Splunk Docs is your friend.  See foreach.  <<FIELD>> is a symbol in SPL's foreach command, not to be replaced by the user.  SPL will iterate this symbol over the field names following the command name.
When you say "a list of", I assume that this list is in a field that is single-valued in each event.  Is this correct?  Assuming yes, and assuming a field name of fullname, you can do   | eval fullname = trim(split(fullname, ","), " ") | eval fullname = mvjoin(mvreverse(fullname), " ")   Here is an emulation you can run and compare with real data   | makeresults | fields - _* | eval fullname = "Smith, Suzy" ``` data emulation above ``` | eval fullname = trim(split(fullname, ","), " ") | eval fullname = mvjoin(mvreverse(fullname), " ")   Output is fullname Suzy Smith Hope this helps
Hey @ITWhisperer, I see there is one issue: my number of events is lower than in my actual query. Why might that have happened?
Hi, I'm getting the same issue.

Waiting for web server at http://x.x.x.x to be available ... done
The Splunk web interface is at http://localhost:8000

Tried accessing the Splunk web but it cannot be reached.

netstat -an | grep 8000
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN

Firewall is disabled. Telnet results below:

Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
HTTP/1.1 400 Bad Request
Date: Thu, 15 Feb 2024 21:21:05 GMT
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Length: 207
Connection: Close
X-Frame-Options: SAMEORIGIN
Server: Splunkd

<!doctype html><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>400 Bad Request</title></head><body><h1>Bad Request</h1><p>HTTP Request was malformed.</p></body></html>
Connection closed by foreign host.
I have a list of comma separated names (lastname, firstname) that I need to reverse. So "Smith, Suzy" becomes "Suzy Smith".  What's the easiest way to do this? 
Log ingesting intermittently. We could not find the path referenced. Our Universal forwarder is on a Windows server and the Heavy forwarder is on a *nix server. How do we get the diag files with debug enabled for the UF and the HF? Can you please provide a detailed explanation with commands?
Have you edited the data model to create a new calculated field using your eval command?  That should do it. Be warned, however, that once you modify a DM you own it.  Your copy will override any changes delivered by Splunk.
@bowesmana just wanted to tag you for awareness, not sure how this community notifies on comment replies.
I can run the below command in a search successfully:

| eval message=replace(Message, "^Installation Successful: Windows successfully installed the following update: ", "")

How can I convert this to work in a data model?

Below is my base search sample result.

Message=Installation Successful: Windows successfully installed the following update: Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.405.28.0) - Current Channel (Broad)

In my data model I would like to use an eval expression on the field message and take off "Installation Successful: Windows successfully installed the following update:".

Desired results:

Message= Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.405.28.0) - Current Channel (Broad)
What is expected for <<FIELD>>? What value would I add here to get it to cycle through all 3 (or more) values extracted from the spath object?
@ea-2023 If your JSON field 3 has one or more of those field attributes, then after the spath you can do

| foreach "Attribute Name", "Resource Name", "ID" [ | eval type=if(isnotnull('<<FIELD>>'), mvappend(type, '<<FIELD>>'), type) ]

which will cycle through the 3 desired fields and, for any of the 3 that exist, will make a multi-value field called type with any that do exist.
Hi @Gregory.Burkhead, I'm going to dig into this for you, but I wanted to make sure this was the documentation you were looking at. https://docs.appdynamics.com/appd/onprem/latest/en/analytics/adql-reference/adql-queries/analytics-functions This explanation does not tell you enough?  This query first selects all error transactions for the "ECommerce" application. It then calculates, for each unique transaction name, the ratio of instances of that transaction name to the total number of error transactions. (The assumption is that any given transaction name can appear in multiple error transactions.) SELECT transactionName, count ( * ) / totalResultCount() FROM transactions WHERE application = 'ECommerce' AND userExperience = 'ERROR'
Hi @Abdulrahman.Kazamel, Thanks for sharing this in-depth work-around. Let's see if the community can jump in to offer a more robust solution for you.
Please can you share some sample events and a mockup of what your expected output would look like?
Click on the Add New link?
Hello I have a working dashboard where I have various fields that can be defined (field1 and field2 in the example), and some events have a field that is an extracted JSON object. I have successfully accessed various elements within the JSON object... but what I am trying to do is create ONE column called "Additional Details" where only certain elements, IF THEY EXIST, will populate in this column.  The search below technically works, but as you can probably see, it will just add a NULL value if the specified element from field3 does not exist. Is there a way to check for other values in the JSON object, and populate those values in that single column, only if they exist? i.e. If field3 has "Attribute Name", "Resource Name", and "ID", but many events have only one of these fields, is it possible to have the value from the field, only if it exists, populate in the "Additional Details" column?   index=test field1=* field2=* | spath input=field3 #(which is a json_object)# | fillnull value=NULL | eval type=if(isnotnull(element_from_field3), ElementName, NULL) | stats count values(type) as "Additional Details" by Other    
Splunk can only tell you what it is told by Windows.  Are you running sysmon on the Windows devices?  If so, then you can get detailed user activity; otherwise, you're limited to what's in the event logs (that have been indexed).
Only the fields provided by the metadata command can be displayed unless you add other commands that search indexes for names ending with "srx".  If the desired field *is* returned by metadata then include it in the fields command, then use where or search to filter the desired values.

| metadata type=hosts | where recentTime < now() - 10800 | eval lastSeen = strftime(recentTime, "%F %T") | fields + host lastSeen | search host="*srx"
Sorry, I did not completely explain - I would like it to return the full name ending in srx.
You have to edit the DM to see the values, but it's much easier to read it from the manual.