All Posts

Why did Splunk get 1129.3600000000001, not 1129.36? As I already said, floating point arithmetic is messy on digital computers. But Splunk is also known to be quirkier. You can report this as a bug. In the real data, I have more than 10, so addcoltotals will not show up on the front page. Given that Summary has that bug, you can decide whether to use addcoltotals as a workaround, or live with 1129.3600000000001. SPL doesn't control pagination. Also, I don't believe Summary offers rounding.
Using split in your emulation kind of obscures characteristics of the real data, how real data becomes multivalued, etc. But working from this - please post test code/mock code in text, not screenshot - there is a potential way to leverage the sort command, which automatically recognizes IPv4 format.

| makeresults
| eval ip = split("119.0.6.159,62.0.3.75,63.0.3.84,75.0.3.80,92.0.4.159", ",")
| mvexpand ip
| sort ip
| stats values(ip) as ip list(ip) as sorted_ip

This gives you

ip            sorted_ip
119.0.6.159   62.0.3.75
62.0.3.75     63.0.3.84
63.0.3.84     75.0.3.80
75.0.3.80     92.0.4.159
92.0.4.159    119.0.6.159

mvexpand can be expensive. list can be memory hungry. So, think of data strategy if performance is a concern. Do you have to present results in multivalue format?
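The difference between the two columns above is the difference between a string sort and a numeric address sort. As an added illustration (not code from the post or from Splunk), the following Python shows both orderings side by side on the same five addresses, and also drops unparseable values, which is the case a real multivalue field tends to hit (empty entries, hostnames, IPv6 mixed in). The dedupe flag mirrors the distinction between values() and list() in the answer; the sample list is constructed from the addresses in the answer.

```python
import ipaddress

# Constructed sample input (not from the post): the five addresses in the
# answer above, in the lexicographic order that plain string sorting produces.
SAMPLE_IPS = ["119.0.6.159", "62.0.3.75", "63.0.3.84", "75.0.3.80", "92.0.4.159"]


def lexicographic_sort(values):
    """Plain string sort: '119...' lands before '62...' because '1' < '6'."""
    return sorted(values)


def sort_ipv4(values, dedupe=True):
    """Sort IPv4 strings by numeric address, dropping anything unparseable.

    dedupe=True mirrors stats values() (unique, sorted); dedupe=False mirrors
    list(), which keeps repeats (still emitted in numeric order here).
    """
    parsed = []
    for v in values:
        try:
            parsed.append(ipaddress.IPv4Address(str(v).strip()))
        except ValueError:
            # Not an IPv4 literal (empty field, hostname, IPv6): skip it.
            continue
    if dedupe:
        parsed = set(parsed)
    return [str(a) for a in sorted(parsed)]


if __name__ == "__main__":
    print("lexicographic:", lexicographic_sort(SAMPLE_IPS))
    print("numeric:      ", sort_ipv4(SAMPLE_IPS))
```

Comparing ipaddress objects rather than strings is what makes 62.0.3.75 sort before 119.0.6.159; the same idea is why the SPL answer relies on sort recognizing the IPv4 format instead of comparing text.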
I'm not sure if I get the idea. Do you mean to use this?

base = lower(type)
exe=base.".exe"

What is the intention of the curly brackets? (No, {base} is not a valid expression.)
Hi, I need help on the below SPL query.

| eval ci= if (isnull(ci),host,ci),

As per current logic, if there is no value available in ci then it will take host name as ci. Here host value is Splunk HF. I want it to pick up the server name or application name from the URL part instead of picking Splunk HF as host in the ci field. How to change server name or application name from the URL part instead of picking Splunk HF as host in the ci field?

URL Examples:
http://abcdflpqr0012.abcd.xyz.com:5050/abcd/intro.html
http://prod-abcd.xyz.com:14000/identity

Can you please help me here. Thank you.
Apologies if this is a repetitive question, but I couldn't find information anywhere. We have the Splunk OnCall (VictorOps) Slack integration set up, but when an on-call change happens, it doesn't actually notify the user in Slack, even when the Slack user is linked to their VictorOps account. Instead, just a message appears in the relevant channel with their VictorOps username. Am I missing a place where this can be configured properly?
I have Linux audit records that have a field called type and fields with the naming convention lower(type).field. I want to be able to combine type, as a prefix, and a set of suffixes to create new field names that exist in the data. For example, I have a type called FILE_WATCH and fields called file_watch.exe, file_watch.egid, file_watch.comm, etc. I want to develop a dashboard table by type and suffix in Splunk to show if a particular field exists for a type. So going back to my example using type=FILE_WATCH, how can I create a new field name along these lines?

base = lower(type)
exe={base}.".exe"  # does not work, but you get the idea.

With exe now equal to the field name, I want to be able to de-reference the new field name to see if it exists.
That error message is specific to the _time field. It's listing the only aggregation functions that can be used in tstats with that field; others, like sum, avg, etc., will produce this message. To see which fields can be used by the tstats command, use walklex.

| walklex type=field index=foo
This is the point where you show the search(es) you ran, their results, and tell how those results miss expectations.  Does the lookup file contain data that can be used to search the index?  If not, can it be modified or can the search modify a lookup field into something that's in the index?
I tried this method, but unfortunately I couldn't get exact results. It's showing only index data. Is there any different method? Instead of append, can we use the join command? Can you suggest different logic @richgalloway
That's exactly what I needed. Thanks for the help!
If the string ends with a space then you can extract it using this command

| rex "invalid user (?<invaliduser>\S+)"

If it ends with a comma or other character not part of the string then this command should do it

| rex "invalid user (?<invaliduser>[^,]+)"
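To make the behaviour of the three patterns concrete (the original \w+ one and the two suggested in the answer), here is an added Python example, not code from the post or from Splunk, that runs each pattern over constructed sshd-style lines built from the five usernames in the question, plus one constructed line where the name is followed by a comma. The sample lines are invented for the example; the only Python-specific change to the patterns is that Python spells a named group (?P<name>...) where Splunk's rex accepts (?<name>...).

```python
import re

# Constructed sample log lines (not from the post), one per username given in
# the question; in each the name is followed by a space, as in the examples.
SAMPLE_LINES = [
    "sshd[4211]: invalid user abc from 192.0.2.10 port 51022",
    "sshd[4212]: invalid user abc@def from 192.0.2.11 port 51023",
    "sshd[4213]: invalid user $abc from 192.0.2.12 port 51024",
    "sshd[4214]: invalid user abc\\def from 192.0.2.13 port 51025",
    "sshd[4215]: invalid user abc-def from 192.0.2.14 port 51026",
]
# Constructed line where the name is terminated by a comma instead of a space.
COMMA_LINE = "auth: invalid user abc-def, src=192.0.2.20"

# The question's original pattern: \w+ stops at the first non-word character,
# and the trailing space must then follow, so any name containing a special
# character fails to match at all.
WORD_ONLY = re.compile(r"invalid user (?P<invaliduser>\w+) ")
# Answer's pattern for a space-terminated name: any run of non-whitespace.
NON_SPACE = re.compile(r"invalid user (?P<invaliduser>\S+)")
# Answer's pattern for a comma-terminated name: everything up to the comma.
UP_TO_COMMA = re.compile(r"invalid user (?P<invaliduser>[^,]+)")


def extract(pattern, line):
    """Return the captured invaliduser group, or None when nothing matches."""
    m = pattern.search(line)
    return m.group("invaliduser") if m else None


def extract_all(pattern, lines):
    """Apply one pattern to every line, keeping None for non-matches."""
    return [extract(pattern, line) for line in lines]


if __name__ == "__main__":
    for label, pat in [("\\w+", WORD_ONLY), ("\\S+", NON_SPACE), ("[^,]+", UP_TO_COMMA)]:
        print(label, extract_all(pat, SAMPLE_LINES), extract(pat, COMMA_LINE))
```

Two things worth noticing when choosing between the answer's patterns: \S+ is the right tool when a space terminates the name, but on the comma-terminated line it swallows the comma ("abc-def,"); [^,]+ handles that line cleanly, but on a line with no comma it runs on to the end of the event. Pick the terminator that your data actually has, and check a few events that contain the other character.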
Looking for help with this rex command. I want to capture the continuous string after "invalid user" whether it has special characters or not. Here are some examples from my data set (abc is just an example, it could be any word or character):

invalid user abc
invalid user abc@def
invalid user $abc
invalid user abc\def
invalid user abc-def

If I run the below, I am able to successfully extract the invaliduser if it is a word. But this does not work if there is a special character.

base search | rex "invalid user (?<invaliduser>\w+) "

I have figured out how to extract if there is a leading special character (W+\w+) or a special character in the middle (w+\W+\w+), but those aren't exactly what I'm looking for. Is there a single rex command I can use to capture all possible results?
Hello, I am pretty new using Splunk and I am being tasked to generate multiple of these kinds of reports in Splunk (original reports were from a SQL tool). I really need help in finding the right query for this. Especially how to include certain users and exclude others. Your help is greatly appreciated!!

* Collect all available log sources.
* Generate a report that shows Changes to System Sec Config events occurred on the previous day, grouped by source users.
  • Format: .csv, List of events, table with subset of fields (User, Date/Time, Event, Group, oHost, Host (Impacted), oLogin, VendorMsgID, Domain Impacted), Grouped by User
  • Schedule: daily
  • Search window: -24 hours
  • Expiration: 30 days

# Technical Context
The following events are of interest
Vendor Message IDs - 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4736, 4737, 4740, 4754, 4755, 4756, 4757, 4758, 4759, 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4791, 631
AND User is NOT xxx, system, xxx, xxxx, xxxxx,
AND User (Impacted) IS NOT (res group name)
AND Host (Impacted) IS NOT %sc% (SQL PATTERN), %sd% (SQL PATTERN), ^sc.+, ^sd.+
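Before writing the SPL, it helps to pin down exactly what the SQL-era rules select, because the two SQL patterns and the two regexes above do not say the same thing. The following added Python (not code from the post or from Splunk) is a checkable reference model of the request's selection rules: the Vendor Message ID list, the source-user and impacted-user exclusions, and the Host (Impacted) exclusions with a small SQL LIKE to regex translator. It runs over constructed sample events using the report's field names and renders the grouped result as CSV. The excluded user names are placeholders because the request masks them as xxx, LIKE matching is assumed case-insensitive (as with the default collation of several SQL engines), and the previous-day time window is left to the scheduled search rather than modelled here.

```python
import csv
import io
import re
from collections import defaultdict

# Vendor Message IDs named in the request.
EVENT_IDS = {
    4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4736, 4737, 4740,
    4754, 4755, 4756, 4757, 4758, 4759, 4783, 4784, 4785, 4786, 4787, 4788,
    4789, 4791, 631,
}

# The request masks its real exclusion names as xxx; these are placeholders.
EXCLUDED_USERS = {"system", "svc_placeholder_1", "svc_placeholder_2"}
EXCLUDED_IMPACTED_USERS = {"res_group_placeholder"}


def sql_like_to_regex(pattern):
    """Translate a SQL LIKE pattern (% and _ wildcards) to an anchored regex.

    Assumes case-insensitive matching; drop re.IGNORECASE if the source
    database compared case-sensitively.
    """
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "%" else "." if ch == "_" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


# Host (Impacted) exclusions exactly as the request lists them. Note that
# %sc% already covers ^sc.+ and more: any host merely containing "sc" or "sd"
# is dropped, which is wider than "starts with".
HOST_EXCLUSIONS = [
    sql_like_to_regex("%sc%"),
    sql_like_to_regex("%sd%"),
    re.compile(r"^sc.+", re.IGNORECASE),
    re.compile(r"^sd.+", re.IGNORECASE),
]

REPORT_FIELDS = ["User", "Date/Time", "Event", "Group", "oHost",
                 "Host (Impacted)", "oLogin", "VendorMsgID", "Domain Impacted"]


def is_reportable(ev):
    """Apply the request's inclusion and exclusion rules to one event."""
    if ev.get("VendorMsgID") not in EVENT_IDS:
        return False
    if ev.get("User", "").lower() in EXCLUDED_USERS:
        return False
    if ev.get("User (Impacted)", "").lower() in EXCLUDED_IMPACTED_USERS:
        return False
    host = ev.get("Host (Impacted)", "")
    return not any(p.search(host) for p in HOST_EXCLUSIONS)


def group_by_user(events):
    """Return {user: [events]} for the events that pass the filter."""
    grouped = defaultdict(list)
    for ev in events:
        if is_reportable(ev):
            grouped[ev["User"]].append(ev)
    return dict(grouped)


def to_csv(grouped):
    """Render the grouped events as CSV with the requested field subset."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=REPORT_FIELDS, extrasaction="ignore")
    w.writeheader()
    for user in sorted(grouped):
        for ev in grouped[user]:
            w.writerow(ev)
    return buf.getvalue()


def _ev(user, msg_id, host, impacted, when="2024-01-01 00:00"):
    """Build one constructed event carrying the report's field names."""
    return {"User": user, "Date/Time": when, "Event": "Sec config change",
            "Group": "", "oHost": "collector01", "Host (Impacted)": host,
            "oLogin": user, "VendorMsgID": msg_id, "Domain Impacted": "corp",
            "User (Impacted)": impacted}


# Constructed sample events (not real data); comments give the expected verdict.
SAMPLE_EVENTS = [
    _ev("alice", 4728, "dc01", "bob"),                    # reportable
    _ev("system", 4728, "dc01", "bob"),                   # excluded source user
    _ev("alice", 4624, "dc01", "bob"),                    # ID not in scope
    _ev("carol", 4732, "scsrv01", "dave"),                # host matches %sc%
    _ev("carol", 4740, "dc02", "res_group_placeholder"),  # excluded impacted user
    _ev("carol", 631, "fs03", "dave"),                    # reportable
    _ev("alice", 4756, "DISCOVERY", "erin"),              # contains "sc", so excluded
]

if __name__ == "__main__":
    print(to_csv(group_by_user(SAMPLE_EVENTS)))
```

The DISCOVERY host in the sample is the point of the exercise: a %sc% LIKE pattern excludes it, which is almost certainly not what the original report intended, whereas ^sc.+ would keep it. Settle which reading is right before translating the exclusions into SPL, otherwise the Splunk report will silently differ from the SQL one.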
Hello, I know that the mvsort command sorts values lexicographically. But I want the output as below:

62.0.3.75
63.0.3.84
75.0.3.80
92.0.4.159
119.0.6.159

@ITWhisperer
Will give it try and let you know how it goes.
Use the eval command to add a field ("column"). The match function will compare a field to a string/regular expression.

base search
| rex field User
| rex field Folder
| rex field File
| eval Consumer = if(match(File, "^xyz"), "Core", "")
| table User Folder File Consumer
Hmmm yeah. Your example is actually working. I pretty much just copy-paste the search from the search screen to the Splunk Dashboard Studio page. One weird thing is that when I clicked "Open In Search" on Splunk Dashboard Studio, it does work. However somehow it does not work on the dashboard itself. Any possible pointers on this?
Use a subsearch to exclude the lookup file from the index results.

index=abc host=def_inven NOT [ | inputlookup something | fields <a field from the lookup that identifies a server> | rename <field> as <some field name in Dataset A> ]
Finding something that is not there is not Splunk's strong suit.  See this blog entry for a good write-up on it. https://www.duanewaddle.com/proving-a-negative/
Hi, I have two datasets, for example:

1. Index=abc host=def_inven, consider as Dataset A (inventory with 100 servers) and
2. lookup = something, consider as Dataset B (monitored in Splunk with 80 servers).

How can I identify the 20 servers missing?