All Posts

Hi @vihshah, check what the conditions for user_name are with:

sourcetype="mykube.source" "failed request" | rex "failed request:(?<request_id>[\w-]+)" | search user_name=* | table _time request_id user_name

or

sourcetype="mykube.source" "failed request" | rex "failed request:(?<request_id>[\w-]+)" | search user_name=* request_id=* | table _time request_id user_name

Ciao.
Giuseppe
Hi, this is the opposite situation. I am looking to identify old saved searches that are scheduled, running and consuming resources but don't return results for several weeks (they are broken or incorrect), or that nobody checked (the user left and left the search scheduled). I tried the REST API, but the range is short, and index=_audit savedsearch_name!="" to find these searches, but it looks quite hard to identify if a search is really broken or has not been used by a user or app for a longer time.
Hi Team, we are configuring it in our Splunk Web. My AWS namespace is custom/namespace; metric 1, 2, ... each metric is created with no dimensions. Configured in Splunk:

AWS account: xxx
AWS region: eu-west-1
Index: B
Metrics Configuration: custom/namespace
Name: A
SourceType: aws:cloudwatch

I still don't see any logs. Am I configuring it in the right way?
Yep, that got it working.
Thanks, I hadn't considered that. I'll give that a try.
Assuming you have a count per minute, you can add another timechart command:

| timechart span=1h max(count) as peak_per_minute
It was not my suggestion. I was asking whether someone didn't try to upgrade or do something else with that installation so that it was modified unbeknownst to you.
Hi, I'm after some assistance. I am trying to capture the peak number of concurrent users in a single minute block using timecharts. I can do this in one minute blocks no problem. Where this gets complicated is that I have been given the requirement that I should be able to change the timechart span from 1m to 1h and identify the peak minute with the highest number of users within each hour (if hour is selected) and display the number of users for that peak minute (rather than the peak number of users for that hour). Can anyone assist me with this, or advise if it's even possible? Thanks
Hi @gcusello, a little correction: user_name is displayed in the logs when we search with request_id. I used what you have given, but it is still not displaying user_name, so I removed the last | table _time request_id user_name to see if it is displaying user_name, but it is not displaying user_name, so I think the one below is not searching based on the request_id:

| search request_id=*
Hi @vihshah, let me understand: user_name is present only when there's also request_id? If this is your requirement, please try this:

sourcetype="mykube.source" "failed request" | rex "failed request:(?<request_id>[\w-]+)" | search request_id=* | table _time request_id user_name

Ciao.
Giuseppe
Is it possible to do it using a Python script in the backend?
Hi @gcusello, regarding #2, I added the fields I was looking for. I tried the query below:

sourcetype="mykube.source" "failed request" | rex "failed request:(?<request_id>[\w-]+)" | table _time request_id user_name

However, I did not get `user_name` in my output. The reason was that user_name was not populated as part of my first search. user_name gets populated when I search by the `request_id` (but this request_id is not known to me before the first search). The issue here is that I cannot write 2 separate queries; I need to combine both queries to get the final result.
It is not clear which searches are giving which results: you mentioned 3 searches, but showed only two sets of panels. All the searches you have shown use earliest and latest settings, which override anything you have chosen in the time picker, so it is not clear which time periods have been used for which sets of panels. Please clarify.
Hi @vihshah, let us know if we can help you more, or, please, accept one answer for the other people of the Community.

Ciao and happy splunking
Giuseppe

P.S.: Karma Points are appreciated by all the contributors
Hi @uagraw01, if you were in License Violation, indexing didn't stop, only searching was stopped, so you should have all the logs, also for the no-licensing period. If you haven't (as from your screenshot), there is another reason for this, as I described in my answer.

Ciao.
Giuseppe
Okay, let me try.
So you mean that after the restart of Splunk, the previous data should be visible.
The numbers in the panels are the same when trying different time ranges, as I mentioned in the search query above.
The principle of what you are doing is correct. So, if it is not working, it may come down to the actual data, which understandably you might not want to share. How are the values which are getting through different from the ones which are being removed? How large is your lookup table? Are there any special characters being used?