All Posts

Hi, I concatenate strings that I want successfully, but I can't use it to find data when I put the strings into a subsearch. Here's my code below:

index="list" device=C*
| eval x="IPAD,NB,PC"
| eval x=split(x, ",")
| mvexpand x
| eval combine="device_No=" . x
| stats values(combine) as combine
| eval final_condition=mvjoin(combine, " OR ")
| search final_condition
Can anyone point me to where this escaping is documented in the Splunk manuals? I came across it in a dashboard today and have not been able to track it down - very confusing until a colleague told me what it did.
Hello @richgalloway, thank you so much for your quick response. Regarding the Add-on, I haven't, but your link is not working.
Have you tried installing the Splunk Add-on for Microsoft Windows (https://splunkbase.splunk.com/app/742) on that UF?
Hello, I have a Windows machine with a UF installed on it. How can I configure my Universal Forwarder to ingest Windows performance monitoring logs into Splunk? Our Windows source server is located in a different location from where Splunk should be getting the performance data. Any help would be greatly appreciated. Thank you!
It's not clear if your two datasets are in the same event or in different events. Generally you can use mvmap to compare multivalue fields in the same event for unique/missing; see this example.

| makeresults
| eval data1="{ \"iphone\": { \"price\" : \"50\", \"review\" : \"Good\" }, \"desktop\": { \"price\" : \"80\", \"review\" : \"OK\" }, \"laptop\": { \"price\" : \"90\", \"review\" : \"OK\" } }", data2="{ \"tv\": { \"price\" : \"50\", \"review\" : \"Good\" }, \"desktop\": { \"price\" : \"60\", \"review\" : \"OK\" } }"
| eval p_name_1=json_array_to_mv(json_keys(data1))
| eval p_name_2=json_array_to_mv(json_keys(data2))
| eval p_unique=mvmap(p_name_1, if(isnull(mvfind(p_name_2, "^".p_name_1."$")), p_name_1, null()))
| eval p_missing=mvmap(p_name_2, if(isnull(mvfind(p_name_1, "^".p_name_2."$")), p_name_2, null()))
| table data1 data2 p_unique p_missing
As I said in my original reply, you just have to set up the anchors correctly. regex101.com is a great site for testing regex.
Yes, except you haven't shown what you would be sorting by. The original ask was to sort by Score descending. How would you sort if you also had Score2 and Score3?
Hello, I meant that if I used the following, the "other" won't match the rest of the numbers. Thanks

| top limit=5 useother=t Name Score
Hello, if I have additional fields (Score2, Score3), should I add those fields in the search like below? I am not sure how to do it on eval Name. Please suggest. Thank you for your help.

| streamstats count as row sum(Score) as running, sum(Score2) as running2, sum(Score3) as running3
| eventstats sum(Score) as total, sum(Score2) as total2, sum(Score3) as total3
| where row <= 7
| eval Score=case(row == 6, total - running + Score, row == 7, total, true(), Score)
| eval Score2=case(row == 6, total2 - running2 + Score2, row == 7, total2, true(), Score2)
| eval Score3=case(row == 6, total3 - running3 + Score3, row == 7, total3, true(), Score3)
| eval Name=case(row == 6, "Other", row == 7, "Total", true(), Name)
| fields - row running running2 running3 total total2 total3
Sorry for not being clear. The process of building these VMs is ongoing, and during this process we would like to be absolutely sure that these VMs are ready to host all the Splunk components. For example, our SE suggested to check the following:

- THP turned off
- All internal logs are being forwarded to the indexer tier
- MC set up
- Splunk running as the correct user
- Splunk restart enabled

So I wonder what would be the best way to ensure that these VMs are built correctly? I'm thinking about a scripted input and a dedicated dashboard to monitor and verify all the settings. Do you have any other suggestions, by any chance?
Thanks for the response. How do I do step 4, modifying searches/apps to use the realName field as the owner?
Works perfectly, thanks
great! thank you
FYI, and perhaps this will be helpful to others. I was getting all the same errors and finding little of use in the log files. In my case the problem was that something had deleted these files:

C:\Program Files\Splunk\etc\apps\splunk_app_db_connect\windows_x86_64\bin\dbxquery.exe
C:\Program Files\Splunk\etc\apps\splunk_app_db_connect\windows_x86_64\bin\server.exe

Files of the same name still existed under:

...\windows_x86\bin
...\linux_x86\bin
...\linux_x86_64\bin

So we suspect some antivirus or similar must have deleted them for some reason. As soon as I put them back, DB Connect was fine.
Look in the internal python.log for "sendemail" to see if Splunk had a problem sending the email to your SMTP server. If there's nothing there, then contact your email admin for help.
Hi @Geoff.Wild, I, unfortunately, don't have an answer to that. If I can find anything on that, I will report back.
Oh wait, these have to be in order; what if I wanted to grab a field that is 10 fields before this? Expanded sample data:

dvchost=asdf.ghi.com NodeType=Windows Server NodeTypeLabel=Node Type Rule=Critical System Settings RuleLabel=Rule RuleType=Windows Registry Rule RuleTypeLabel=Rule Type fname=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoWebServices ChangeType=Added ChangeTypeLabel=Change Type SeverityName=High SeverityNameLabel=Tripwire Severity Name VersionOID=-1y2p0ij32e8cf:-1y2p0iizs0ilf VersionOIDLabel=Version OID SeverityNumber=10000 SeverityNumberLabel=Tripwire Severity Number sproc=C:\Windows\System32\svchost.exe licurl=https://abcd.ghi.com/console/lic.search.cmd?lic=true&managerId=nodeManager&pageId=nodeManager.elementFinderPage&searchCriteria=%7B%22search.element.nodeGroup.selectedObject%22%3A%22-1y2p0ij32e8bm%3A-1y2p0ij02lp4k%22%2C%22search.element.name.op%22%3A1%2C%22search.element.name%22%3A%22HKEY_LOCAL_MACHINE%5C%5CSoftware%5C%5CMicrosoft%5C%5CWindows%5C%5CCurrentVersion%5C%5CPolicies%5C%5CExplorer|NoWebServices%22%2C%22selectedSearchType%22%3A%22element%22%2C%22search.element.ruleGroup.selectedObject%22%3A%22-1y2p0ij32e7p1%3A-1y2p0ij32bgh0%22%2C%22criteria.searchExecuted%22%3Atrue%7D start=Jan 07 2024 06:07:45 duser=NT AUTHORITY\SYSTEM dvc=10.10.10.10 rt=Jan 29 2024 04:41:24 dhost=abcd.ghi.com SHA-1=Not available MD5=Not available Size=Not available content=0x00000001 (1) contentLabel=Current Version Content timezone=Pacific Standard Time timezoneLabel=Time Zone elementOID=-1y2p0ij32e8ca:-1y2p0ij02lo5f elementOIDLabel=Element OID blVersion=false blVersionLabel=Is baseline version hardCodedIP=10.10.10.10

Say I wanted the fields NodeType, RuleType, fname, duser, sproc? Thanks
Why do you say the numbers don't match? Instead of 200, 100, 70, 50 you have one row with a value of 420.
That's not the same regex as the one I provided. Spaces are significant. Here's a variation with more explicit spaces.

SEDCMD-accmasking = s/card number \d{4}\s\d{4}\s\d{4}\s(\d{4})/card number xxxx xxxx xxxx \1/