Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
12-12-2023
03:35 AM
I have two different logs where the error is capturing in different fields in each log message...(error_message and error_response) I have to capture the error_message and error_response without d...
See more...
I have two different logs where the error is capturing in different fields in each log message...(error_message and error_response) I have to capture the error_message and error_response without dropping the other logs.? Log 1 : message:"Lambda execution: exit with failure", message_type:"ERROR", error_message:"error reason update" Log 2 : message:"Lambda execution: exit with failure", message_type:"ERROR", error_response:"updated error reason" Expected Output : Error count 1. error reason update 1 2. updated error reason 1
Labels
- Labels:
-
stats
12-12-2023
03:26 AM
Hi I want to execute different SPL query in Dashboard studio panel on the basis of dropdown value. Drop down have two item only, if we select "Item1" in dropdown then in particular panel of Dashboa...
See more...
Hi I want to execute different SPL query in Dashboard studio panel on the basis of dropdown value. Drop down have two item only, if we select "Item1" in dropdown then in particular panel of Dashboard should execute "Query1" if selected "item2" in dropdown then in same panel of Dashboard studio should execute "Query2" item1 = "Aruba NetWorks" Item2 = "Cisco" Query1 = index=dot1x_index sourcetype=cisco_failed_src OR sourcetype=aruba_failed_src| | eval node= if(isnotnull(node_vendor),"Cisco","Aruba NetWorks")| search node = $<dropdown token>$ | table node_dns node_ip region Query2 = index=dot1x_index sourcetype=cisco_failed_src OR sourcetype=aruba_failed_src| eval node= if(isnotnull(node_vendor),"Cisco","Aruba NetWorks")| search node = $<dropdown token>$ | table Name Kindly Guide. Thanks Abhineet Kumar
Labels
- Labels:
-
Dashboard Studio
12-12-2023
03:12 AM
When i'm in the dashboard panel I can't seem to find a download button anywhere so I'm not sure if i can download the results
12-12-2023
03:10 AM
Rather than exporting the dashboard, can you download the results from the panel?
12-12-2023
03:05 AM
I have a dashboard with the event feeds of these browser tests but when I try to export the dashboard it exports as a json file and I need it as a csv or another file that shows the results of the te...
See more...
I have a dashboard with the event feeds of these browser tests but when I try to export the dashboard it exports as a json file and I need it as a csv or another file that shows the results of the test.
12-12-2023
03:04 AM
1 Karma
| mvexpand latest
| eval diff=now - latest
12-12-2023
03:02 AM
Do you have a dashboard or report with these results in?
12-12-2023
02:58 AM
You can't use the time range filter on loadjob savedsearch for this purpose. The time range filter on the loadjob command applies to when the saved search was executed (and its results saved). It is ...
See more...
You can't use the time range filter on loadjob savedsearch for this purpose. The time range filter on the loadjob command applies to when the saved search was executed (and its results saved). It is not applied to the results themselves. For this you would have to use a where command (as you already have), and for time ranges, you should parse your timestamp field into and epoch time (using the strptime() function) so that it can be compared with other epoch time values e.g. the start and end of your desired time range.
12-12-2023
02:52 AM
Hi @FlorianScho, as a workaround, we have added the IP addresses of our Splunk instances in the TLS certificates as SAN and also included them in the server.conf in the sslAltNameToCheck parameter. ...
See more...
Hi @FlorianScho, as a workaround, we have added the IP addresses of our Splunk instances in the TLS certificates as SAN and also included them in the server.conf in the sslAltNameToCheck parameter. Best regards
12-12-2023
02:47 AM
Hi, I'm using: loadjob savedsearch because my query is big and it takes time to load. I have some multi-select filters and i want to add input time range filter. (| loadjob savedsearch="mp:search:...
See more...
Hi, I'm using: loadjob savedsearch because my query is big and it takes time to load. I have some multi-select filters and i want to add input time range filter. (| loadjob savedsearch="mp:search:queryName" | where $pc$ AND $Version$ ) I'm not sure how to do that because i need to use a field called: Timestamp (i get it in my query, this is the time the event is written to the json file ) and not the _time field. In addition, I don't know how to use loadjob savedsearch with time range filter Can you help me, please? Thank, Maayan
Labels
- Labels:
-
dashboard
12-12-2023
02:25 AM
I have gone through a few questions which are related to lookup file changes. I tried to use the same query to get the internal logs regarding my lookup file changes but I am unable to fetch any logs...
