All Posts
OK. Thanks for your help.   index=<myindex> logid="0000000013" AND logid!="13" | stats count gives 3,183,571.
Hi @Nawab, no it isn't possible: in Splunk, data are replicated between all the indexers (based on Replication Factor and Search Factor) and all the indexers participate in searches. You can choose the number of copies of replicated raw data (Replication Factor), which use around 15% of the original data, and the number of copies of idxs (Replication Factor), which use around 35% of the original data. For more info see https://docs.splunk.com/Documentation/Splunk/9.1.2/Indexer/Aboutclusters. Ciao. Giuseppe
Hello Community, we have a challenge with our SysMon instance. While testing compatibilities we noticed that after SysMon gets upgraded it no longer talks to the SIEM, for some weird reason. Has anyone experienced anything like this before? Regards, Dan
Hi @Real_captain, sorry, if you want to exclude results from search 2 you have to use the NOT operator:

`eoc_stp_events_indexes` host=p* OR host=azure_srt_prd_0001
NOT [ search (index=events_prod_srt_shareholders_esa OR index=eoc_srt) seev.047 Name="Created Disclosure Response Status Advice Accepted" | fields messageBusinessIdentifier ]
| table timestampOfReception, messageOriginIdentifier, messageType, status, messageBusinessIdentifier, originPlatform, direction, sourcePlatform, currentPlatform, targetPlatform, senderIdentifier, receiverIdentifier, currentPlatform

Ciao. Giuseppe
Ok, in reality this logid is not a numeric field, it's a string, but for some unknown reason Splunk converts it to a number. Maybe this is a bug and you should create a support case. What happens if you try this:

index=<myindex> logid="0000000013" AND logid!="13" | stats count

If this doesn't help, I don't know how to tell Splunk in a search that this field should be kept as a string instead of being converted to a number.
Providing the source of your dashboard (in a code block </>) would be useful, as would a sample of your lookup (anonymised appropriately).
| eval merged=API."|".host."|".method
| chart count over merged by StatusCode
| addtotals
| eval API=mvindex(split(merged,"|"),0)
| eval host=mvindex(split(merged,"|"),1)
| eval method=mvindex(split(merged,"|"),2)
| fields - merged
Hi, can we use the below to fetch only those events which are extracted by Search1 and not extracted by Search2, based on the field messageBusinessIdentifier?

`eoc_stp_events_indexes` host=p* OR host=azure_srt_prd_0001
NOT [ search (index=events_prod_srt_shareholders_esa OR index=eoc_srt) seev.047 Name="Created Disclosure Response Status Advice Accepted" | fields messageBusinessIdentifier ]
| fillnull timestampOfReception, messageOriginIdentifier, messageBusinessIdentifier, direction, messageType, currentPlatform, sAAUserReference value="-"
| sort timestampOfReception
| table timestampOfReception, messageOriginIdentifier, messageType, status, messageBusinessIdentifier, originPlatform, direction, sourcePlatform, currentPlatform, targetPlatform, senderIdentifier, receiverIdentifier, currentPlatform
| rename timestampOfReception AS "Timestamp of reception", originPlatform AS "Origin platform", sourcePlatform AS "Source platform", targetPlatform AS "Target platform", senderIdentifier AS "Sender identifier", receiverIdentifier AS "Receiver identifier", messageOriginIdentifier AS "Origin identifier", messageBusinessIdentifier AS "Business identifier", direction AS Direction, currentPlatform AS "Current platform", sAAUserReference AS "SAA user reference", messageType AS "Message type"
While configuring RF and SH, can we configure that only one server should be used for saving all copies of the data and does not participate in indexing, only participating in searching when needed?
Recently, I converted lookup files to .csv lookup files, and after converting them the dashboard is showing nothing but only this. If this helps, we have custom scripts in the backend.
Hi All, I need to display the results the same as below:

|chart count over API by StatusCode

API | 200 | 300 | 400 | 400 | total
--- | --- | --- | --- | --- | ---

but I need to display more fields behind API, like host and method as well:

