Hi @Muthu_Vinith, if you have only four statuses you can run something like this to be sure to have all the statuses even if there aren't values for some of them:

<Your_search>
| stats count BY status
| append [ | makeresults | eval status="Not Started", count=0 | fields status count ]
| append [ | makeresults | eval status="Progress", count=0 | fields status count ]
| append [ | makeresults | eval status="Wip Progress", count=0 | fields status count ]
| append [ | makeresults | eval status="Completed", count=0 | fields status count ]
| stats sum(count) AS total BY status

If the statuses can be more, you can also use a lookup to list all of them.
Ciao.
Giuseppe
Hi @maede_yavari, good for you, see you next time! Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe. P.S.: Karma Points are appreciated.
Hi @rolypolytoyy, good for you, see you next time! Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe. P.S.: Karma Points are appreciated.
What defines the start and end of the error text in each of those examples, and how much of that do you want to get in error_message? You could very simply do this:

| rex "\]:\s(?<error_message>.*)"

which would take everything after the ]: to the end of the event.
Hi, I'm trying to set up a way to automatically assign notables to the analysts, and evenly. The "default owner" in the notable adaptive response wouldn't help, as it will keep on assigning the same rule to the same person. Is there a way to shuffle the assignees automatically?
The starting point for correlating two datasets together is to combine them into a single search, then use stats to combine them through a common field. So, you should start with this approach:

...search...
| table _time os host user clientName clientAddress signature logonType
| convert mktime(_time) as epoch
| sort -_time
| inputlookup append=t Request_admin_access.csv
... now use eval+stats to join and collapse the data events and the lookup events together, e.g.
| stats values(*) as * by host

You seem to have host in both data and lookup. Map is certainly not the right tool for this job.
Can you share an example of the data where you have each type of status? If status values are being extracted for some events but not others, it would indicate your data is not in a standard format. Where is your data coming from, and perhaps you can share an anonymised version of it?
You need to use your result tokens, not just some name out of the blue. https://docs.splunk.com/Documentation/Splunk/latest/Alert/EmailNotificationTokens
@nickhills Just came across your comment, which made me chuckle, that the appinspect process encourages us to use definitions. While I agree with the principle of using definitions, I would say that a hard failure is not exactly an encouragement; it's a point-blank "computer says NO".
I'm getting this error from a connection in DB Connect: "There was an error processing your request. It has been logged (ID xxxx)". I've manually copied the query into db_inputs.conf but it doesn't work. Can anyone help me?
Hi, I am trying to set up an alert with the following query for the tickets that are not assigned to someone after 10 mins. I wanted the ticket number to get populated in the mail, but I am not getting it; the mail is sent without the ticket number.

index="servicenow" sourcetype=":incident"
| where assigned_to = ""
| eval age = now() - _time
| where age>600
| table ticket_number, age, assignment_group, team
| lookup team_details.csv team as team OUTPUTNEW alert_email, enable_alert
| where enable_alert = Y
| sendemail to="$alert_email$" subject="Incident no. "$ticket_number$" is not assigned for more than 10 mins - Please take immediate action" message=" Hi Team, This is to notify you that the ticket: "$ticket_number$" is not assigned for more than 10 mins. Please take necessary action on priority"
Hi, I noticed that the ingestion latency health check is turning yellow for the indexers. There is also a delay in searching for the data. The index queues show as blocked when checking the internal logs of the heavy forwarders. Could performing a rolling restart of the indexers help, since it has been a very long time since we last did that?