Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
02-13-2024
06:00 AM
Try adding site to your by clauses on your stats commands
02-13-2024
06:00 AM
I just figured it out with guidance from https://stackoverflow.com/questions/7124778/how-can-i-match-anything-up-until-this-sequence-of-characters-in-a-regular-exp correct rex will be |rex field=_...
See more...
I just figured it out with guidance from https://stackoverflow.com/questions/7124778/how-can-i-match-anything-up-until-this-sequence-of-characters-in-a-regular-exp correct rex will be |rex field=_raw "Error\=(?<ErrDesc>.+?(?=\|\"))" thanks for help!
02-13-2024
05:51 AM
Hi @adamsobczykhsbc, could you share some sample of your logs (both cases)?. Ciao. Giuseppe
02-13-2024
05:43 AM
Hi @gcusello , it works for that specific case, however my extracted field ErrDesc will not always have pipe "|" inside, basically I want to match anything until |" , no matter if pipe is in the fiel...
See more...
Hi @gcusello , it works for that specific case, however my extracted field ErrDesc will not always have pipe "|" inside, basically I want to match anything until |" , no matter if pipe is in the field or not
02-13-2024
05:40 AM
Hi @Strangertinz , please try this: index=_internal
| bucket _time span =1d
| eval date=strftime(_time,"%a-%b")
| stats avg(count) as Count max(count) as maximum by date Ciao. Giuseppe
02-13-2024
05:38 AM
Hi @adamsobczykhsbc, please try this: | rex "Error\=(?<ErrDesc>[^\|]+\|[^\|]+)" that you can test at https://regex101.com/r/mIlDeU/1 Ciao. Giuseppe
02-13-2024
05:37 AM
The issue is the graph shows month on the x axis and I want it to indicate both month and day of the week
02-13-2024
05:35 AM
Hi @ITWhisperer , I tried giving as site=* it’s not working l am getting total value but I need values by site.
02-13-2024
05:28 AM
I have raw data like: Error=REQUEST ERROR | request is not valid.|","time":"1707622073040" and I want to extract "REQUEST ERROR | request is not valid." to a new field, so I try to use ...
See more...
I have raw data like: Error=REQUEST ERROR | request is not valid.|","time":"1707622073040" and I want to extract "REQUEST ERROR | request is not valid." to a new field, so I try to use rex to match until |" with below query but it still only returns "REQUEST ERROR" |rex field=_raw "Error\=(?<ErrDesc>[^|\"]+)"
Labels
- Labels:
-
rex
02-13-2024
05:20 AM
I am trying to script the installation for the Mac Splunk Universal Forwarder package. The package is a disk image (.dmg). I understand that we can mount the image using hidutil and access the vo...
See more...
I am trying to script the installation for the Mac Splunk Universal Forwarder package. The package is a disk image (.dmg). I understand that we can mount the image using hidutil and access the volume to find the .pkg file. The issue comes from where we attempt to run installer pkg the end user is prompted to answer dialog boxes, which we do not want to occur. Is there a switch to use to install the extracted pkg or dmg file silently to install the app on Mac OS Machine ?
Labels
- Labels:
-
splunkd
02-13-2024
05:10 AM
Hello I´ve upgraded DB connect app. from version 3.** to 3.15 not long time ago but I could configure it without any issues. I´ve start to receive this error only recently. I´m also attaching port...
See more...
Hello I´ve upgraded DB connect app. from version 3.** to 3.15 not long time ago but I could configure it without any issues. I´ve start to receive this error only recently. I´m also attaching port related message. I was also trying to downgrade DB connect app. according the instructions but when I change from DONE to PENDING I see no difference it´s still 3.15.0.
02-13-2024
05:05 AM
I see a lot of deprecated errors in _internal index. How can this error be resolved ?
Labels
- Labels:
-
configuration
-
troubleshooting
-
upgrade
02-13-2024
04:55 AM
Is it possible to use something like this: GitHub - okfse/sweden-geojson: Tiny GeoJSON files of Sweden's municipalities and regions or this: GitHub - perliedman/svenska-landskap: Sveriges landskap...
See more...
Is it possible to use something like this: GitHub - okfse/sweden-geojson: Tiny GeoJSON files of Sweden's municipalities and regions or this: GitHub - perliedman/svenska-landskap: Sveriges landskap som öppen geodata i GeoJSON With Splunk? If so, are there any manuals/instructions/blog posts etc you could point me to describing how to achieve this? Best regards
02-13-2024
04:19 AM
Hello Ryan, Thanks for the response. Just to note here we have already configured the database collector and the link which you have shared is to achieve this configuration. However we just want t...
See more...
Hello Ryan, Thanks for the response. Just to note here we have already configured the database collector and the link which you have shared is to achieve this configuration. However we just want to have clarity on below points. 1. Is AppD Db agent capable of detecting Ora errors in Oracle DB? 2.If yes whether can we detect ORA-00600 error via AppD Db agent? Please let us know the process for the same.
02-13-2024
04:06 AM
In the process of raising a Splunk case I was able to find a Knowledge Article (000012459) that explained how to install the Splunk UF as the LocalSystem user as was previously standard: Resoluti...
See more...
In the process of raising a Splunk case I was able to find a Knowledge Article (000012459) that explained how to install the Splunk UF as the LocalSystem user as was previously standard: Resolution For silent installation, a Windows universal forwarder from the command line to use LOCAL_SYSTEM account (which is not a security best practice) looks like below: msiexec.exe /i splunkforwarder-9.1.2-b6b9c8185839-x64-release.msi LAUNCHSPLUNK=0 AGREETOLICENSE=Yes GENRANDOM
PASSWORD=1 SERVICESTARTTYPE=auto USE_VIRTUAL_ACCOUNT=0 USE_LOCAL_SYSTEM=1 /quiet by using flags: USE_VIRTUAL_ACCOUNT=0 USE_LOCAL_SYSTEM=1
02-13-2024
03:23 AM
Hi @iainp, you could try something like this: index="mydevices" logdesc="Something that speeds the search" earliest=-7d@d latest=now
| eval period=if(now()-_time<1800,"Last 30 minutes","Previous")
...
See more...
Hi @iainp, you could try something like this: index="mydevices" logdesc="Something that speeds the search" earliest=-7d@d latest=now
| eval period=if(now()-_time<1800,"Last 30 minutes","Previous")
| stats
dc(period) AS period_count
values(period) AS period
count
BY devicename
| where period_count=1 period="Previous"
| table devicename See my approach and adapt it to your Use Case. Ciao. Giuseppe
02-13-2024
03:19 AM
| stats latest(_time) as lasttime by devicename
| where now()-lasttime > 1800
02-13-2024
03:00 AM
I have a number of devices that send logs to Splunk. I want to know when devices stop logging. For this example search: index="mydevices" logdesc="Something that speeds the search" | top limit=40 ...
See more...
I have a number of devices that send logs to Splunk. I want to know when devices stop logging. For this example search: index="mydevices" logdesc="Something that speeds the search" | top limit=40 devicename How can i find "devicename"s that have logged in the last week that haven't logged in the last 30 minutes? if that makes sense. Iain.
02-13-2024
02:11 AM
And haven't you lately upgraded the app from an old version? If so, did you read https://docs.splunk.com/Documentation/DBX/3.15.0/DeployDBX/MigratefromDBConnectv1
02-13-2024
02:09 AM
I already wrote this - You can't do anything about it yourself except for either updating the add-on (if possible) or asking the developer to fix it. Unless you want to dig into the app's code.
