All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

All Posts

Re: Create custom fields at indextime on Heavy Forwarders

by SplunkTrust in Getting Data In
‎02-29-2024 03:46 PM
1 Karma
‎02-29-2024 03:46 PM
1 Karma
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf#KEYS: SOURCE_KEY = MetaData:Source BTW, you don't need fields.conf on the HF. You need it on SH.

Re: Authentication.conf files

by SplunkTrust in Security
‎02-29-2024 03:41 PM
‎02-29-2024 03:41 PM
There is no posibility that you have two identically named files in one directory. Maybe one has a typo in its name, maybe the case of the letters in the name is wrong. We don't know but check again.... See more...
There is no posibility that you have two identically named files in one directory. Maybe one has a typo in its name, maybe the case of the letters in the name is wrong. We don't know but check again. (Hint - wrong named file won't be used and values in it won't get encrypted on first read).

Re: How to get events that have only a starting 'string' with no ending 'string' ?

by SplunkTrust in Splunk Search
‎02-29-2024 03:36 PM
1 Karma
‎02-29-2024 03:36 PM
1 Karma
Yep. You're overthinking it a bit. Either you have a field containing the job state (Starting/Completed) or you can create one by | eval state=case(searchmatch("Starting",_raw),"Starting",searchmatc... See more...
Yep. You're overthinking it a bit. Either you have a field containing the job state (Starting/Completed) or you can create one by | eval state=case(searchmatch("Starting",_raw),"Starting",searchmatch("Completed"),"Completed",1=1,null()) Then you need to check the state for each separate job | stats values(state) as states by whatever_id_you_have_for_each_job (If you want to retain the jobname, which I assume is a more general clasifier than a single job identifier, add values(aJobName) to that stats command. Then you can filter to see only non-finished jobs by | where NOT states="Completed" Keep in mind that matching multivalued fields can be a bit unintuitive at first.

Re: join two indexes based on the date and the hour and try to match inside of minute

by SplunkTrust in Splunk Search
‎02-29-2024 03:27 PM
‎02-29-2024 03:27 PM
You can try to align the _time field with bin command and then match events by exactly the same value of that field (you can leave the original value for reference of course). Or you can use the tra... See more...
You can try to align the _time field with bin command and then match events by exactly the same value of that field (you can leave the original value for reference of course). Or you can use the transaction command (generally, transaction should be avoided since it's relatively resource intensive and has its limitations but sometimes it's the only reasonable solution).

Re: difference between pipe summaryindex and collect

by SplunkTrust in Splunk Search
‎02-29-2024 03:23 PM
3 Karma
‎02-29-2024 03:23 PM
3 Karma
@kiran_panchavatPlease stop spreading misinformation (especially created by generative language models). The summaryindex command is an alias for the collect command. There is absolutely no differen... See more...
@kiran_panchavatPlease stop spreading misinformation (especially created by generative language models). The summaryindex command is an alias for the collect command. There is absolutely no difference in behaviour of those two commands since they're the same command which can be called with either name. This is just my speculation but I suspect the command was originally called summaryindex because it was meant to collect data for summary indexing but was later "generalized" to the "collect" name which is the current command name in docs and the "summaryindex" command name was retained for backward compatibility reasons.

Re: Graph the difference between the totals of 2 search calculations

by in Splunk Search
‎02-29-2024 03:20 PM
‎02-29-2024 03:20 PM
Thanks, I would appreciate it  if you stepped back from this : I will see if anyone else in the community has an idea / understands what I am saying   Have a great day Rick

How to get events that have only a starting 'string' with no ending 'string' ?

