These searches don't look right - please confirm that they accurately represent what you are actually doing
Below is the query I tried:

sourcetype="my_source" [search sourcetype="my_source" "failed request, request id=" | rex "failed request, request id=(?<request_id>[\w-]+)" | request_id | fields request_id | rename request_id as search] | table user_id user_name

Here I got only one user id multiple times, but when I do a normal query like below:

sourcetype="my_source" "failed request, request id=" | rex "failed request, request id=(?<request_id>[\w-]+)" | table request_id

Here I see more than 250 events.
Hi. I'm looking for a query/solution that will alert me when a log source is no longer sending logs. We have 4 indexes to monitor with a lot of log sources. So, having the log sources in an input lookup would not be a good idea, as it would have to be maintained every time a new log source is added. Thus, I am looking for a query which alerts me if any of the log sources currently configured in any of the 4 indexes goes silent for 24 hours. I would prefer not to have the lookup command in the query, as the file would have to be maintained in that scenario. I need to run this query on all the currently configured log sources. Thank you.
Again, you aren't really giving me any useful information. What is your complete search which is not doing as you expect? How many of each request id are you getting? How many of each request id were you expecting?
Hi @saskn, If the query works when Operation!="Disable Strong Authentication.", it shows no user disabled MFA. Normally, you have no results if all users are using MFA.  
I printed the request ids; I see only the first one is printed multiple times, whereas the original has 250+ request ids.
Hi @jip31, good for you, see you next time! Ciao and happy splunking. Giuseppe. P.S.: Karma Points are appreciated.
index=mem tag=a returns results, but tag=a alone does not. You are right: when I add the tag at the index level, tag=a works.
Why can't you use the drilldown feature?
Hi @jip31, which search did you run: tag="a" or index=your_index tag="a"? If you didn't insert the index in the eventtype, you don't have it in the tag search, and probably your index isn't in the default search path. Try to add the index in the eventtype (also index=* if you don't want to associate the tag to a specific index) and try again. Ciao. Giuseppe
How do you know you are getting fewer results (than expected)? Which events are being missed? Is there a common theme to the missing events? Does it happen all the time or only with certain timeframes? What else have you done to investigate the issue?
I understand; what data can I give for a better understanding?
Hi, I can see the tag, but when I run tag="a", I have no results.
How do you imagine I am going to be able to determine that?
Hi @Muthu_Vinith, good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
Hi @keorus, if the events are truncated also in the raw visualization, this means that the logs are truncated at ingestion and you cannot do anything to solve the issue, only report the problem to your colleagues that manage Splunk ingestion so they change the configuration. Ciao. Giuseppe
Hi @jip31, let me understand: you created an eventtype like the following, counter="a", and you associated to this eventtype a tag called "a". Then, when you run a search where this field is present, you don't see the value "a" in the tag field, or the search tag="a" hasn't any result. Is it correct? Did you check if the counter field is present in the results of the search that you're analyzing? Then, are you sure about the exact value of the tag? The tag field is case sensitive. Ciao. Giuseppe
Thanks for your message @gcusello. I just have a little issue: for now I can't touch the configuration of Splunk, I have to handle this configuration. It is a requirement of my team projects. Would that mean that the only solution is to change the Splunk configuration, and that there would not be another solution?
Thanks @gcusello @ITWhisperer 
The above query is not working, but when I use Operation!="Disable Strong Authentication." I am getting the enabled MFA users list. I have already ingested the Splunk logs and completed the macro creation.