I have 2 multivalue fields (old and new) containing group lists for 1 or more users. The new value is the list of groups that replaces the old groups. For example:
user 1 has an old value of group1, group2, group3
user 1 has a new value of group1, group2, group3, group4, and group5
user 2 has an old value of group3, group4, group5
user 1 has a new value of group4, group5, group6, group7, and group8
I'm trying to return group4 and group5 for user 1 and group7 and group8 for user2.
Hi @EricMonkeyKing, did you configure INDEXED_EXTRACTIONS = json for that sourcetype, or use the spath command (https://docs.splunk.com/Documentation/Splunk/9.1.2/SearchReference/Spath)? Ciao. Giuseppe
Hi, I have a requirement to show a line chart comparison between today's count and the previous day's. I have the SPL below, but we see the data from yesterday and today as separate graph lines. I want to see the lines together, one superimposed on the other. Please could you suggest how to compare them?
Current SPL:
basesearch earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| timechart span=15m count by Day
Current visualization: (image)
Expected visualization is: (image)
Hi @roberto_baggio, you can create your own dashboards in the apps you like. If you want to see them in a normal Splunk Enterprise app, you have to configure it in [Settings > User Interface > Menu]. If instead you want to see these dashboards in ES, you have to go to [Configure > General > Navigation]. Ciao. Giuseppe
Hi all, for this sort of JSON string, how can I extract KeyA, KeyB, KeyC?
{
  "KeyA": [
    { "path": "/attibuteA", "op": "replace", "value": "hello" },
    { "path": "/attibuteB", "op": "replace", "value": "hi" }
  ],
  "KeyB": [
    { "path": "/attibuteA", "op": "replace", "value": "" },
    { "path": "/attibuteC", "op": "replace", "value": "hey" },
    { "path": "/attibuteD", "op": "replace", "value": "hello" }
  ],
  "KeyC": [
    { "path": "/attibuteE", "op": "replace", "value": "" }
  ]
}
My ideal output would look like:
Key   path       op       value
KeyA  attibuteA  replace  hello
KeyA  attibuteB  replace  hi
KeyB  attibuteA  replace
KeyB  attibuteC  replace  hey
KeyB  attibuteD  replace  hello
KeyC  attibuteE  replace
Many thanks
Hi @aguilard, this path isn't correct. Check whether you configured the targetRepositoryLocation parameter in serverclasses.conf; it's used to configure where to push apps, and the default is $SPLUNK_HOME/etc/apps. Ciao. Giuseppe
| table Status, timeval, CompanyCode, CN
| appendpipe [stats count | eval error="thats not cool" | where count==0 | table error | fields - Status, timeval, CompanyCode, CN]
These are the last two lines of a search. In this search, if the fields (Status, timeval, CompanyCode, CN) have no values, or all of the fields are empty, then I have to display a message, which in this case is "thats not cool". It is working, but as you can see, all the empty fields are also displayed in the result. I want only the error field when the other fields are empty. Can anyone help?
Hello, I am trying to create some dashboards in ES and some other apps. For convenience I would like to be able to access them from the app drop-down menu, but I can't find a way to do so. Can someone tell me if this is even possible? If yes, how? P.S. We are using a Splunk Cloud deployment.
Hello @gcusello, I do not have error messages on the Deployer. I have plenty of space on the disk of the Deployer; I already checked. The owner of the files is splunk, and it has been installed and run with the user splunk. The thing that I noticed 20 minutes ago, and I do not know why, is that when the Deployer pushes the ITSI apps to /opt/splunk/var/run/splunk/apps it adds the word "-local" at the end of the folder name, and I just checked that in other installations that I manage this doesn't occur. Thanks for the response
Hi @parthiban , use the correct field for "status" and check if the conditions in the stats command are the correct ones. Ciao. Giuseppe
Hi @gcusello, if I remove the search condition below I get this result.
| search condition="Offline" OR condition="Offline but newly online"
| table condition
Hi @aguilard, do you have error messages on the Deployer? Do you have enough disk space on the Deployer? Some additional disk space is required on it. What is the owner of the folders and files? It must be splunk. Which user are you using to install and run Splunk? Ciao. Giuseppe
Hi @parthiban, I found an error in the eval definition, but it shouldn't be the issue:
index="XXXX" "Genesys system is available"
| rename "response_details.response_payload.entities{}.onlineStatus" as status
| where name="YYYY"
| stats count(eval(status="offline")) AS offline_count count(eval(status="online")) AS online_count earliest(eval(if(status="offline",_time,""))) AS offline earliest(eval(if(status="online",_time,""))) AS online
| fillnull value=0 offline_count
| fillnull value=0 online_count
| eval condition=case(offline_count=0 AND online_count>0,"Online", offline_count>0 AND online_count=0,"Offline", offline_count>0 AND online_count>0 AND online>offline,"Offline but newly online", offline_count>0 AND online_count>0 AND offline>online,"Offline", offline_count=0 AND online_count=0,"No data")
| search condition="Offline" OR condition="Offline but newly online"
| table condition
Debug the search to understand whether the search conditions are satisfied or not: remove the search statement and see which values you have. Ciao. Giuseppe
Could anyone help me on this please?
Hello Experts, I currently have a CSV file that contains fields such as ID, IP, OS, _time, status, etc. I need to create a metric index. Do I need to change the field names in the CSV file to align with what Splunk expects, or can I import the data as it is? I'd appreciate any guidance or examples of how to achieve this. Thanks in advance
Hi, I have a request to restore 40 weeks of logs from Dynamic Data Archive storage for one of the indexes on Splunk Cloud. May I know the process and best practices, if any?
Thanks @gcusello  The inclusive condition also worked...
SSL is enabled and cannot be changed when using the Splunk Cloud free trial. Where can I find/download the certificate?
index="starshield" source="http-requests" "firewallSource" IN ("WAF","RATE_LIMIT") "botscore"<10 | stats count values(client.ip) as ip,values(firewallSource) by client.ip,clientRequest.httpHost
How can Splunk query which IPs have been making requests continuously for more than 3 days? And since there are multiple values in the firewallSource field, how can we know which IPs have both WAF and RATE_LIMIT in their requests during a certain time period?