Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
12-08-2023
12:09 AM
Hi @gcusello - I am not sure if I can schedule Splunk Report to run every 10 seconds? I added this cron expression in Report Schedule but it says "Invalid Cron" 0/10 0 0 ? * * *
12-08-2023
12:00 AM
Hi, I have data like these entries link id parent name ---- --- -------- --------- link1 311 ...
See more...
Hi, I have data like these entries link id parent name ---- --- -------- --------- link1 311 email.eml link1 312 311 abc.rar link2 315 312 xyz.exe that I want to combine into this link id parent name ---- --- -------- --------- link1, link2 315, 312, 311 312, 311 xyz.exe, abc.rar, email.eml Combining condition is based on id and parent. 311 is the parent, 312 is child of 311, 315 is child of 312 ('grandchild' of 311) Thank you in advance for your help!
Labels
- Labels:
-
stats
12-07-2023
11:43 PM
thanks @gcusello - I will give it a try and will update result/query here. Thank you.
12-07-2023
11:29 PM
Hi I'm upgrading and migrating my Splunk enterprise 8.1.1 running on windows server 2012 R2. Anyone have a recommended path for this? Upgrade first, or migrate first? Usually I would prefer to upgra...
See more...
Hi I'm upgrading and migrating my Splunk enterprise 8.1.1 running on windows server 2012 R2. Anyone have a recommended path for this? Upgrade first, or migrate first? Usually I would prefer to upgrade first, but I see that 8.2 is not supported on windows server 2012 R2.
12-07-2023
11:21 PM
Hi @madhav_dholakia, if you have a real time dashboard continously used by many users you kill your system. In this case, use a different approach: create a report containing the information to di...
See more...
Hi @madhav_dholakia, if you have a real time dashboard continously used by many users you kill your system. In this case, use a different approach: create a report containing the information to display and then in the dashboard display the report using loadjob (https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/SearchReference/Loadjob). this is an old post but the solution is still valid: https://community.splunk.com/t5/Dashboards-Visualizations/What-can-we-use-to-replace-loadjob-based-dashboards-that-work/td-p/183897?_ga=2.241490241.231839313.1701675686-357223955.1700808457&_gl=1*f7uctl*_ga*MzU3MjIzOTU1LjE3MDA4MDg0NTc.*_ga_GS7YF8S63Y*MTcwMjAxOTY5OC42NC4xLjE3MDIwMTk4OTYuNTQuMC4w*_ga_5EPM2P39FV*MTcwMjAxOTY2NS42Ny4xLjE3MDIwMTk5MDUuNDMuMC4whttps://community.splunk.com/t5/Dashboards-Visualizations/Add-reports-to-dashboards/m-p/9392 Ciao. Giuseppe
12-07-2023
11:12 PM
Hi Team, We are new to Splunk SIEM, Need to create real time use cases based on MITRE Framework for Linux and Palo Alto log sources in customer environment. Kindly help on this.
Labels
- Labels:
-
splunk-assist
12-07-2023
10:53 PM
1 Karma
That would be as easy as add values to the stats. | inputlookup ABC.csv
| eval lookup="ABC.csv"
| fields Firewall_Name lookup
| append [ | inputlookup XYZ.csv | eval lookup="XYZ.csv" | rename Fir...
See more...
That would be as easy as add values to the stats. | inputlookup ABC.csv
| eval lookup="ABC.csv"
| fields Firewall_Name lookup
| append [ | inputlookup XYZ.csv | eval lookup="XYZ.csv" | rename Firewall_Hostname AS Firewall_Name | fields Firewall_Name lookup ]
| stats values(lookup) as lookup by Firewall_Name
| eval lookup = case(mvcount(lookup) > 1, mvjoin(lookup, " + "), lookup == "XYZ.csv", lookup . " only", true(), null())
| stats count values(Firewall_Name) as Firewall by lookup
| eval Firewall = if(lookup == "ABC.csv + XYZ.csv", null(), lookup) Even though the above removes matching firewall names, you still want to consider how practical it is to show all non-matching names.
12-07-2023
10:48 PM
1 Karma
You can refer for size limit of Correlation name https://docs.splunk.com/Documentation/ES/7.2.0/Tutorials/NewCorrelationSearch#:~:text=However%2C%20if%20you%20include%20the,string%20suffix%20%22%...
See more...
You can refer for size limit of Correlation name https://docs.splunk.com/Documentation/ES/7.2.0/Tutorials/NewCorrelationSearch#:~:text=However%2C%20if%20you%20include%20the,string%20suffix%20%22%2DRule%22.
