All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

Use the eval command to create an "expected value" field.     | stats count | eval expected=30   or   | stats count | eval count=count . "/30"    
To extract a single field from the event, I'd use the rex command.  It will give you a multi-value field with all of the title values. | rex max_match=0 "\<title>(?<title>[^\<]+)"  
@inventsekar  yes, when we put result = 0 it shows the result . But if we put greater than =0 it doesn't shows the result .
@gcusello , Can you pls share more info. 
is there a answer for this, im looking for same solution. 
Hello. Is there a Way to show splunk dashboard with digital signage display? I know you can use software like magic info, but the splunk web page require login and i cannot see a supported login pag... See more...
Hello. Is there a Way to show splunk dashboard with digital signage display? I know you can use software like magic info, but the splunk web page require login and i cannot see a supported login page in magic info. Are the other softwares that can be used to broadcast splunk dashboards? I am aware that there is a splunk app name SLIDESHOW, but that also require splunk login. Thank you
With the assumption the field MSG_DATA is properly extracted and a valid XML object then I think this SPL will get you a MV field of "file_title". <base_search> | eval file_title=coalesc... See more...
With the assumption the field MSG_DATA is properly extracted and a valid XML object then I think this SPL will get you a MV field of "file_title". <base_search> | eval file_title=coalesce(spath(MSG_DATA, "Message.additionalInfo.fileDetails{}.fileDetail.title"), spath(MSG_DATA, "Message.additionalInfo.fileDetails.fileDetail.title")) Screenshot of it on my local instance:  
Hello, I am trying to use a subsearch in order to create a dashboard, but being the subsearches have limitations it is timing out and not producing results. I know the code works when I shorten the ... See more...
Hello, I am trying to use a subsearch in order to create a dashboard, but being the subsearches have limitations it is timing out and not producing results. I know the code works when I shorten the duration of time and logs it's ingesting, but that is not an acceptable solution for this dashboard. Is there a better way to write this code or another way for me to produce the results?   index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD" [search index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe" | where NOT cidrmatch("192.168.0.0/16",Source_Network_Address) | top limit=1 Source_Network_Address | dedup Source_Network_Address | rename Source_Network_Address as c_ip | table c_ip]   My goal is to take information from first panel in my dashboard and then use that information to do a different search in another panel      
Hi, Probably worth mentioning--the oracledb receiver is not something that is accessed with http, so you don't want to try to use ".htaccess". You need to use a service account within oracle that ha... See more...
Hi, Probably worth mentioning--the oracledb receiver is not something that is accessed with http, so you don't want to try to use ".htaccess". You need to use a service account within oracle that has some basic grant privileges. The receiver connects to your Oracle DB and pulls out the metrics for monitoring. The config for this will look like this: receivers:   oracledb:     datasource: "oracle://USERNAME:PASSWORD@HOST:PORT/DATABASE" https://docs.splunk.com/observability/en/gdi/opentelemetry/components/oracledb-receiver.html
Assuming the fields are already extracted, the stats command should do what you want. | stats count(eval(JOB_RESULT="success")) as TOTAL_SUCCESS, count(eval(JOB_RESULT="fail")) as TOTAL_FAIL... See more...
Assuming the fields are already extracted, the stats command should do what you want. | stats count(eval(JOB_RESULT="success")) as TOTAL_SUCCESS, count(eval(JOB_RESULT="fail")) as TOTAL_FAILS by PROJECT_NAME, JOB_NAME  
Hi,  I have following setup. Splunk HF running on 9.1.2 Splunk Dbconnect latest version - 3.15 Splunk DBX Add on for oracle DB JDBC - 2.2.0 ( has ojdbc8-21.7.0.0.jar) Configured to use JRE from... See more...
