All Posts
Hi @gcusello No, that is just an example. I don't actually have the characters "METRIC_NAME" in my data. METRIC_NAME can be anything from "CPU usage" to "paycheck value" or whatever. That's why I tried TIME_PREFIX = \S+\s\S+\s at first. I'll edit the examples in my original post to avoid misunderstandings.
The IN operator expects a parenthesized list of values.  The if function is not valid in the search command so, no this will not work.
I want to download the trial version of Splunk Enterprise. I managed to register. Whenever I try to log in to Splunk.com, it keeps showing a 403 error. I tried with both Chrome and Firefox, same error. Both browsers are the latest version. When I click on Login, it redirects to the following and shows a 403 error:
https://www.splunk.com/saml/login?module=nav&redirecturl=https://www.splunk.com/
Windows 11 (updated with the latest MS patches) and home network. I already tried the following:
- rebooted the laptop and router
- cleared the browsers' cache
- added www.splunk.com to the trusted zone
- disabled Windows Firewall
- disabled AV
Anything else I should be checking?
Hi @tommasoscarpa1, sorry I didn't see it! Anyway, if before the timestamp in epoch time you always have METRIC_NAME, you could try:
TIME_PREFIX = METRIC_NAME\s+
TIME_FORMAT = %s
Ciao. Giuseppe
Try now. I "fixed" it but I overthought it so I "fixed it back".
By default, a subsearch returns its results as a formatted string. Run the subsearch by itself with | format appended to see what it looks like. A workaround may be to use the return command instead of table:
main search
| eval onerowevent=if(like(onerowevent, "%".[search [| inputlookup blabla.csv | <whatever_condition_to_make_onecompare_field> | return $onecompare]]."%"), onerowevent, "")
Hi Giuseppe. I've added an example in my original post
Hi @tommasoscarpa1, could you share a sample of your logs? Ciao. Giuseppe
Perhaps the app didn't download at all.  Try again or use a different browser.
something is missing here, there aren't any values in the column "changed" 
Hello, I have events in this format:
<servername> <metricname> <epochtime> <metricvalue>
These events come from HEC to a heavy forwarder and are then forwarded to indexers. I would like to set Splunk to recognize <epochtime> as the event timestamp. <servername> and <metricname> are alphanumerical words with no whitespace inside, while <metricvalue> is numerical. <epochtime> is a 10-digit integer epoch time.
I've set up the props.conf file on the heavy forwarder as follows:
[sourcetypename]
TIME_FORMAT = %s
But events are not indexed with the correct timestamp. I also tried to add this property:
TIME_PREFIX = \S+\s\S+\s
But no luck. Can you help me understand what I am doing wrong?
EDIT---- Log example:
mywebserver123 SOME_METRIC 1706569460 5
myotherwebserver456.domain.com ANY_OTHER_NAME 1706569582 3
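An added example, not from the thread, that models how the props.conf settings discussed here (TIME_PREFIX, TIME_FORMAT = %s and MAX_TIMESTAMP_LOOKAHEAD) select the epoch field in the two sample events; the sourcetype stanza is assumed, and the lookup is a simplified model rather than Splunk's actual timestamp processor.

```python
import re
from datetime import datetime, timezone

# Constructed sample events in the format described in the post:
# <servername> <metricname> <epochtime> <metricvalue>
SAMPLE_EVENTS = [
    "mywebserver123 SOME_METRIC 1706569460 5",
    "myotherwebserver456.domain.com ANY_OTHER_NAME 1706569582 3",
]

# Assumed props.conf stanza for a hypothetical sourcetype. TIME_PREFIX is
# anchored so it can only match the first two whitespace-separated fields,
# and MAX_TIMESTAMP_LOOKAHEAD is limited to the 10 digits of the epoch field
# so the metric value that follows is never scanned for a timestamp.
PROPS = {
    "TIME_PREFIX": r"^\S+\s+\S+\s+",
    "TIME_FORMAT": "%s",
    "MAX_TIMESTAMP_LOOKAHEAD": 10,
}


def extract_epoch(event, props=PROPS):
    """Simplified model (not Splunk's real timestamp processor) of how the
    settings interact: skip the TIME_PREFIX match, take at most
    MAX_TIMESTAMP_LOOKAHEAD characters after it, and read epoch seconds from
    that window because TIME_FORMAT is %s. Returns None if nothing matches."""
    if props["TIME_FORMAT"] != "%s":
        raise ValueError("this model only handles TIME_FORMAT = %s")
    prefix = re.search(props["TIME_PREFIX"], event)
    if prefix is None:
        return None
    window = event[prefix.end():prefix.end() + props["MAX_TIMESTAMP_LOOKAHEAD"]]
    digits = re.match(r"\d{10}(?!\d)", window)
    return int(digits.group()) if digits else None


def extract_timestamp(event, props=PROPS):
    """Return the event time as an aware UTC datetime, or None."""
    epoch = extract_epoch(event, props)
    return None if epoch is None else datetime.fromtimestamp(epoch, tz=timezone.utc)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{extract_timestamp(ev)}  <-  {ev}")
```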
Not using that add-on, but it looks to me that it is because the custom command is trying to sort the results before returning. You will notice that it will probably work if you only pipe 1 event into the command. Easy way out: remove results.sort() from the custom command, hoping they fix the add-on for you.
Hi @SplunkDash, I don't know why, but the form adds a part to the address. Remove all the chars after 742 in the URL address, or go to apps.splunk.com and search for Splunk Add-On for Windows. Ciao. Giuseppe
Thanks for your quick response @richgalloway. I have already tried that, and it doesn't show me any folder where it is saved. I checked my local machine too and was unable to locate it.
See my response from this thread https://community.splunk.com/t5/Splunk-Search/Tracking-Field-Changes-in-Events/m-p/675494/highlight/true#M231114
It should be in your browser's downloads folder.  Type CTRL-J to see the files your browser downloaded.  Right-click on a file and click "Show in folder" to see where it is.
Real-time searches are eeeeeevil and generally should not be used at all. Also there's not much to replicate in case of a real-time search since... they occur in real time, and if you tried to run it another time you'd be running it with another set of data. But if you meant ad-hoc search - I think the assumption is that ad-hoc searches are used interactively, so you're probably not going to need the results in another session, called with loadjob by another person logged in to another SHC member. With scheduled searches it's different, because a quite common way to optimize load is to schedule separate searches asynchronously so that one search uses the results from the already-performed search. So it's simply that in some cases it seems to make much more sense than in others.
@gcusello Thank you so much for your quick response. The link you sent me is not working and I am getting a blank screen. When you get a chance, please send the name of the Add-On, so I can search for it in Splunkbase. Thank you again!
The result should contain the values common to both databases and also the unique/remaining values from Database2. Please help me with the query. Database1 Database2 Result A A A B B B C C C D  E E E F F   G G   H H
What do you mean by "the field abcd is already extracted"? Remember that most of the fields you work with in Splunk are so-called "search-time" extractions, which means that they are extracted dynamically when you are searching and displaying the data, while SEDCMD works at so-called "index-time", which means _before_ the data is written to Splunk's indexes. SEDCMD, as @richgalloway pointed out, does not know anything about the search-time extracted fields, so you can't rely on their values. SEDCMD is a regex-based text substitution which works on the _raw data. There is no concept of a field here whatsoever.