Hi Ryan,
I have raised a request.
[AppDynamics Internal Ticket # 388553]
Is there any way we can reach out to the product team, to see if they can help out with the requirement?
Thanks,
Jahnavi
After a lot of tries, I finally did it. Looks simple when you know what to do. Thank you for advertising the substr function. The final result is below.

props.conf:
[oce_file_rphost]
TRANSFORMS-oce_file_tc0 = oce_file_tc0
LINE_BREAKER = ()\d{2}:\d{2}.\d+-\d+,
SHOULD_LINEMERGE = false

transforms.conf:
[oce_file_tc0]
INGEST_EVAL = _time = strptime("20" + replace(source,".*\\\\(\d{8}).log","\1") + substr(_raw,0,12),"%Y%m%d%H%M:%S.%6Q")
Hi Splunkers, I would like to pass the label value to the macro based on some condition. When a single value is selected, the value is correctly passed to the macro and the search loads the results, but when multiple values are selected the search throws an error in the macro.

<input type="multiselect" token="machine" searchWhenChanged="true">
  <label>Machine type</label>
  <choice value="*">All</choice>
  <choice value="VDI">VDI</choice>
  <choice value="Industrial">Industrial</choice>
  <choice value="Standard">Standard</choice>
  <choice value="MacOS">MacOS</choice>
  <choice value="**">DMZ</choice>
  <default>*</default>
  <initialValue>*</initialValue>
  <delimiter>, </delimiter>
  <change>
    <!-- quotes inside an attribute value must be XML-escaped; match() tests whether
         the (possibly comma-joined, multiselect) label list contains DMZ -->
    <condition match="match($label$, &quot;DMZ&quot;)">
      <set token="machine_type_dmz">"mcafee_DMZ=DMZ"</set>
    </condition>
    <!-- catch-all branch: clear the token when DMZ is not among the selected labels -->
    <condition>
      <unset token="machine_type_dmz"></unset>
    </condition>
  </change>
</input>
Thanks in Advance!
How can I get the complete date time format for both the queries in the graph? For example:

index="abc" sourcetype="Prod_logs"
| eval "yesterday_datetime_formatted" = strftime(_time,"%Y-%m-%d %H:%M:%S")
| stats count(transactionId) AS TotalRequest by yesterday_datetime_formatted URI
  (*** earliest and latest need to be derived as per user selection from the drop down)
| appendcols [search index="abc" sourcetype="Prod_logs" earliest=xxx latest=now
    | eval "Today_datetime_formatted" = strftime(_time,"%Y-%m-%d %H:%M:%S")
    | stats count(transactionId) AS TotalRequest by Today_datetime_formatted URI]
| fields "yesterday_datetime_formatted" "Today_datetime_formatted"
It depends what you mean by first. If you want the first event returned by the search, this is going to be the latest, as events are returned newest first. If you want the first event in time, then you could sort by _time first. In both cases, you could then use dedup, which keeps the first event for each unique combination of field values; in your instance you want host and field type:

| dedup Host Field-Type
Hi @Nawab, I have only the 7.2 version, but this issue is really strange because I don't think that Splunk removed filters from this dashboard. I suppose that Splunk Support should help you. Ciao. Giuseppe
Hi @ilhwan, in addition to the perfect answer of @richgalloway, I suggest comparing (in structure and data) the Data Models on the two SH, because Data Models are usually located on the SH, except if you forward them to an Indexer Cluster. Ciao. Giuseppe
Yes, I am talking about the Incident Review dashboard of version 7.3.0, and I tried clicking it multiple times, still the same. Also opened a case with Splunk Support.
Hi @jmrubio, if you have this message on the Indexer, it seems that you forgot to create the index on the Indexers, or that maybe there's a difference between the index name and the index that you configured in the inputs.conf of the HF. If the message is on the HF, it seems that there's an issue in the forwarding configuration. Ciao. Giuseppe
Hi @snobyink, at first glance these seem to be Linux logs, so using the Splunk_TA_nix (https://splunkbase.splunk.com/app/833) you should have all the fields extracted. Anyway, you can use a regex to extract the user field (the host should already be extracted):

index=your_index
| rex "for user (?<user>\w+)"
| table _time host user

Ciao. Giuseppe
Hi @Mariam001, how are you ingesting database logs? Are you using DB Connect or are you reading log files? In both cases, check the relative input. Ciao. Giuseppe
Hi @Nawab, in Enterprise Security there are many dashboards: the filters you shared seem to be the ones in the Incident Review dashboard. Did you try clicking the Hide Filters button two times? Ciao. Giuseppe
Hi @Muthu_Vinith, good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
Hi, I am trying to use a table icon viz like the one below. In the static folder I have put the "table_icons_rangemap.js" and "table_decorations.css" files. I call these files in my XML like this:

<dashboard version="1.1" script="table_icons_rangemap.js" stylesheet="table_decorations.css">

When I run the dashboard nothing happens; I just have "severe", "high" instead of an icon. I use Splunk Enterprise version 9..1.0.1. Can anybody help, please? Thanks