Hi,  I have following setup. Splunk HF running on 9.1.2 Splunk Dbconnect latest version - 3.15 Splunk DBX Add on for oracle DB JDBC - 2.2.0 ( has ojdbc8-21.7.0.0.jar) Configured to use JRE from Oracle's Open jdk-18.0.2 Our Oracle database is running on 19c.  I have re-loaded the driver. I have verified the connectivity from the Splunk HF server to DB server via telnet/curl and connection exists ( had to open firewall). However, when I try create a connection getting errors like "IO Error: Network Adapater could not establish connection) from the internal logs.  Suspected, it could be an issue with jdbc driver, so downloaded "ojdbc8-21.1.0.0.jar" from oracle and placed them under drivers folder within splunk_app_db_connect as well as in the lib folder within the DBX add-on. re-loaded the driver and I can see internal logs loading the new jar, but still same issue. Any pointers/thoughts to troubleshoot? java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection (CONNECTION_ID=5gNEcEZfSnyI6PN7r2LGog==) at oracle.jdbc.driver.T4CConnection.handleLogonNetException(T4CConnection.java:892) at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:697) at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:1041) at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:89) at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:732) at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:648) at com.splunk.dbx.service.driver.DelegatingDriver.connect(DelegatingDriver.java:25) Thanks in advance.
I'm not sure If I am completely understanding the ask here but will give it a shot. So just going off your 2 sample events I think something like this would work. (There is an assumption that the ... See more...
I'm not sure If I am completely understanding the ask here but will give it a shot. So just going off your 2 sample events I think something like this would work. (There is an assumption that the fields "JOB_RESULT", "JOB_NAME", and "PROJECT_NAME" are already extracted and ready to use) This search is tallying up the success and fails across all jobs grouped into the projects, so each project will have its own row in the final results. <base_search> | stats count(eval('JOB_RESULT'=="success")) as TOTAL_SUCCESS, count(eval('JOB_RESULT'=="fail")) as TOTAL_FAILS by PROJECT_NAME  Output would look something like this. Or if you need it more granular to see the numbers at the Job level you can use this. <base_search> | stats count(eval('JOB_RESULT'=="success")) as TOTAL_SUCCESS, count(eval('JOB_RESULT'=="fail")) as TOTAL_FAILS by PROJECT_NAME, JOB_NAME  This will provide you output that each unique combo of PROJECT_NAME/JOB_NAME will have their own row and output would look like this. For reference, here is the SPL used to simulate your problem on my local instance. | makeresults | eval _raw="{ PROJECT_NAME = project1 JOB_NAME = jobA JOB_RESULT = success }" | append [ | makeresults | eval _raw="{ PROJECT_NAME = project2 JOB_NAME = job2 JOB_RESULT = fail }" ] ``` | extract pairdelim=" " kvdelim="=" | stats count(eval('JOB_RESULT'=="success")) as TOTAL_SUCCESS, count(eval('JOB_RESULT'=="fail")) as TOTAL_FAILS by PROJECT_NAME ``` | extract pairdelim=" " kvdelim="=" | stats count(eval('JOB_RESULT'=="success")) as TOTAL_SUCCESS, count(eval('JOB_RESULT'=="fail")) as TOTAL_FAILS by PROJECT_NAME, JOB_NAME
Hi @AL3Z, you cannot compile (in literal sense) an app in Splunk. You have a predefined folder structure in which you can put you conf files and then aggregate (using tar.gz) in an app. Here you c... See more...
Hi @AL3Z, you cannot compile (in literal sense) an app in Splunk. You have a predefined folder structure in which you can put you conf files and then aggregate (using tar.gz) in an app. Here you can find the information you need. Ciao. Giuseppe
In the mean time why don't you try appending "+0000" to your REPORTED_DATE and convert to epoch including the timezone specifier This was  perfect and worked great. I am very interested in macros I... See more...
In the mean time why don't you try appending "+0000" to your REPORTED_DATE and convert to epoch including the timezone specifier This was  perfect and worked great. I am very interested in macros I have never done them can you help me build the ones out you did       
Hi there, I'm new to Splunk and will be grateful for advice  I have the following events:     { PROJECT_NAME = project1 JOB_NAME = jobA JOB_RESULT = success } { PROJECT_NAME = pr... See more...
