All Posts

@PickleRick  Sorry for the late reply. Thank you for the clear explanation. I understand!!!   
Thank you! It is working
Using leading wildcards in searches is generally not a good idea, however, since this is on index it won't be searching all events in all indexes to see if the index matches, it will find the indexes from the list of indexes and only search those.
Hello, I have a question. We have lots of indexes, and rather than specify each one, I use index=*proxy* to search across index=some_proxy1 and index=some_proxy2. I understand that obviously index=* is a bad thing to do, but does index=*proxy* really cause bad things to happen in Splunk? I've been using syntax like this for several years, and nothing bad has ever happened. I did a test on one index:

with index=*proxy*
This search has completed and has returned 1,000 results by scanning 117,738 events in 7.115 seconds

with index=some_proxy1
This search has completed and has returned 1,000 results by scanning 121,162 events in 7.318 seconds

As you can see in the example, using *proxy* over the same time period was actually quicker.
Hi, I have this query that calculates how much time the alerts are open, so far so good, but unfortunately if the rule name repeats (duplicate rule name) in a new event, then the now() function does not know how to calculate the correct time for the first rule that triggered. How can I calculate SLA time without deleting duplicates and keeping the same structure as shown in the picture?
First, surround the token name with dollar signs, i.e., $time_token$. Second, if _time in your second search is Splunk's built-in event time, its value is epoch, and will never equal a string like "2024-01-23". Third, when you rename _time in the first search to Date then use fieldformat on this field, you are only changing the display. $time_token$ transmitted to the second search is still the original _time value, which is NOT the date value, but the precise event value in the first search. As such, chances are extremely slim that the second search will find a match. You need to rethink what value to send to the second search. The solution depends very much on what you are doing with the Date field in the first search and what exact value you are trying to match in the second search. No one else knows those conditions but yourself. So, you will need to describe them very clearly.

I will give you one example. Suppose _time in your second search is event time, Date in the first search is just for display, and that you want to match calendar date between the first and second searches, even though the events' time of day is different. (These are big IFs. Like I said, no one else knows what your use case is and how data look like.) In this case, you can keep the first search, and work on the second search to match calendar date like this:

| where relative_time(_time, "-0d@d") == relative_time($time_token$, "-0d@d")

This is perhaps the most expressive way to implement the use case I exemplified above, although it is not the most semantic in accordance with your original design. If you want to be semantical, both the first search and second search need a change.
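The following Simple XML dashboard is an added example of the "change both searches" approach described in the answer above; it is not code from the answerer or from Splunk. The index (web_proxy), sourcetype (proxy_logs), field names (src_ip) and token names are assumptions. The first panel buckets events by calendar day and sends two kinds of values on click: the display date as $time_token$, and the day's epoch start and end as $day_start$/$day_end$. The second panel uses the epoch pair in its earliest/latest elements, so the match is done through the time index rather than by comparing _time against a string with a where clause over every event in the time picker range.

```xml
<form version="1.1">
  <label>Calendar-day drilldown (added example, assumed index and fields)</label>
  <row>
    <panel>
      <title>Requests per day (click a row)</title>
      <table>
        <search>
          <query>
index=web_proxy sourcetype=proxy_logs
| bin _time span=1d
| stats count AS requests BY _time
| eval Date=strftime(_time, "%Y-%m-%d"),
       day_start=_time,
       day_end=relative_time(_time, "+1d@d")
          </query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
        <!-- day_start/day_end remain in the row data but are hidden from the table;
             a real field from eval is used here, not fieldformat, so the value
             placed in the token is the string the user sees -->
        <fields>Date, requests</fields>
        <drilldown>
          <!-- pass the calendar day as a display string AND as an epoch window -->
          <set token="time_token">$row.Date$</set>
          <set token="day_start">$row.day_start$</set>
          <set token="day_end">$row.day_end$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$time_token$">
    <panel>
      <title>Top sources on $time_token$</title>
      <table>
        <search>
          <query>
index=web_proxy sourcetype=proxy_logs
| stats count AS requests BY src_ip
| sort - requests
| head 20
          </query>
          <!-- the epoch tokens drive the time range of the second search, so no
               where clause on _time is needed and only that day's buckets are read -->
          <earliest>$day_start$</earliest>
          <latest>$day_end$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The second row is hidden until a row in the first table has been clicked (depends="$time_token$"). If the second search must stay tied to the dashboard's time picker instead, the where comparison from the answer above is the fallback, at the cost of scanning every event in the picker range.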
That's simply how Splunk shows the _time field. The data is consistent, the presentation might indeed be a bit confusing. You can get around it as @ITWhisperer showed already.
In the table, _time is converted into month buckets, but in the chart, the X-axis is not showing monthly buckets.
| where _time = strptime(time_token,"%Y-%m-%d")
The data in the chart is consistent with the data in the table - the issue is that the chart is treating _time as a special case of field - you can get around this by creating a new field called time and removing _time - you would need to ensure that the time field is listed first so that it becomes the x-axis

| gentimes start=-365
| rename starttime as _time
| fields _time
| eval location=mvindex(split("ABCDEFGH",""),random()%8)
``` the lines above generate random data for testing ```
| timechart span=1mon count by location
| tail 6
| eval time=strftime(_time,"%Y-%m")
| fields - _time
| table time *
What do you mean by "different results"? They seem pretty much consistent.
I am getting different results for the same query when checked in statistics and visualizations. Attaching both screenshots.
For conditional evaluations you can use if() or case() functions with the eval command. I still don't understand what you want to "not consider". You want to return values not matching a filter? Evaluate a field only for some subset of events? Something else? A multiselect is a widget in a dashboard. You're posting this in Splunk Search section. What's the connection between one and the other? Please post some sample of events (anonymized if needed), desired outcome and additional conditions affecting the search (like this multisearch).
Hi @PickleRick, I don't want that condition to be considered. It's a multiselect value; when some other values are passed along with this, it's working, but when DMZ alone is passed, it's not working, because in type we haven't categorized dmz, so we weren't using that value, so I want to skip only for that value. Is that possible?
I made a graph that sends time data at the click point. I use "fieldformat" to change how the time data is shown. This is my code for the time part of this graph.

| rename _time AS Date
| fieldformat Date = strftime(Date,"%Y-%m-%d")

So the token data is sent like this: "2024-01-23". I want to set the time in another graph with the data received from the token. For example, if time_token sends me "2024-01-23", I want to show only the data from 2024-01-23 in the other graph. I tried this code, but it did not work. (Maybe it is caused by the format change.)

| where _time = time_token

How could I solve this problem?
What do you mean by "skip"?
Hi @PickleRick, I don't want to remove the value. I just want to skip for that instance only if DMZ is passed as the token value; when other values are passed, the condition needs to be there. I'm passing a value from a dashboard input dropdown to a macro, where I need the condition to be skipped when DMZ is passed. Thanks in advance! Manoj Kumar S
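As an added example (not code from either poster) of the if()/case() approach suggested earlier in this thread, applied to the dropdown-to-filter situation described just above: the dashboard below keeps a type filter for every zone except DMZ, and drops the filter entirely when DMZ is the selected value, without a separate search per choice. The index (firewall), sourcetype (fw_events), the type field values and the token name type_tok are assumptions; the poster's macro body is not on the page, so the condition is shown inline in the query where the macro would expand.

```xml
<form version="1.1">
  <label>Conditional type filter (added example, assumed index and fields)</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="type_tok">
      <label>Network zone</label>
      <choice value="INTERNAL">INTERNAL</choice>
      <choice value="EXTERNAL">EXTERNAL</choice>
      <choice value="DMZ">DMZ</choice>
      <default>INTERNAL</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Events for zone $type_tok$</title>
      <table>
        <search>
          <!-- case() is evaluated per event: the first true branch wins.
               Branch 1: the literal token value is DMZ, so every event is kept
               and the type field is never consulted (the "skip").
               Branch 2: otherwise keep only events whose type equals the token.
               Branch 3: true() is the default; everything else is dropped.
               The same logic as a nested if() would read:
               if("$type_tok$"=="DMZ", 1, if(type=="$type_tok$", 1, 0)) -->
          <query>
index=firewall sourcetype=fw_events
| eval keep=case("$type_tok$"=="DMZ", 1,
                 type=="$type_tok$", 1,
                 true(), 0)
| where keep==1
| stats count BY src_ip dest_ip action
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because the decision is made in eval after the base search, all events in the time range are read before the filter is applied; when the selected zone is not DMZ, adding type="$type_tok$" to the base search as well would let the indexer discard the other zones early. Selecting DMZ with that addition would again return nothing, which is exactly the behaviour the poster wants to avoid, so the two lines have to be kept in agreement.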
If you run the code snippet I shared, you should see results, i.e. it works. This seems to imply that there is something else going on in your search which is causing you to have no results. Please share your full search in a code block </>
Sorry, I have put them in double inverted commas, still no results.
Your time format string should be in double quotes

| makeresults
| where false()
| appendpipe [stats count | where count=0 | eval timeval=strftime(now(), "%d/%m/%Y") | where count = 0]