index=index1 OR index=index2 | eval Result=coalesce(field1, field2) | stats values(*) as * by Result
hi @maverick27, you have to expand my search:

index=index1 OR index=index2 | eval Result=coalesce(field1, field2) | table Result DEPT UID REGION

Ciao. Giuseppe
Sounds like you need to raise it as a new idea unless someone has already raised it, in which case up-vote it. So, either an option to set the series default colours by app or by extending the charting.seriesColors option to cover tables.
hi @asncari, there's no reason for this behavior! Please, make a last try: remove TIME_PREFIX, restart Splunk and try again. Ciao. Giuseppe
If you are using Forwarder Monitoring in the Monitoring Console, you can find all forwarders that were sending logs to your environment (from the last inventory reset point).
Have you tried the -dedup option for the fill_summary_index.py? Run your fill_summary_index.py script with '-h', like

$ splunk cmd python fill_summary_index.py -h

There's all sorts of options in there, including dedup and timeframe changes. It might be useful to spend a few minutes reading that carefully. You may also find it useful to review the fine docs on this: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managesummaryindexgapsandoverlaps

Happy Splunking!
Hi Giuseppe, We have configured the props.conf with the sourcetype and the behavior is the same. Thx Giuseppe.
Thank you for your reply. I've sort of gotten that far, but where I'm really struggling is trying to make each index their percentage of their respective thruput, sorry if I didn't clarify that in the question. 
A subsearch seems like the right answer here. A subsearch is enclosed in [] brackets inside your main search, runs first, and the results of that subsearch get fed back into the main search as search terms. So you have two searches here, the search that finds the cyberark data, and the one that finds the AD data. You didn't provide either of those separate searches, so I'm just making up some pseudosearches for those. Let's say your cyberark search is something like

index=cyberark action=doAnImportantThing | dedup user

Which would return a short list of users involved in ... well, whatever doAnImportantThing is in this case. Let's say "Mary" and "John". So, at its simplest, you just use that as your subsearch.

index=ad [search index=cyberark action=doAnImportantThing | dedup user]

Don't forget to add "search" to the subsearch, it's automatic in the main search, but not anywhere else. So your subsearch runs, returns its data formatted like (( user=Mary ) OR (user=John) ), which means your outer search ends up being

index=ad ( ( user=Mary ) OR (user=John) )

And there you go. You'll want to refer to here for more and more examples: https://docs.splunk.com/Documentation/Splunk/9.1.3/Search/Aboutsubsearches Some other commands/stuff to know - 'earliest=...' and 'latest=...', and also check out the 'format' command which can alter how the subsearch gets returned (to do things like AND, or whatever else if you want).
I'll test it and tell you. Thx Giuseppe
Hi @asncari, probably the options aren't applied to your sourcetype, please add them in a sourcetype, not to default, in props.conf:

[your_sourcetype]
TIME_PREFIX = ^
TIME_FORMAT = %d/%m/%Y %H:%M:%S

Ciao. Giuseppe
Good afternoon, I have a very strange problem. I have a log with these 2 events:

01/02/2024 13:06:16 - SOLISP1 IP: 10.229.87.80 USER-AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
01/02/2024 13:00:54 - GGCARO3 IP: 10.229.87.80 USER-AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0

The date format in the event is dd/mm/yyyy. Well, Splunk indexes one of them in January and another in February. We have tried editing the props file as follows:

[default]
TIME_PREFIX = ^
TIME_FORMAT = %d/%m/%Y %H:%M:%S

Anyone know what might be happening?
Exactly, this is my search:

`notable_by_id("*")` | search status_end="false" | where severity IN ("high", "critical") | eval time_difference=tostring(now() - _time) | eval time_difference = strftime(time_difference, "%H:%M:%S") | table _time, time_difference, rule_name, owner, status_label, "Audit Category", urgency | rename status_label as Status
Maybe I wasn't clear with my requirement. Apologies guys! Let me give you an example as to what I'm trying to do.

1st search contains the following data:

Field1  DEPT      UID
1       Accounts  AA
3       HR        CC
5       Ops       EE
7       Tech      GG
9       Ops       II
10      Tech      JJ
11      HR        KK

2nd search contains the following data:

Field2  REGION
2       NA
4       TY
6       HK
8       AS
10      EU
11      AS

Now, I need to get common as well as distinct rows from both the tables as shown below:

Result  DEPT      UID  REGION
1       Accounts  AA
2                      NA
3       HR        CC
4                      TY
5       Ops       EE
6                      HK
7       Tech      GG
8                      AS
9       Ops       II
10      Tech      JJ   EU
11      HR        KK   AS
thanks @gcusello. Could you help me with the below asks? When we run the base query without timewrap, today's count is only 6 and yesterday's count is 19. But, when we run the base query with timewrap, today's total is 25 and yesterday's total is 13.

Splunk Query:

basesearch earliest=-7d@d latest=now() | timechart span=1h count | timewrap d series=short | addtotals s* | eval 7dayavg=Total/7.0 | table _time, s0, s1, Total, 7dayavg | rename s0 as Today, s1 as yesterday

Results:

_time             Today  yesterday  Total  7dayavg
2024-01-31 08:00  0      0          0      0.0
2024-01-31 09:00  0      0          0      0.0
2024-01-31 10:00  2      0          4      0.57
Hi, no these are the default ones. The issue is I have many tables I want to set for all the APP only, not the full Splunk install. I have tried things like below from other answers but I can't get it to work. https://community.splunk.com/t5/Dashboards-Visualizations/Are-there-different-dashboard-colors-since-update-to-9-0-2/m-p/629683
How are you currently configuring the colours for this table?
Hi For a table how can I get back to 8.0 colors the 9.0 are very bright.  
Hi, according to the Splunk Docs from version 9.1: "the installer creates a virtual account as a "least privileged" user called splunkfwd". After an upgrade to version 9.1.2 I am having trouble with the UF autostarting. Looking at Windows Event Logs I can see the following error:

Which suggests the account is actually "SplunkForwarder" not "splunkfwd". When I check the Windows Service Log On user I also see the user "SplunkForwarder":

And "SplunkForwarder" is also the only Splunk related user I can see when I run the following command to list all users:

get-service | foreach {Write-Host NT Service\$($_.Name)}

Can someone confirm that the Doc is incorrect and the virtual account created is in fact SplunkForwarder? Or is "splunkfwd" created somewhere else?

Thanks
HF1 is with sender Add-on and configured outputs.conf with udp and input ip interface (default configurations) - not working. We have checked the connectivity with the command "nc -vzu host port" on the udp port and it's showing open. Any ideas!!!