All Posts

I also tried this for my search: source="WinEventLog:Application" OR WinEventLog:Security EventCode=* user=*   I received this message: No results found. Try expanding the time range.
Sharing is specified in default.meta rather than in .conf files. To make a search global, use settings like these:

[savedsearches/<<URL-encoded search name>>]
export = system
Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: "index-name">source. The search job has failed due to an error. You may be able to view the job in the
Thanks for the help!  Do you have an example of what it looks like to share a search globally? I've read lots of forum posts and Splunk Docs but haven't gotten a clear answer on how to configure this in the .conf file.
I'm trying to make it so any search on my KV store will be filterable by the timepicker. So if I were to search |inputlookup {collection_name} I would get back all the entries from my collection based on the selected time range.  Are you saying that since it's a KV store I'll need to include time constraints in each query to make this work? 
I really appreciate the suggestion. You do seem to get what I'm after, though the mvcount(indexes) returned no results. It seems so simple to me conceptually, but I'm finding it very frustrating to try and wrap my head around "how Splunk does it". I'm trying to include just the InstanceIds seen in both indexes while keeping the rest of the values from ResourceId in index=main. Index=main contains many different values in ResourceId (some of which are instance IDs). Index=other has a field called InstanceId.

This works, but I am not sure how to filter the MV index results (where mvcount(index)=2 did not work):

(index=main ResourceId=i-*) OR (index=other type=instance earliest=-2h) | eval InstanceId=coalesce(ResourceId, InstanceId) | stats values(index) as index by InstanceId

I've tried to use if/match, which sounds like it is exactly what I need, but it looks like you can't specify dynamic values for the match.

(index=main ResourceId=i-*) OR (index=other type=instance earliest=-2h) | eval InstanceId=if(match(ResourceId, InstanceId, ResourceId, "null")) | stats values(index) as index by InstanceId
@AL3Z - Search for "lateral" on this website - https://research.splunk.com/ (ES Content Update App) and you will find some common use-case along with details.   I hope this helps!!!
@xathviar - FYI, there is an idea someone already submitted - https://ideas.splunk.com/ideas/EID-I-1704 - and it's under development, which means you may see it as a core feature of Splunk in the near future.   I hope this helps!!!
Sender_ID is present in the log line:

2024-02-16 09:55:41:829 EST| INFO |InterfaceName=USCUSTOMERPO POCanonical_JSONHttpDataProcess=END JSON data successfully processed to Order Processor application for TxID=20240216095535623-0EEu Sender_ID=hC Bioscience Inc Receiver_ID=ThermoFisher Scientific TxnType=USCustomer_PO Format=cXML Direction=Inbound PO_Num=2550 Status=Success

I have updated the query, but the space is still truncated:

InterfaceName=USCUSTOMERPO Status=Success OR Status=Failure | eval timestamp=strftime(_time, "%F") | chart limit=30 dc(TxID) over Sender_ID by timestamp | rex "Sender_ID=(?<Sender_ID>.+)\s"
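Two things cut the sender name short in the post above: Splunk's automatic key=value extraction stops an unquoted value at the first whitespace (so Sender_ID becomes "hC"), and a rex placed after chart has no _raw left to read, because the aggregation discards it. The Python below is an added example, not code from the original post: it reproduces both extraction behaviours on constructed log lines modelled on the one posted (the second and third lines, and the "Acme Corp" sender, are invented), and tallies distinct TxIDs per full sender name the way dc(TxID) by Sender_ID would. The helper names are my own; the SPL equivalent of the working pattern is noted in a comment.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the format in the post. The first line
# follows the posted event; the other two are invented for the example.
SAMPLE_LINES = [
    "2024-02-16 09:55:41:829 EST| INFO |InterfaceName=USCUSTOMERPO "
    "POCanonical_JSONHttpDataProcess=END JSON data successfully processed to "
    "Order Processor application for TxID=20240216095535623-0EEu "
    "Sender_ID=hC Bioscience Inc Receiver_ID=ThermoFisher Scientific "
    "TxnType=USCustomer_PO Format=cXML Direction=Inbound PO_Num=2550 Status=Success",
    "2024-02-16 10:02:11:004 EST| INFO |InterfaceName=USCUSTOMERPO "
    "POCanonical_JSONHttpDataProcess=END JSON data successfully processed to "
    "Order Processor application for TxID=20240216100210991-1AbC "
    "Sender_ID=hC Bioscience Inc Receiver_ID=ThermoFisher Scientific "
    "TxnType=USCustomer_PO Format=cXML Direction=Inbound PO_Num=2551 Status=Success",
    "2024-02-16 10:15:42:377 EST| ERROR |InterfaceName=USCUSTOMERPO "
    "POCanonical_JSONHttpDataProcess=END JSON data rejected by Order Processor "
    "application for TxID=20240216101542301-9ZzQ "
    "Sender_ID=Acme Corp Receiver_ID=ThermoFisher Scientific "
    "TxnType=USCustomer_PO Format=cXML Direction=Inbound PO_Num=2552 Status=Failure",
]

# Lookahead that ends a value at the next " token=" pair or at end of line.
KV_TAIL = r"(?=\s+\w+=|$)"


def extract_field_autokv(line, key):
    """Approximation of Splunk's default key=value extraction: the value is
    the run of non-whitespace after '=', so 'hC Bioscience Inc' yields 'hC'."""
    m = re.search(re.escape(key) + r"=(?P<v>\S+)", line)
    return m.group("v") if m else None


def extract_field(line, key):
    """Full value of key=..., allowing embedded spaces: capture lazily up to the
    next 'token=' or end of line. The SPL equivalent (PCRE named group) is
        | rex "Sender_ID=(?<Sender_ID>.+?)(?=\\s+\\w+=|$)"
    and it must run before chart/stats, because rex reads _raw."""
    pat = re.compile(re.escape(key) + r"=(?P<v>.+?)" + KV_TAIL)
    m = pat.search(line)
    return m.group("v") if m else None


def distinct_tx_by_sender(lines):
    """Equivalent of '| stats dc(TxID) by Sender_ID' keyed on the full sender."""
    seen = defaultdict(set)
    for line in lines:
        sender = extract_field(line, "Sender_ID")
        tx = extract_field(line, "TxID")
        if sender and tx:
            seen[sender].add(tx)
    return {sender: len(txs) for sender, txs in seen.items()}


if __name__ == "__main__":
    first = SAMPLE_LINES[0]
    print("auto kv :", extract_field_autokv(first, "Sender_ID"))
    print("full    :", extract_field(first, "Sender_ID"))
    print("dc(TxID):", distinct_tx_by_sender(SAMPLE_LINES))
```

The lazy capture plus lookahead is the general fix for any space-containing value in this key=value layout (Receiver_ID has the same problem), as long as the values themselves never contain a bare "word=" token.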
index=<index-name> source="WinEventLog:Application" EventCode=* user=*   Also, please mention the specific error that you are getting, so we can help!!
I have installed the Onelogin TA and there is a sourcetype parser from that TA that has taken over everything and it is jacking the logs up (onelogin:user). Anybody know why this is happening, and how I can prevent this? 
Right, @Tron-spectron47 - more details would be needed to say whether you are referring to the transaction search command or something else. Also, what do you mean by specifying index and source?
Quick update: I manually removed '.DS_Store' from the etc/users directory and could then start. I'm not sure why this issue keeps coming up but that's at least an easier fix than reinstalling.
@Iris - I have also never done it myself, but I have thought of it a couple of times. I think a more widely known option is Selenium for web application testing. You can try that.   I hope this helps!!!
One more option is to connect the other Splunk machines as clients of the deployment server to deploy these apps. * This is something people follow as a practice; I don't find it helpful, as it creates so much confusion managing apps and upgrading them.   A good option is automation (e.g. Ansible), if you have it in place, or manual.
Hi all, I'm getting this error periodically with my local Splunk Enterprise installation on macOS. I've resorted to just reinstalling when this happened in the past, but I'd like to avoid that and understand the cause / fix.  Splunk was running but seemed to hang when I tried to restart from the web UI. After that I get this error when trying to start. If I try to stop via the CLI, it says splunkd is not running. Help is very much appreciated, as this is getting to be a real pain.
Hi @Tetiana.Kovalchuk, Thanks for posting your question on the Community. Since it's been a few days and the community has not jumped in to help, you have a few options.
1. You can request a call with an AppD Consultant
2. You can submit a Support ticket (How do I submit a Support ticket? An FAQ)
Hi @av_, if you don't have a streaming command (such as stats or timechart) in the base search, you must specify, at the end of the base search, all the fields that you need to use in the panels; in your case:

index=main source=xyz | fields host panel _time

Ciao. Giuseppe
Thank you @richgalloway you are helpful as always
Hi @Iris, I never tested automatic testing tools on Splunk, but many years ago I used LoadRunner on other web applications. Are you searching for a tool, or something else? Ciao. Giuseppe