All Posts

Hey @Splunkerninja, I used makeresults to build a statistical table matching the one in the question. You can use the query below to identify the users whose ID values include both "AD" and "AR9":

| makeresults | eval User="John", ID="AD"
| append [| makeresults | eval User="John", ID="AY9"]
| append [| makeresults | eval User="Riya", ID="AD"]
| append [| makeresults | eval User="Toby", ID="AR9"]
| append [| makeresults | eval User="Nathan", ID="AD"]
| append [| makeresults | eval User="Nathan", ID="AR9"]
| append [| makeresults | eval User="Sam", ID="AD"]
| append [| makeresults | eval User="Sam", ID="AR9"]
| fields - _time
| table User ID
| stats values(ID) as ID by User
| mvcombine ID delim=""
| eval match=if(match(ID,"AD AR9"),1,0)
| search match="1"

Thanks, Tejas.
--- If the above solution is helpful, an upvote is appreciated.
Try something like this:

| makeresults format=csv data="A,B,C,D,E,F
0.1,b1,0.1,d1,0.1,f1
0.11,b2,0.2,d2,0.35,f2
0.2,b3,0.3,d3,0.9,f3
0.22,b4,,,1.0,f4
0.4,b5
0.5,b6
0.55,b7
0.9,b8"
| table A B C D E F
``` The lines above create dummy event data in line with your example (it is often helpful if you provide this yourself) ```
| appendpipe [| rename A as a | rename B as b | eval C=null() | eval D=null() | eval E=null() | eval F=null()]
| fields - A B
| appendpipe [| where isnotnull(C) | eval A=null() | eval B=null() | eval a=C | rename C as c | rename D as d | eval E=null() | eval F=null()]
| fields - C D
| appendpipe [| where isnotnull(E) | eval A=null() | eval B=null() | eval C=null() | eval D=null() | eval a=E | rename E as e | rename F as f]
| fields - E F
| where isnotnull(a)
| stats values(*) as * by a
| rename a as A | rename b as B | rename c as C | rename d as D | rename e as E | rename f as F
Yeah, I got it. Thanks @gcusello
I added the index specifically and still have the same issue. I also noticed the following: "App configuration: The "Splunk Common Information Model" app has not been fully configured yet. This app has configuration properties that can be customized for this Splunk instance. Depending on the app, these properties may or may not be required." I am not sure how to proceed; the index was already added and some data models were accelerated. I only have the same button, not a Next or Proceed button.
But I have 2 fields, and I want to color the first field according to the value of the second field: if true, then color it red. The fields are defined with eval in the query. Thank you.
We have a situation where the application sends its logs in syslog format, but we don't have a syslog server to receive them. Instead, can we make the UF (installed on the same app server) receive those syslog events and forward them to Splunk Cloud? Note: we don't have a physical location of the logs on the app server to monitor with the UF.
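As an added example of the setup being asked about (not from the post above, and assuming the application can be pointed at a port of your choosing), a universal forwarder can open a network input of its own, so the application sends syslog to the local UF and nothing needs to exist on disk. The port 1514, the sourcetype and the 127.0.0.1 restriction are assumptions; the forwarder's outputs.conf toward Splunk Cloud is left as it is.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf on the universal forwarder
# (added example, not from the post). Restricting the listener to 127.0.0.1
# means only the local application can reach it, which matters because a
# syslog listener will otherwise accept whatever any host sends to it.

[tcp://127.0.0.1:1514]
sourcetype = syslog
connection_host = ip

# UDP variant for applications that can only send UDP; syslog over UDP is
# dropped silently under load, so prefer the TCP stanza where possible.
[udp://127.0.0.1:1514]
sourcetype = syslog
connection_host = ip
```

Port 514 is privileged on Linux, so a UF running as a non-root splunk user cannot bind it without extra capabilities; a high port such as 1514 avoids that, provided the application is configured to send to it. The remote-server form of the stanza only restricts the source address, so it does nothing if the application sends from another host.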
Hey @SplunkExplorer, it seems that a few hosts are sending in classic text format and not in XML format. And yes, you can run the btool command to identify the parameter setting. Below is the btool command for your reference:

$SPLUNK_HOME/bin/splunk btool inputs list WinEventLog://Security --debug | grep renderXml
Hi, I want to display results only for users who have both IDs, AR9 and AD. Below is sample data; I have about 10k results being generated with multiple values, but I need to display only those users who have both ID AR9 and AD.

USER    ID
John    AD
John    AY9
Riya    AD
Toby    AR9
Nathan  AD
Nathan  AR9
Sam     AD
Sam     AR9

Thanks!
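The same requirement as an added example, not part of the question or of the reply above: the sample rows from the question are constructed with makeresults (replace that line with the real search), and the multivalue ID that stats produces is filtered with mvfilter and mvcount rather than by matching a joined string. The only assumptions are the field names User and ID.

```spl
| makeresults format=csv data="User,ID
John,AD
John,AY9
Riya,AD
Toby,AR9
Nathan,AD
Nathan,AR9
Sam,AD
Sam,AR9"
| stats values(ID) as ID by User
| where mvcount(mvfilter(ID=="AD" OR ID=="AR9")) == 2
| table User ID
```

With the constructed data only Nathan and Sam survive: John has AD and AY9, Riya and Toby have just one of the two values. Because stats values() deduplicates, a user with AD many times and AR9 once still counts as 2, and a user with neither value gets a null count and is dropped by the where.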
Solved it by changing to stats. Thanks.
At the same time I have a message: The search "Network - Traffic Volume Per 30m - Model Gen" is related to the correlation search "Network - Unusual Volume of Network Activity - Rule" but it is not enabled even though the correlation search is; this will cause the correlation to fail.
So what should I do? Replacing it with timechart also returns no results.
Hi @ITWhisperer, actually I created the data by hand to simplify the actual situation. The data is unfortunately sensitive and I cannot show too much. I did not use any appendcols for the actual data, but eval with if conditions. Thanks.
Sorry, I missed the chart command on your first line. This is the command which is removing the timestamps.
It looks like your sample data has been created with a couple of appendcols. If this is the case, perhaps it would be easier to go back a step and try to create your desired output from the original searches?
Hi All, I am having a very weird issue where I cannot see a report in the Splunk UI. When I search using Filter: All, I can see the report, but when I set the filter to 0, I get 'no searches, reports, and alerts found'. This couldn't be a visibility problem, as no such configuration is set in the conf file. The specs set in the conf file are attached below for reference. I have also attached the metadata file, as there is no access control information set for this specific saved search. There are 6 more savedsearches which I can see when I filter using Report, but not this specific one. No clue how the report is not found during the filter. Thanks in advance. Pravin
Here is the suggestion for best performance with no issues for your case: https://splunkbase.splunk.com/app/7130 Give me a like if that solves yours.
\"message\": \"Invalid Application ID\", \"messages\": null, \"error_response\": null, Need to extract the above message field without dropping other log messages. Like Nodrop option 
The addon you mentioned has more issues than the ones you faced. I suggest you use another addon which is working perfectly for me: https://splunkbase.splunk.com/app/7130 Give me a like if that solves yours.