Hi @gcusello, with the code below I am getting correct results. Could you please add an alert condition to it?
index= "XXXXX" "Genesys system is available" | spath input=_raw output=new_field path=response_details.response_payload.entities{} | mvexpand new_field | fields new_field | spath input=new_field output=serialNumber path=serialNumber | spath input=new_field output=onlineStatus path=onlineStatus | where serialNumber!="" | lookup Genesys_Monitoring.csv serialNumber | where Country="Bangladesh" | stats count by onlineStatus, Country
Hi, did you make any changes to the 'user' or 'power' role? 'Power' inherits some capabilities from 'user', so if you removed/changed some capabilities from 'user', they will also be reflected on 'power'. ------------ If this was helpful, some karma would be appreciated.
Yes, for real! That was my first idea. I think for static field length one could use something along this line of thought (does not work as is but should be doable):
| makeresults
| eval
mv_field=split("a|b|c|d|e|f|aa", "|")
| fields ```other fields of interest``` mv_field [| makeresults count=7
| streamstats count
| eval temp="mv_field_",
fieldname=temp.count
| stats values(fieldname) AS fieldname
| return $fieldname]
| foreach mode=multifield mv_field_*
[ eval "<<FIELD>>"=mvindex(mv_field,tonumber(<<MATCHSTR>>),tonumber(<<MATCHSTR>>))]
but seeing this solution, it is more elegant and general.
Hi @nithys, you cannot put the case function directly in the search, but only in the eval command. In addition there are some errors and the case condition isn't clear; please describe them better.
1) What's the case condition? CASE("latest") AND "id" AND "dynamoDB data retrieved for ids" AND "material"
2) The errors are: case: there is a parenthesis after the first value, there's only one condition and there isn't the value to assign if the condition is true; | sort- PST_TIME3 should be sort - PST_TIME3: a space after the sort command is missing; you don't need an intermediate table command; what do you want to do with appendcols? In other words, please describe it better.
Ciao. Giuseppe
Hi @anandhalagaras1, to compare dates you have to convert them to epoch time and compare them using the eval command and the strptime function: e.g. to take only events with Timestamp in the period from 2023-12-13 00:00:00 to 2023-12-13 23:59:59, you could run:
<your_search>
| eval
Timestamp=strptime(Timestamp,"%Y-%m-%d %H:%M:%S"),
from=strptime("2023-12-13 00:00:00","%Y-%m-%d %H:%M:%S"),
to=strptime("2023-12-13 23:59:59","%Y-%m-%d %H:%M:%S")
| where Timestamp>=from AND Timestamp<=to
Ciao. Giuseppe
Hi @parthiban, the logic and syntax of this search are correct. If it doesn't give results, you have to check the data, which may be different from what we supposed when creating the search, and I cannot help you because I don't have your data. Debug it by removing the rows one by one and identifying where the issue is: I suppose it's in the field names or in the field values. Ciao. Giuseppe
If you want the list of triggered alerts please try this:
index=_audit action=alert_fired ss_app=*
| eval ttl=expiration-now()
| search ttl>0
| convert ctime(trigger_time)
| table trigger_time ss_name severity
| rename trigger_time as "Alert Time" ss_name as "Alert Name" severity as "Severity"
If instead you want the list of alerts in your environment, you could use:
| rest /servicesNS/-/-/saved/searches
| search alert.track=1
| fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule
Ciao. Giuseppe
Found the way around it. Have to pipe "|fields metrics.data{}.name metrics.data{}.status". I don't know why I need to do that also, but apparently it works now. Actually splunkernator and I uncovered the root cause a few days ago in Do you lose any information between Chain Searches in Dashboards? It's intricate, but everyone using Dashboard Studio should be aware until DS releases a fix. You didn't illustrate under which conditions your original code failed. But based on splunkernator's and my findings, I speculate that you had | spath output=metrics path=metrics in the main search, but |rename metrics.data{}.name as name, metrics.data{}.status as status in the chain search. Is this correct? Then, your workaround is to add | fields metrics.data{}.name metrics.data{}.status into the main search. If you add this to the subsearch, nothing will change. You would still have a broken panel. Meanwhile, are you sure you want a multivalue field name?
