Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
01-10-2024
06:45 AM
Hi there, I'm new to Splunk and will be grateful for advice I have the following events: {
PROJECT_NAME = project1
JOB_NAME = jobA
JOB_RESULT = success
} {
PROJECT_NAME = pr...
See more...
Hi there, I'm new to Splunk and will be grateful for advice I have the following events: {
PROJECT_NAME = project1
JOB_NAME = jobA
JOB_RESULT = success
} {
PROJECT_NAME = project2
JOB_NAME = job2
JOB_RESULT = fail
} I need to build the following table: JOB_NAME TOTAL_SUCCESS TOTAL_FAILS "for each JOB_NAME in PROJECT_NAME" "sum of JOB_RESULT success for JOB_RESULT " "sum of JOB_RESULT fail for JOB_RESULT " Could you please help with queries for the table? Many thanks in advance!
Labels
- Labels:
-
search
01-10-2024
06:45 AM
Hello I have a very long xml record that I am trying to spath some data from but I cant seem to get it to work. Can someone possibly give me some assistance? Here's what the record looks like(sorry...
See more...
Hello I have a very long xml record that I am trying to spath some data from but I cant seem to get it to work. Can someone possibly give me some assistance? Here's what the record looks like(sorry its SUPER long) 2024-01-08 12:09:43.000, LOAD_DATE="2024-01-08 12:09:43.0", EVENT_LENGTH="14912", ID="3f29f958-af6e-4050-919e-fb23fc27e2bc", MSG_src="PXXXX", MSG_DOMAIN="APP", MSG_TYPE="INBOUND", MSG_DATA="<?xml version='1.0' encoding='UTF-8'?>
<Message>
<header>
<domain>APP</domain>
<source>PXXXX</source>
<messageType>INBOUND</messageType>
<eventId>f8y6jk45-af6e-4050-919e-fb23fc27e2bc</eventId>
</header>
<parsing>
<parsingStatus>SUCCESS</parsingStatus>
<parsingStatusDesc>Success</parsingStatusDesc>
<formType>1234</formType>
</parsing>
<ABC>
<Code>ABC</Code>
<Number>209819</Number>
<sequence>0236</sequence>
<ReceiptDate>2024-01-08T00:00:00.000-05:00</ReceiptDate>
<FirstDate>2024-01-08T00:00:00.000-05:00</FirstDate>
<Status>SUCCESS</Status>
<location>xxxxxxxx</location>
<id>ci1704729189245.431902@fdsahl86ceb40c</id>
<format>ABCD</format>
</ABC>
<applicationDetails>
<applicationGlobalId>500168938</applicationGlobalId>
<applicationType>ABC</applicationType>
<applicationSubtype>UNKNOWN</applicationSubtype>
<applicationNumber>123456</applicationNumber>
<applicationRelationships>
<applicationRelationship>
<ReasonCode>XYZ</ReasonCode>
<Desc>BLAH BLAH BLAH</Desc>
<applicationGlobalId>123456789</applicationGlobalId>
<applicationNumber>123456</applicationNumber>
<applicationSubtype>UNKNOWN</applicationSubtype>
<applicationType>RED</applicationType>
</applicationRelationship>
</applicationRelationships>
<applicationPatents/>
<applicationStatuses>
<applicationStatus>
<statusCode>APPROVED</statusCode>
<statusDescription>APPROVED</statusDescription>
<statusStartDate>2017-11-30T00:00:00.000-05:00</statusStartDate>
</applicationStatus>
</applicationStatuses>
<applicationProperties/>
</applicationDetails>
<InboundDetails>
<InboundType>Reply</InboundType>
<InboundSubtype>Reply2</InboundSubtype>
<InboundSequenceNumber>0236</InboundSequenceNumber>
</InboundDetails>
<form>
<attributes>123-4560910-0001"/>
<attribute description="EXPIRATION DATE" name="Expiration Date" value="03/31/2024"/>
<attribute description="name" name="name_holder" value="Place Inc."/>
<attribute description="NUMBER" name="number" value="209819"/>
<attribute description="Bunch of strings" name="Desc"/>
</attributes>
<List>
<items/>
</List>
<infoList>
<info>
<Type>Information goes here</Type>
<name>Me Formal</name>
<phoneNumber>+1 (111) 222-333</phoneNumber>
<addressLine1>1234 Road Drive</addressLine1>
<city>Place, MO</city>
<zipCode>12345</zipCode>
<emailAddress>me.formal@domain.com</emailAddress>
<partyContacts>
<partyContact>
<Date>2024-01-04T00:00:00.000-05:00</Date>
<state>MO</state>
<emailAddress>me.formal@domain.com</emailAddress>
<addressLine1>1234 Road Drive</addressLine1>
<city>Place</city>
<country>UNITED STATES</country>
<phoneNumber>+1 (111) 222-333</phoneNumber>
<zipCode>12345</zipCode>
<name>Me Formal</name>
<contactType>United States</contactType>
</partyContact>
</partyContacts>
</info>
</infoList>
</form>
<Information>
<Number>11,222,333</Number>
<IssueDate>2023-12-12</IssueDate>
<ApprovalDate>2017-11-30</ApprovalDate>
<ExpirationDate>2035-11-06</ExpirationDate>
<SubType>Y</SubType>
<Status>SUCCESS</Status>
</Information>
