All Posts


Hi @_pravin, good for you, see you next time! Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated.
I have a Splunk result like below.

VM   col1   col2
vm1  car    sedan
vm2  car    sedan
vm3  plane  Priv
vm4  bike   Fazer
vm5  bike   thunder

I would like to get them into the format below; would you please suggest how? I want to merge the same values into one (merge columns).
Hi @the_dude, your above search lets you find the values common to both indexes. The last search gives you (in the drilldown) the information from both indexes relating to the chosen value. So, what do you want to filter? Ciao. Giuseppe
Hi @parthiban, ok, adapt my hint to your requirement. Let me know if I can help you more, or, please, accept one answer for the other people in the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated.
Thanks @VatsalJagani - the Couchbase JSON document is also showing 17 and not 17.0, so here the source system (Couchbase) and the Splunk record (when viewed with "highlight syntax") are the same; it is just the Splunk record's _raw that is different. What could possibly be causing this? Thank you.
Hi @AL3Z, if you don't use the original CS, you don't have the notables for searching. For this reason I hinted to use the risk score instead of the notable as the action. You need someone who really knows ES to guide you, or a training on using or administering ES. Ciao. Giuseppe
Hello, I am working on creating a search that evals results and adds boolean strings. The results will then be passed as a token to later searches. The result of the search could be a single ID or multiple IDs. The idea is that the first panel lists IDs. The next panel in the dashboard will search an index but only for IDs from the first panel. For example:

Panel 1

index=db source=MSGTBL MSG_src="XXXX" MSG_DOMAIN="CCCCCCCC" "<messageType>AAA</messageType>" | eval MSGID1="MSGID="+MSGID+" OR" | table MSGID1

might give you a table of MSGIDs:

MSGID=56454GF-5RT1KL-566IOS-FT5GFAS OR
MSGID=56454GF-65WE-566IOS-5845UIK OR
MSGID=SD8734-DFH745-DFHJ7867-GKJH8 OR

I can then set that as a token like

<done> <set token="tokMSGID1">$result.MSGID1$</set> </done>

The issue I'm having is that if there is only a single MSGID it will have an 'OR' at the end, as will the last result in a set of IDs. Can anyone tell me search-wise how to handle this? Thanks!
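Two searches, added here as an example and not part of the original post, that build the OR list without a trailing OR. Both reuse the Panel 1 search and the MSGID field from the post. The first uses Splunk's format command, whose output field is named search; the second collapses all IDs into a single row and joins them with mvjoin, so a single MSGID yields no OR at all.

```spl
index=db source=MSGTBL MSG_src="XXXX" MSG_DOMAIN="CCCCCCCC" "<messageType>AAA</messageType>"
| fields MSGID
| dedup MSGID
| format

index=db source=MSGTBL MSG_src="XXXX" MSG_DOMAIN="CCCCCCCC" "<messageType>AAA</messageType>"
| stats values(MSGID) AS MSGID
| eval MSGID1="(MSGID=\"" . mvjoin(MSGID, "\" OR MSGID=\"") . "\")"
| table MSGID1
```

The first search returns one row whose search field reads ( ( MSGID="a" ) OR ( MSGID="b" ) ), or ( ( MSGID="a" ) ) for a single ID, so the token becomes <set token="tokMSGID1">$result.search$</set> and Panel 2 can simply append $tokMSGID1$ to its search. The second search produces (MSGID="a" OR MSGID="b") in MSGID1 and keeps the token name from the post. Collapsing to one row first matters in both cases, because $result.field$ only ever reads the first row of a panel's results; a row-per-ID table would hand the token a single ID no matter how many were found. Quoting the values is not strictly needed for the hyphenated IDs shown, but it keeps the generated search valid if an ID ever contains spaces or search operators.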
Hi @gcusello, I got notified that this is a bug in Splunk: Known issues - Splunk Documentation. The UNDEFINED keyword shouldn't be used to replace empty cells. Thanks, Pravin
I need to filter out the white noise.

index=sith broker sithlord!=darth_maul OR index=jedi domain="jedi.lightside.com" (master!="yoda" AND master!="mace" AND master="Jinn")

If I use the correct one, 75% of it is white noise. I need to use the above to isolate what I need specifically from the indexes. I need to show a 1:1 match plus a few other columns. I was asked to get the former but now they need more.
Hi @gcusello, the given query is working in some scenarios only. It works only when the online message condition is present. However, when both online and offline messages are present, the condition does not work. I have shared a screenshot for reference. FYI: I deleted the search below from my query, because it is not working.

| search condition="Offline" OR condition="Offline but newly online" | table condition

[Screenshots: working scenario; non-working scenario]

We can remove offline_time and online_time, this is not required.
@madhav_dholakia - Splunk _raw shows the price as "17.0". I'm sure that Splunk cannot convert 17 to 17.0; hence, I'm leaning towards something else being wrong, and Splunk is not modifying anything in the data unless you explicitly added parsing configs in Splunk. I hope this helps!!!
Hi, when I execute this search

index=foo | stats count by _raw, sourcetype, source, host | where count>1

I'm able to observe events with counts higher than 1. However, I'm uncertain whether these events are being duplicated. Is there an alternative search method I can use to verify whether these events are being double-ingested? Thanks.
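An added check, example code and not from the original post, that tightens the search above in two ways: it groups by _time as well as _raw, so two genuinely different events that happen to share the same raw text are not mistaken for duplicates, and it surfaces _indextime, which is set when each copy is written to the index. Copies with different index times were stored by separate ingestions; a gap of seconds usually points to two inputs reading the same source, a gap of hours or days to a file being re-read. index=foo is the index named in the post; the computed field names are my own.

```spl
index=foo
| eval indextime=_indextime
| stats count AS copies min(indextime) AS first_indexed max(indextime) AS last_indexed dc(indextime) AS distinct_index_times BY _time _raw host source sourcetype
| where copies > 1
| eval reingest_gap_sec=last_indexed-first_indexed
| convert ctime(first_indexed) ctime(last_indexed)
| sort - copies

index=foo
| stats count AS copies BY _time _raw host source sourcetype
| eval extra=copies-1
| stats sum(extra) AS duplicate_events sum(copies) AS total_events BY source host
| where duplicate_events > 0
| eval duplicate_pct=round(100*duplicate_events/total_events, 2)
| sort - duplicate_pct
```

The first search lists each duplicated event with how many copies exist and how far apart they were indexed; the second aggregates that into a per-source, per-host duplicate percentage, which makes it obvious whether a single input or host is responsible (for example the same file monitored by two inputs, or forwarded through two paths). Run both over the same time range as the original search so the counts are comparable.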
Hello, at the moment we are indexing JSON files in Splunk and then renaming the fields with a field alias. This leads to the problem that we cannot use tstats on these renamed fields anymore. Now to the question: is there a way to rename the fields with Splunk before indexing the data? The goal is that we can use tstats on all fields with the new renamed names.
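An added configuration example, not taken from the original post, showing the index-time route: instead of a search-time field alias, an index-time transform extracts the JSON value into an indexed field carrying the new name, which tstats can then use. The sourcetype my_json_sourcetype, the JSON key price and the new field vehicle_price are assumptions for illustration, and the example assumes the JSON is otherwise parsed at search time (KV_MODE = json). The stanzas belong on the indexer or heavy forwarder, i.e. the first full Splunk instance that parses the data, and only affect events indexed after deployment.

```ini
# props.conf (assumed sourcetype name): keep search-time JSON parsing and
# attach the index-time transform below
[my_json_sourcetype]
KV_MODE = json
TRANSFORMS-newnames = extract_vehicle_price

# transforms.conf: capture the value of the JSON key "price" and write it
# into the index-time field vehicle_price (both names assumed)
[extract_vehicle_price]
REGEX = "price"\s*:\s*"?([^",}\s]+)
FORMAT = vehicle_price::$1
WRITE_META = true

# fields.conf: declare vehicle_price as indexed so tstats and search use the
# index-time copy rather than looking for a search-time extraction
[vehicle_price]
INDEXED = true
```

Verify on freshly indexed data with | tstats count WHERE index=<your index> BY vehicle_price. Index-time fields cost disk, cannot be added to data that is already indexed, and a regex on serialized JSON must be written carefully (nested keys with the same name would also match), so try this on a test index first. If the JSON keys are already indexed fields (INDEXED_EXTRACTIONS = json), the cheaper option is to keep the original name inside tstats and rename afterwards, e.g. | tstats count WHERE index=<your index> BY price | rename price AS vehicle_price, since tstats only ever sees indexed field names.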
Hi @gcusello, can we use it as a CS to trigger an alert when it exceeds the alert threshold?
Hi @the_dude, your search is correct and I like that you don't use join. But what's the issue? You can use the name value for the drilldown, remembering that the field name is different in the two indexes, so the drilldown search could be:

index=jedi OR index=sith | eval name=coalesce(Jname, Sname) | search name=$name$ | table ...

Ciao. Giuseppe
Hi @AL3Z, I don't know: the above search lists all the triggered alerts. Otherwise you could run a search on the notable index and get the count for the triggered searches:

index=notable | stats count BY search_name | where count>10

Ciao. Giuseppe
index=jedi domain="jedi.lightside.com" (master!="yoda" AND master!="mace" AND master="Jinn") | table saber_color, Jname, strengths, mentor, skill, domain, mission

index=sith broker sithlord!=darth_maul | table saber_color, Sname, strength, teacher, actions

I need to list where Jname=Sname, but I need to list all columns. The third one is where Jname!=Sname. The caveat is I cannot use join for this query. This helped, however I am unable to utilize the index drilldown for each in the search; otherwise the query is 75% white noise.

index=jedi OR index=sith | eval name=coalesce(Jname, Sname) | stats values(name) as names by saber_color strengths | where mvcount(names)=1

Please help.
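An added example, not part of the original post or of the answer above, that applies the coalesce pattern to the post's own two searches while keeping both filters, so the white noise is excluded before the merge and join is still not needed. Each side's filter is parenthesised with its own index, the shared key is coalesced into name, and dc(index) separates names present in both indexes (Jname=Sname) from names present in only one. Field names are the ones in the post; master="Jinn" already implies master is neither yoda nor mace.

```spl
(index=jedi domain="jedi.lightside.com" master="Jinn") OR (index=sith broker sithlord!=darth_maul)
| eval name=coalesce(Jname, Sname)
| stats dc(index) AS index_count values(index) AS indexes
        values(saber_color) AS saber_color values(strengths) AS strengths values(mentor) AS mentor
        values(skill) AS skill values(domain) AS domain values(mission) AS mission
        values(strength) AS strength values(teacher) AS teacher values(actions) AS actions
        BY name
| where index_count=2
| table name indexes saber_color strengths mentor skill domain mission strength teacher actions
```

With where index_count=2 the result is the 1:1 list with every column from both indexes on one row per name; change it to where index_count=1 for the third list (names found in only one index), and the indexes column shows which side each came from. For the drilldown, reuse the same first line with the two filters and append | eval name=coalesce(Jname, Sname) | search name=$name$, so the clicked-through events are filtered the same way as the table and the noise does not come back.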
@Muthu_Vinith Create a metrics index - https://docs.splunk.com/Documentation/Splunk/9.1.2/Indexer/Setupmultipleindexes#Create_metrics_indexes You can monitor the CSV file into a metrics index: https://docs.splunk.com/Documentation/Splunk/9.1.2/Metrics/GetMetricsInOther You may need to format the CSV file to create the metrics as you need. I hope this helps!!!
Hi All, I opened a ticket at Cisco support and they promised that the app will be updated soon. KR
@gcusello I had chosen to specify only ES and I hadn't considered the disabled CS, but still, not all the alerts are showing up.