by in Splunk Search
‎02-29-2024 03:19 PM
‎02-29-2024 03:19 PM
What I am trying to write is some SPL code that will identify log events that only have a "Starting" event with no "Completed" event.  By a specific Job Name extracted from each log event that are in... See more...
What I am trying to write is some SPL code that will identify log events that only have a "Starting" event with no "Completed" event.  By a specific Job Name extracted from each log event that are in the same index & sourcetype ? A Job is still 'running' if it only has a "Start" event with no "Completed" event. If my starting query is: index=anIndex sourcetype=aSourcetype (jobName1 OR jobName2 OR jobName3) AND "Starting" | rex field=_raw "Batch::(?<aJobName1>[^\s]*)" | stats count AS aCount1 by aJobName1 Then I only want to keep log events that have no "Completed" event from the same index and sourcetype: index=anIndex sourcetype=aSourcetype (jobName1 OR jobName2 OR jobName3) AND "Completed" | rex field=_raw "Batch::(?<aJobName2>[^\s]*)" | stats count AS aCount2 by aJobName2 I have tried using: where isnull(aCount2) but I used appendcols but stats is removing _raw data ? for the rest of my code... How would I go about just getting those log events (_raw) for jobs that are only "Started" I might be overthinking this but am struggling...
Labels

Re: Graph the difference between the totals of 2 search calculations

by SplunkTrust in Splunk Search
‎02-29-2024 03:14 PM
‎02-29-2024 03:14 PM
Ok, have it your way - don't give more details. Have two values and chart them across time. What do you want to chart? The same value through whole time period? Be my guest. It makes no sense but you... See more...
Ok, have it your way - don't give more details. Have two values and chart them across time. What do you want to chart? The same value through whole time period? Be my guest. It makes no sense but you apparently know better. But then again - why asking for help in the first place?

Re: How to migrate a distributed, clustered Splunk (9.0.4.1) deployment from OS RHEL 7 to new servers RHEL 9?

by SplunkTrust in Splunk Enterprise
‎02-29-2024 03:11 PM
‎02-29-2024 03:11 PM
Well... there are two possible approaches to migration of such environment. First is as you want to do it - swap "one for one" leaving the same addresses, names and so on. You might get away with mo... See more...
Well... there are two possible approaches to migration of such environment. First is as you want to do it - swap "one for one" leaving the same addresses, names and so on. You might get away with moving whole splunk installation from one server to another and pretending nothing changed but that might be tricky depending on your data layout and - you don't have much room for error - you replace the machine and it must be working perfectly OK. Otherwise it's very hard to diagnose/fix. Another way, at least with some components (clustered indexers, clustered search heads, possibly HFs) would be to deploy new component, add it to environment, migrate data if applicable, decomission old one.

Re: Graph the difference between the totals of 2 search calculations

by in Splunk Search
‎02-29-2024 03:06 PM
‎02-29-2024 03:06 PM
I do not believe you need to know about the specifics of the search .. I have 2 searches returning numerical values as per the stats command this could be any search on any data, I am subtracting one... See more...
I do not believe you need to know about the specifics of the search .. I have 2 searches returning numerical values as per the stats command this could be any search on any data, I am subtracting one from the other and want to graph that value against time. 

Re: Graph the difference between the totals of 2 search calculations

by SplunkTrust in Splunk Search
‎02-29-2024 03:02 PM
‎02-29-2024 03:02 PM
But your search shows just two data points. Without more details on your data it's impossible to help you.

Re: Add associated domain to values of dest_ip

by SplunkTrust in Splunk Search
‎02-29-2024 03:00 PM
1 Karma
‎02-29-2024 03:00 PM
1 Karma
Yes. That's how it works - values(whatever) creates just one so-called multivalued field with a list of possible values of given field. The fild is a "standalone being" - if you have two multivalued ... See more...
Yes. That's how it works - values(whatever) creates just one so-called multivalued field with a list of possible values of given field. The fild is a "standalone being" - if you have two multivalued fields, they are not connected with each other in any way. You need to either combine both values prior to statsing | eval destipdomain =dest_ip.":"dest_domain | stats values(destipdomain) by src_ip Then if you need  you'll have to split the value by the colon character. Alternative approach would be to stats by more fields. | stats values(dest_domain) by src_ip dest_ip  

Re: Graph the difference between the totals of 2 search calculations

by in Splunk Search
‎02-29-2024 02:27 PM
‎02-29-2024 02:27 PM
Timechart the difference against time...  The specific use case is in itself around logging I have a third party SaaS provider send logs to our GCP SPLUNK over the internet, issue is they are intermi... See more...
Timechart the difference against time...  The specific use case is in itself around logging I have a third party SaaS provider send logs to our GCP SPLUNK over the internet, issue is they are intermittently and significantly duplicating individual log entries due to something in the way they are forwarding so I want to chart this to have an artefact I can point at for analysis.

