All Posts
Hello, I am working on creating a search that evals results and adds boolean strings. The results will then be passed as a token to later searches. The result of the search could be a single ID or multiple IDs. The idea is that the first panel lists IDs. The next panel in the dashboard will search an index but only for IDs from the first panel.

For example, Panel 1:

index=db source=MSGTBL MSG_src="XXXX" MSG_DOMAIN="CCCCCCCC" "<messageType>AAA</messageType>" | eval MSGID1="MSGID="+MSGID+" OR" | table MSGID1

might give you a table of MSGIDs:

MSGID=56454GF-5RT1KL-566IOS-FT5GFAS OR
MSGID=56454GF-65WE-566IOS-5845UIK OR
MSGID=SD8734-DFH745-DFHJ7867-GKJH8 OR

I can then set that as a token like:

<done> <set token="tokMSGID1">$result.MSGID1$</set> </done>

The issue I'm having is that if there is only a single MSGID it will have an 'OR' at the end, and the last result in a set of IDs would also have the 'OR' at the end. Can anyone tell me, search-wise, how to handle this? Thanks!
Hi @gcusello, I got notified that this is a bug in Splunk. Known issues - Splunk Documentation: UNDEFINED keyword shouldn't be used to replace empty cells. Thanks, Pravin
I need to filter out the white noise.

index-=sith broker sithlord!=darth_maul OR index=jedi domain="jedi.lightside.com" (master!="yoda" AND master!="mace" AND master="Jinn")

If I use the correct one, 75% of it is white noise. I need to use the above to isolate what I need specifically from the indexes. I need to show a 1:1 match plus a few other columns. I was asked to get the former, but now they need more.
Hi @gcusello, the given query is working in some scenarios only. It works only when the online message condition is present. However, when both online and offline messages are present, the condition does not work. I have shared a screenshot for reference. FYI: I deleted the below search from my query, because it is not working.

| search condition="Offline" OR condition="Offline but newly online" | table condition

[Screenshots: working scenario / non-working scenario]

We can remove offline_time and online_time; this is not required.
@madhav_dholakia - Splunk _raw shows the price as "17.0". I'm sure that Splunk cannot convert 17 to 17.0. Hence, I'm leaning towards something else being wrong; Splunk is not modifying anything in the data unless you explicitly added any parsing configs in Splunk. I hope this helps!!!
Hi, when I execute this search

index=foo | stats count by _raw, sourcetype, source, host | where count>1

I'm able to observe events with counts higher than 1. However, I'm uncertain if these events are being duplicated. Is there an alternative search method I can use to verify whether these events are being double-ingested? Thanks.
Hello, at the moment we are indexing JSON files in Splunk and then renaming the fields with a Field Alias function. This leads to the problem that we cannot use tstats on these renamed fields anymore. Now to the question: is there a way to rename the fields with Splunk before indexing the data? The goal is that we can use tstats on all fields with the new renamed names.
Hi @gcusello, can we use it as a CS to trigger an alert when it exceeds the alert threshold?
Hi @the_dude, your search is correct and I like that you don't use join, but what's the issue? You can use the name value for the drilldown, remembering that the field name is different in the two indexes, so the drilldown search could be:

index=jedi OR index=sith | eval name=coalesce(Jname, Sname) | search name=$name$ | table ...

Ciao. Giuseppe
Hi @AL3Z, I don't know: the above search lists all the triggered alerts. Otherwise you could run a search on the notable index and get the count for the triggered searches:

index=notable | stats count BY search_name | where count>10

Ciao. Giuseppe
index=jedi domain="jedi.lightside.com" (master!="yoda" AND master!="mace" AND master="Jinn") | table saber_color, Jname, strengths, mentor, skill, domain, mission

index-=sith broker sithlord!=darth_maul | table saber_color, Sname, strength, teacher, actions

I need to list where Jname=Sname, but I need to list all columns. The third one is where Jname!=Sname. The caveat is I cannot use join for this query. This helped; however, I am unable to utilize the index drilldown for each in the search, otherwise the query is 75% white noise.

index=jedi OR index=sith | eval name=coalesce(Jname, Sname) | stats values(name) as names by saber_color strengths | where mvcount(names)=1

Please help.
@Muthu_Vinith Create a metrics index - https://docs.splunk.com/Documentation/Splunk/9.1.2/Indexer/Setupmultipleindexes#Create_metrics_indexes You can monitor the CSV file into a metrics index: https://docs.splunk.com/Documentation/Splunk/9.1.2/Metrics/GetMetricsInOther You may need to format the CSV file to create the metrics as you need. I hope this helps!!!
Hi All, I opened a ticket at Cisco support and they promised that the app will be updated soon. KR
@gcusello I had chosen to specify only ES and I hadn't considered the disabled CS, but still, not all the alerts are showing up.
Hi @AL3Z, they match with the correlation searches, but they also contain other alerts outside ES and anyway don't match with disabled CS. Ciao. Giuseppe
Well, yeah, I understand how I can convert the time from epoch, but I am trying to do this inside of a workflow action. Someone searches "index=firewall", and then they click on "Event Actions" to click on the workflow action. How does the time get converted through that mechanism?
@gcusello, why are the triggered alerts from the search not matching the incident review alerts? Why so?
No, there is not a common userbase for all Splunk products. There is no API request specific to audit logs.  Submit an API request to search the _audit index for the desired information.
I know of one file we have (multifix.js). We use it to modify the behavior of multi-select filters.

/*************************************************************************************
 Multiselect Behavior Modification
 multifix.js v0.2
 Automatically removes the 'All' option in multiselect fields when a value is selected
 and removes individual values when 'All' is re-selected.
 Any multiselect with a CSS id of multi_1 - multi_15 will function in this way if the
 script is included via the app's dashboard.js or directly.
*************************************************************************************/
require(['splunkjs/mvc', 'splunkjs/mvc/simplexml/ready!'], function (mvc) {
    $(document).ready(function () {
        var selection = [];
        // Attach the fix to every multiselect with an id of multi_1 through multi_15
        for (var i = 1; i < 16; i++) {
            multiFixer('multi_' + i);
        }
        function multiFixer(fieldId) {
            var multi = mvc.Components.getInstance(fieldId);
            // getInstance returns undefined when no component has that id
            if (typeof multi !== 'undefined') {
                multi.on('change', function () {
                    selection = multi.val();
                    // '*' is the 'All' value; ~indexOf(...) is truthy when '*' is present
                    if (selection.length > 1 && ~selection.indexOf('*')) {
                        if (selection.indexOf('*') == 0) {
                            // 'All' was already selected and a specific value was added: drop 'All'
                            selection.splice(selection.indexOf('*'), 1);
                            multi.val(selection);
                            multi.render();
                        } else {
                            // 'All' was re-selected after specific values: keep only 'All'
                            multi.val('*');
                            multi.render();
                        }
                    }
                });
            }
        }
    });
});
Hi, I want to import the entities via CSV into entity management in Splunk ITSI, so please help me with this. Thanks