeTaken\":+(?<Response_Time>\d+)" | stats avg(response_time)
And there are two problems. 1) The first makeresults... I don't know what the ns=project* is. Here's the reference https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Makeresults 2) Your rex is extracting the value into the field Response_Time but then you do stats avg on response_time in lowercase. Case matters in Splunk field names. Here's what seems to work:
| makeresults count=1 | eval _raw="\"totalTimeTaken\":4" | rex field=_raw "\"totalTimeTaken\":+(?<Response_Time>\d+)" | stats avg(Response_Time)
I thank you for the help. Turns out we were ingesting the required ID, but the field was email Id not Message-ID. It's also listed under the Event INFO in the container under Details Source ID: Got there in the end.  Thank you for the query though, wouldn't have found this without it.   
Hello, I'm trying to find the average response time of all events from the field totalTimeTaken. The thing is, when I tested this regular expression on a regular expression site it shows I'm extracting the field and value correctly, but when I put the same into the Splunk statement it is not yielding the expected result.
Log:
{"Record: {"ATimeTaken":0, "BTimeTaken":0 ,"totalTimeTaken":4},{anotherFields}}
Query:
| makeresults ns=project* | eval _raw="\"totalTimeTaken\":4" | rex field=_raw "\"totalTimeTaken\":+(?<Response_Time>\d+)" | stats avg(response_time)
Could I know where I'm going wrong?
Windows hardening caused the issue. Solved after adjusting the permissions.
I've used tokens in the base search itself. Except class and group filter. I need to enable these two tokens for SQL row and need to disable it for others. @richgalloway 
@poojabolla Hello Pooja, If you reference an index that does not exist in your Splunk environment, you will receive an error message similar to: “Error in ‘Search’: The specified index does not exist.” Even a small typo in the index name can lead to errors. Make sure you’ve spelled the index name correctly. https://docs.splunk.com/Documentation/Splunk/9.2.0/Troubleshooting/Cantfinddata 
Thanks ^^ have a nice day!
The events returned by the search can have multiple fields; the fieldsFor... elements define which field from the search is used for the label and which is used for the value.
I tried to whitelist an ip address for HEC log ingestion and got the error message "Subnet overlaps Private IP block"   Does anyone know what this means? Thanks
I'm getting this error message in the log file: solnlib.credentials.CredentialNotExistException: Failed to get password of realm=. According to this page, https://splunk.github.io/addonfactory-solutions-library-python/credentials/#solnlib.credentials.CredentialNotExistException , this is due to the username not being valid. I'm trying to work out how to get what is passed to credentials.py since the information in the username doesn't make sense to me. Is there any way of debugging credentials.py? I tried to put print statements in, but the TA UI didn't like it. I had to remove the print statements to get the UI working again. I've tried debugging via command line but always get stuck at this point: session_key = sys.stdin.readline().strip(). I can't work out what I need to do to see where the user information is coming from. Any help on how I can debug this? TIA, Joe
Thanks for replying Marnall. It is indeed very strange that the CIM Validator does not return any results. Especially since, as you mentioned, at the bottom of the page there is a table labelled "Events" that does return results. I do not recall if this issue was present last week, but trying to click on the "Search type" drop down menu and clicking on "datamodel" no longer saves that selection. It is permanently stuck on "_raw". Clicking on all the magnifying glasses of each search, the results are almost always the same: - "Total fields" always returns a count of zero. - The rest all return the data model that I have selected. I've added several screenshots showing what I see. I hope there will be more suggestions for troubleshooting.
[Screenshot: No CIM Validation results despite the "Events" table being populated.]
[Screenshot: "Open in Search" result from "Issue Fields"]
I am trying to create a dashboard to examine group policy processing errors. I would like to create a drop-down based on the values returned for EventCode, which is the Windows EventID.
1. How do I create a dynamic drop-down to show the EventIDs (EventCode) returned by the search?
2. I see you can enter a whole new search, but technically that is different than the main search, right? How do I base it on the main search?
3. What are Label (fieldForLabel) and Value (fieldForValue) for? Why are they required?

<form version="1.1" theme="light">
  <label>GP Errors</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-90m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="Computername">
      <label>Computer Name</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="EventID">
      <label>Event ID</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>EventID</fieldForLabel>
      <fieldForValue>EventID</fieldForValue>
      <search>
        <query>index=winevent source="WinEventLog:System" SourceName="Microsoft-Windows-GroupPolicy" Type=Error | stats values(EventCode)</query>
        <earliest>-90m@m</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=winevent source="WinEventLog:System" SourceName="Microsoft-Windows-GroupPolicy" Type=Error host=$Computername$ EventCode=$EventID$ | table host, EventCode, Message, _time | rename host AS Host, EventCode AS EventID | sort _time desc</query>
          <earliest>-90m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
Indexers will automatically copy buckets from local storage to SmartStore/S3 when they roll from hot to warm. You can try to tune the hot bucket lifetime to 30 days, but I don't recommend it. Let them roll normally and size your SmartStore cache so it's large enough to hold 30 days of data. Use the frozenTimePeriodInSecs setting in indexes.conf to specify the lifetime of the data. Buckets will be removed from S3 when the newest event in the bucket is older than the specified time.
Hi, Here is something you could check. I see in your command line, you have
-javaagent:splunk-otel-javaagent.jar
That probably works as long as your current working directory is where that jar file lives. You could try specifying the full path there instead to be sure. Then, you'll want to make sure that the user that is running your Java app has read/write permissions to that directory where the splunk-otel-javaagent.jar lives because that will be the default location of the profiler reading and writing the jfr files. I assume you've already confirmed that the OTel collector is running and sending other types of data to the Observability Cloud (such as host metrics).
I'm having 5 filters in that, I've two filters called group and class: for group token=$group$ and for class=$class$. For the group and class filters only one specific row, that is SQL, has values; other rows do not have values. If I pass tokens $class$ and $group$ in SQL, I'm getting results, but when I pass these tokens to other rows, it will be zero, because there are no values for class and group. But I want to show other rows also, but the $class$ and $group$ tokens should be rejected because the other filters have values for these rows also. So only I'm asking whether we can use depends or rejects. Please, I need your help to solve this.

The depends and rejects options control the layout of the dashboard; they have no effect on the content of the dashboard panels. Can you share the code in which the tokens are being used? That may help with my understanding of the problem and allow me to make a useful suggestion.
Hi. Your search is so close to what I do.. change search -> where
| tstats count where index=aws by host | table host | where NOT [| tstats count where index=windows by host | table host]