Hi there, I'm new to Splunk and will be grateful for advice  I have the following events:     { PROJECT_NAME = project1 JOB_NAME = jobA JOB_RESULT = success } { PROJECT_NAME = project2 JOB_NAME = job2 JOB_RESULT = fail }     I need to build the following table: JOB_NAME TOTAL_SUCCESS TOTAL_FAILS "for each JOB_NAME in PROJECT_NAME" "sum of JOB_RESULT success for JOB_RESULT " "sum of JOB_RESULT fail for JOB_RESULT "               Could you please help with queries for the table?  Many thanks in advance!
Hello I have a very long xml record that I am trying to spath some data from but I cant seem to get it to work. Can someone possibly give me some assistance? Here's what the record looks like(sorry... See more...
Hello I have a very long xml record that I am trying to spath some data from but I cant seem to get it to work. Can someone possibly give me some assistance? Here's what the record looks like(sorry its SUPER long)     2024-01-08 12:09:43.000, LOAD_DATE="2024-01-08 12:09:43.0", EVENT_LENGTH="14912", ID="3f29f958-af6e-4050-919e-fb23fc27e2bc", MSG_src="PXXXX", MSG_DOMAIN="APP", MSG_TYPE="INBOUND", MSG_DATA="<?xml version='1.0' encoding='UTF-8'?> <Message> <header> <domain>APP</domain> <source>PXXXX</source> <messageType>INBOUND</messageType> <eventId>f8y6jk45-af6e-4050-919e-fb23fc27e2bc</eventId> </header> <parsing> <parsingStatus>SUCCESS</parsingStatus> <parsingStatusDesc>Success</parsingStatusDesc> <formType>1234</formType> </parsing> <ABC> <Code>ABC</Code> <Number>209819</Number> <sequence>0236</sequence> <ReceiptDate>2024-01-08T00:00:00.000-05:00</ReceiptDate> <FirstDate>2024-01-08T00:00:00.000-05:00</FirstDate> <Status>SUCCESS</Status> <location>xxxxxxxx</location> <id>ci1704729189245.431902@fdsahl86ceb40c</id> <format>ABCD</format> </ABC> <applicationDetails> <applicationGlobalId>500168938</applicationGlobalId> <applicationType>ABC</applicationType> <applicationSubtype>UNKNOWN</applicationSubtype> <applicationNumber>123456</applicationNumber> <applicationRelationships> <applicationRelationship> <ReasonCode>XYZ</ReasonCode> <Desc>BLAH BLAH BLAH</Desc> <applicationGlobalId>123456789</applicationGlobalId> <applicationNumber>123456</applicationNumber> <applicationSubtype>UNKNOWN</applicationSubtype> <applicationType>RED</applicationType> </applicationRelationship> </applicationRelationships> <applicationPatents/> <applicationStatuses> <applicationStatus> <statusCode>APPROVED</statusCode> <statusDescription>APPROVED</statusDescription> <statusStartDate>2017-11-30T00:00:00.000-05:00</statusStartDate> </applicationStatus> </applicationStatuses> <applicationProperties/> </applicationDetails> <InboundDetails> <InboundType>Reply</InboundType> <InboundSubtype>Reply2</InboundSubtype> <InboundSequenceNumber>0236</InboundSequenceNumber> </InboundDetails> <form> <attributes>123-4560910-0001"/> <attribute description="EXPIRATION DATE" name="Expiration Date" value="03/31/2024"/> <attribute description="name" name="name_holder" value="Place Inc."/> <attribute description="NUMBER" name="number" value="209819"/> <attribute description="Bunch of strings" name="Desc"/> </attributes> <List> <items/> </List> <infoList> <info> <Type>Information goes here</Type> <name>Me Formal</name> <phoneNumber>+1 (111) 222-333</phoneNumber> <addressLine1>1234 Road Drive</addressLine1> <city>Place, MO</city> <zipCode>12345</zipCode> <emailAddress>me.formal@domain.com</emailAddress> <partyContacts> <partyContact> <Date>2024-01-04T00:00:00.000-05:00</Date> <state>MO</state> <emailAddress>me.formal@domain.com</emailAddress> <addressLine1>1234 Road Drive</addressLine1> <city>Place</city> <country>UNITED STATES</country> <phoneNumber>+1 (111) 222-333</phoneNumber> <zipCode>12345</zipCode> <name>Me