12-07-2023
10:47 PM
No, it's like keeping your shopping list when you move between store aisles. In dashboards, information stays even if you switch views, so you don't lose any details during your search journey.
12-07-2023
10:46 PM
Hello, I am creating a Simple XML dashboard (with panels refreshing every 10 or 30 seconds), replicating a Live Telephony System Dashboard (which refreshes every 5 seconds). A python script is fetc...
See more...
Hello, I am creating a Simple XML dashboard (with panels refreshing every 10 or 30 seconds), replicating a Live Telephony System Dashboard (which refreshes every 5 seconds). A python script is fetching data from Telephony System using RestAPI every 10 seconds and pushes to Splunk using HEC. Panles on Splunk Dashboard works ok most of the times, unless there are multiple live calls going on at a time or multiple users are accessing this dashboard. In later case, searches are taking long to complete (because they are in queue due to multiple users seeing the dashboard at the same time?). What is the best way to handle this scenario? Thank you.
Labels
- Labels:
-
dashboard
-
simple XML
12-07-2023
10:01 PM
Hi, I have some old splunk indexed data ( splunk buckets ) in version 6.6. Can I just copy them to another splunk server, which is version 8.2? Is there will be any issue of compatibility?
Labels
- Labels:
-
administration
12-07-2023
08:24 PM
It work!!! Thank you for your help
12-07-2023
05:53 PM
addcoltotals will show up at the end of the row, so if i have multipages, it will now show on the first page Why Splunk get 1129.3600000000001 from? The correct total should be 1129.36 Thanks
12-07-2023
04:56 PM
@bowesmana You are correct. I did have to change my index to point at 0 instead of 1
12-07-2023
04:11 PM
1 Karma
I don't know if it's possible, but you can add your own totals by appending | addcoltotals
12-07-2023
04:07 PM
You can do some great stuff with eval in drilldown, but be mindful that there are some bugs with using more than one multivalue eval statements, e.g. this one fails <eval token="k1">mvindex($row.key...
See more...
You can do some great stuff with eval in drilldown, but be mindful that there are some bugs with using more than one multivalue eval statements, e.g. this one fails <eval token="k1">mvindex($row.key$, mvfind($row.name$, $click.value2$))</eval> as it fails trying to call mvindex with the result of the mvfind. Note also that the first element is element 0, not 1 if that was your intention.
12-07-2023
04:02 PM
1 Karma
You can do this if you have the date_wday field in your data index="someindex" date_wday IN ("monday","tuesday","wednesday","thursday","friday") date_hour>=18 date_hour<20
| dedup eventid
| timechar...
See more...
You can do this if you have the date_wday field in your data index="someindex" date_wday IN ("monday","tuesday","wednesday","thursday","friday") date_hour>=18 date_hour<20
| dedup eventid
| timechart count(_raw) by eventName span=60m If you don't have those fields you can do index="someindex"
| eval date_wday=strftime(_time, "%a")
| eval date_hour=strftime(_time, "%H")
| search date_wday IN ("mon","tue","wed","thu","fri") date_hour>=18 date_hour<20
| dedup eventid
| timechart count(_raw) by eventName span=60m
12-07-2023
03:55 PM
1 Karma
From your SPL, it looks like you're trying to access the first line after At as the message type Have you tried extracting Message type with | rex field=_raw "(?s)At \d+:\d+:\d+\s+-0800\s+-..\s+(?<...
See more...
From your SPL, it looks like you're trying to access the first line after At as the message type Have you tried extracting Message type with | rex field=_raw "(?s)At \d+:\d+:\d+\s+-0800\s+-..\s+(?<message_type>\w+):" where the .. will match the line feed (you may only need a single dot, depends on the data.
12-07-2023
03:33 PM
1 Karma
If you think of the data that is needed for a pie chart, you need Service Success Fail
service 1 200 2
service 2 400 17
service 3 600 ...
See more...
If you think of the data that is needed for a pie chart, you need Service Success Fail
service 1 200 2
service 2 400 17
service 3 600 44 so the pie chart will only show 3 segments for Success, service 1 is approx 16% of the pie, service 2 is 33% and service 3 is 50% So, if you put Failures into the pie, how are you expecting to visualise that, as you would then get 6 segments, 2 for each service, one large one with successes and one small one with failures. Now Success is just a column of numbers and Service 1 failures is (2/1263*100), so approx 0.15% which is too small a slice to show on the pie chart. Splunk by default will aggregate small slices. You can mangle data in any way you want in Splunk to get where you want to get to.
