All Posts

Hi @man03359, probably your search doesn't run because you renamed a field and then used the previous field name. Anyway, in general, avoid using join because it's a very slow search; try using stats:

(index="idx-enterprise-tools" sourcetype="spectrum:alarm:json")
OR (index=idx-sec-cloud sourcetype=rubrik:json
    NOT (summary="*on demand backup*" OR custom_details.clusterName="ART1RBRK100P" OR custom_details.clusterName="ONT1RBRK100P" OR custom_details.clusterName="GRO1RBRK100P")
    (custom_details.eventName="Snapshot.BackupFailed" NOT (custom_details.errorId="Oracle.RmanStatusDetailsEmpty" OR custom_details.errorId="Vmware.VmwareCBTCorruption"))
    OR (custom_details.eventName="Mssql.LogBackupFailed")
    OR (custom_details.eventName="Snapshot.BackupFromLocationFailed" NOT (custom_details.errorId="Fileset.FailedDataThresholdNas" OR custom_details.errorId="Fileset.FailedFileThresholdNas" OR custom_details.errorId="Fileset.FailedToFindFilesNas"))
    OR (custom_details.eventName="Vmware.VcenterRefreshFailed")
    OR (custom_details.eventName="Hawkeye.IndexOperationOnLocationFailed")
    OR (custom_details.eventName="Hawkeye.IndexRetryFailed")
    OR (custom_details.eventName="Storage.SystemStorageThreshold")
    OR (custom_details.eventName="ClusterOperation.DiskLost")
    OR (custom_details.eventName="ClusterOperation.DiskUnhealthy")
    OR (custom_details.eventName="Hardware.DimmError")
    OR (custom_details.eventName="Hardware.PowerSupplyNeedsReplacement")
    OR (custom_details.location="*/MSSQLSERVER"))
| stats count(eval(custom_details.location="*/MSSQLSERVER")) as MsSqlServer BY host

Ciao.
Giuseppe
Hi guys, great discussion. It is both interesting and insightful to get to see and "listen in on" experts having both problems and being willing to do so publicly. Thank you. Cheers,
I am a noob with Splunk. I am trying to join two indexes in one search.

First index:

index="idx-enterprise-tools" sourcetype="spectrum:alarm:json"
| eval Host=substr(host,1,9)

Second index:

index=idx-sec-cloud sourcetype=rubrik:json
NOT (summary="*on demand backup*" OR custom_details.clusterName="ART1RBRK100P" OR custom_details.clusterName="ONT1RBRK100P" OR custom_details.clusterName="GRO1RBRK100P")
(custom_details.eventName="Snapshot.BackupFailed" NOT (custom_details.errorId="Oracle.RmanStatusDetailsEmpty" OR custom_details.errorId="Vmware.VmwareCBTCorruption"))
OR (custom_details.eventName="Mssql.LogBackupFailed")
OR (custom_details.eventName="Snapshot.BackupFromLocationFailed" NOT (custom_details.errorId="Fileset.FailedDataThresholdNas" OR custom_details.errorId="Fileset.FailedFileThresholdNas" OR custom_details.errorId="Fileset.FailedToFindFilesNas"))
OR (custom_details.eventName="Vmware.VcenterRefreshFailed")
OR (custom_details.eventName="Hawkeye.IndexOperationOnLocationFailed")
OR (custom_details.eventName="Hawkeye.IndexRetryFailed")
OR (custom_details.eventName="Storage.SystemStorageThreshold")
OR (custom_details.eventName="ClusterOperation.DiskLost")
OR (custom_details.eventName="ClusterOperation.DiskUnhealthy")
OR (custom_details.eventName="Hardware.DimmError")
OR (custom_details.eventName="Hardware.PowerSupplyNeedsReplacement")
OR (custom_details.location="*/MSSQLSERVER")
| rename custom_details.eventName as EventName custom_details.errorId as ErrorCode custom_details.clusterName as ClusterName custom_details.location as LocationName
| eventstats count(eval(custom_details.location="*/MSSQLSERVER")) as MsSqlServer by summary

I am trying like this, but I do not see any events, whereas both indexes are giving events for the same time frame:

