That error message is specific to the _time field.  It's listing the only aggregation functions that can be used in tstats with that field; others, like sum, avg, etc., will produce this message. To see which fields can be used by the tstats command, use walklex. | walklex type=field index=foo
This is the point where you show the search(es) you ran, their results, and tell how those results miss expectations.  Does the lookup file contain data that can be used to search the index?  If not, can it be modified or can the search modify a lookup field into something that's in the index?
I tried this method, but unfortunately I couldn't get exact results. It's showing only index data. Is there any different method? Instead of append, can we use the join command? Can you suggest different logic @richgalloway
That's exactly what I needed. Thanks for the help!
If the string ends with a space then you can extract it using this command
| rex "invalid user (?<invaliduser>\S+)"
If it ends with a comma or other character not part of the string then this command should do it
| rex "invalid user (?<invaliduser>[^,]+)"
Looking for help with this rex command. I want to capture the continuous string after "invalid user" whether it has special characters or not. Here are some examples from my data set (abc is just an example, it could be any word or character):
invalid user abc
invalid user abc@def
invalid user $abc
invalid user abc\def
invalid user abc-def
If I run the below, I am able to successfully extract the invaliduser if it is a word. But this does not work if there is a special character.
base search | rex "invalid user (?<invaliduser>\w+) "
I have figured out how to extract if there is a leading special character (W+\w+) or a special character in the middle (w+\W+\w+) but those aren't exactly what I'm looking for. Is there a single rex command I can use to capture all possible results?
Hello, I am pretty new to using Splunk and I am being tasked to generate multiple of these kinds of reports in Splunk (original reports were from a SQL tool). I really need help in finding the right query for this, especially how to include certain users and exclude others. Your help is greatly appreciated!!
————-
* Collect all available log sources.
* Generate a report that shows Changes to System Sec Config events occurred on the previous day, grouped by source users.
• Format: .csv, List of events, table with subset of fields (User, Date/Time, Event, Group, oHost, Host (Impacted), oLogin, VendorMsgID, Domain Impacted), Grouped by User
• Schedule: daily
• Search window: -24 hours
• Expiration: 30 days
# Technical Context
The following events are of interest
Vendor Message IDs - 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4736, 4737, 4740, 4754, 4755, 4756, 4757, 4758, 4759, 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4791, 631
AND User is NOT xxx, system, xxx, xxxx, xxxxx,
AND User (Impacted) IS NOT (res group name)
AND Host (Impacted) IS NOT %sc% (SQL PATTERN), %sd% (SQL PATTERN), ^sc.+, ^sd.+
Hello, I know that the mvsort command sorts values lexicographically. But I want the output as below:
62.0.3.75
63.0.3.84
75.0.3.80
92.0.4.159
119.0.6.159
@ITWhisperer
Will give it try and let you know how it goes.
Use the eval command to add a field ("column"). The match function will compare a field to a string/regular expression.
base search | rex field User | rex field Folder | rex field File | eval Consumer = if(match(File, "^xyz"), "Core", "") | table User Folder File Consumer
Hmmm yeah. Your example is actually working. I pretty much just copy-paste the search from the search screen to the Splunk Dashboard Studio page. One weird thing is that when I clicked "Open In Search" on Splunk Dashboard Studio, it does work. However, somehow it does not work on the dashboard itself. Any possible pointers on this?
Use a subsearch to exclude the lookup file from the index results.
index=abc host=def_inven NOT [ | inputlookup something | fields <a field from the lookup that identifies a server> | rename <field> as <some field name in Dataset A> ]
Finding something that is not there is not Splunk's strong suit.  See this blog entry for a good write-up on it. https://www.duanewaddle.com/proving-a-negative/
Hi, I have two datasets, for example:
1. Index=abc host=def_inven, consider as Dataset A (inventory with 100 servers) and
2. lookup = something, consider as Dataset B (monitored in Splunk with 80 servers).
How can I identify the 20 servers missing?
Hi, if I have process events like
PID | ProcessName | CommandLine | SpawnedByPID
100 | process_1 | process_1_commandLine | 99
101 | process_2 | process_2_commandLine | 100
200 | process_3 | process_3_commandLine | 199
201 | process_4 | process_4_commandLine | 200
Is there any Viz that will map processes in some Folder/EDR-like tree (where I can also click on a node and get more info)? For example, final results are based on PID but the Viz looks something like
| -> process_name_99
|----> process_1 (on hover or click will get token process_1_commandLine)
|--------> process_2
| -> process_name_99
|----> process_3
|-------->process_4
Something like psTree, just more advanced and connected by PID, not names.
Hi! Is it possible to report errors without throwing an exception / crashing the app? I'd like to report some custom user data for certain events as described here, without throwing an exception: https://docs.appdynamics.com/appd/23.x/23.6/en/end-user-monitoring/mobile-real-user-monitoring/instrument-android-applications/customize-the-android-instrumentation#id-.CustomizetheAndroidInstrumentationv23.2-user-dataCustomUserData
I tried the following, but it wasn't reported, nor could I see it in the crashes view:
Instrumentation.setUserData("Custom_event_key", "Some event happened");
Instrumentation.reportError(e, ErrorSeverityLevel.CRITICAL);
If this is possible, where can I monitor that data in AppDynamics? Or is this just extra data which will only be added to crash reports?
Hello, we have a requirement for this as well. Is there any update to this discussion? We have a need to integrate data sourced from ThreatResponse into our splunk solution.
That message appears when a query uses a token that has no value.  Check all tokens in the dashboard to make sure they are defined before the query executes.  Perhaps there is a spelling error somewhere.
Hello @yuanliu
addcoltotals will show up at the end of the row, so if I have multiple pages, it will not show on the first page. In the real data, I have more than 10, so addcoltotals will not show up on the front page.
Why did Splunk get 1129.3600000000001, not 1129.36?
Thanks
Hello @bowesmana
addcoltotals will show up at the end of the row, so if I have multiple pages, it will not show on the first page.
Where did Splunk get 1129.3600000000001 from? The correct total should be 1129.36
Thanks