<index/>
<additionalInfo>
<attributes>
<attribute description="title" name="title" value="Letter"/>
</attributes>
<fileDetails>
<fileDetail>
<Toc>application||form</Toc>
<title>FABDC REDS</title>
<fileName>file.pdf</fileName>
<fileType>pdf</fileType>
<formType>Long sting of data</formType>
<filePath>\\filepath\file.pdf</filePath>
</fileDetail>
<fileDetail>
<abcdToc>v1-place||v1-2-file-name</abcdToc>
<title>Letter</title>
<fileName>letter.pdf</fileName>
<fileType>pdf</fileType>
<filePath>\\us\letter.pdf</filePath>
</fileDetail>
<fileDetail>
<abcdToc>information</abcdToc>
<title>11-222-333</title>
<fileName>11-222-333.pdf</fileName>
<fileType>pdf</fileType>
<filePath>\\ab\11-222-333.pdf</filePath>
</fileDetail>
</fileDetails>
<tags/>
</additionalInfo>
</Message>" At the end, I am trying to get the data from the "<fileDetails>" section, specifically the "<title>" for each file. It would have to be multi-value since there may, for a single record, be a single OR multiple Titles. I've tried a few variations of spath, as well as xmlkv, but as of yet haven't found anything that has given me the results I am expecting. For the example above I would expect to have 3 "Titles": FABDC REDS
Letter
11-222-333 Any ideas how to get this data out? Thanks for the help!
Labels
- Labels:
-
field extraction
-
fields
01-10-2024
06:44 AM
Most of the time this applies to using "Counts" in a certain Dashboard. Is it possible to show an Expected value? For example, I have a dashboard that counts a certain log each day. There should be ...
See more...
Most of the time this applies to using "Counts" in a certain Dashboard. Is it possible to show an Expected value? For example, I have a dashboard that counts a certain log each day. There should be 30 each day, but sometimes there are only 29 due to errors. Is it possible to visualize that info against the expected number of 30? Or even just visualize it on the dashboard report as 29/30?
Labels
- Labels:
-
single value
01-10-2024
06:32 AM
01-10-2024
06:21 AM
@PickleRick did you manage to figure out a solution to this, please?
01-10-2024
06:04 AM
1 Karma
Hi @darkhorse91 , you could use join command but I don't hint because you'll have a very slow search. Otherwise, you could run something like this: (index=retrospective earliest=-30d latest=now) O...
See more...
Hi @darkhorse91 , you could use join command but I don't hint because you'll have a very slow search. Otherwise, you could run something like this: (index=retrospective earliest=-30d latest=now) OR (index=current earliest=-24h latest=now)
| stats
values(field_retrospective_1) AS field_retrospective_1
values(field_retrospective_2) AS field_retrospective_2
values(field_retrospective_3) AS field_retrospective_3
values(field_current_1) AS field_current_1
values(field_current_2) AS field_current_2
BY my_field if you want also to add the condition that my_field must be present in both the indexes, you could run (index=retrospective earliest=-30d latest=now) OR (index=current earliest=-24h latest=now)
| stats
values(field_retrospective_1) AS field_retrospective_1
values(field_retrospective_2) AS field_retrospective_2
values(field_retrospective_3) AS field_retrospective_3
values(field_current_1) AS field_current_1
values(field_current_2) AS field_current_2
dc(indexes) AS index_count
BY my_field
| where index_count=2 Ciao. Giuseppe
01-10-2024
05:50 AM
we have an scheduled alert configured in splunk which is working fine as per event from the user logs but its delayed in sending email as alert notification
Labels
01-10-2024
05:17 AM
Splunk doesn't care what OS it runs on as long as the kernel version is at least 3. See https://docs.splunk.com/Documentation/Splunk/9.1.2/Installation/SystemRequirements#Unix_operating_systems . Lo...
See more...
Splunk doesn't care what OS it runs on as long as the kernel version is at least 3. See https://docs.splunk.com/Documentation/Splunk/9.1.2/Installation/SystemRequirements#Unix_operating_systems . Look in older versions of that document to find an older kernel version.
01-10-2024
05:08 AM
Or is there any chance to create a single token for two indexes
01-10-2024
04:57 AM
We are using splunk metrics-toolkit app to check the logs. created two indexes 1.metrics 2. platform_benefits and one token for the index metrics In metrics-toolkit app.dev file we are using one to...