Formal</name> <contactType>United States</contactType> </partyContact> </partyContacts> </info> </infoList> </form> <Information> <Number>11,222,333</Number> <IssueDate>2023-12-12</IssueDate> <ApprovalDate>2017-11-30</ApprovalDate> <ExpirationDate>2035-11-06</ExpirationDate> <SubType>Y</SubType> <Status>SUCCESS</Status> </Information> <index/> <additionalInfo> <attributes> <attribute description="title" name="title" value="Letter"/> </attributes> <fileDetails> <fileDetail> <Toc>application||form</Toc> <title>FABDC REDS</title> <fileName>file.pdf</fileName> <fileType>pdf</fileType> <formType>Long sting of data</formType> <filePath>\\filepath\file.pdf</filePath> </fileDetail> <fileDetail> <abcdToc>v1-place||v1-2-file-name</abcdToc> <title>Letter</title> <fileName>letter.pdf</fileName> <fileType>pdf</fileType> <filePath>\\us\letter.pdf</filePath> </fileDetail> <fileDetail> <abcdToc>information</abcdToc> <title>11-222-333</title> <fileName>11-222-333.pdf</fileName> <fileType>pdf</fileType> <filePath>\\ab\11-222-333.pdf</filePath> </fileDetail> </fileDetails> <tags/> </additionalInfo> </Message>"     At the end, I am trying to get the data from the "<fileDetails>" section, specifically the "<title>" for each file. It would have to be multi-value since there may, for a single record, be a single OR multiple Titles. I've tried a few variations of spath, as well as xmlkv, but as of yet haven't found anything that has given me the results I am expecting. For the example above I would expect to have 3 "Titles":     FABDC REDS Letter 11-222-333     Any ideas how to get this data out? Thanks for the help!
Most of the time this applies to using "Counts" in a certain Dashboard. Is it possible to show an Expected value? For example, I have a dashboard that counts a certain log each day. There should be ... See more...
Most of the time this applies to using "Counts" in a certain Dashboard. Is it possible to show an Expected value? For example, I have a dashboard that counts a certain log each day. There should be 30 each day, but sometimes there are only 29 due to errors. Is it possible to visualize that info against the expected number of 30? Or even just visualize it on the dashboard report as 29/30?
Hello, I'd like to know the process of compiling a Splunk app in a Windows environment, specifically using the default folder containing the props file to create a customized app. Thanks
@PickleRick did you manage to figure out a solution to this, please?
Hi @darkhorse91 , you could use join command but I don't hint because you'll have a very slow search. Otherwise, you could run something like this: (index=retrospective earliest=-30d latest=now) O... See more...
Hi @darkhorse91 , you could use join command but I don't hint because you'll have a very slow search. Otherwise, you could run something like this: (index=retrospective earliest=-30d latest=now) OR (index=current earliest=-24h latest=now) | stats values(field_retrospective_1) AS field_retrospective_1 values(field_retrospective_2) AS field_retrospective_2 values(field_retrospective_3) AS field_retrospective_3 values(field_current_1) AS field_current_1 values(field_current_2) AS field_current_2 BY my_field if you want also to add the condition that my_field must be present in both the indexes, you could run (index=retrospective earliest=-30d latest=now) OR (index=current earliest=-24h latest=now) | stats values(field_retrospective_1) AS field_retrospective_1 values(field_retrospective_2) AS field_retrospective_2 values(field_retrospective_3) AS field_retrospective_3 values(field_current_1) AS field_current_1 values(field_current_2) AS field_current_2 dc(indexes) AS index_count BY my_field | where index_count=2 Ciao. Giuseppe