Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
03-05-2024
03:30 PM
Standard SPL doesn't have a curl command. You should ask the developer who developed the app that gives you curl, or consult its manual to find out the correct syntax and any limitations it may have...
See more...
Standard SPL doesn't have a curl command. You should ask the developer who developed the app that gives you curl, or consult its manual to find out the correct syntax and any limitations it may have. (Given that "Apps and Add-ons" forum is gone from this board, Splunk Dev might be a successor.) Also, you talk about "dynamic url" as if it is a Splunk feature. It is not. Maybe you can illustrate your SPL snippet so volunteers can understand precisely what you are referring to?
03-05-2024
03:24 PM
You are correct that join is slow and easily hits limit. But how is stats with coalesce not actually connecting the events / data together? What exactly do you get? Given that your mock code uses ...
See more...
You are correct that join is slow and easily hits limit. But how is stats with coalesce not actually connecting the events / data together? What exactly do you get? Given that your mock code uses mock field names, are you sure you typed field names correctly in coalesce and group by? What is the output from the following test? index=index_1
(sourcetype=source_1 field_D="Device" field_E=*Down* OR field_E=*Up*) OR (source="source_2" earliest=-30d@d latest=@m)
| eval field_AB=coalesce(field_A, field_B)
| where isnotnull(field_AB)
| table _time source field_AB If field_A exists in every event from source_1 and likewise field_B in source_2, the test should list every event from both sources. Do you get that? If all spellings are correct, you can rename your actual field names to field_A, field_B, etc., then post sample data from the two sources (anonymize as needed) so volunteers will have a basis to help in concrete ways. This is a long way to say that stats with coalesce is the correct code.
03-05-2024
03:07 PM
1 Karma
Again, thank you for including data emulation in problem presentation. I tried to be more semantic but the syntax got more and more tangled. So this time, I will just use string manipulation. |...
See more...
Again, thank you for including data emulation in problem presentation. I tried to be more semantic but the syntax got more and more tangled. So this time, I will just use string manipulation. | timechart span=1w@w first(MathGrade) as MathGrade, first(EnglishGrade) as EnglishGrade, first(ScienceGrade) as ScienceGrade by Student useother=f limit=0
| eval _time = strftime(_time,"%m/%d/%Y")
| fields - _span _spandays
| transpose 0 header_field=_time column_name=Grade
| eval Grade = split(Grade, ": ")
| eval Student = mvindex(Grade, 1), Grade = mvindex(Grade, 0)
| table Student Grade *
| sort Student Here, I included snap-to @w which you asked about in the other question. Your emulated data gives Student Grade 02/04/2024 02/11/2024 02/18/2024 02/25/2024 Student1 EnglishGrade 10 6 10 7 Student1 MathGrade 10 6 10 7 Student1 ScienceGrade 10 6 10 7 Student2 EnglishGrade 9 8 9 6 Student2 MathGrade 9 8 9 6 Student2 ScienceGrade 9 8 9 6 Hope this helps.
03-05-2024
02:16 PM
1 Karma
First, thank you for including data emulation in the question. There are two aspects that Splunk chooses to address separately. First is calendar time anchor. (I think Splunk calls this "snap-to"; ...
See more...
First, thank you for including data emulation in the question. There are two aspects that Splunk chooses to address separately. First is calendar time anchor. (I think Splunk calls this "snap-to"; see Date and time format variables.) If you use @w with the span attribute, timechart will snap to beginning of the week, which is deemed to be start of Sunday on CE calendar, whichever timezone the search head uses. For example, using your emulation with | timechart span=1w@w first(MathGrade) by Student useother=f limit=0 gives _time Student1 Student2 2024-02-04 10 9 2024-02-11 6 8 2024-02-18 10 9 2024-02-25 7 6 Now, your ask is to begin a week on an arbitrary day. Given timechart doesn't support this, the hack is to shift time back and forth. For example, 02/09/2024 is a Friday, or day 5 in Splunk's dow count. | eval _time = relative_time(_time, "-5d@d")
| timechart span=1w@w first(MathGrade) by Student useother=f limit=0
| eval _time = relative_time(_time, "+5d@d") Using the same emulation, the above gives _time Student1 Student2 2024-02-02 10 9 2024-02-09 8 6 2024-02-16 9 8 2024-02-23 5 9 Hope this helps.
