All Posts

How to display the top 10 and replace the rest with "Others"? I tried using top limit=5 with useother, but the numbers didn't match and it showed other fields like count, percent and _tc. This is just an example; I have a lot of fields and rows in the real data. Thank you for your help.

| addcoltotals labelfield=Name
| top limit=5 useother=t Name Score     ==> numbers didn't match

Before (Expense):

     Name           Score
  1  Rent            2000
  2  Car             1000
  3  Insurance        700
  4  Food             500
  5  Education        400
  6  Utility          200
  7  Entertainment    100
  8  Gym               70
  9  Charity           50
 10  Total           5020

After (Expense):

     Name           Score
  1  Rent            2000
  2  Car             1000
  3  Insurance        700
  4  Food             500
  5  Education        400
  6  Others           420
  7  Total           5020
Argh. This is a case of very badly prepared data. And without external manipulation you won't get it into Splunk (or parse it after ingestion). The <Data> part of your data is so badly organized that there is no explicit relationship between the <ColumnNames> and <DataRows>. Whoever thought about preparing data in this format did it very, very wrong. Even if you were to manipulate it with a solution other than Splunk, you'd have a hard time composing those associations between column names and their values because of the need to externally keep the order of those values.
You can extend this search of the _audit index to find those searches that have result_count=0. But to be fully honest, it seems like a case of underdocumenticitis: you have no control over what your users do and no documentation for it. And that's the root cause of your problem.
Hi, I have two sets of JSON data. I want to find the keys which are unique in one dataset and also the keys which are missing in it in comparison with the other dataset.

My first data set looks as below:

{
  "iphone":  { "price": "50", "review": "Good" },
  "desktop": { "price": "80", "review": "OK" },
  "laptop":  { "price": "90", "review": "OK" }
}

My second data set looks as below:

{
  "tv":      { "price": "50", "review": "Good" },
  "desktop": { "price": "60", "review": "OK" }
}

Therefore, for the first data set (w.r.t. the second data set): the unique values will be iphone and laptop, and the missing value will be tv.

How can I find this difference and show it in a table with columns like "uniq_value" and "missing_value"? I could only write the query up to this point, but this is only half of it and not what I want:

index=product_db
| eval p_name=json_array_to_mv(json_keys(_raw))
| eval p_name=mvfilter(NOT match(p_name, "uploadedBy") AND NOT match(p_name, "time"))
| mvexpand p_name
| table p_name

Thanks
This was very helpful. Thank you so much!
Even though I configured AWS correctly, I am getting this error in Splunk:

Metric event data without a metric name and properly formatted numerical values are invalid and cannot be indexed. Ensure the input metric data is not malformed, have one or more keys of the form "metric_name:<metric>" (e.g. "metric_name:cpu.idle") with corresponding floating point values.
Hi @vihshah, I don't know how the field is named, maybe "OrderDetails.user_name"; check its correct name under Interesting Fields. If instead the issue is the extraction of the field, it seems to be a JSON log, so you could use spath to extract fields. If instead you want to use a regex, please share a sample of your logs. Ciao. Giuseppe
The issue was resolved by manually creating the index, which we thought was created automatically based on the command in the documentation. So if you face this same error message, you need to create the index manually and then run the rebuild command again.
I appreciate your response. I tried the one below, but the field contains more information than just the credit card number. I'm wondering how I can mask the credit card number and expiration date when the field value contains them along with other information.

Field name: abcd
Field value: n required YES Accommodation [Bucharest] 5 Nights – Novotel Bucharest HDFC Master card number 1234 4567 0002 4786 Expiry Date of HDFC card 02/28 Any other relevant info Thanks and Regards, santhosh. From

SEDCMD-accmasking = s/abcd=(.)(\d{4}-){3}(\d{4})/cc=xxxx-xxxx-xxxx-\2/

But to be honest, I am not very confident about this part of Splunk. Could you please help me?
We did, basically: /opt/Splunk/... The screenshot above was just to show the error message.
Thanks for the reply. Actually we did that; the above was just an example to show the error message.
What have you tried so far and how did those attempts not meet expectations?
Would you kindly assist us in hiding the credit card number and expiration date in the following field?

some ab n required YES Accommodation [Bucharest] 5 Nights – Novotel Bucharest HDFC Master card number 1234 4567 0009 2321 Expiry Date of HDFC card 01/26 Any other relevant info Thanks and Regards, Murali. From
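The two masking questions above (the one with the SEDCMD-accmasking stanza and this re-ask) share the same shape of data: a free-text field in which the card number groups are separated by spaces and the expiry date follows the words "Expiry Date of ... card". The posted SEDCMD only matches groups joined by hyphens, so it never fires on that sample. The Python below is an added example, not code from either poster or from Splunk, that checks the posted pattern against a constructed copy of the sample and then applies a pattern that tolerates space, hyphen or no separator and masks the expiry as well. The field name, the Splunk stanza in the comment and the sample values are assumptions for illustration; the card numbers are the test values from the thread, not real cards.

```python
import re

# Constructed sample modelled on the field value posted in the thread (test data, not a real card).
SAMPLE_EVENT = (
    "abcd=n required YES Accommodation [Bucharest] 5 Nights - Novotel Bucharest "
    "HDFC Master card number 1234 4567 0009 2321 Expiry Date of HDFC card 01/26 "
    "Any other relevant info"
)

# The thread's SEDCMD regex, translated one-to-one: it requires "abcd=", one character,
# then three hyphen-terminated groups, so space-separated groups never match.
POSTED_PATTERN = re.compile(r"abcd=(.)(\d{4}-){3}(\d{4})")

# Four 4-digit groups separated by space, hyphen or nothing; keep only the last group.
PAN_PATTERN = re.compile(r"\b(\d{4})[ -]?(\d{4})[ -]?(\d{4})[ -]?(\d{4})\b")

# MM/YY or MM/YYYY that follows "Expiry Date of <issuer> card".
EXPIRY_PATTERN = re.compile(r"(Expiry Date of \w+ card\s+)\d{2}/\d{2,4}")


def posted_pattern_matches(text):
    """True if the SEDCMD regex from the thread would fire on this text."""
    return POSTED_PATTERN.search(text) is not None


def mask_card_data(text):
    """Mask every PAN-shaped number to xxxx-xxxx-xxxx-<last4> and blank the expiry date.

    Masking is deliberately not gated on a Luhn check: for data that must not reach
    the index, over-masking a lookalike number is the safer failure mode.
    """
    text = PAN_PATTERN.sub(r"xxxx-xxxx-xxxx-\4", text)
    text = EXPIRY_PATTERN.sub(r"\1xx/xx", text)
    return text


# Assumed props.conf equivalent for the same two substitutions (sed syntax, applied at
# index time on the sourcetype; verify against your own events before relying on it):
#   [your_sourcetype]
#   SEDCMD-mask_pan    = s/\b(\d{4})[ -]?(\d{4})[ -]?(\d{4})[ -]?(\d{4})\b/xxxx-xxxx-xxxx-\4/g
#   SEDCMD-mask_expiry = s/(Expiry Date of \w+ card\s+)\d{2}\/\d{2,4}/\1xx\/xx/g

if __name__ == "__main__":
    print("posted pattern matches sample:", posted_pattern_matches(SAMPLE_EVENT))
    print(mask_card_data(SAMPLE_EVENT))
```

Because SEDCMD runs at index time, events that were already indexed stay unmasked; run the pattern over a representative sample of raw events first, since a 16-digit order or reference number would also be masked by the PAN pattern.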
What events do you have in Splunk to work with?
Hi @isoutamo, yes, I can see the Entry data in a separate event, but no fields are parsed from it. I need the fields and values to be parsed like the table below.

Field Name           Field Value
Sender Component     XYZ
Receiver Component   ABC
Interface            Mobile
System Error         -
Waiting              3
<?xml version="1.0" encoding="UTF-8" ?>
<Results xmlns:xsi="http://www.w3.org">
  <Result>
    <Code>OK</Code>
    <Details>LoadMessageOverviewData</Details>
    <Text>Successfull</Text>
  </Result>
  <Data>
    <ColumnNames>
      <Column>Sender&#x20;Component</Column>
      <Column>Receiver&#x20;Component</Column>
      <Column>Interface</Column>
      <Column>System&#x20;Error</Column>
      <Column>Waiting</Column>
    </ColumnNames>
    <DataRows>
      <Row>
        <Entry>XYZ</Entry>
        <Entry>ABC</Entry>
        <Entry>Mobile</Entry>
        <Entry>-</Entry>
        <Entry>3</Entry>
      </Row>
    </DataRows>
  </Data>
</MessageStatisticsQueryResults>

Hi @PickleRick, above is my XML data. My expected parsed data is below:

Field Name           Field Value
Sender Component     XYZ
Receiver Component   ABC
Interface            Mobile
System Error         -
Waiting              3
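The answer earlier in this list says the <ColumnNames> and <DataRows> blocks are related only by position, so the data has to be reshaped outside Splunk. The Python below is an added example of that external step, not code from either poster: it zips each row's entries with the column list in document order and emits one JSON object per row, which a JSON sourcetype can then extract without any regex work. The sample XML is constructed from the fragment posted above, with a matching </Results> closing tag so it parses, and a second, shorter row added to show the failure mode the answer warns about. The _parse_warning field name and the strict flag are assumptions for illustration.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample modelled on the posted <Data> block; the posted fragment's closing
# tag does not match its root, so this copy closes with </Results> to be well-formed.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<Results xmlns:xsi="http://www.w3.org">
  <Result>
    <Code>OK</Code>
    <Details>LoadMessageOverviewData</Details>
    <Text>Successfull</Text>
  </Result>
  <Data>
    <ColumnNames>
      <Column>Sender&#x20;Component</Column>
      <Column>Receiver&#x20;Component</Column>
      <Column>Interface</Column>
      <Column>System&#x20;Error</Column>
      <Column>Waiting</Column>
    </ColumnNames>
    <DataRows>
      <Row>
        <Entry>XYZ</Entry>
        <Entry>ABC</Entry>
        <Entry>Mobile</Entry>
        <Entry>-</Entry>
        <Entry>3</Entry>
      </Row>
      <Row>
        <Entry>DEF</Entry>
        <Entry>GHI</Entry>
        <Entry>Web</Entry>
      </Row>
    </DataRows>
  </Data>
</Results>
"""


def rows_to_records(xml_text, strict=False):
    """Pair each <Row>'s <Entry> values with <ColumnNames> by position.

    The only link between names and values is document order, so a row whose
    entry count differs from the column count is ambiguous. With strict=True that
    raises; otherwise missing columns become None, surplus entries are dropped,
    and a _parse_warning field makes the shift visible in Splunk instead of
    silently attributing values to the wrong column.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    # The parser decodes &#x20; to a plain space, giving "Sender Component" etc.
    columns = [(c.text or "").strip() for c in root.findall("./Data/ColumnNames/Column")]
    records = []
    for row in root.findall("./Data/DataRows/Row"):
        entries = [(e.text or "").strip() for e in row.findall("Entry")]
        if len(entries) != len(columns) and strict:
            raise ValueError(f"row has {len(entries)} entries, expected {len(columns)}")
        rec = {name: (entries[i] if i < len(entries) else None) for i, name in enumerate(columns)}
        if len(entries) != len(columns):
            rec["_parse_warning"] = f"{len(entries)} entries for {len(columns)} columns"
        records.append(rec)
    return records


def to_json_lines(xml_text):
    """One JSON object per row, suitable for a sourcetype with INDEXED_EXTRACTIONS=json."""
    return "\n".join(json.dumps(r, ensure_ascii=False) for r in rows_to_records(xml_text))


if __name__ == "__main__":
    print(to_json_lines(SAMPLE_XML))
```

Run the script as a scripted input or in the pipeline that fetches the XML, and monitor for _parse_warning in the index: a row that arrives short is the case where a column shift would otherwise make a "System Error" value land under "Interface".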
Hi, I want to create a search query that looks for users who have received phishing emails, clicked the link, or downloaded a file from the email. Thanks
Joins (with the join command) are generally best avoided as they are slow and have limitations. However, if you want to continue down this route, you should also note that field names are case sensit... See more...
Joins (with the join command) are generally best avoided as they are slow and have limitations. However, if you want to continue down this route, you should also note that field names are case sensitive, so if you were expecting Host from one set of events to be "joined" with host in the other set of events, they would have to share exactly the same field name. Without you sharing some sample events, it is not easy to determine whether this is your issue.
You asked a question, I gave you a suggestion, you have completely ignored my suggestion. Please try what I suggested and share your results.
@gcusello okay, I think I know my issue: my user_name is part of an object string like the one below. If this is the case, how can I search it?

OrderDetails{userId:"1", user_name:"A"}