All Posts

I want to combine these two <condition> elements into one.

<input>
  .....
  <change>
    <condition value="BT">
      <unset token="show_wifi_connect_type"></unset>
    </condition>
    <condition value="UART">
      <unset token="show_wifi_connect_type"></unset>
    </condition>
  </change>
  ...
</input>

I tried combining these two states using "match", but it doesn't work. How could I solve this problem?
Thank you @dtburrows3. This was exactly what I was looking for.
I encountered an error while configuring Splunk to connect to LDAP. Failed to retrieve a user with these settings. Consult your LDAP admin or see splunkd.log with ScopedLDAPConnection set to DEBUG for more information.
Hi Pinggg, I'm facing the same issue and do not understand where the issue is. Did you by any chance find a solution? Thanks 1000! Greetings
Hi @palomalgrv, you can put the inputs in the first panel after Panel B or in a dedicated empty panel. To move inputs you can use drag&drop or copy the code in that panel. Ciao. Giuseppe
Hi @syaseensplunk, in transforms.conf you put a transformation that is called from props.conf, so you can put whatever you want:

# props.conf
[your_sourcetype]
TRANSFORMS-routing = AnthosGSP

# transforms.conf
[AnthosGSP]
REGEX = drnt0-retail-sabbnetservices
DEST_KEY = _MetaData:Index
FORMAT = gsp

Ciao. Giuseppe
Hi @xxxxxxxxxxxxxx, try the chart command (https://docs.splunk.com/Documentation/Splunk/9.1.2/SearchReference/Chart):

<initial search that returns the above events> | chart count OVER appName BY resultCode

Ciao. Giuseppe
Is there a way I can use "namespace" in transforms.conf to separate the data after using sourcetype in props.conf?
Hi, have you looked at eventstats with chart? r. Ismo
How can we fetch the events performed by users in the Splunk Enterprise Security product from APIs?
Hi Team, I have installed the on-prem controller in http format now, I need to change it to https format. Kindly provide the steps for changes.
I have used the VT4Splunk app for the notable enrichment process in Splunk Enterprise Security. Does somebody know if I can get comment values from VirusTotal <hash, ip, domain> results, not only the count of them? Below is an example of the search and the results:

| makeresults | eval file_hash="43dbf0a7df3b78cffbe5732b9da758fddfe13a8c9775da1214622837e8d30d28" | vt4splunk hash=file_hash

Here is an example of a particular API request I found in the VT docs and want to use with Splunk: https://docs.virustotal.com/reference/files-comments-get Thanks in advance!
Hi @VatsalJagani - apologies for the delayed response. Yes, that static Month is already in place. I have got 35 dashboards with three different time ranges available to select in the dropdown (Last Month, Last to Last Month, Month To Date), so I am looking for the header to update based on the time range selected. For example, if I run this report today for "Last Month", the report title would be Monthly Report - Nov 2023; if I run this report today for "Last to Last Month", the report title would be Monthly Report - Oct 2023; if I run this report today for "Month to Date", the report title would be Monthly Report - Dec 2023. Thank you.
In the Splunk dashboard I see there are ways to add default visualisations. I want to add my own visualisation from my own app to this menu; how do I do that?
I am trying to generate a list of the percentages of response codes by resultCode by app. A simplified version of the events is:

appName=app1, resultCode=500
appName=app1, resultCode=500
appName=app1, resultCode=404
appName=app2, resultCode=404
...

If I do

<initial search that returns the above events> | stats count by appName resultCode

it gets me very close to what I am trying to do and outputs something like this to the Statistics tab:

appName  resultCode  count
app1     500         25
app1     404         10
app1     200         100
app2     500         14

I need to take this one step further and have an output that, instead of showing the count by resultCode, shows the percentage each resultCode comprises by appName. The ideal result is:

appName  200  404  500
app1     90   2    8
app2     85   10   5
...

This is ideal, but even if the result was

app1, 200, 90
app1, 404, 2
app1, 500, 8
...

(where the columns are appName, resultCode, and percentage, based on the count of events by code for an app over all events for the app). I can get a count of events by appName in a separate query to be able to get to the total, but I am just not finding how to use that specific appName's total for each of the specific app error values all together. I'm missing how to do

| stats count by appName as appTotal | stats count by appName resultCode as appResult | eval resultPerc=round((appResult*100)/appTotal, 2)

and have that show in a table in a way that can be clearly displayed. Any ideas on what I might be missing here would be appreciated. Thanks!
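One SPL pipeline that produces the percentage table described in the question, added here as an example rather than a reply from the thread; it reuses the question's field names and assumes the same placeholder initial search. eventstats attaches the per-appName total to every row without collapsing them, which is the step the question is missing, and xyseries pivots resultCode into columns:

```spl
<initial search that returns the above events>
| stats count AS appResult BY appName resultCode
| eventstats sum(appResult) AS appTotal BY appName
| eval resultPerc=round(appResult*100/appTotal, 2)
| fields appName resultCode resultPerc
| xyseries appName resultCode resultPerc
| fillnull value=0
```

Dropping the last two lines leaves the long form (appName, resultCode, resultPerc) that the question also accepts; fillnull puts 0 where an app never returned a given code instead of an empty cell.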
I think doing something like this would work.

<base_search>
| lookup <lookup_name> UserID OUTPUT Attribute
| eval attribute_regex=".*\-(\d+)\-.*",
    max_attribute=case(
        isnull(Attribute), null(),
        mvcount(Attribute)==1, max(tonumber(replace(Attribute, attribute_regex, "\1"))),
        mvcount(Attribute)>1, max(mvmap(Attribute, tonumber(replace(Attribute, attribute_regex, "\1"))))
    ),
    max_attribute_full=mvdedup(
        case(
            isnull(Attribute), null(),
            mvcount(Attribute)==1, if(tonumber(replace(Attribute, attribute_regex, "\1"))=='max_attribute', 'Attribute', null()),
            mvcount(Attribute)>1, mvmap(Attribute, if(tonumber(replace(Attribute, attribute_regex, "\1"))=='max_attribute', 'Attribute', null()))
        )
    )

You can see in the screenshot below that I used simulated data to do what I think you are asking for. The regex used in the replace command can be adjusted to fit the pattern that is stored in the Attribute field value to just grab the number.
The issue is with the data quality, and there is some sort of errant spacing in it. I still have a ticket open with Splunk, as clicking the value of a field should properly put in such spacing, but this works as a workaround for me for now. I'm further going to speak with the team where the data is coming out of to make sure the data is going out properly (actually, I need to verify in raw before I go there). Thanks.
Hi All, this may be a bit of a peculiar question, but I'm trying to figure out if there's a way to use a certain expression in a search query to pull a "maximum" value based upon a custom table (.csv import) that is pulled into the query via the "lookup" command. The table has 4 possible "Attribute" values, which range from "level-1-access" to "level-4-access". In the stats table, a given UserID may have activity that reflects 1 or more of these (thus, a maximum of 4 per UserID). Below is a sample dataset. What I'm attempting to do is filter this data so that it's only showing the "maximum" (or "highest") value for each UserID. The rows bolded in green are what I'd want to see, with everything else excluded; thus, there should only be 1 row per distinct UserID. One possible thought that comes to mind is adding a numeric field to the .csv lookup, though I'm still not 100% certain how to go about rendering the stats table to only include the highest value per UserID. Any help would be appreciated. Thanks!

UserID   Attribute
jdoe     level-1-access
jdoe     level-3-access
jdoe     level-4-access
asmith   level-1-access
asmith   level-2-access
ejones   level-3-access
ejones   level-4-access
pthomas  level-1-access
pthomas  level-2-access
pthomas  level-3-access
pthomas  level-4-access
And oh wow. I owe you a big apology, as yes, Splunk itself is somehow not putting in what's there even when selected with the mouse. So it's still an issue they are looking into, and on my side I will be talking to a team about data cleanup, but I'm going to try your workaround and if it works I will mark it as the fix.