Re: Graph the difference between the totals of 2 search calculations

by SplunkTrust in Splunk Search
‎02-29-2024 02:17 PM
‎02-29-2024 02:17 PM
What would you want to timechart here as you have only two values? This makes no sense.

Re: EWS for O365 SOAR app. Message Id error.

by in All Apps and Add-ons
‎02-29-2024 02:00 PM
‎02-29-2024 02:00 PM
How did you go with this? I'm facing the same issue.

Replication Bundle

by in Splunk Cloud Platform
‎02-29-2024 01:54 PM
‎02-29-2024 01:54 PM
How do I fix replication bundle on Splunk Cloud SH?
Labels

Re: ClassNotFoundException: com.appdynamics.apm.appagent.api.NoOpInvocationHandler

by Community Manager in Splunk AppDynamics
‎02-29-2024 01:40 PM
‎02-29-2024 01:40 PM
Hi @Priyaranjan.Behera, I did some searching and I found this info, but I don't think it's related to your issue, but wanted to share just in case. javaagent should be instrumented to the local ... See more...
Hi @Priyaranjan.Behera, I did some searching and I found this info, but I don't think it's related to your issue, but wanted to share just in case. javaagent should be instrumented to the local Java application along with the java agent API. Since you didn't instrument the java process with the Java agent, you are getting that exception. So, can you please try to instrument the java process with the javaagent along with the javaagent API and see how it goes?

Re: Controller Tenants token is not available in 15-days free trail

by Community Manager in Splunk AppDynamics
‎02-29-2024 01:21 PM
‎02-29-2024 01:21 PM
Hi @Taj.Hassan  I'm going to be sending you a Community Private Message to ask for some sensitive info. Please respond there. 

Graph the difference between the totals of 2 search calculations

by in Splunk Search
‎02-29-2024 12:47 PM
‎02-29-2024 12:47 PM
Dear SPLUNKos I need to create a time chart as per the below Run one “grand total” search Run second search which is a dedup of the first search. Subtract the difference and timechart only the d... See more...
Dear SPLUNKos I need to create a time chart as per the below Run one “grand total” search Run second search which is a dedup of the first search. Subtract the difference and timechart only the difference. I have got to the point below which gives me a table of data but I cannot get this to chart : Mr SPLUNK in my organisation tells me this cannot be done which is  borne out by the documentation on the timechart command which indicates it can only reference field data not calculated data . Is there a way? <SEARCH-GRANDTOTAL> | stats count as Grandtotal | appendcols [ <SEARCH-2> | stats count as TotalDeDup ] | eval diff= Grandtotal - TotalDeDup
Labels

Add associated domain to values of dest_ip

by in Splunk Search
‎02-29-2024 12:37 PM
‎02-29-2024 12:37 PM
I have a query that gets a list of destination ips per source ip. I also want to add a column for the associated domain name per destination ip. The query I have to get destination ips per source ip ... See more...
I have a query that gets a list of destination ips per source ip. I also want to add a column for the associated domain name per destination ip. The query I have to get destination ips per source ip is:      index=network | stats values(dest_ip) by src_ip     I am not wanting to use eval to combine the values of dest_ip and domain into one field, and I tried mvappend but I am unable to achieve the result I want.  I tried |stats values(dest_ip) values(domain) by src_ip, but the dest_ip and domain columns appear to be independent of each other. What I am looking for is below:  src_ip domain_ips domain I just need the domain name to be "connected" with the domain_ip
Labels