All Posts

How to send an alert if one event doesn't occur in 10 min with the below format of data? The data will be sent every 1 hour with a 30 min interval. Example: the alert should have triggered for the below data at 2:40.

_time                           ID    Bill_ID
2024-01-12T03:10:53.000-06:00   TTF5  80124
2024-01-12T03:08:07.000-06:00   TFB6  84958
2024-01-12T02:34:54.000-06:00   TFB6  84958
2024-01-12T02:09:48.000-06:00   TTF5  80124
2024-01-12T02:07:02.000-06:00   TFB6  84958
2024-01-12T01:36:59.000-06:00   TTF5  80124
2024-01-12T01:33:37.000-06:00   TFB6  84958
2024-01-12T01:11:13.000-06:00   TTF5  80124
2024-01-12T01:07:22.000-06:00   TFB6  84958
2024-01-12T00:37:08.000-06:00   TTF5  80124
2024-01-12T00:35:08.000-06:00   TFB6  84958
2024-01-12T00:11:16.000-06:00   TTF5  80124
2024-01-12T00:10:20.000-06:00   TFB6  84958
2024-01-11T23:36:19.000-06:00   TTF5  80124
2024-01-11T23:34:17.000-06:00   TFB6  84958
OK, if I use Percentage instead of Value it gives 2 decimal points. Thank you.

Not working. I want a list of servers which are having index data from the list provided.
Hi, this is not JSON data. It could be part of it, but not really full, working JSON. If you have full JSON, it should be usable without any difficulties, e.g. with spath, if/when onboarding has been done correctly. If it's not working JSON then you must use e.g. the rex command to get the wanted values from the _raw event:

| rex "\"reqUser\":\"(?<reqUser>[^\"]+)\",\"evtTime\":\"(?<evtTime>[^\"]+)\","
| rex "\"resource\":\"(?<resource>[^\"]+)\""
| table reqUser evtTime resource

r. Ismo
@cmg as @inventsekar has confirmed, this is possible.  When you build Workbooks/Response Templates in SOAR/Mission Control you are able to assign actions or playbooks for users to run as part of that task.  I would recommend also updating the task during the playbook run to assign to the playbook runner and change the status automatically too.  In most of my customers even if there is a status/label change on the container we control it via playbook to control and track the lifecycle of Security Events.
I sent feedback to the doc team and they promised to take this on their backlog and clarify this in the docs.

Hello, I am using a Filler Gauge in one of my dashboards and I would like to use values with 2 decimal places, but I do not see any precision option for the Gauge viz. For example, I would like to display this as 99.60 and not 100. Is it not possible to do this at the moment in Dashboard Studio, or is there any workaround available to achieve this? Thank you.
Hi @nehamvinchankar, you could insert the server list in a lookup (called e.g. "perimeter.csv") containing at least one column (host). Remember to also create the lookup definition. Then you could run a search like this:

| tstats count WHERE index=your_index BY host
| append [ | inputlookup perimeter.csv | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

Ciao.
Giuseppe
"reqUser":"mhundi","evtTime":"2023-06-08 14:04:06.504","access":"SELECT","resource":"dsc60180_ici_sde_tz_db/vehicle_master/light_truck_lob_flag,lincoln_lob_flag,model_e_lob_flag,vehicle_make_desc,vehicle_type_desc,warranty_start_date,vehicle_type_desc,warranty_start_date","resType":"@column","action":"select","result":1,"agent":"hiveServer2","policy":101343,"enforcer":"ranger-acl","sess":"00ef27f9-75a4-4821-9e8a-60f16af6b962","cliType":"HIVESERVER2","cliIP":"19.51.78.185","reqData":"SELECT * FROM (SELECT `Left`.`advisor_name`, `Left`.`appointment_created_by`, `Left`.`appointment_datetime

Fields to be extracted: reqUser, evtTime, resource

Hi all, I have a list of 3k+ servers for which I want to check data flow from a specific index. How can I do this with an optimized search?
Thanks a lot. This worked perfectly.
Hi @ckang, Unfortunately, I don't think Splunk Cloud support will do this. 
These are all individual commands and are running every minute. We are looking for the same, as these are critical to the business, and trying to figure out how we can achieve it using Splunk Observability. Kindly help.
Hello @Rajesh.Ganapavarapu, thanks for your reply, it really helped us. To set the sim.docker.monitorAPMContainersOnly property to false, we have raised a ticket with the OPS team. Once the issue is solved I will update here. Thanks & Regards, Dishant
Hi @inventsekar,

