All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

The field name "search" is given special treatment when returned in a subsearch in that the field name is not returned, so instead of the subsearch being ((request_id="valueA") OR (request_id="valueB")), it becomes (("valueA") OR ("valueB")). The same goes for field name "query".
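As an added illustration of the behaviour described above (my own example, not part of the original reply), the following subsearches all produce the same two constructed request_id values but expand differently in the outer search depending on the name of the field they return. The index name "web" is a placeholder.

```spl
index=web [ | makeresults count=2
            | streamstats count AS n
            | eval request_id=if(n=1, "valueA", "valueB")
            | table request_id ]

index=web [ | makeresults count=2
            | streamstats count AS n
            | eval request_id=if(n=1, "valueA", "valueB")
            | rename request_id AS search
            | table search ]

index=web [ | makeresults count=2
            | streamstats count AS n
            | eval request_id=if(n=1, "valueA", "valueB")
            | eval search="request_id=\"" . request_id . "\""
            | table search ]

index=web [ | makeresults count=2
            | streamstats count AS n
            | eval request_id=if(n=1, "valueA", "valueB")
            | return 2 request_id ]
```

The first search expands to the field-qualified form, equivalent to index=web ((request_id="valueA") OR (request_id="valueB")). The second returns the same values under the special field name search, so the field qualifier is dropped and the outer search matches the literal strings valueA and valueB anywhere in the raw event, which is usually a much broader match than intended. The third keeps the special field name but carries the field qualifier inside the value, so the expansion is field-qualified again. The fourth does the same with the return command, which emits field="value" pairs joined by OR (its default count is 1, hence the explicit 2). Whichever form you use, the expanded query is visible in the Job Inspector under the search.log / normalizedSearch entry, which is the quickest way to confirm what the subsearch actually produced.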
And in the end I want it to display the days out of the 12 months the users logged in. So if a user logged in 4 times in one day it should count it as 1 day.   If you are aggregating number of days over 12 months, why do you use timechart?  That splits output into individual days the user logged on, therefore the count is the number of times the user logged on each day, i.e., 4 times. This is the aggregate:

index=windows source="WinEventLog:Security" EventCode=4624 host IN (Server1, Server2) Logon_Type IN (10, 7) | bucket _time span=1d@d | eval Account_Name = mvindex(Account_Name,1) | stats dc(_time) as count by Account_Name
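To make the difference between "number of logons" and "number of distinct days" concrete, here is an added example of mine (not from the reply above) on constructed data: alice logs on four times on 2024-03-01 and once on 2024-03-02, bob once on 2024-03-01. Instead of bucketing _time, it derives an explicit day key with strftime, which makes the distinct-count visible in the output and works the same way over a 12-month window.

```spl
| makeresults count=6
| streamstats count AS n
| eval Account_Name=if(n<=5, "alice", "bob")
| eval _time=case(
      n<=4, strptime("2024-03-01", "%Y-%m-%d") + n*3600,
      n=5,  strptime("2024-03-02", "%Y-%m-%d") + 7200,
      n=6,  strptime("2024-03-01", "%Y-%m-%d") + 3600)
| eval day=strftime(_time, "%Y-%m-%d")
| stats dc(day) AS days_logged_in, count AS total_logons,
        min(day) AS first_day, max(day) AS last_day
        BY Account_Name
```

The result is one row per account: alice has total_logons=5 but days_logged_in=2, bob has 1 and 1, which is exactly the collapse of four same-day logons into one day that the question asks for. On real data replace the makeresults/eval block with the index=windows search from the reply and keep the mvindex(Account_Name,1) step: EventCode 4624 carries two Account_Name values (the subject and the target of the logon), and index 1 is the account that actually logged on. Keeping count alongside dc(day) is a cheap sanity check that the day-level dedup is doing what you expect.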
I wasn't sure if having multiple different license managers would cause any violations.  Ideally we really do not like the idea of having a single point of failure for our license manager, and are looking to implement redundancy.  Is this possible or will it cause issues?
It doesn't work for me. I am using the official Mimecast for Splunk app, and I created two custom apps called Mimecast for LiveSOC and Mimecast for; neither works. What name do you recommend I use for that?
@Muthu_Vinith Please use a descriptive title.  This helps future users find the answer.
How many hosts are typically returned?  If there are not many, you can just use metadata to filter the index search.  This would meet your original requirement.

[| metadata type=hosts | where recentTime < now() - 10800 | stats values(host) as host] | dedup host

If there are too many, performance can be a concern.  (You can also add other filters in addition to | metadata.) As @PickleRick noted, you probably don't want to send raw events, especially not a lot of them, in E-mail.  In theory, you SHOULD have this "somenumber-somename-ks-srx" extracted into a field if it means something.  Haven't you?  Assuming the field name is somefield:

[| metadata type=hosts | where recentTime < now() - 10800 | stats values(host) as host] | dedup host | table host _time somefield
Can you share your SPL and data? This example works:

| makeresults | eval line="SOMEALPHA9876NUMERIC_ETC_RFG: play this message: announcement/12345678" | rex field=line "(?<ID>\w+)_ETC_RFG:.*/(?<NUM>\d+)"
@EPitch I don't believe there is a break-on-condition function to abort the search, but what you could do is turn on sampling at an appropriately large ratio so you run the search on a subset of the data. This will be quicker - if you get >10 then you don't need to re-run - but if you get <10, you will need to re-run at a lower sampling ratio. I'm not sure this solves the problem in that if you don't expect or want >10 then you will always end up running the search with 1:1 ratio. The other alternative is to craft your search criteria to use the TERM() directive if possible, and if these data fields can be reduced to TERM elements then you can even use tstats. See this .conf presentation https://conf.splunk.com/files/2020/slides/PLA1089C.pdf So maybe you can do

index=blah sourcetype=blah (TERM(name=Name1) TERM(ip=IP1) TERM(id=id1)) OR...

but you will have to know your data well to know if the terms exist as real terms in the data and you need to understand major and minor breakers in the data. If all the search criteria can be converted to TERM then you could do

| tstats count where index=blah sourcetype=blah (TERM(name=Name1) TERM(ip=IP1) TERM(id=id1)) OR... by PREFIX(name=) PREFIX(ip=) PREFIX(id=) | rename *= as *
We are experiencing the same thing. The clients are showing up in the client_events logs checking in and phoning home on the deployment server. But after updating to 9.2 they aren't appearing under the Settings>Forwarder Management page on the DS. We have not made any changes to the forwarders yet.
Hi @Fernando.Moreira, Thanks for asking your question on the Community. I found this AppD Docs page that might be helpful. https://docs.appdynamics.com/sap/en/set-up-sap-netweaver-systems/set-up-sap-abap-agent
Both
Hi @Jahnavi.Vangari, Thanks for following up. Since the Community did not jump in and help, at this point it might be best to contact Support.  How do I submit a Support ticket? An FAQ 
Hi @Paul.Mateos  Given this post is from 2018, it's unlikely anyone is going to reply to this. 
Yep, sorry about that. It wouldn't let me leave karma on the post I marked correct. Karma given for this one.
Version 3.15.0
Hi there! How are you doing? Our FIM tool is detecting modifications to the /etc/passwd file by the splunkfwd user found on some of our critical Linux servers for our operation with Splunk Universal Forwarder installed. Do you know if this behavior is correct? Shouldn't it be modifying /opt/splunkforwarder/etc/passwd?   Thank you very much! Regards, Juanma   PS: when echoing $SPLUNK_HOME it appears to be blank for other users, but the tool is sending logs correctly to SplunkCloud
Thank you - this would work as well:  we are now going to let the old data fall out of the dashboard and be updated with data from the new DUO site.  You can have data ingested from multiple DUO APIs in the dashboard concurrently, so we have visibility from both sites on the same dashboard, but consolidated.  Appreciated!
Great solution - I like how it also removes the need for a subsearch. Thank you!!
Great way to sanity check - didn't think of this until you mentioned it. Ty!!
Hi @richgalloway  Do I have to change the app name or the folder name or both?