See more...
I have gone through a few questions which are related to lookup file changes. I tried to use the same query to get the internal logs regarding my lookup file changes but I am unable to fetch any logs. I would like to know where can I find the information about the changes made to my lookup file. The information is more related to the user who modified and the respective time. I tried to search in _audit index, but I am unable to find the exact logs (may be the way of my searching is wrong) Could anyone please help me in finding the history of modification/changes made to any lookup file?
- Tags:
- lookup
Labels
- Labels:
-
search
Hi @gcusello | rename "response_details.response_payload.entities{}.onlineStatus" as status | stats count BY status | append [ | makeresults | eval name=xxxx, count=0 | fields name ] | stats sum...
See more...
Hi @gcusello | rename "response_details.response_payload.entities{}.onlineStatus" as status | stats count BY status | append [ | makeresults | eval name=xxxx, count=0 | fields name ] | stats sum(count) AS total BY status | eval status=if(total=0,"OFFLINE",status) | search status="ONLINE" OR status="OFFLINE" | table status I getting result is "ONLINE" How it will works on the alert ? How can I set in the alert? Can you please guide me
12-12-2023
02:22 AM
@inventsekar Could you please suggest on this. We have already integrated linux, palo alto,SAP log sources. Just looking to create Linux, Palo alto, SAP use cases which is based on MITRE framework o...
See more...
@inventsekar Could you please suggest on this. We have already integrated linux, palo alto,SAP log sources. Just looking to create Linux, Palo alto, SAP use cases which is based on MITRE framework or any attack pattern use cases, as we don't have that much knowledge to create SPL use cases.
12-12-2023
02:19 AM
Hi, I want to export browser test results in some sort of csv or any file where I can see the performance of a browser test for the past year or month. How can this be possible?
Hi @parthiban, status = "OFFLINE" please try this: index=your_index
| stats count BY device status
| append [ | inputlookup perimeter.csv | eval count=0 | fields device count ]
| stats sum(count)...
See more...
Hi @parthiban, status = "OFFLINE" please try this: index=your_index
| stats count BY device status
| append [ | inputlookup perimeter.csv | eval count=0 | fields device count ]
| stats sum(count) AS total BY device status
| eval status=if(total=0,"down",status)
| search status="recovery" OR status="offline" OR status="down"
| table device status Ciao. Giuseppe
12-12-2023
01:16 AM
How to get difference of lastest value with now i have multiple values in latest column and only one value in now column i want output as difference latest now 1701973800.000000 170145...
See more...
How to get difference of lastest value with now i have multiple values in latest column and only one value in now column i want output as difference latest now 1701973800.000000 1701455400.000000 1701455400.000000 1700418600.000000 1700418600.000000 1702372339 1701973800.000000- 1702372339 = 1701455400.000000- 1702372339= like this
Labels
- Labels:
-
fields
12-12-2023
01:03 AM
Hi @nehamvinchankar, does the regex extract only one value or doesn't it extract any value? if only one value, plese try this: | rex max_match=0 "(?ms)\"API_NAME\": \"(?<API_NAME>[^\"]+)\",\n\"DEP...
See more...
Hi @nehamvinchankar, does the regex extract only one value or doesn't it extract any value? if only one value, plese try this: | rex max_match=0 "(?ms)\"API_NAME\": \"(?<API_NAME>[^\"]+)\",\n\"DEP_DATE\": \"(?<DEP_DATE>[^\"]+)\"" if no values, please check the source, because using the source you shared the regex extracts all the values, as you can test in regex101 Ciao. Giuseppe
12-12-2023
12:56 AM
not working fields are not getting extracted
Hi @parthiban, ok, but how can the device send a status if it's offline? if it continue to send logs even if it's offline, you can add this condition to the search, but, as I suppose, it doesnt sen...
See more...
Hi @parthiban, ok, but how can the device send a status if it's offline? if it continue to send logs even if it's offline, you can add this condition to the search, but, as I suppose, it doesnt sends logs when offline, you can use my search. Ciao. Giuseppe
