All Posts

Yes, it can be used with a table and all other visualizations. When you say "it is giving no results" does that mean the where command is not filtering as expected or you are getting nothing at all from the query? If the former, then it's possible the userAgent field is all spaces so the filter should be modified to handle that. For the latter, try renaming the fields to eliminate dots.

index=azure sourcetype="azure:monitor:aad" action=* | rename properties.* as * | where isnotnull(userAgent) AND userAgent!="" | table _time user deviceDetail.displayName userAgent action | sort -_time
That worked. Thanks.
I'm going crazy trying to troubleshoot this error with eventlog. I'm only using one mvfile replacement type and it is not working. The SA-Eventgen logs tell me this:

time="2023-12-06T19:42:32Z" level=warning msg="No srcField provided for mvfile replacement: "

In my $SPLUNK_HOME/etc/apps/<app>/default/eventgen.conf file, I have:

...
token.2.token = "(\$customer_name\$)"
token.2.replacementType = mvfile
token.2.replacement = $SPLUNK_HOME/etc/apps/eventgen_yogaStudio/samples/customer_info.txt:1
...

My customer_info.txt:1 file contains:

JoeSmith,43,Wisconsin,Pisces
JaneDoe,25,Kentucky,Gemini
...

I'm getting JSON-formatted events but for customer_name, it's just blank:

{
  membership: gold
  customer_name:
  item: 30-day-pass
  quantity: 4
  ts: 1701892130
}

I've tried the following sample file names: customer_info.txt, customer_info.sample, customer_info.csv. Nothing seems to work. I'm going crazy!
Can this be used with a table? This is my command but it is giving no results.

index=azure sourcetype="azure:monitor:aad" action=* | where isnotnull(properties.userAgent) AND properties.userAgent!="" | table _time user properties.deviceDetail.displayName properties.userAgent action | sort -_time
Hi all, I published my new version of app: https://splunkbase.splunk.com/app/7087, version 1.2.0 (invisible for now because of the issue below). When I tried to install it on my cloud instance through Splunkbase, I faced the error below:

X509 certificate (CN=splunkbase.splunk.com,O=Splunk Inc.,L=San Francisco,ST=California,C=US) common name (splunkbase.splunk.com) did not match any allowed names (apps.splunk.com,cdn.apps.splunk.com)

That's weird because I did not change anything about certification or the package process... Just fixed one more bug in the app about data missing and bumped the app version. Tried other apps on Splunkbase and the old version of my app, they all work fine... Does anyone have an idea what happened to my 1.2.0 app? Your help will be appreciated very much!
Does the account running Splunk have permission to delete the files?  Are there any messages in splunkd.log about the files?
Hi, I have a problem excluding or including only entries that contain specific String values in the msg field. For example, there are two (maybe more) definite String values contained in the msg field:

1. "GET /ecc/v1/content/preLoginBanners HTTP/1.0"
2. "GET /ecc/v1/content/category/LegalTerms HTTP/1.0"

I need 3 statements like the following:

1. Include ONLY 1 above in the msg field.
2. Include ONLY 2 above in the msg field.
3. Exclude 1 and 2 above to determine if there are more unknown values in the msg field.

I imagine I will be using this type of logic more on other output fields as time goes on. I am new to this and I am using the XML-based AdHoc Search input/output form. Any help is greatly appreciated!
Use the where command to filter out results with empty fields.

| where isnotnull(user_agent) AND user_agent!=""
Hello, I am trying to find a command that will allow me to create a table and only display values. When using the user agent field in my table, there are some values that are null. I only want values to display.
The datetime_udp.xml file doesn't exist on the indexer(s).  Double-check the add-on.  Consider re-installing it.  If it's still a problem, contact Splunk Cloud support or the add-on vendor.
Hi @isoutamo and others, there is some additional information about the vulnerabilities posted above. We are utilizing docker splunk for our docker HTTP event collector, so that we can send logs from our Kubernetes clusters to Splunk. Within that docker image, we are pulling in [1] 8.2.5 or [2] 9.0.5. We use twistlock to report vulnerabilities from our image and all of those vulnerabilities are being pulled from the docker splunk image tags mentioned below. We were wondering whether there is a process for Splunk to fix those vulnerabilities that were mentioned? If there is a process, can you take us through how that process works? Thanks and we look forward to talking with you.

[1] https://github.com/splunk/docker-splunk/tree/8.2.5
[2] https://github.com/splunk/docker-splunk/tree/9.0.5
Hello @hyeji , have you been able to evolve this issue? I'm also having the same problem, obviously, I'm trying to run this add-on on version 9.2 of Splunk, I applied python future to the code and managed to overcome several compatibility issues between python 2 and 3, but I still couldn't run the add-on. If you have any status of this you will be very welcome.    
Hi, I have seen an aggregation issue for one of my source types, cisco. How can I fix this issue in my Splunk Cloud?

12-06-2023 17:42:27.004 +0000 ERROR AggregatorMiningProcessor [82698 merging_0] - Uncaught exception in Aggregator, skipping an event: Can't open DateParser XML configuration file "/opt/splunk/etc/peer-apps/Splunk_TA_cisco-ise/default/datetime_udp.xml": No such file or directory - data_source="/syslog/nac/ise.log", data_host="ise-xx", data_sourcetype="cisco:ise:syslog"

Thanks...
Thanks a lot for the response, I tried multiple options, but none of them is working. 
Thank you very much, working perfect as intended
Hi, Can you help me with where I can download the Splunk forwarder 6.3 rpm package.
Try this

| timechart span=1d count by location
@ITWhisperer  I have included _time in my search, and the results are still the same.  
| stats count by fieldX | where count > 10

Set your alert to run over the past 60 minutes, e.g. earliest=-60m, then trigger if there are any results.
Chained searches simply operate on the events in the pipeline left from the previous search in the chain.