Hello, could anyone assist me in creating a correlation search to detect triggered alerts across all searches? This will enable us to monitor counts and automatically notify us if any situation escalates beyond control. Thanks
Hi All, I need help writing a query based on the field "Timestamp", which is different from the "_time" value. Sample event in XML format:
Email: xyz@gmail.com
RoleName: User
RowKey: 123456
Timestamp: 2023-12-13T23:56:18.200016+00:00
UserId: mno
UserName: acho
This is one of the sample events in XML format. There is a specific field "Timestamp" in the event, and this "Timestamp" field is completely different from the _time value. Hence I want to pull only the "Timestamp" values for a particular day, e.g. yesterday 2023-12-13, i.e. from 2023-12-13 00:00:00 to 2023-12-13 23:59:59. So how can I write the query for the same?
index=abc host=xyz sourcetype=xxx
PST_TIME4            objectType  version  republishType  publish  nspConsumerList  snsPublishedCount  dataNotFoundIdsCount
2023-17-11 01:50:35  material    latest   id             NSP      ALL              3                  1
2023-20-11 02:55:12  material    latest   id             NSP      ALL              3                  1
2023-16-11 09:18:14  material    latest   id             NSP      ALL              3                  1
2023-12-12 05:03:37  material    latest   id             ALL      ALL              1                  2
Hi Team, I am using a query which has the same index and source but fetches two results based on the search and combines them into a single table. Now I want to display the result along with the timestamp it appears, in ascending order.
index=index1 source=source1 CASE("latest") AND "id" AND "dynamoDB data retrieved for ids" AND "material"| eval PST=_time-28800 | eval PST_TIME3=strftime(PST, "%Y-%d-%m %H:%M:%S") | spath output=dataNotFoundIdsCount path=dataNotFoundIdsCount | stats values(*) as * by _raw | table dataNotFoundIdsCount, PST_TIME3 | sort- PST_TIME3| appendcols [search index=index1 source=source1 CASE("latest") AND "id" AND "sns published count" AND "material"| eval PST=_time-28800 | eval PST_TIME4=strftime(PST, "%Y-%d-%m %H:%M:%S") | spath snsPublishedCount output=snsPublishedCount |spath output=republishType path=republishType| spath output=version path=republishInput.version| spath output=publish path=republishInput.publish| spath output=nspConsumerList path=republishInput.nspConsumerList{} | spath output=objectType path=republishInput.objectType | stats values(*) as * by _raw | table snsPublishedCount,republishType,version,publish, nspConsumerList,objectType,PST_TIME4 | sort- PST_TIME4 ] |table PST_TIME4 objectType version republishType publish nspConsumerList snsPublishedCount dataNotFoundIdsCount
Check out the docs for foreach https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/foreach The <<FIELD>> template is replaced with the value of the field being iterated through. In your context, it is the value of the row* field being evaluated.
Hello Ryan, I understand that I have posted another question for the same problem. I am trying to contact AppD sales in Bangalore, India, with no response from their side. Could you please suggest a contact email ID of the technical support team so that we can discuss whether the issue is with our configuration or there are limitations in the pro trial version? We are running our applications in an EKS cluster, and the trial version documentation says that we can access all the services for 15 days. All the configurations were made according to the documents, but afterwards the data is not reflected in the dashboard. Could you please suggest a workaround for this problem? Thanks, tharun
Thanks @bowesmana - so mvmap iterates like a for loop and checks. What if I want to do multiple checks? For example, I want to check for different regions:
mvcount(Region)>1, mvmap(Region, if(match(Region, "(?i)bangalore"), "Bangalore", null()))
Here it iterates and checks for Bangalore. What if I want to check for Singapore, USA, China and so on? It's becoming quite challenging, please help me. Example: Test_loc_method2 is the output I want from Region (mv field):
Region (mv field)                        Test_loc_method2
sh, Bangalore, Test, Chennai, Hyderbad   Bangalore
test, China, 1, India                    China
Loc, USA, 2, London                      USA
Hello @Ryan.Paredez, the query was how I can get the license usage report by email on a daily or weekly basis. I didn't see any option like that. If emailing the report is not possible, are there any other ways we can download the report (e.g. using the API)? Thanks, Raj