API | host | method | 200 | 300 | 400 | total
--- | --- | --- | --- | --- | --- | ---

Please help to get these results.
Hi, I want to extract only those events of Search1 for which there does not exist a result in Search2. Is it possible in Splunk? Similar to NOT EXISTS in DB2.
In a search for logid=13, I looked up the source of the returned events and they do have the logid information. Here is an extract:

eventtime=1701795599940432762 tz="+0100" logid="0000000013" type="traffic" subtype="forward" level="notice"
Can you check how those logids are in your original data (outside of splunk) or at least in _raw field? Just open event and select "Event Actions -> Show Source".
@PickleRick I have to admit that I do not fully understand your explanation. Note that I get more results with a search for 0000000013 than just 13. @isoutamo Here are outputs of other queries, still for the very same time intervals:

index=<myindex> logid=13 | stats count → 822,434
index=<myindex> logid="13" | stats count → 0
index=<myindex> logid=0000000013 | stats count → 3,183,571
index=<myindex> logid="0000000013" | stats count → 8,183,571
index=<myindex> logid=013 | stats count → 0

index=<myindex> | stats count by logid
0000000011 8,000
0000000013 3,183,571
0000000023 127,753
0419016384 5,154

I wanted to see which records match 13 and not 0000000013 with the following request:

index=<myindex> logid=0000000013 AND logid!=13 | stats count

but the result is 0...
Actually, storage is usually not that much of a problem (although it does come with some overhead). It's mostly the loss of flexibility typically associated with Splunk that matters - an indexed field is indexed as is on the indexing pipeline and its value cannot be changed afterwards. Also, searching indexed fields is different from "normal" Splunk search and can lead to unexpected results, especially if you don't configure your fields properly in fields.conf.
There are several possible approaches to this problem. One is to use a subsearch. https://docs.splunk.com/Documentation/Splunk/9.1.2/SearchTutorial/Useasubsearch Long story short - if you have search1 returning a list of values for field1, you use NOT ([your search | returning | values | table field1]) as part of your main search. This however has its drawbacks - the typical limits of a subsearch - the number of returned results and the execution time limit. That means that your search can be silently finalized without you even realizing that you're getting incomplete/invalid results.

Another approach would be to append both of those resultsets, adding a field which describes which search they come from, and then do stats over the common field and filter out those that do have the identifier. Like:

<search1>
| eval wherefrom=1
| append
    [ <search2> | eval wherefrom=2 ]
| stats values(*) as * by common_field
| where NOT wherefrom=2

Append though is also subject to subsearch limitations. If both your searches are streaming searches, you can use multisearch instead of appending results - multisearch is _not_ subject to subsearch limitations.
@cmg yes, you should change the setting, but be aware that values, where there is an MV field, will now come in as lists and you may need to adjust your playbook(s) to handle that.
@cmg No, what you do is have a decision at the beginning of the automation that checks for a container tag; if present, don't continue, as it would show that the container has already been processed by that playbook. If not present, then continue, and the next action should be to add the tag you are looking for to the processed container. This means that a container would only have the playbook 'fully' run once on each container. It may still run many times but will halt at the 1st decision. Then, if you do ever need to re-run the playbook, you just remove the tag.
Hi @Real_captain, please try something like this:

`eoc_stp_events_indexes` host=p* OR host=azure_srt_prd_0001
[ search (index=events_prod_srt_shareholders_esa OR index=eoc_srt) seev.047 Name="Created Disclosure Response Status Advice Accepted" | fields messageBusinessIdentifier ]
| table timestampOfReception, messageOriginIdentifier, messageType, status, messageBusinessIdentifier, originPlatform, direction, sourcePlatform, currentPlatform, targetPlatform, senderIdentifier, receiverIdentifier, currentPlatform

In a few words: you have to use a subsearch, paying attention that the fields at the end of the subsearch are only the ones you want to use as the key, and that the field names are exactly the same. Ciao. Giuseppe