See more...
We are using splunk metrics-toolkit app to check the logs. created two indexes 1.metrics 2. platform_benefits and one token for the index metrics In metrics-toolkit app.dev file we are using one token As a result it's is logging only metrics index data in splunk, we have both metrics and platform_benefits dashboards Is there any way to configure two tokens inside the app.dev yaml file to get both index logs? https://github.com/mulesoft-catalyst/metrics-toolkit/blob/main/src/main/resources/properties/secure/_template.yaml
- Tags:
- metrics-toolkit
01-10-2024
04:57 AM
Hi , I have two queries, that have a common field someField one helps me find inconsistencies: sourcetype="my_source" someLog inconsistencies other helps me find consistencies sourcetype="my_s...
See more...
Hi , I have two queries, that have a common field someField one helps me find inconsistencies: sourcetype="my_source" someLog inconsistencies other helps me find consistencies sourcetype="my_source" someLog consistencies This gives me both consistencies and inconsistencies: sourcetype="my_source" someLog Note that someLog is just a text used an identifier that's common for both the queries. if the someField was logged as inconsistent it can be logged as consistent in the future. How can I find those values of someField that are truly inconsistent in a given time frame, retrospectively?i.e. if currently values are inconsistent I want to be able to search (in the past or future relative to the current search) those values that are truly inconsistent - not part of the consistent results in that time frame
Labels
- Labels:
-
field extraction
-
subsearch
01-10-2024
04:45 AM
@Ryan.Paredez can you help me
01-10-2024
04:30 AM
Hi @gcusello Amazing. This works. Thanks I have Another query: how can I print those field values from subsearch that are not in the main search? In this case the results of the main search...
See more...
Hi @gcusello Amazing. This works. Thanks I have Another query: how can I print those field values from subsearch that are not in the main search? In this case the results of the main search is a superset of the subsearch
01-10-2024
04:29 AM
Darn ! I clicked on Ask a question button here : https://community.splunk.com/t5/c-oqeym24965/Radius+Technical+Add-on/pd-p/4547 and it removed the info about the app. I thought it would've been sent...
See more...
Darn ! I clicked on Ask a question button here : https://community.splunk.com/t5/c-oqeym24965/Radius+Technical+Add-on/pd-p/4547 and it removed the info about the app. I thought it would've been sent to the developer .... Ok, so the add-on is RADIUS Technology Add-On developed by some Brian Daniel Potter The only info splunkbase has about it (and I'm surprised it was published with just that) is: I built this radius TA against a very large dataset that was geographically diverse, with different software (freeradius, radiusd, etc), different versions, etc. This should work for most *nix *Radius implementations. If you have data that fails to parse with this add-on please send me a note and a sample log and I will expand the add-on scope. My understanding would then be it's supposed to monitor some radius configs ... but really it's not explicit.
01-10-2024
04:24 AM
Thanks for your response.
01-10-2024
04:23 AM
Yes, but that isn’t working. So here is a solution that I came up with — Step 1 - first write your results to a lookup file. <your query> |outputlookup yourlookup.csv Step 2 - use tha...
See more...
Yes, but that isn’t working. So here is a solution that I came up with — Step 1 - first write your results to a lookup file. <your query> |outputlookup yourlookup.csv Step 2 - use that lookup in the query as shown below: <your query> |append [|inputlookup yourlookup.csv |outputlookup yourlookup.csv override_if_empty = false create_empty = false] the above query writes the results and stores in yourlookup.csv with wider time range. And we are rewriting the stored results to the same lookupfile. In the last line override and Create_empty commands will make sure it will not give empty results. Note: use |dedup in the last if you see any duplicate results. step 3- Create a saved search with this query and schedule it according to your requirement.
01-10-2024
04:04 AM
What is the latest version of Splunk Enterprise supported on RHEL 7.x?
Labels
- Labels:
-
installation
01-10-2024
03:52 AM
i will do validations but i think that it works , thanks!
01-10-2024
03:47 AM
Hi,
It's a very useful query!
| rest splunk_server=local /servicesNS/-/-/saved/searches | where alert_type!="always" | table title,author,description,"eai:acl.owner","next_scheduled_time","action...
See more...
Hi,
It's a very useful query!
| rest splunk_server=local /servicesNS/-/-/saved/searches | where alert_type!="always" | table title,author,description,"eai:acl.owner","next_scheduled_time","action.email.to"
I need the alerts results and the second query doesn't work for me. i have already created an alert and see in under the "Alerts" tab and scheduled in today. What i need to change in the second query to results? maybe something in the alert setting? or different index?
01-10-2024
03:40 AM
1 Karma
| eval _time=strptime(TimeStamp, "%F %T")
| timechart span=12h count(Name) AS CountEvents by machine cont=t usenull=f useother=f
| untable _time machine count
| where count == 0