- Tags:
- relative_time
- snap-to
03-05-2024
02:15 PM
How about something like this | makeresults
| eval start= strptime("02-01-2024", "%m-%d-%Y")
| eval today=now()
| eval time_difference=floor((today-start)/(60*60*24))
| eval mod_val=time_differe...
See more...
How about something like this | makeresults
| eval start= strptime("02-01-2024", "%m-%d-%Y")
| eval today=now()
| eval time_difference=floor((today-start)/(60*60*24))
| eval mod_val=time_difference % 28
| eval days_to_patch=28-mod_val
03-05-2024
01:55 PM
I can't quiet tell what is the input data and how Splunk is splitting. Do you want separate events for each time you have Feb 13 etc? If so provide a props for your indexers to say that the event st...
See more...
I can't quiet tell what is the input data and how Splunk is splitting. Do you want separate events for each time you have Feb 13 etc? If so provide a props for your indexers to say that the event starts with the date at the beginning of the line etc.
03-05-2024
01:49 PM
Hello, I have a set of Grade (Math, English, Science) data for Student1 and Student2 from 2/8/2024 to 3/1/2024 How to display timechart multivalues without colon? The complete search is down ...
See more...
Hello, I have a set of Grade (Math, English, Science) data for Student1 and Student2 from 2/8/2024 to 3/1/2024 How to display timechart multivalues without colon? The complete search is down below. Thank you so much for your help. This is the result with colon Is it possible to display the data like the following? Should I parse the data to get the display like below or is there a better way to do this? Student Grades 2/8/2024 2/15/2024 2/22/2024 2/29/2024 Student1 EnglishGrade 10 7 7 10 Student1 MathGrade 10 7 7 10 Student1 ScienceGrade 10 7 7 10 Student2 EnglishGrade 9 6 7 9 Student2 MathGrade 9 6 7 9 Student2 ScienceGrade 9 6 7 9 Here's the search | makeresults format=csv data="_time,Student,MathGrade,EnglishGrade,ScienceGrade
1707368400,Student1,10,10,10
1707454800,Student1,9,9,9
1707541200,Student1,8,8,8
1707627600,Student1,7,7,7
1707714000,Student1,6,6,6
1707800400,Student1,5,5,5
1707886800,Student1,6,6,6
1707973200,Student1,7,7,7
1708059600,Student1,8,8,8
1708146000,Student1,9,9,9
1708232400,Student1,10,10,10
1708318800,Student1,10,10,10
1708405200,Student1,9,9,9
1708491600,Student1,8,8,8
1708578000,Student1,7,7,7
1708664400,Student1,6,6,6
1708750800,Student1,5,5,5
1708837200,Student1,6,6,6
1708923600,Student1,7,7,7
1709010000,Student1,8,8,8
1709096400,Student1,9,9,9
1709182800,Student1,10,10,10
1709269200,Student1,10,10,10
1707368400,Student2,9,9,9
1707454800,Student2,5,5,5
1707541200,Student2,6,6,6
1707627600,Student2,7,7,7
1707714000,Student2,8,8,8
1707800400,Student2,9,9,9
1707886800,Student2,5,5,5
1707973200,Student2,6,6,6
1708059600,Student2,7,7,7
1708146000,Student2,8,8,8
1708232400,Student2,9,9,9
1708318800,Student2,9,9,9
1708405200,Student2,5,5,5
1708491600,Student2,6,6,6
1708578000,Student2,7,7,7
1708664400,Student2,8,8,8
1708750800,Student2,9,9,9
1708837200,Student2,5,5,5
1708923600,Student2,6,6,6
1709010000,Student2,7,7,7
1709096400,Student2,8,8,8
1709182800,Student2,9,9,9
1709269200,Student2,9,9,9"
| table _time, Student, MathGrade, EnglishGrade, ScienceGrade
| timechart span=1w first(MathGrade) as MathGrade, first(EnglishGrade) as EnglishGrade, first(ScienceGrade) as ScienceGrade by Student useother=f limit=0
| eval _time = strftime(_time,"%m/%d/%Y")
| fields - _span _spandays
| transpose 0 header_field=_time column_name=Grades
03-05-2024
01:40 PM
Not yet no
03-05-2024
01:39 PM
Hi so how is are the events being split by Splunk? And do you have any props to tell splunk how to split the events?
