Removed the eval statement and got it working. 
Thanks. And it is taking only one event and returning me an average response time of 4, or any number I put in the eval field. I couldn't grab all the numbers in such logs/events and take an average value.
<panel>
  <html>
    <div class="modal $tokShowModel$" id="myModal" style="border-top-left-radius:25px; border-top-right-radius:25px;">
      <div class="modal-header" style="background:#e1e6eb; padding:20px; height:10px;">
        <h3>Message:</h3>
      </div>
      <div class="modal-body" style="padding:30%">
        <p style="color:blue;font-size:16px;"> This dashboard has been moved to azure. Kindly visit the following link - <a href="https://mse-svsplunkm01.emea.duerr.int:8000/en-US/app/GermanISMS/kpi_global_v5">Go here </a> </p>
      </div>
    </div>
  </html>
</panel>

I have created this code which displays the pop up, but the Splunk dashboard is still working in the background... Can anyone please help me with an idea about any script that I can add to this code to make the dashboard stop working in the background while the pop up is still displayed...
Hello, I'm unable to see data / tenant data in prod dashboards when searching by tenant id. I cannot see the tenant id, but it is visible in lower domains. I have verified all beats metrics are installed on the servers.
Hello Kiran,

<panel>
  <html>
    <div class="modal $tokShowModel$" id="myModal" style="border-top-left-radius:25px; border-top-right-radius:25px;">
      <div class="modal-header" style="background:#e1e6eb; padding:20px; height:10px;">
        <h3>Message:</h3>
      </div>
      <div class="modal-body" style="padding:30%">
        <p style="color:blue;font-size:16px;"> This dashboard has been moved to azure. Kindly visit the following link - <a href="https://mse-svsplunkm01.emea.duerr.int:8000/en-US/app/GermanISMS/kpi_global_v5">Go here </a> </p>
      </div>
    </div>
  </html>
</panel>

I have created this code which displays the pop up, but the dashboard is still working in the background... Do you have any idea about any script that I can add to this code to make the dashboard stop working in the background?
You are probably entering private IPs - or see this for Splunk's private IPs https://docs.splunk.com/Documentation/SplunkCloud/latest/Config/ACSerrormessages  
Hi, please try this:

| tstats dc(index) AS index_count WHERE index IN (aws,windows) BY host
| where index_count=2
| table host

Ciao.
Giuseppe
See this for base search documentation https://docs.splunk.com/Documentation/Splunk/9.2.0/Viz/Savedsearches
To make a common search, use a base search that is then used by both other searches. The details will need to be common enough. Your main table has a search window of 90m - do you expect a large number of events in this data set? This table does not really do any aggregations, so using this as a base search is not really a good idea. You would need 3 searches: the base, one for the dropdown and the other for the data table. See this (untested) and compare it to your dashboard - it fixes your dropdown issue, creates a base search used by the other two searches, and they all use the same time picker values.

<form version="1.1" theme="light">
  <label>GP Errors</label>
  <search id="base">
    <query>index=winevent source="WinEventLog:System" SourceName="Microsoft-Windows-GroupPolicy" Type=Error
| stats count by _time host EventCode Message
| rename host AS Host, EventCode AS EventID
    </query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-90m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="Computername">
      <label>Computer Name</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="EventID">
      <label>Event ID</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>EventID</fieldForLabel>
      <fieldForValue>EventID</fieldForValue>
      <search base="base">
        <query> | stats count by EventID</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search base="base">
          <query> search Host=$Computername$ EventID=$EventID$
| table Host, EventID, Message, _time count
| sort - _time</query>
        </search>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Note that you also need to consider dependencies - should the list of event IDs in the dropdown be only those found for the entered computer? If not, then when you select an ID it may not exist.
You are only providing keyholes into your problem domain - we need to understand the bigger picture as @richgalloway says to understand what your problem is. Can you provide your existing XML and/or searches showing the fields you are querying - please ensure the data is sanitised, so it can be posted here.  
Hi. So you tried

| makeresults ns=project*
| eval _raw="\"totalTimeTaken\":4"
| rex field=_raw "\"totalTimeTaken\":+(?<Response_Time>\d+)"
| stats avg(response_time)

And there are two problems.
1) The first makeresults... I don't know what the ns=project* is. Here's the reference https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Makeresults
2) Your rex is extracting the value into the field Response_Time, but then you do stats avg on response_time in lowercase. Case matters in Splunk field names.

Here's what seems to work:

| makeresults count=1
| eval _raw="\"totalTimeTaken\":4"
| rex field=_raw "\"totalTimeTaken\":+(?<Response_Time>\d+)"
| stats avg(Response_Time)
I thank you for the help. Turns out we were ingesting the required ID, but the field was email Id not Message-ID. It's also listed under the Event INFO in the container under Details Source ID: Got there in the end.  Thank you for the query though, wouldn't have found this without it.   
Hello, I'm trying to find the average response time of all events using the field totalTimeTaken. Thing is, when I tested this regular expression on a regular expression site it shows I'm extracting the field and value correctly, but when I put the same into the Splunk statement it does not yield the expected result.

Log:

{"Record: {"ATimeTaken":0, "BTimeTaken":0 ,"totalTimeTaken":4},{anotherFields}}

Query:

| makeresults ns=project*
| eval _raw="\"totalTimeTaken\":4"
| rex field=_raw "\"totalTimeTaken\":+(?<Response_Time>\d+)"
| stats avg(response_time)

Could I know where I'm going wrong?
Windows hardening was what caused the issue. Solved after adjusting the permissions.
I've used tokens in the base search itself, except for the class and group filter. I need to enable these two tokens for the SQL row and disable them for the others. @richgalloway
@poojabolla Hello Pooja, If you reference an index that does not exist in your Splunk environment, you will receive an error message similar to: “Error in ‘Search’: The specified index does not exist.” Even a small typo in the index name can lead to errors. Make sure you’ve spelled the index name correctly. https://docs.splunk.com/Documentation/Splunk/9.2.0/Troubleshooting/Cantfinddata 
Thanks ^^ have a nice day!
The events returned by the search can have multiple fields; the fieldsFor... elements define which field from the search is used for the label and which is used for the value.
I tried to whitelist an ip address for HEC log ingestion and got the error message "Subnet overlaps Private IP block"   Does anyone know what this means? Thanks
I'm getting this error message in the log file: solnlib.credentials.CredentialNotExistException: Failed to get password of realm=. According to this page, https://splunk.github.io/addonfactory-solutions-library-python/credentials/#solnlib.credentials.CredentialNotExistException , this is due to the username not being valid. I'm trying to work out how to get what is passed to credentials.py, since the information in the username doesn't make sense to me. Is there any way of debugging credentials.py? I tried to put print statements in, but the TA UI didn't like it. I had to remove the print statements to get the UI working again. I've tried debugging via the command line but always get stuck at this point: session_key = sys.stdin.readline().strip(). I can't work out what I need to do to see where the user information is coming from. Any help on how I can debug this? TIA, Joe