index="idx-enterprise-tools" sourcetype="spectrum:alarm:json"
| eval Host=substr(host,1,9)
| join host [ search index=idx-sec-cloud sourcetype=rubrik:json
    NOT (summary="*on demand backup*" OR custom_details.clusterName="ART1RBRK100P" OR custom_details.clusterName="ONT1RBRK100P" OR custom_details.clusterName="GRO1RBRK100P")
    (custom_details.eventName="Snapshot.BackupFailed" NOT (custom_details.errorId="Oracle.RmanStatusDetailsEmpty" OR custom_details.errorId="Vmware.VmwareCBTCorruption"))
    OR (custom_details.eventName="Mssql.LogBackupFailed")
    OR (custom_details.eventName="Snapshot.BackupFromLocationFailed" NOT (custom_details.errorId="Fileset.FailedDataThresholdNas" OR custom_details.errorId="Fileset.FailedFileThresholdNas" OR custom_details.errorId="Fileset.FailedToFindFilesNas"))
    OR (custom_details.eventName="Vmware.VcenterRefreshFailed")
    OR (custom_details.eventName="Hawkeye.IndexOperationOnLocationFailed")
    OR (custom_details.eventName="Hawkeye.IndexRetryFailed")
    OR (custom_details.eventName="Storage.SystemStorageThreshold")
    OR (custom_details.eventName="ClusterOperation.DiskLost")
    OR (custom_details.eventName="ClusterOperation.DiskUnhealthy")
    OR (custom_details.eventName="Hardware.DimmError")
    OR (custom_details.eventName="Hardware.PowerSupplyNeedsReplacement")
    OR (custom_details.location="*/MSSQLSERVER") ]
| rename custom_details.eventName as EventName custom_details.errorId as ErrorCode custom_details.clusterName as ClusterName custom_details.location as LocationName
| eventstats count(eval(custom_details.location="*/MSSQLSERVER")) as MsSqlServer by summary
Hi @PickleRick, to my knowledge there wasn't any upgrade. In a few minutes I'll have a call with Splunk Support: I hope it goes well! Ciao. Giuseppe
Hi @vihshah, check what the conditions for user_name are with:

sourcetype="mykube.source" "failed request"
| rex "failed request:(?<request_id>[\w-]+)"
| search user_name=*
| table _time request_id user_name

or

sourcetype="mykube.source" "failed request"
| rex "failed request:(?<request_id>[\w-]+)"
| search user_name=* request_id=*
| table _time request_id user_name

Ciao.
Giuseppe
Hi, this is the opposite situation. I am looking to identify old saved searches that are scheduled, running and consuming resources but don't return results for several weeks (they are broken or incorrect), or that nobody checks (the user left and left the search scheduled). I tried the REST API, but the range is short, and index=_audit savedsearch_name!="" to find these searches, but it looks quite hard to identify whether a search is really broken or has not been used by a user or app for a longer time.
Hi Team, we are configuring it in our Splunk Web. My AWS namespace is custom/namespace, with metric 1, 2, ....; the metric is created with no dimensions. Configured in Splunk:

AWS account: xxx
AWS region: eu-west-1
index: B
Metrics Configuration: custom/namespace
Name: A
SourceType: aws:cloudwatch

I still don't see any logs. Am I configuring it the right way?
Yep, that got it working.
Thanks, I hadn't considered that. I'll give that a try.
Assuming you have a count per minute, you can add another timechart command:

| timechart span=1h max(count) as peak_per_minute
It was not my suggestion. I was asking whether someone didn't try to upgrade or do something else with that installation so that it was modified unbeknownst to you.
Hi, I'm after some assistance. I am trying to capture the peak number of concurrent users in a single minute block using timecharts. I can do this in one minute blocks no problem. Where this gets complicated is that I have been given the requirement that I should be able to change the timechart span from 1m to 1h and identify the peak minute with the highest number of users within each hour (if hour is selected) and display the number of users for that peak minute (rather than the peak number of users for that hour). Can anyone assist me with this, or advise if it's even possible? Thanks
Hi @gcusello, a little correction: user_name is displayed in the logs when we search with request_id. I used what you have given, but it is still not displaying user_name, so I removed the last

| table _time request_id user_name

to see if it is displaying user_name, but it is not displaying user_name, so I think the one below is not searching based on the request_id:

| search request_id=*
Hi @vihshah, let me understand: user_name is present only when there's also request_id? If this is your requirement, please try this:

sourcetype="mykube.source" "failed request"
| rex "failed request:(?<request_id>[\w-]+)"
| search request_id=*
| table _time request_id user_name

Ciao.
Giuseppe
Is it possible to do this using a Python script in the backend?
Hi @gcusello, regarding #2, I added the fields I was looking for. I tried the query below:

sourcetype="mykube.source" "failed request"
| rex "failed request:(?<request_id>[\w-]+)"
| table _time request_id user_name

However, I did not get `user_name` in my output. The reason was that user_name was not populated as part of my first search. user_name gets populated when I search by the `request_id` (but this request_id is not known to me before the first search). The issue here is that I cannot write 2 separate queries; I need to club both queries together to get the final result.
It is not clear which searches are giving which results: you mentioned 3 searches, but showed only two sets of panels. All the searches you have shown use earliest and latest settings which override anything you have chosen in the time picker, so it is not clear which time periods have been used for which sets of panels. Please clarify.
Hi @vihshah, let us know if we can help you more, or, please, accept one answer for the other people of the Community.

Ciao and happy splunking
Giuseppe

P.S.: Karma Points are appreciated by all the contributors