03-05-2024
01:38 PM
@burwell wrote: Hi so what's the patching schedule? Every 28 days starting in Feb 1? Sorry, yes. Every 28 days starting Feb 1.
03-05-2024
01:36 PM
Hi so what's the patching schedule? Every 28 days starting in Feb 1?
03-05-2024
01:23 PM
Hello everyone, I am trying to use Splunk to create an ongoing patching countdown that will be Single Value (Days Until Patch) on my Dashboard. How can I go about accomplishing this? I was able to ca...
See more...
Hello everyone, I am trying to use Splunk to create an ongoing patching countdown that will be Single Value (Days Until Patch) on my Dashboard. How can I go about accomplishing this? I was able to calculate 1 patch cycle, but I am not sure how to get it to recalculate for every month. Right now for example, it is telling me the next patch date is 2/29/2024. Hoping someone already has a solution built out. Thank you for any assistance!
This is what I have so far:
| makeresults
| eval start= strptime("02-01-2024", "%m-%d-%Y")
| eval startStr=strftime(start, "%D")
| eval PatchDate = relative_time(start ,"+28d")
| eval PatchDateString= strftime(PatchDate, "%D")
| eval PriorPatchDate = relative_time(start ,"-28d")
| eval PriorPatchDateString = strftime(PriorPatchDate, "%D")
| eval daysCountD= strftime(PatchDate - now(), "%d")
| table daysCountD PriorPatchDateString PatchDateString
Labels
- Labels:
-
Dashboard Studio
03-05-2024
01:19 PM
I am trying to run the following search: index=tripwire LogCategory="Audit Event" AND "/etc/pki/rpm-gpg/RPM-GPG-KEY-shibboleth-7" AND "myserver.mydomain.com" | rex max_match=0 field=_raw "(?<li...
See more...
I am trying to run the following search: index=tripwire LogCategory="Audit Event" AND "/etc/pki/rpm-gpg/RPM-GPG-KEY-shibboleth-7" AND "myserver.mydomain.com" | rex max_match=0 field=_raw "(?<lineData>[^\n]+)" | rex field=Msg "'(?<FilePath>.*)' accessed by" | rex field=_raw "accessed\sby\s'(?<Audit_UserName>.*)'.\sType" | table _time, FilePath, Audit_UserName However, the way I am splitting the multiline data doesn't appear to be working with this data. Here is a sample of the data as viewed in Notepad++ with symbols; Every line ends in CR LF However, in Splunk it isn't splitting up the events. What am I missing here? I have had this work with similar data but unsure what is different in this situation. TIA!
Labels
- Labels:
-
field extraction
03-05-2024
01:18 PM
HOw to retrieve NPA and NXX from CNAC.ca using splunk query.
Labels
- Labels:
-
lookup
03-05-2024
01:05 PM
When a lookup is updated via | outputlookup, does that change the modified time? For example - search for a lookup or kvstore name and see the SPL that gives overall usage, then have the option to ...
See more...
When a lookup is updated via | outputlookup, does that change the modified time? For example - search for a lookup or kvstore name and see the SPL that gives overall usage, then have the option to filter to only those SPL searches that have an outputlookup that modify the file. index=abc sourcetype=xyz | stats count | outputlookup append=true newlookup.csv How can i track whether outputlokkup file is updated or not using _internal or _audit index. Pleae suggest the splunk query to get the status
Labels
03-05-2024
12:55 PM
Thanks Kiran, i will test it .
03-05-2024
12:48 PM
Using the DECRYPT2 app, I have a search that uses the decrypt command to decode a encoded string. It returns results as a table just fine. I created a email alert using this search but the email aler...
See more...
Using the DECRYPT2 app, I have a search that uses the decrypt command to decode a encoded string. It returns results as a table just fine. I created a email alert using this search but the email alert fails to trigger unless I remove the decrypted field from the table. I would like the email alert to be sent which includes the decoded value from the decrypted field. Anyone might know what the issue is?
