Providing the source of your dashboard (in a code block </>) would be useful, as would a sample of your lookup (anonymised appropriately).
| eval merged=API."|".host."|".method | chart count over merged by StatusCode | addtotals | eval API=mvindex(split(merged,"|"),0) | eval host=mvindex(split(merged,"|"),1) | eval method=mvindex(split(merged,"|"),2) | fields - merged
Hi, can we use the below to fetch only those events which are extracted by Search1 and not extracted by Search2, based on the field messageBusinessIdentifier?
`eoc_stp_events_indexes` host=p* OR host=azure_srt_prd_0001 NOT [ search (index=events_prod_srt_shareholders_esa OR index=eoc_srt) seev.047 Name="Created Disclosure Response Status Advice Accepted" | fields messageBusinessIdentifier ]
| fillnull value="-" timestampOfReception, messageOriginIdentifier, messageBusinessIdentifier, direction, messageType, currentPlatform, sAAUserReference
| sort timestampOfReception
| table timestampOfReception, messageOriginIdentifier, messageType, status, messageBusinessIdentifier, originPlatform, direction, sourcePlatform, currentPlatform, targetPlatform, senderIdentifier, receiverIdentifier
| rename timestampOfReception AS "Timestamp of reception", originPlatform AS "Origin platform", sourcePlatform AS "Source platform", targetPlatform AS "Target platform", senderIdentifier AS "Sender identifier", receiverIdentifier AS "Receiver identifier", messageOriginIdentifier AS "Origin identifier", messageBusinessIdentifier AS "Business identifier", direction AS Direction, currentPlatform AS "Current platform", sAAUserReference AS "SAA user reference", messageType AS "Message type"
While configuring RF and SH, can we configure it so that only one server is used for saving all copies of the data and does not participate in indexing, participating only in searching when needed?
Recently, I converted lookup files to .csv lookup files, and after converting them the dashboard result is showing nothing but this. If this helps, we have custom scripts in the backend.
Hi all, I need to display the results the same as below:
| chart count over API by StatusCode
API  200  300  400  400  total
--   ---  ---  --   --   ---
But I need to display more fields behind API, like host and method as well:
API  host  method  200  300  400  total
--   ---   ---     --   ---  ---  ----
Please help to get the results.
Hi, I want to extract only those events of Search1 for which there does not exist a result in Search2. Is it possible in Splunk? Similar to NOT EXISTS in DB2.
In a search for logid=13, I looked up the source of the returned events and they do have the logid information. Here is an extract:
eventtime=1701795599940432762 tz="+0100" logid="0000000013" type="traffic" subtype="forward" level="notice"
Can you check how those logids look in your original data (outside of Splunk), or at least in the _raw field? Just open the event and select "Event Actions -> Show Source".
@PickleRick I have to admit that I do not fully understand your explanation. Note that I get more results with a search for 0000000013 than for just 13.
@isoutamo Here are the outputs of other queries, still for the very same time intervals:
index=<myindex> logid=13 | stats count  ->  822,434
index=<myindex> logid="13" | stats count  ->  0
index=<myindex> logid=0000000013 | stats count  ->  3,183,571
index=<myindex> logid="0000000013" | stats count  ->  8,183,571
index=<myindex> logid=013 | stats count  ->  0
index=<myindex> | stats count by logid  ->
  0000000011  8,000
  0000000013  3,183,571
  0000000023  127,753
  0419016384  5,154
I wanted to see which records match 13 and not 0000000013 with the following request:
index=<myindex> logid=0000000013 AND logid!=13 | stats count
but the result is 0...
Actually, storage is usually not that much of a problem (although it does come with some overhead). It's mostly the loss of flexibility typically associated with Splunk that matters: an indexed field is indexed as is on the indexing pipeline and its value cannot be changed afterwards. Also, searching indexed fields is different from a "normal" Splunk search and can lead to unexpected results, especially if you don't configure your fields properly in fields.conf.
There are several possible approaches to this problem. One is to use a subsearch: https://docs.splunk.com/Documentation/Splunk/9.1.2/SearchTutorial/Useasubsearch
Long story short: if you have search1 returning a list of values for field1, you use NOT ([your search | returning | values | table field1]) as part of your main search. This, however, has its drawbacks, namely the typical limits of a subsearch: the number of returned results and the execution time limit. That means that your search can be silently finalized without you even realizing that you're getting incomplete/invalid results.
