Hello, how do I modify _time when running a summary index on a scheduled search? Please suggest. I appreciate your help. Thank you. When running a summary index on a scheduled search, by default _time was set to info_min_time (the start time of the search duration) instead of search_now (the time when the search ran). So, if at the current time I collect the summary index for the last 30 days, the _time will be set to the last 30 days instead of the current time. The problem is that if I run a search over the past 24 hours, the data won't show up because the _time is dated within the last 30 days, so I had to search over the past 30 days.
Hi @Harish2, the condition you required is that hour must be NOT hour<8 OR hour>11. Are the hours of the events in the results compliant with this condition? Maybe you should change the hour condition. Ciao. Giuseppe
I am looking for more of a generic mapping of resources to parts of the pipeline. However, this specific case is regarding a HF.
Machine Name: redacted
Machine CPU Cores (Physical / Virtual): 16 / 32
Physical Memory Capacity (MB): 131020
Operating System Architecture: Windows x64
Yes, events are present; my alert condition is results greater than zero for the last 15 minutes. But as per my requirement I mentioned today's date in the csv file, so the alert should not trigger, right?
Hi @Harish2, check the hours of these events, if they match the condition of your search. Ciao. Giuseppe
IHAC that is trying to ingest logs from their self-hosted Trellix instance. When I try to add an account, the URL field only lists: Global, Frankfort, India, Singapore, Sydney. There is no other input field to specify an actual FQDN/IP. Am I missing something, or is this feature not present?
Hi @allidoiswinboom, to help you I need them in text format to use in regex101.com; I cannot use a screenshot. Anyway, why is there a dollar char ($) in your regex? The correct regex should be:
REGEX = ^acl_policy_name\=\"
Ciao. Giuseppe
I tried the query you provided and I am receiving the alerts. Not sure what I am missing.
Hi Team, Hi Splunk Team, could you guide me through the process on how to consolidate ThousandEyes into Splunk to centralize alerts on the dashboard? Please share each and every step of the process on how to consolidate TE into Splunk. Thanks
Doesn't work on 7.3. Big problem managing IPv6 networks. Year 2024. https://docs.splunk.com/Documentation/ES/7.3.0/Admin/Configurenewassetoridentitylist
Hi @gcusello, I have to black out certain information, but see below: Thank you for your help!
Hi @rbakeredfi, are you speaking of an Indexer or a Heavy Forwarder? Have you done a correct assignment of resources? How many CPUs do you have on this server? If you're speaking of an Indexer, do you have a performant disk: at least 800 IOPS (better 1200)? Ciao. Giuseppe
Hi @allidoiswinboom, search for the correct regex using regex101.com or, please, share some events so we can help you. Ciao. Giuseppe
@kiran_panchavat... Sorry for the late reply... we tried checking all the steps: peer logs, license, OOM issue... could not find anything wrong and all were good. So we tried a rolling restart of the SH cluster... that fixed the issue and the errors were gone. Thank you for your time on helping with this.
Hi @gcusello, OK great, if that's the case, I just want to match events that start with "acl_policy_name" so I can transform the sourcetype to something else. All the events start with that, so I'm not sure what else I need to add to the REGEX? Thank you!
Hi @allidoiswinboom, I used your regex; if you don't have any results in the search, the issue is in the regex. Ciao. Giuseppe
Hi @Harish2, your search isn't correct; there are some syntax errors.
| tstats count latest(_time) as _time WHERE index=app-idx host="*abfd*" sourcetype=app-source-logs BY host
| appendcols [ | makeresults | eval date=strftime(_time, "%m/%d/%Y") | lookup calendsr.csv date OUTPUT type | eval type=if(isnotnull(type),type,"NotHoliday") ]
Anyway, not using the hours, you check only a part of the requirements as you described. Ciao. Giuseppe
Hi @gcusello, I ran that search and no results were found. So is the regex incorrect? I was just trying to match that event referenced above. Thank you!
Hi @allidoiswinboom, please, which sourcetype do you have? Are you running this search:
index = f5_cs_p_p | regex "^acl_policy_name=\"$"
In addition, in the REGEX in transforms.conf, you should escape the quotes:
REGEX = ^acl_policy_name=\"$
Ciao. Giuseppe
Hi @gcusello, thank you so much, you gave me exactly what I want. But I tried it and I don't want to add any date or hours in the query; I added them in the csv file and ran the below query, and I am still receiving the alerts. Can you please let me know what I am missing? And I want to add time also in the csv file, and link it to the query so that during the mentioned time and date my alert should not trigger. Please help me on that.
| tstats count latest(_time) as _time WHERE index=app-idx host="*abfd*" sourcetype=app-source-logs BY host |appendcols [|makeresults |eval Today=date=strftime(_time, "%m/%d/%Y") |lookup calendsr.csv date OUTPUT type |eval type=if(isnotnull)(type),type,"NotHoliday"]