Labels
- Labels:
-
fields
03-05-2024
12:31 PM
I have a search query S1 which gives me a result X with numeric values (203, 204, 205) and I am able to populate this in a table. Now I want to bind this number with a url to create a dynamic url s...
See more...
I have a search query S1 which gives me a result X with numeric values (203, 204, 205) and I am able to populate this in a table. Now I want to bind this number with a url to create a dynamic url specific to that number. For example URL is https://cnac.ca/data/json/npas.json and from S1 query i get the result value as 203, I want to create URL : https://cnac.ca/data/json/npa203.json and want to hit this to get the response back to get the required data. For this I am using curl command, but when I try to create a dynamic URL and pass it in curl command it doesn't accept it. Please suggest.
03-05-2024
12:14 PM
Hello, How to use specific start date in weekly timechart? For example: I have a set of Grade (Math, English, Science) data for Student1 and Student2 from 2/8/2024 to 3/1/2024 When I use time...
See more...
Hello, How to use specific start date in weekly timechart? For example: I have a set of Grade (Math, English, Science) data for Student1 and Student2 from 2/8/2024 to 3/1/2024 When I use timechart weekly, it always starts with 02/08/2024. | timechart span=1w first(MathGrade) by Student useother=f limit=0 How do I start from other date, such as 02/09/2024 or 02/10/2024? Thank you for your help Here's the search | makeresults format=csv data="_time,Student,MathGrade,EnglishGrade,ScienceGrade
1707368400,Student1,10,10,10
1707454800,Student1,9,9,9
1707541200,Student1,8,8,8
1707627600,Student1,7,7,7
1707714000,Student1,6,6,6
1707800400,Student1,5,5,5
1707886800,Student1,6,6,6
1707973200,Student1,7,7,7
1708059600,Student1,8,8,8
1708146000,Student1,9,9,9
1708232400,Student1,10,10,10
1708318800,Student1,10,10,10
1708405200,Student1,9,9,9
1708491600,Student1,8,8,8
1708578000,Student1,7,7,7
1708664400,Student1,6,6,6
1708750800,Student1,5,5,5
1708837200,Student1,6,6,6
1708923600,Student1,7,7,7
1709010000,Student1,8,8,8
1709096400,Student1,9,9,9
1709182800,Student1,10,10,10
1709269200,Student1,10,10,10
1707368400,Student2,9,9,9
1707454800,Student2,5,5,5
1707541200,Student2,6,6,6
1707627600,Student2,7,7,7
1707714000,Student2,8,8,8
1707800400,Student2,9,9,9
1707886800,Student2,5,5,5
1707973200,Student2,6,6,6
1708059600,Student2,7,7,7
1708146000,Student2,8,8,8
1708232400,Student2,9,9,9
1708318800,Student2,9,9,9
1708405200,Student2,5,5,5
1708491600,Student2,6,6,6
1708578000,Student2,7,7,7
1708664400,Student2,8,8,8
1708750800,Student2,9,9,9
1708837200,Student2,5,5,5
1708923600,Student2,6,6,6
1709010000,Student2,7,7,7
1709096400,Student2,8,8,8
1709182800,Student2,9,9,9
1709269200,Student2,9,9,9"
| table _time, Student, MathGrade, EnglishGrade, ScienceGrade
| timechart span=1w first(MathGrade) by Student useother=f limit=0
Labels
- Labels:
-
timechart
03-05-2024
12:14 PM
Here is my current rex command - EventCode=1004
| rex field=_raw "Files: (?<Media_Source>.+?\.txt)"
| table Media_Source My source data looks like this - Files: C:\ProgramDa...
See more...
Here is my current rex command - EventCode=1004
| rex field=_raw "Files: (?<Media_Source>.+?\.txt)"
| table Media_Source My source data looks like this - Files: C:\ProgramData\Roxio Log Files\Test.test_user_20240305122549.txt SHA1: 73b710056457bd9bda5fee22bb2a2ada8aa9f3e0 My current rex result is - C:\ProgramData\Roxio Log Files\Test.test_user_20240305122549.txt How do I make it - Test.test_user_20240305122549.txt Im trying to drop - C:\ProgramData\Roxio Log Files\