Another approach would be to append both of those result sets, adding a field which describes which search they come from, then do stats over the common field and filter out those that do have the identifier. Like:
<search1> | eval wherefrom=1
| append [ <search2> | eval wherefrom=2 ]
| stats values(*) as * by common_field
| where NOT wherefrom=2
Append, though, is also subject to subsearch limitations. If both your searches are streaming searches, you can use multisearch instead of appending results; multisearch is _not_ subject to subsearch limitations.
@cmg Yes, you should change the setting, but be aware that values, where there is an MV field, will now come in as lists and you may need to adjust your playbook(s) to handle that.
@cmg No, what you do is have a decision at the beginning of the automation that checks for a container tag; if present, don't continue, as it would show that the container has already been processed by that playbook. If not present, then continue, and the next action should be to add the tag you are looking for to the processed container. This means that the playbook would only 'fully' run once on each container. It may still run many times, but it will halt at the 1st decision. Then, if you do ever need to re-run the playbook, you just remove the tag.
Hi @Real_captain,
Please try something like this:
`eoc_stp_events_indexes` host=p* OR host=azure_srt_prd_0001 [ search (index=events_prod_srt_shareholders_esa OR index=eoc_srt) seev.047 Name="Created Disclosure Response Status Advice Accepted" | fields messageBusinessIdentifier ]
| table timestampOfReception, messageOriginIdentifier, messageType, status, messageBusinessIdentifier, originPlatform, direction, sourcePlatform, currentPlatform, targetPlatform, senderIdentifier, receiverIdentifier
In a few words: you have to use a subsearch, paying attention that the fields at the end of the subsearch are only the ones you want to use as keys and that the field names are exactly the same.
Ciao.
Giuseppe
Hello, thanks for the reply, I will try coalesce(). In my case "create additional indexed fields" improves search speed without giving a headache to non-regular Splunk users. Apart from the storage, are there any other drawbacks to consider?
Hi, here it is explained how to emulate SQL joins in SPL: https://community.splunk.com/t5/Splunk-Search/What-is-the-relation-between-the-Splunk-inner-left-join-and-the/m-p/391290/highlight/true#M113950
There are also several .conf presentations on how to join datasets without the join command, e.g. https://conf.splunk.com/files/2019/slides/FNC2751.pdf
r. Ismo
As Ismo said, make sure which license you have. By default Splunk installs with a trial license with most of the features (apart from clustering-related ones, as far as I remember), which is valid for 60 days. After that time you have the option to either use your installation with a Splunk Free license (which is limited: it doesn't include the ability to create multiple users, doesn't run scheduled searches, doesn't have forwarder management...) or provide a purchased commercial license/dev license/any other license. So if you open your Splunk web interface and it doesn't let you provide a user/password to log in, and your web interface doesn't contain the whole "Users and authentication" section, you're most probably using the Free license, not the Trial one. You can check which license you have by going to Settings -> System/Licensing.
How about this:
| makeresults
| eval Properties.appHdr = "{ \"fr\": { \"fiId\": { \"finInstnId\": { \"bicfi\": \"BNPAGB22PBG\" } } }, \"to\": { \"fiId\": { \"finInstnId\": { \"bicfi\": \"SICVFRPPEII\" } } }, \"bizMsgIdr\": \"res1caf3c2ac2b3b6d180ff0001aa7eefab\", \"msgDefIdr\": \"seev.047.001.02\", \"creDt\": \"2024-01-11T21:03:56.000Z\" }"
| fields - _time ```Generate test event```
| spath input=Properties.appHdr
| table bizMsgIdr *
Hi, can someone help to explain how we can use NOT EXISTS in Splunk? The example for which I need to use this function in Splunk is below.
1) Search1 generates a set of results.
2) Search2 also generates a set of results.
There is a common field between the 2 searches. I want to add a search in Splunk as below:
Results of Search1 (NOT EXISTS (results of Search2)) common field = Field1
Search1:
`eoc_stp_events_indexes` host=p* OR host=azure_srt_prd_0001 | table timestampOfReception, messageOriginIdentifier, messageType, status, messageBusinessIdentifier, originPlatform, direction, sourcePlatform, currentPlatform, targetPlatform, senderIdentifier, receiverIdentifier
Search2:
(index=events_prod_srt_shareholders_esa OR index=eoc_srt) seev.047 Name="Created Disclosure Response Status Advice Accepted" | table messageBusinessIdentifier
Field1: messageBusinessIdentifier