Try including by _time on this line:
| stats values(NumberOfAuthErrors) AS NumberOfAuthErrors, values(TotalRequest) AS TotalRequest by _time
Probably a few ways of doing this, but if you have access to index=_internal you can try something like this.
index=_internal component=Metrics group=per_index_thruput earliest=-30d@d latest=now
| bucket span=1h _time
| stats sum(kb) as hourly_kb, sum(ev) as hourly_events by _time, series
| stats earliest(_time) as earliest_event, latest(_time) as latest_event, count as sample_size, avg(hourly_kb) as avg_hourly_kb, sum(hourly_kb) as total_kb, avg(hourly_events) as avg_hourly_events, sum(hourly_events) as total_events by series
| convert ctime(earliest_event), ctime(latest_event)
| rename series as index
I want the base URL of the asset of the HTTP app to be dynamic and filled with the information that I take from the sources (artifact) through a flow, as I would do to replace the one that is inserted in the asset. By default, this is in the HTTP app with the get data method.
Hi All, I'm trying to calculate the failureRate as a percentage between the NumberOfAuthErrors column and the TotalRequest column, but I do not get any values. I do have two columns of values. I would like to calculate the failureRate for each ROW.
[SEARCH]
| bin _time span=15m
| stats count as NumberOfAuthErrors by _time
| append [ SEARCH | bin _time span=15m | stats count as TotalRequest by _time ]
| stats values(NumberOfAuthErrors) AS NumberOfAuthErrors, values(TotalRequest) AS TotalRequest
| eval failureRate = round((NumberOfAuthErrors / TotalRequest) * 100,3)
| table TotalRequest NumberOfAuthErrors failureRate
Thanks
Hi, I am looking for a search to list out all of the indexes in Splunk. I know how to get the full list but am looking for a clear way to get a list of the ones being used and actively receiving data within the last 30 days. Thanks in advance!
Thank you mate for the help. The corrected one below helped with faster results.
| chart latest(Count) as Count by ProcessDate, Name
| sort 0 - ProcessDate
| transpose 0 column_name=Name header_field=ProcDate
https://docs.splunk.com/Documentation/Splunk/9.1.2/Security/Rolesandcapabilities
schedule_search: Lets the user schedule saved searches, create and update alerts, review triggered alert information, and use the sendemail command. So this capability is by default provided to power user roles. You can clone the power user role to a custom name for your organization. Inside that cloned version you can remove the above capability. Some apps such as ITSI are preset to inherit the power user role, so you still have to watch the inherited capability lists.
Updated: copied and pasted the wrong capability originally.
Good Morning, I am running into an issue where my two newest Server 2022 endpoints have events that are showing up non-XML, whereas all my other endpoints are outputting in XML. I have renderXml=true in the inputs.conf and the inputs.conf files in the Splunk_TA_windows are the same for each endpoint. I can't find the difference causing this. One thing I have learned through this is that I may prefer non-XML so if these two endpoints are not respecting renderXml=true, how do I know all the others will respect the false value to match them all up? Is there somewhere overriding this? I have not edited any \etc\system\default\inputs.conf files. They're all in local or an app. Thank you in advance! Edit: I am on Splunk Cloud. Scott
It sounds like the original data has too many lines/events. You may want to implement EventBreaker or LineBreak in your props.conf on ingest before you need to apply any search-time eval or mvexpand.
| transpose 0 column_name=Date header_field=Name | sort 0 -Date | transpose 0 column_name=Name header_field=Date
No, it is not working
Try:
| chart latest(Count) as Count by Name, ProcessDate
| sort ProcessDate desc
Found a very similar request under this previously answered question. https://community.splunk.com/t5/Splunk-Search/How-to-display-column-results-in-descending-order/m-p/405619
Hello, I tested your solution and it worked. Thank you for your help.
1) If I put eval on employee_data, will it change the original data?
2) I applied the solution to the real data and got the following error. How do I fix this without increasing the memory limit?
command.mvexpand: output will be truncated at 1000 results due to excessive memory usage. Memory threshold of 500MB as configured in limits.conf / [mvexpand] / max_mem_usage_mb has been reached
SEDCMD-strip-tcp-priority=s/^<\d+>\d\s//
I have a chart formed like below, and its dynamic columns are created based on process date. By default the column header sort is happening from lower to higher value, but I am looking for a format where the ProcessDate headers go from higher to lower.
Query:
| chart latest(Count) as Count by Name, ProcessDate
Current output:
Name    20240101  20240102  20240103
xyz     NA        NA        NA
123     NA        NA        NA
Expected output:
Name    20240103  20240102  20240101
xyz     NA        NA        NA
123     NA        NA        NA
Hi @avadhutha - I'm a Community Moderator in the Splunk Community. This question was posted 10 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
Is there a way to disable all email capabilities for a particular role in Splunk? The data in our deployment has to be strictly contained for compliance reasons, so email capability should be strictly limited to users with admin access. Is there a way to do this? I'm having a hard time finding this in the docs. 
The syntax you gave is the right one for adding a new SH to a cluster, but you don't need it just to install ES on an SH.  Create a new SH and install ES on it using the instructions in the ES manual.
I'm trying to set up the HTTP app to access the Cisco Secure Endpoint API (v3). I've generated the access token following the instructions found here. I can send a curl request in POSTMAN, using the access token, to get organisation details. So I know the access token is ok:
curl -s 'https://api.amp.cisco.com/v3/organizations?size=10' \
  --header "Authorization: Bearer eyJhbGciOiJ....."
When I enter the same value in the access_token field in the HTTP app and test connectivity, I always receive the following error status code:
error 401 Data from server: {"errors":["Missing token"]}
I'm not sure what to enter for the Type of Authentication Token, so maybe that's where I'm messing it up. I think it should be Bearer, because that's the only thing in the POSTMAN header other than the token itself. Note that I haven't entered anything in any of the other authentication fields (username, password, url, Client ID, Client Secret). And also, I get the same error if I don't enter anything in the access token field. Basically, it's just ignored.