All Posts
Will this be available in version 9.4.2? We are upgrading in the coming weeks and have people itching for it.
Why are you using process_path=$Get_Process_Path|s$ if $Get_Process_Path$ already has the process_path="* prefix? Is this what is causing the issue?
Hi,

My dashboard has a few text boxes and I'm trying to make the inputs as user friendly as possible. I came across multiple issues which I have solved with previous posts; however, there is a conflict between the solutions that prevents me from implementing both at the same time.

#1 - If a text input is empty then that field should be ignored in the search. This can be fixed by adding a prefix and suffix. Ideally we can also input partial paths, so there is also an implicit * character.

<input type="text" token="Get_Process_Path">
  <label>Process Name or Path</label>
  <prefix>process_path="*</prefix>
  <suffix>*"</suffix>
</input>

https://community.splunk.com/t5/Dashboards-Visualizations/Evaluating-form-field-if-not-null/td-p/18164

#2 - Interpret backslash characters as text so we don't need to manually add \\ to every path. The |s filter for tokens fixed this.

process_path=$Get_Process_Path|s$

https://community.splunk.com/t5/Dashboards-Visualizations/How-do-you-escape-backslashes-in-user-input-and-then-use-that/m-p/142096

I can get both of these working on their own but not at the same time. Is there a way to do this or do I need a different approach?

Thanks.
  Thank you!
Hi @livehybrid

Thanks for looking into this - cheers. The issue is that I have filters (drop-downs) that I am using to zoom into data. So when I pick a jobID it works very well for other tables. For example, the table below would have a filter. The code would look like this. So this is perfect for "CONSO_ABAQ | 31/03/2016 | 22". However, if I put in * from the drop-down, I won't get the original line as it does not have resourceSpans{}.scopeSpans{}.spans{}.attributes{}.value.stringValue; however, I am looking to extract other data from that line to complete the table.

host="MARKET_RISK_PDT_V2" index="murex_logs" sourcetype="Market_Risk_DT"
| search "resourceSpans{}.resource.attributes{}.value.stringValue"="*"
| search resourceSpans{}.scopeSpans{}.spans{}.attributes{}.value.stringValue = "CONSO_ABAQ | 31/03/2016 | 22"
| spath resourceSpans{}.scopeSpans{}.spans{} output=scopeSpans
| stats count by scopeSpans
| spath input=scopeSpans
| rename startTimeUnixNano as start
| rename endTimeUnixNano as end
| eval _time=start/pow(10,9)
| eval duration = end -start
| eval duration= duration/1000000
| eval duration = round(duration,0)
| eval parentSpanId =if(parentSpanId="" ,"0", $parentSpanId$)
| rename name as SPAN_TYPE
| search traceId = *
| search spanId="*" OR parentSpanId="*"
| stats avg(duration) as Average count(duration) AS count, stdev(duration) AS stdev, median(duration) AS median, exactperc75(duration) AS perc75, exactperc95(duration) AS perc95, exactperc99.5(duration) AS perc99.5, min(duration) AS min, max(duration) AS max by SPAN_TYPE
| sort - Average
Hi @robertlynch2020

I might be misunderstanding something here, but why are you searching for resourceSpans{}.scopeSpans{}.spans{}.attributes{}.value.stringValue = "*" if you want to include data which does not have it? If you search for a field with value * then the field must exist. It might help if we could understand your use case here if you're able to share a little more info, please?

Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi

I have the following data (below). I have a situation where I want to search for "*" on a search and have it return all the data.

resourceSpans{}.scopeSpans{}.spans{}.attributes{}.value.stringValue = "*"

However, this works for 99.9 % of my data, but not for the line below. This path is not there, so when I run the command below, I get no results. However, I am looking for all data with the *. But as it's not there, it is excluding it. Is there any way I can still get the data back?

{"resourceSpans":[{"resource":{"attributes":[{"key":"process.pid","value":{"intValue":"600146"}},{"key":"service.instance.id","value":{"stringValue":"003nhhk3"}},{"key":"service.name","value":{"stringValue":"LAUNCHERMXMARKETRISK_MPC"}},{"key":"service.namespace","value":{"stringValue":"LAUNCHER"}},{"key":"telemetry.sdk.language","value":{"stringValue":"java"}},{"key":"telemetry.sdk.name","value":{"stringValue":"opentelemetry"}},{"key":"telemetry.sdk.version","value":{"stringValue":"1.34.0"}},{"key":"mx.env","value":{"stringValue":"dell945srv:13003"}}]},"scopeSpans":[{"scope":{"name":"mx-traces-api","version":"1.0.0"},"spans":[{"traceId":"10731f4b1d19380ceb33ae33672dbd5f","spanId":"cbf88ed07b403b48","parentSpanId":"3cfc7d85786b676b","name":"createSubmission","kind":1,"startTimeUnixNano":"1747152946314481406","endTimeUnixNano":"1747152946314775297","status":{}},{"traceId":"10731f4b1d19380ceb33ae33672dbd5f","spanId":"8ff7fabcab4b12d0","parentSpanId":"3cfc7d85786b676b","name":"createSubmission","kind":1,"startTimeUnixNano":"1747152946353054099","endTimeUnixNano":"1747152946353187644","status":{}},{"traceId":"10731f4b1d19380ceb33ae33672dbd5f","spanId":"4b14e49df1e1ffd8","parentSpanId":"3cfc7d85786b676b","name":"createSubmission","kind":1,"startTimeUnixNano":"1747152946474942393","endTimeUnixNano":"1747152946475042609","status":{}},{"traceId":"10731f4b1d19380ceb33ae33672dbd5f","spanId":"169b89bf118931d8","parentSpanId":"3cfc7d85786b676b","name":"createSubmission","kind":1,"startTimeUnixNano":"1747152946488875310","endTimeUnixNano":"1747152946488933120","status":{}}]}]}]}
This is simple code to reproduce the problem. My actual code iterates over the events. The problem is that when I don't use the table command before my custom command there are no events to iterate over. In this case, without table there are no results, not even one. Also, my search in this example uses head 1, thus there is only one input result. I will try your version when I get back to work.
Hi @wipark

Your command yields a single event with the type of the events parameter, but does not process or yield the actual input events. In a streaming command, you must iterate over the incoming events and yield output for each one. Your current implementation only yields once, regardless of input. Try this updated code:

import sys
# splunklib imports and the dispatch entry point that a custom command script needs
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration

@Configuration()
class CustomCommand(StreamingCommand):
    def stream(self, events):
        # Consume every incoming event and yield each one downstream
        for event in events:
            event["event"] = str(type(events))
            yield event

dispatch(CustomCommand, sys.argv, sys.stdin, sys.stdout, __name__)

The stream method receives an iterator of events. You need to loop over events and yield each event (usually you would modify the events to perform your command's intended function!). Your original code only yielded once, so unless the search pipeline expected a single event, nothing was passed downstream.
I am developing a custom streaming command. During tests and debugging I noticed the command works fine in this search:

index="_internal" | head 1 | table host | customcommand

and produces the following result:

<class 'generator'>

But when I use the command in the following search it produces no results:

index="_internal" | head 1 | customcommand

This is the code:

import sys
# splunklib imports and the dispatch entry point that a custom command script needs
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration

@Configuration()
class CustomCommand(StreamingCommand):
    def stream(self, events):
        # Yields one record only; the incoming events are never consumed or passed on
        yield {"event": str(type(events))}

dispatch(CustomCommand, sys.argv, sys.stdin, sys.stdout, __name__)

and this is commands.conf:

[customcommand]
chunked = true
filename = customcommand.py
python.version = python3
requires_srinfo = true
streaming = true

How can I fix that?
Add another lookup command:

| lookup OS_Outdated.csv OperatingSystems as OS BuildNumber Version OUTPUT Outdated
Hi @SN1

How about

index=endpoint_defender source="AdvancedHunting-DeviceInfo"
| rex field=DeviceName "(?<DeviceName>\w{3}-\w{1,})."
| eval DeviceName=upper(DeviceName)
| lookup snow_os.csv DeviceName output OS BuildNumber Version
| lookup os_version_status.csv OS BuildNumber Version OUTPUT Outdated
| table DeviceName OS BuildNumber Version Outdated
Hello. So I want to make a search. I am using

index=endpoint_defender source="AdvancedHunting-DeviceInfo"
| rex field=DeviceName "(?<DeviceName>\w{3}-\w{1,})."
| eval DeviceName=upper(DeviceName)

This gives me device names. Now

| lookup snow_os.csv DeviceName output OS BuildNumber Version

From this lookup I am comparing device names and as output I am getting OS BuildNumber Version. And from these fields I want to compare them to this lookup to get whether this Operating System is outdated or not. How can I do this?
more than 10 years later, and this is still helping people.  Thanks Martin!
This seems to work in GUI.

| makeresults
| eval data="D,2,,200,00,8842,,USA,,1989,,2,320301120086,,,,,19899717024,,,320335100002,,,,,:,,,0,0,0,S,00000000,0,0.0,19899717024,104129,,,0,,,,,"
| rex mode=sed field=data "s/,,/,Null,/g"
| rex mode=sed field=data "s/,,/,Null,/g"
| rex mode=sed field=data "s/^,/Null,/g"
| rex mode=sed field=data "s/,$/,Null/g"
| table data

I don't know the exact reason why this is needed twice:

| rex mode=sed field=data "s/,,/,Null,/g"

Somehow it's related to always handling two continuous characters, and this is the reason why it needs to run twice. These two lines are needed to manage the 1st and last pairs (,Null and Null,) correctly.

| rex mode=sed field=data "s/^,/Null,/g"
| rex mode=sed field=data "s/,$/,Null/g"

I think that you could add a new transforms.conf for index time changes based on the above?
solution:

SEDCMD-replaceblanks1 = s/,,/,-,/g
SEDCMD-replaceblanks2 = s/,,/,-,/g
SEDCMD-replaceblanks3 = s/,,/,-,/g
SEDCMD-replaceblanks4 = s/,,/,-,/g
SEDCMD-replaceblanks5 = s/,,/,-,/g
SEDCMD-replaceblanks6 = s/,,/,-,/g
SEDCMD-replaceblanks7 = s/,,/,-,/g
SEDCMD-replaceblanks8 = s/,,/,-,/g
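The repeated `s/,,/,Null,/g` in the rex mode=sed reply and the eight chained SEDCMD lines in this one behave the way they do because a global replace never overlaps its own matches, so every other empty field in a run survives the first pass. The following is an added example, not code from this thread or from Splunk: it reproduces that behaviour in Python on the row quoted in the thread, shows that a second pass is always enough whatever the run length, and contrasts a single-pass zero-width pattern; the function names are chosen here.

```python
import re

# Row quoted in the thread; consecutive commas mark empty CSV fields.
ROW = ("D,2,,200,00,8842,,USA,,1989,,2,320301120086,,,,,19899717024,,,"
       "320335100002,,,,,:,,,0,0,0,S,00000000,0,0.0,19899717024,104129,,,0,,,,,")


def sed_pass(value, filler="Null"):
    """One 's/,,/,Null,/g' pass, as rex mode=sed or SEDCMD applies it.

    Matches never overlap: in ',,,' only the first ',,' is rewritten, so the
    second empty field keeps its bare ',,' until another pass runs.
    """
    return re.sub(",,", f",{filler},", value)


def fill_until_stable(value, filler="Null", max_passes=10):
    """Repeat the pass until no ',,' is left; return (row, passes used).

    After pass 1 every surviving ',,' is separated from the next one by a
    filler, so pass 2 catches them all: two passes suffice for any run length.
    """
    passes = 0
    while ",," in value and passes < max_passes:
        value = sed_pass(value, filler)
        passes += 1
    # The two anchored lines from the reply handle a leading/trailing empty field.
    value = re.sub(r"^,", f"{filler},", value)
    value = re.sub(r",$", f",{filler}", value)
    return value, passes


def fill_single_pass(value, filler="Null"):
    """Same result in one pass: a zero-width match between two commas (or at a
    string edge next to a comma) consumes no comma, so no pair is skipped."""
    return re.sub(r"(?<=,)(?=,)|^(?=,)|(?<=,)$", filler, value)


def empty_fields_filled(row, filled, filler="Null"):
    """True when each empty field, and only those, became the filler."""
    return filled.split(",") == [f or filler for f in row.split(",")]


if __name__ == "__main__":
    stable, passes = fill_until_stable(ROW)
    print(passes, stable == fill_single_pass(ROW))
```

Two passes are enough for any row, which is why the GUI version needs exactly two `s/,,/,Null,/g` lines and extra SEDCMD copies beyond the second are harmless but unnecessary.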
Most of the answers I've seen to questions like this seem to focus on the idea of reviewing essentially all of your searches and then optimizing all of your searches. While that may be good practice, it also doesn't necessarily address the actual problem, because it doesn't help you to identify the one or two searches that are specifically causing the health monitor to become red. Recently, when I ran into this issue, I used this search to find the specific offending searches and then fix them, deactivating the alert.

index=_internal sourcetype=scheduler "Scheduler Health Report recording a extremely lagged search"
This is a good point. After thinking about it, this question probably means how to get a list into a dashboard of which nodes have an OS which didn't contain all the latest patches etc.? Can you @SN1 confirm what you mean by "outdated OS"?
Hello @somesoni2,

Thank you for this approach. But it works only when we have one empty value in a row; if not, it looks like it doesn't replace every value properly. Example:

D,2,,200,00,8842,,USA,,1989,,2,320301120086,,,,,19899717024,,,320335100002,,,,,:,,,0,0,0,S,00000000,0,0.0,19899717024,104129,,,0,,,,,

Could you please suggest a solution.