There's a much simpler solution! The regular expression \X token will match any Unicode grapheme. Combined with a lookahead to match only non-whitespace characters, we can extract and count each grapheme:

| makeresults
| eval _raw="இடும்பைக்கு இடும்பை படுப்பர் இடும்பைக்கு இடும்பை படாஅ தவர்"
| rex max_match=0 "(?<char>(?=\\S)\\X)"
| eval length=mvcount(char)

length = 31

| makeresults
| eval _raw="இடும்பைக்கு"
| rex max_match=0 "(?<char>(?=\\S)\\X)"
| eval length=mvcount(char)

length = 6

We can condense that to a single eval expression:

| makeresults
| eval _raw="இடும்பைக்கு இடும்பை படுப்பர் இடும்பைக்கு இடும்பை படாஅ தவர்"
| eval length=len(replace(replace(_raw, "(?=\\S)\\X", "x"), "\\s", ""))

length = 31

You can then use the eval expression in a macro definition and call the macro directly:

| makeresults
| eval _raw="இடும்பைக்கு இடும்பை படுப்பர் இடும்பைக்கு இடும்பை படாஅ தவர்"
| eval length=`num_graphemes(_raw)`

To count whitespace characters, remove (?=\S) from the regular expression:

| makeresults
| eval _raw="இடும்பைக்கு இடும்பை படுப்பர் இடும்பைக்கு இடும்பை படாஅ தவர்"
| eval length=len(replace(_raw, "\\X", "x"))

length = 37

Your new macro would then count each Unicode grapheme, including whitespace characters.
Sure @tscroggins. I spoke with my account manager and wrote to a Splunk account manager (or sales manager, I am not sure) and he said he will look into it and reply back within a day, and three days have passed. Still I am waiting, waiting and waiting. Let's see. Thanks a lot for your help. (As you can see in my YouTube channel "siemnewbies", I have been working on this for more than half a year, but good learning actually.)
Excellent @tscroggins. (If the community could allow it, I should have added more than 1 upvote. Thanks a ton!) (I should start focusing on Python more; Python really solves "big issues", just like that.)
Hi @inventsekar,

The PDF appears to have modified the code points! I prefer to use SPL because it doesn't usually require elevated privileges; however, it might be simpler to use an external lookup script. The lookup command treats fields containing only whitespace as empty/null, so the lookup will only identify non-whitespace characters. We'll need to create a script and a transform, which I've encapsulated in an app:

$SPLUNK_HOME/etc/apps/TA-ucd/bin/ucd_category_lookup.py (this file should be readable and executable by the Splunk user, i.e. have at least mode 0500)

#!/usr/bin/env python
import csv
import unicodedata
import sys


def main():
    # Splunk calls an external lookup as: script.py <input field> <output field>
    if len(sys.argv) != 3:
        print("Usage: python ucd_category_lookup.py [char] [category]")
        sys.exit(1)

    charfield = sys.argv[1]
    categoryfield = sys.argv[2]

    # Splunk passes the lookup rows as CSV on stdin and reads the result from stdout
    infile = sys.stdin
    outfile = sys.stdout

    r = csv.DictReader(infile)
    w = csv.DictWriter(outfile, fieldnames=r.fieldnames)
    w.writeheader()

    for result in r:
        # Whitespace-only values arrive as empty strings, so they get no category
        if result[charfield]:
            result[categoryfield] = unicodedata.category(result[charfield])
        w.writerow(result)


main()

$SPLUNK_HOME/etc/apps/TA-ucd/default/transforms.conf

[ucd_category_lookup]
external_cmd = ucd_category_lookup.py char category
fields_list = char, category
python.version = python3

$SPLUNK_HOME/etc/apps/TA-ucd/metadata/default.meta

[]
access = read : [ * ], write : [ admin, power ]
export = system

With the app in place, we count 31 non-whitespace characters using the lookup:

| makeresults
| eval _raw="இடும்பைக்கு இடும்பை படுப்பர் இடும்பைக்கு இடும்பை படாஅ தவர்"
| rex max_match=0 "(?<char>.)"
| lookup ucd_category_lookup char output category
| eval length=mvcount(mvfilter(NOT match(category, "^M")))

Since this doesn't depend on a language-specific lookup, it should work with text from the Kural or any other source with characters or glyphs represented by Unicode code points.

We can add any logic we'd like to an external lookup script, including counting characters of specific categories directly:

| makeresults
| eval _raw="இடும்பைக்கு இடும்பை படுப்பர் இடும்பைக்கு இடும்பை படாஅ தவர்"
| lookup ucd_count_chars_lookup _raw output count

If you'd like to try this approach, I can help with the script, but you may enjoy exploring it yourself first.
Hi @erikhill,

That doc is for "Splunk Cloud" (CLI access is with the Splunk Cloud Support Team) and from the GUI page you cannot delete. For Splunk Enterprise, I tried it on my lab setup:

C:\Program Files\Splunk\bin>.\splunk.exe remove index main
WARNING: Server Certificate Warning - ignore this
cannot remove idx=main, is internal
C:\Program Files\Splunk\bin>

So, we cannot remove the default index(es). Thanks.

Maybe you don't have permission to do summary indexing, but that option is in Searches, Reports and Alerts.