All Posts

Hi @shashankk , please try this:

<your_search>
| rex "instance(?<key1>\d*)\.R(?<key2>[^:]+)"
| rex "\[Priority\=(?<Priority>\w+)"
| eval TestMQ="TEST.SEP".key1.".".key2
| stats count(eval(Priority="Low")) as Low, count(eval(Priority="Medium")) as Medium, count(eval(Priority="High")) as High BY TestMQ
| fillnull value=0
| addtotals

Ciao.
Giuseppe
prestats=t is an option which tells tstats to produce results in a format appropriate for further processing (most typically by timechart). So the main thing here is the timechart command - it is responsible for creating the time series with "empty" days counted as 0.
Hi Team, Hope this finds all well. I am trying to create an alert search query and need to create the splunk url as a dynamic value. Here is my search query:

index=idx-cloud-azure "c899b9d3-bf20-4fd6-8b31-60aa05a14caa" metricName="CpuPercentage"
| eval CPU_Percent=round((average/maximum)*100,2)
| where CPU_Percent > 85
| stats earliest(_time) AS early_time latest(_time) AS late_time latest(CPU_Percent) AS CPU_Percent by amdl_ResourceName
| eval InstanceName="GSASMonitoring.High.CPU.Percentage"
| lookup Stores_IncidentAssignmentGroup_Reference InstanceName
| eval Minutes=(threshold/60)
| where Enabled=1
| eval short_description="GSAS App Service Plan High CPU",
       comments="GSAS Monitoring: High CPU Percentage ".CPU_Percent. " has been recorded" ```splunk url=""```
| eval key=InstanceName."-".amdl_ResourceName
| lookup Stores_SNOWIntegration_IncidentTracker _key as key OUTPUT _time as last_incident_time
| eval last_incident_time=coalesce(last_incident_time,0)
| where (late_time > last_incident_time + threshold)
| join type=left key
    [| inputlookup Stores_OpenIncidents
    | rex field=correlation_id "(?<key>(.*))(?=\_\w+\-?\w+\_?)"]
| where ISNULL(dv_state)
| eval correlation_id=coalesce(correlation_id,key."_".late_time)
| rename key as _key
| table short_description comments InstanceName category subcategory contact_type assignment_group impact urgency correlation_id account _key location

and here is the url of the entire search I am trying to convert into dynamic for line no 11:
https://tjxprod.splunkcloud.com/en-US/app/stores/search?dispatch.sample_ratio=1&display.page.search.mode=verbose&q=search%20index%3Didx-cloud-azure%20%22c899b9d3-bf20-4fd6-8b31-60aa05a14caa%22%20metricName%3D%22CpuPercentage%22%0A%7C%20eval%20CPU_Percent%3Dround((average%2Fmaximum)*100%2C2)%0A%7C%20where%20CPU_Percent%20%3E%2085%0A%7C%20stats%20earliest(_time)%20AS%20early_time%20latest(_time)%20AS%20late_time%20latest(CPU_Percent)%20AS%20CPU_Percent%20by%20amdl_ResourceName%0A%7C%20eval%20InstanceName%3D%22GSASMonitoring.High.CPU.Percentage%22%0A%7C%20lookup%20Stores_IncidentAssignmentGroup_Reference%20InstanceName%0A%7C%20eval%20Minutes%3D(threshold%2F60)%0A%7C%20where%20Enabled%3D1%0A%7C%20eval%20short_description%3D%22GSAS%20App%20Service%20Plan%20High%20CPU%22%2C%0A%20%20%20%20%20%20%20comments%3D%22GSAS%20Monitoring%3A%20High%20CPU%20Percentage%20%22.CPU_Percent.%20%22%20has%20been%20recorded%22%0A%7C%20eval%20key%3DInstanceName.%22-%22.amdl_ResourceName%0A%7C%20lookup%20Stores_SNOWIntegration_IncidentTracker%20_key%20as%20key%20OUTPUT%20_time%20as%20last_incident_time%0A%7C%20eval%20last_incident_time%3Dcoalesce(last_incident_time%2C0)%0A%7C%20where%20(late_time%20%3E%20last_incident_time%20%2B%20threshold)%0A%7C%20join%20type%3Dleft%20key%20%0A%20%20%20%20%5B%7C%20inputlookup%20Stores_OpenIncidents%20%0A%20%20%20%20%7C%20rex%20field%3Dcorrelation_id%20%22(%3F%3Ckey%3E(.*))(%3F%3D%5C_%5Cw%2B%5C-%3F%5Cw%2B%5C_%3F)%22%5D%20%0A%7C%20where%20ISNULL(dv_state)%0A%7C%20eval%20correlation_id%3Dcoalesce(correlation_id%2Ckey.%22_%22.late_time)%20%0A%7C%20rename%20key%20as%20_key%0A%7C%20table%20short_description%20comments%20InstanceName%20category%20subcategory%20contact_type%20assignment_group%20impact%20urgency%20correlation_id%20account%20_key%20location&earliest=-60m%40m&latest=now&display.page.search.tab=statistics&display.general.type=statistics&sid=1704721919.326369_52C57BD9-5296-4397-B370-BF36A375A0A5
Hi, my employer uses Splunk Enterprise v9.1.2 which is running On-Prem. We have recently enabled SSO with Azure. After enabling SSO we noticed that authentication to the REST API no longer worked with PAT tokens or username/password authentication methods. I created an Authentication Extension script using the example SAML_script_azure.py script. I implemented the getUserInfo() function which has allowed users to authenticate to the REST API and CLI commands with PAT tokens. However, I have been unable to make username/password authentication work with the REST API or CLI since I enabled SSO. I tried adding a login() function to my Authentication Extension script but it does not work. The option for "Allow Token Based Authentication Only" is set to false. The login() function is not called when a user sends a request to the API with username/password like this example:

curl --location 'https://mysplunkserver.company.com:8089/services/search/jobs?output_mode=json' --header 'Content-Type: text/plain' --data search="search index=main | head 1 " -u me

These are the documentation pages I have been referencing:
https://docs.splunk.com/Documentation/Splunk/9.1.2/Security/ConfigureauthextensionsforSAMLtokens
https://docs.splunk.com/Documentation/Splunk/9.1.2/Security/Createtheauthenticationscript

Is it possible to use username/password for API and CLI authentication with SSO enabled?
Hello @PickleRick, Thank you for your inputs. It helped to resolve the issue. It would be very helpful if you could share how the use of prestats helped in this case so that its usage becomes more clear to understand. Thank you Taruchit
Since you have provided more sample data and stated what the common field across the events is, I think a search like this may work.

<base_search>
| rex field=_raw "Priority\=(?<Priority>[^\,]+)"
| rex "(?:\={3}\>|\<\-{3})\s+TRN[^\:]*\:\s+(?<trn>[^\s]+)"
| rex "RCV\.FROM\.(?<TestMQ>.*)\@"
| stats count(eval(Priority=="Low")) as Low, count(eval(Priority=="Medium")) as Medium, count(eval(Priority=="High")) as High, values(TestMQ) as TestMQ by trn
| stats sum(Low) as Low, sum(Medium) as Medium, sum(High) as High by TestMQ
| addtotals fieldname="TotalCount"

This is what the final result looks like running against the sample data you provided.
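As an added illustration (not code from the thread), the same two-stage correlation in Python over constructed sample lines in the format quoted in this thread: the "===>" line carries the Priority, the "<---" line carries the receiving queue, and the TRN id is the only field the two share. The three patterns are the rex patterns from the SPL above, with PCRE (?<name>...) groups rewritten in Python's (?P<name>...) syntax.

```python
import re
from collections import defaultdict

# Constructed sample events (same format as the thread's samples, TRN ids paired on purpose).
# The last "===>" line has no matching "<---" line, so it never gets a TestMQ.
SAMPLE_EVENTS = """\
240108 07:12:07 17709 testget1: ===> TRN@instance2.RQ1: 0000002400840162931785-AHGM0000bA [Priority=Low,ScanPriority=0, Rule: Default Rule].
240108 07:12:07 17709 testget1: <--- TRN: 0000002400840162931785-AHGM0000bA - S from [RCV.FROM.TEST.SEP2.Q1@QM.ABCD101].
240108 07:12:08 17709 testget1: ===> TRN@instance2.RQ2: 0000002400840162929525-AHGM00015A [Priority=High,ScanPriority=0, Rule: Default Rule].
240108 07:12:08 17709 testget1: <--- TRN: 0000002400840162929525-AHGM00015A - S from [RCV.FROM.TEST.SEP2.Q2@QM.ABCD101].
240108 07:12:09 17709 testget1: ===> TRN@instance2.RQ2: 0000002400840162930001-AHGM00016A [Priority=Medium,ScanPriority=0, Rule: Default Rule].
240108 07:12:09 17709 testget1: <--- TRN: 0000002400840162930001-AHGM00016A - S from [RCV.FROM.TEST.SEP2.Q2@QM.ABCD101].
240108 07:12:10 17709 testget1: ===> TRN@instance2.RQ1: 0000002400840162930002-AHGM00017A [Priority=Low,ScanPriority=0, Rule: Default Rule].
"""

# The three rex patterns from the SPL, with PCRE (?<name>...) rewritten as Python's (?P<name>...).
PRIORITY_RE = re.compile(r"Priority\=(?P<Priority>[^\,]+)")
TRN_RE = re.compile(r"(?:\={3}\>|\<\-{3})\s+TRN[^\:]*\:\s+(?P<trn>[^\s]+)")
TESTMQ_RE = re.compile(r"RCV\.FROM\.(?P<TestMQ>.*)\@")
PRIORITIES = ("Low", "Medium", "High")


def count_by_testmq(raw: str) -> dict:
    """Return {TestMQ: {"Low": n, "Medium": n, "High": n, "TotalCount": n}}."""
    # Stage 1, like `stats ... by trn`: merge the fields of every event sharing a TRN id.
    per_trn = defaultdict(lambda: {"Priority": None, "TestMQ": None})
    for line in raw.splitlines():
        m = TRN_RE.search(line)
        if m is None:
            continue  # no trn field: stats would drop the event from the by-clause anyway
        rec = per_trn[m.group("trn")]
        p = PRIORITY_RE.search(line)
        if p:
            rec["Priority"] = p.group("Priority")
        q = TESTMQ_RE.search(line)
        if q:
            rec["TestMQ"] = q.group("TestMQ")

    # Stage 2, like `stats sum(...) by TestMQ | addtotals`: a TRN with no TestMQ is dropped,
    # exactly as stats drops rows whose by-field is null.
    totals = defaultdict(lambda: dict.fromkeys(PRIORITIES + ("TotalCount",), 0))
    for rec in per_trn.values():
        if rec["TestMQ"] is None or rec["Priority"] not in PRIORITIES:
            continue
        totals[rec["TestMQ"]][rec["Priority"]] += 1
        totals[rec["TestMQ"]]["TotalCount"] += 1
    return dict(totals)
```

Running count_by_testmq(SAMPLE_EVENTS) yields one row per queue; the fourth TRN, which never received its "<---" line, is absent from the result just as it would be after the second stats.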
Hi @shashankk

source="MQlogs.txt" host="test" sourcetype="MQ"
| rex "\: (?<testgettrn>.*) \- S from"
| rex "RCV\.FROM\.(?<TestMQ>.*)\@"
| rex field=TestMQ "\w+\.\w+\.(?<key>\w+)"
| rex "TRN\@\\w+\.R(?<key>[^:]++):"
| rex "Priority\=(?<Priority>\w+)"
| table _raw TestMQ key Priority
```| stats values(TestMQ) AS TestMQ count(eval(Priority="Low")) as Low, count(eval(Priority="Medium")) as Medium, count(eval(Priority="High")) as High BY key | fillnull value=0 | addtotals```

Could you please run this and update us with the results screenshot. When I run this one, the priority is not extracted. Looks like something is wrong. Please suggest, thanks.
Thanks @tscroggins !
That's "by design". You only generate results for those days when you had results. That's how tstats works. You need to use timechart along with tstats and use the prestats feature of tstats.

| tstats prestats=t count where index=index_name sourcetype=xxx BY _time span=1d
| timechart span=1d count
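To make the difference concrete, here is an added Python sketch (not from the thread) of both behaviours on a constructed seven-day window with events on only three days: a Counter over the event days behaves like tstats ... BY _time span=1d (a bucket exists only where an event fell), while filling every day of the window behaves like timechart. It also shows why the average matters for the original question: once the zero days exist, avg(count) is taken over all seven buckets, not just the three that had data.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed input: 240 events on each of three days of a seven-day window, none on the rest.
WINDOW_START, WINDOW_END = date(2024, 1, 1), date(2024, 1, 7)
EVENT_DAYS = [date(2024, 1, 2)] * 240 + [date(2024, 1, 5)] * 240 + [date(2024, 1, 6)] * 240


def sparse_daily_counts(event_days):
    """Like `tstats count ... BY _time span=1d`: a bucket exists only if an event fell into it."""
    return dict(sorted(Counter(event_days).items()))


def dense_daily_counts(event_days, start, end):
    """Like `tstats prestats=t ... | timechart span=1d count`: every bucket of the
    search window is present, with 0 where nothing was indexed."""
    sparse = Counter(event_days)
    return {start + timedelta(days=i): sparse.get(start + timedelta(days=i), 0)
            for i in range((end - start).days + 1)}


def below_average(counts):
    """Like `eventstats avg(count) AS avg_count | where count < avg_count`.
    Returns (avg_count, [days whose count is below it])."""
    avg = sum(counts.values()) / len(counts)
    return avg, [d for d, c in counts.items() if c < avg]


if __name__ == "__main__":
    for label, counts in (("sparse", sparse_daily_counts(EVENT_DAYS)),
                          ("dense", dense_daily_counts(EVENT_DAYS, WINDOW_START, WINDOW_END))):
        avg, low_days = below_average(counts)
        print(f"{label}: avg_count={avg:.1f}, below average: {[d.isoformat() for d in low_days]}")
```

With the sparse buckets the average is 240 and no day is flagged; with the dense buckets the average drops to about 102.9 and the four empty days are reported.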
Hello and thank you everyone for the help. What I try to get out of the existing data (2024-01-08T04:53:13.028149Z):
UpdateDate - YYYY-MM-DD i.e. 2021-08-02
UpdateTime - HH:MM i.e. 13:36
Hi @gcusello

I have added below more lines of the sample event file - please help me find the right key. Or if not possible with the correlation Key - how to proceed with the JOIN in this case? Kindly guide and suggest.

240108 07:12:07 17709 testget1: ===> TRN@instance2.RQ1: 0000002400840162931785-AHGM0000bA [Priority=Low,ScanPriority=0, Rule: Default Rule].
240108 07:12:07 17709 testget1: <--- TRN: 0000002400840162929525-AHGM00015A - S from [RCV.FROM.TEST.SEP2.Q2@QM.ABCD101].
Hello All,

I need to fetch the dates in the past 7 days where events are less than the average event count. I used the below SPL:

| tstats count where index=index_name sourcetype=xxx BY _time span=1d
| eventstats avg(count) AS avg_count

However, in a scenario where on a particular day no events are ingested, the result skips those dates, that is, it does not return the dates with event count as zero. For example, it skips showing the highlighted rows in the below table:

_time       count  avg_count
2024-01-01  0      240
2024-01-02  240    240
2024-01-03  0      240
2024-01-04  0      240
2024-01-05  240    240
2024-01-06  240    240
2024-01-07  0      240

And gives below as the result:

_time       count  event_count
2024-01-02  240    240
2024-01-05  240    240
2024-01-06  240    240

Thus, need your guidance to resolve this problem.

Thanking you
Taruchit
Hi @eilonh

Enterprise Security (ES) is a Premium App and there is no trial version or free download version available. One idea is the ES Guided Product Tour https://www.splunk.com/en_us/form/enterprise-security-tour.html; the other idea is, as said in the previous reply, that you should contact the Splunk Sales team and they should provide you the ES for a POC purpose.

Hope this helps. If any reply helps you, you could add your upvote/karma points to that reply, thanks.
Hi @shashankk , as I said, the problem is to identify a key contained in both types of your logs: the ones with the TestMQ field and the ones containing the Priority field. I identified, from your few sample logs, the regex to extract Q1 or Q2 or Q3, but evidently it isn't sufficient. Can you identify a common key to use for correlation? If you don't have this common key, it's very hard to correlate events without any relation. Maybe, if you could share more samples, with more TestMQ, I could help you in key identification and extraction, but anyway, the only approach I see is the one I described: find a common key for correlation. Ciao. Giuseppe
Hi @jbv , As said in the previous reply, the landing page/home page of Splunk got re-designed in recent versions.  However, you can create a dashboard which will look very similar to that "Data Summary" and keep it on your landing page/home page. If you could update us, which index/source/sourcetype you are looking to monitor, we can help you create the data summary for you. hope you got some ideas, thanks. 
Hi @gcusello - Thank you for your continuous support. I am able to proceed next with your suggestion but now stuck at one point. Need your help on it. Kindly suggest.

Query Used:

index=test_index source=*instance*/*testget*
| rex "\: (?<testgettrn>.*) \- S from"
| rex "RCV\.FROM\.(?<TestMQ>.*)\@"
| rex field=TestMQ "\w+\.\w+\.(?<key>\w+)"
| rex "TRN\@\\w+\.R(?<key>[^:]++):"
| rex "Priority\=(?<Priority>\w+)"
| stats values(TestMQ) AS TestMQ count(eval(Priority="Low")) as Low, count(eval(Priority="Medium")) as Medium, count(eval(Priority="High")) as High BY key
| fillnull value=0
| addtotals

Getting results as below: the total count (Q1+Q2) is getting added to Q1 only, and Q2 remains null (as shown in the example below):

key | TestMQ       | Low | Medium | High | Total
Q1  | TEST.SEP.Q1  | 20  | 20     | 30   | 70
    | TEST.SEP2.Q1 |     |        |      |
    | TEST.SEP3.Q1 |     |        |      |
Q2  | TEST.SEP.Q2  | 0   | 0      | 0    | 0
    | TEST.SEP2.Q2 |     |        |      |
    | TEST.SEP3.Q2 |     |        |      |

Please guide and suggest.
Hi @AL3Z

As seen in the previous reply, to troubleshoot this issue, a lot more details are required from your side. Any changes recently done on those DC systems (inputs.conf / apps / addons etc.)? Let's say you were expecting the 4743 at 5pm yesterday. Please check if you have events around that time from that particular windows box (search for 4pm to 6pm events from that windows box).

As said in other posts, good questions will receive good answers. The more details you provide, the better answers/suggestions we can help you with. Thanks.
@PickleRick ,
Are you missing any other events? Nope, only 4743.
Are you having connection problems? I don't think so / How to check?
Are you getting any errors in _internal? How to check?
Are you hitting thruput limits? Yes.
Do you ingest all events from the beginning or just current ones? Yes, we are ingesting all events from the beginning.
OK. So you have a different problem.
Are you missing any other events?
Are you having connection problems?
Are you getting any errors in _internal?
Are you hitting thruput limits?
Do you ingest all events from the beginning or just current ones?
# Import IIS module
Import-Module WebAdministration

# Get the list of Application Pools
$appPools = Get-ChildItem IIS:\AppPools

# Display the App Pool names and their statuses in key-value pairs
foreach ($appPool in $appPools) {
    $status = Get-WebAppPoolState -Name $appPool.name
    Write-Output "appPoolName=$($appPool.name), appPoolStatus=$($status.Value)"
}

You can expand it with more details if you like. You can run it either by calling it with powershell in your stanza, or via cmd and calling it with powershell that way.