@RedMug Kindly follow this documentation and try to install the app from the CLI: "Install Splunk IT Essentials Work on a single on-premises instance" (Splunk Documentation) and "Troubleshooting compatibility issues between components or apps in Splunk Enterprise" (Splunk Lantern).
In that case, it should work. Please share your search, in case there is something else stopping it from working.
Each ClientName is in a separate row
Can you use the above REST query for a KV store lookup also?
I am new to Splunk so I don't know from where to start.
Hello @gcusello... I am not aware... I am new to Splunk... I got this environment a few days back and am trying to work on my manager's requirements... Please share steps or links for Add-On installation.
You could try searching the _audit index for searches which include outputlookup (assuming that this was used to update the lookup)
What do you mean by 3rd or 4th entry? Are you using multi-value fields, or are the entries all on separate rows in the lookup file?
@gcusello Please find the exact query.

index="Test" applicationName="sapi" timestamp log.map.correlationId level message ("Ondemand Started*" OR "Process started*")
| rex field=message max_match=0 "\"Ondemand Started for. filename: (?<OnDemandFileName>[^\n]\w+\S+)"
| rex field=message max_match=0 "Process started for (?<FileName>[^\n]+)"
| eval OnDemandFileName=rtrim(OnDemandFileName, "Job")
| eval "FileName/JobName"=coalesce(OnDemandFileName, FileName)
| rename timestamp as Timestamp log.map.correlationId as CorrelationId level as Level message as Message
| eval JobType=case(like('Message', "%Ondemand Started%"), "OnDemand", like('Message', "Process started%"), "Scheduled", true(), "Unknown")
| eval Message=trim(Message, "\"")
| table Timestamp CorrelationId Level JobType "FileName/JobName" Message
| join CorrelationId type=left [search index="Test" applicationName="sapi" level=ERROR | rename log.map.correlationId as CorrelationId level as Level message as Message1 | dedup CorrelationId | table CorrelationId Level Message1]
| table Timestamp CorrelationId Level JobType "FileName/JobName" Message1
| join CorrelationId type=left [search index="Test" applicationName="sapi" message="*file archived successfully *" | rex field=message max_match=0 "\"Concur file archived successfully for file name: (?<ArchivedFileName>[^\n]\w+\S+)" | eval ArchivedFileName=rtrim(ArchivedFileName, "\"") | rename log.map.correlationId as CorrelationId | table CorrelationId ArchivedFileName]
| table Timestamp CorrelationId Level JobType "FileName/JobName" ArchivedFileName Message1
| join CorrelationId type=left [search index="Test" applicationName="sapi" (log.map.processorPath=ExpenseExtractProcessingtoOracle* AND (" Import*" OR "APL Import*")) | rename timestamp as Timestamp1 log.map.correlationId as CorrelationId level as Level message as Message | eval Status=case(like('Message', "%GL Import flow%"), "SUCCESS", like('Message', "%APL Import flow%"), "SUCCESS", like('Level', "%Exception%"), "ERROR") | rename Message as Response | table Timestamp1 CorrelationId Status Response]
| eval Status=if(Level="ERROR", "ERROR", Status)
| eval StartTime=round(strptime(Timestamp, "%Y-%m-%dT%H:%M:%S.%QZ"))
| eval EndTime=round(strptime(Timestamp1, "%Y-%m-%dT%H:%M:%S.%QZ"))
| eval ElapsedTimeInSecs=EndTime-StartTime
| eval "Total Elapsed Time"=strftime(ElapsedTimeInSecs, "%H:%M:%S")
| eval Response=coalesce(Response, Message1)
| table Status CorrelationId ArchivedFileName
| table Timestamp CorrelationId Level JobType "FileName/JobName" ArchivedFileName
| search Status=*
| stats count by JobType
I was a bit too quick in accepting your Answer as Solution. Now it seems that the search is looking just for the first ClientName in the lookup file and ignoring all the rest. If I put the ClientName that I am sure will be in the event log as the first entry, it works. When I put the ClientName as the 3rd or 4th entry in the column, it doesn't find the event.
Hi all, I have one lookup which had around 1000 entries; recently someone updated the lookup and all entries got deleted. How can I know who updated the lookup?
Where is the data you want to analyse? Have you already ingested it into Splunk?
Hi @jatin, have you installed the SA-LDAPSearch Add-On? Ciao. Giuseppe
Do you already have the events ingested into Splunk? If not, start by adding the data.
Hello experts... I need help... I want to fetch disabled AD account users... Can someone share a Splunk query for the same?
Please share some sample (anonymised) events