All Posts

Here's an alternative using rex and eval that should accommodate chars that aren't XML entities:

| rex field=name max_match=0 "(?<name>(?:&#[^;]+;|.))"
| eval name=mvjoin(mvmap(name, if(match(name, "^&#"), printf("%c", if(match(name, "^&#x"), tonumber(replace(name, "[&#x;]", ""), 16), tonumber(replace(name, "[&#;]", ""), 10))), name)), "")

If I were using any of these solutions myself, I'd choose spath. It should handle any valid XML without needing to handle edge cases in SPL.
Hi all, I actually have to decommission 6 indexers on a 9/9 multi-site cluster of indexers. The command passed: splunk offline --enforce-counts. 3 days have passed, and I'm still having a large amount of buckets for the offlined indexer. Buckets don't reduce... or only by a very little amount. The indexer is still in "Decommissioning" status in the Cluster Master (Settings/Indexer clustering). The RF/SF is KO. There are no more active tasks (all complete, around 12,000 tasks performed and OK) except for 4 tasks which are waiting for the RF/SF to be back to OK (pending). All the indexers of both sites are communicating well with one another. Has anybody already encountered this problem? I have checked error messages (splunkd.log) in the CM / decommissioned indexer / other indexers and I don't find any relevant messages or errors. Is it safe to launch a rolling restart? Or should I restart splunkd on the decommissioned indexer? Thanks for any help.
@sidtalup27 I have the exact same issue: there is nothing wrong with the port configuration on the VM and everything looks fine with the NSG at Azure, but I'm still facing issues with Splunk Web. Were you able to solve the issue you had?
That's another story. In order to keep the forums tidy, please create a separate thread for a new problem. Describe precisely what's going on and we'll see if we can help you.
Hi @Veerendra, the lookup isn't relevant, it depends on the fields you have. You have to adapt the code I sent to your lookup, not the lookup to the code. Ciao. Giuseppe
Hi @gcusello, could you please send me the lookup file you are using?
Okay, thank you, and what is this _key that you have used?
Hi @AL3Z , this means that the issue on the upload procedure is solved, now you have to debug your code to understand if there's something wrong or missing, e.g. an image or a JS. If you need help, you should share the dashboard code (only if it's in Classical Dashboard). Ciao. Giuseppe
@gcusello, yes, it is in the dashboard running. Do you want me to paste the source code of the dashboard here?
Hi @Veerendra, no, the solution to have all in one panel is to use a JS; this is a workaround that I created to avoid using JS. Ciao. Giuseppe
@gcusello Thanks for the sample code. I would like to ask whether we can do the same in a single panel, where we click the record and it is updated in the same panel?
Hi @AL3Z, where is the issue: in the upload procedure or in the dashboard running? If in the upload procedure, the message should say which object has the issue. If in the dashboard running, there's something wrong or missing in the dashboard. Ciao. Giuseppe
@gcusello @PickleRick, I have changed the permissions successfully, but after installing it is throwing a new error:

Something went wrong! Failed to load current state for selected entity in form!
Details
Error: Request failed with status code 500 ERR0005

How do we fix this issue, any idea? Thanks in advance.
Index names don't matter here. It's about the data in indexes. Anyway, perfmon data does not include OS version as far as I remember, so you need to make sure you have this ingested another way. What data you have in your linux index is beyond me; you should have it documented somewhere. I suppose you have TA_nix deployed across your environment and some inputs enabled, but we don't know which ones and what data you're ingesting. So the question is what data you _have_. If you know this, you'll probably know what to search for yourself.
As @gcusello already pointed out, if working with _time it's usually (there are some use cases against it, but they are rare) good to leave it as a unix timestamp throughout your whole search pipeline and only render it to human-readable text at the end for presentation. (You can also use fieldformat to keep the data in machine-convenient form but present the time to the user as a formatted string; that's my preferred approach.) The question is what kind of data you actually have and how your firewall reports traffic on an ongoing connection. Some firewalls (for example Juniper) give you an event on flow creation and on flow closing, with just one value on session close giving you summarized traffic across the whole flow. Other firewalls can give you "keep-alive" events on already established sessions, providing you with differential traffic updates (but some can also give you aggregated traffic over the whole session). So it's not that obvious how to query for that data. Also, if you have your data normalized into a CIM datamodel and your datamodel accelerated, you could use that datamodel to make your searches way way faster.
This is a very very old thread. It's highly unlikely that its participants are still on this forum. If you have a similar problem, just post a question with a description of your issue in a new thread, possibly putting a link to this thread for reference.
And how did you come up with the range() stats function? This function is for something completely different: it tells you what's the difference between the lowest and highest value in your result set, whereas you want to count things. The range() function is completely unsuited for this. You should be doing count by Account_Name. In order to make it over a sliding window, you need to use streamstats with a proper time window.

<your_initial_search>
| streamstats time_window=10m count by Account_Name

This will give you counts of logins over 10 minute windows. From this you'll be able to pick the one with the highest count. For example with

| sort - count
| head
I want to search for an Account_Name that has the maximum number of login attempts within a span of 10 minutes with the range() function... I don't know how I can provide the parameters to this function... some help will be appreciated!
Where exactly do you see this error?
Hi @rsreese, sorry, I didn't notice the "Dashboard Studio" label! No, it works only in Dashboard Classic: I haven't started using Dashboard Studio yet because it still can't do everything I can do with the Classic version. Ciao. Giuseppe