All Posts
This is what worked for me. I added a TimeBucket dropdown box and created a token. | search cat IN ($t_endpoint$) AND Car IN ($t_car$) | bin _time span=$t_bin$ | stats limit=15 sum(Numbercat) as Numbercat, avg(catTime) as AvgcatSecs by _time, Car, cat | eval Time=strftime(_time,"%Y-%m-%d-%I:%M %p") | fields - _time | fields Time, Numbercat
Thank you @ITWhisperer for your prompt help.
The issue is that in Splunk Enterprise 8.2.12 "ui-prefs.conf" is not used anymore!!! ... and for our users this is a big problem!!! This is a thread where the issue is described and solved: https://community.splunk.com/t5/Splunk-Enterprise/quot-ui-prefs-conf-quot-no-more-working-from-Version-7-to/m-p/669303#M17896
Dear Team, I installed Enterprise Security on the search head and downloaded Splunk_TA_ForIndexer from the ES General Settings. Now I am stuck on the UF technology add-on: where can I find it? There is no option in the ES interface and I can't find it on the Splunkbase portal. I tried multiple search keywords on Splunkbase with no luck.
Perhaps you should tell us a bit more about what you are trying to do - since you posted this in the Splunk Search section, I presume this is part of a search, perhaps for a dashboard or a report? If so, what do you have so far?
Where do I find this, as I'm using the defaults coming out of the Windows TA?
I would use split and mvindex instead of rex: | eval sourcePort=if(group="one",mvindex(split(sourcePort,"."),0),sourcePort)
Sorry about that. Try this SEDCMD instead. It does, however, make some assumptions about the order of fields. SEDCMD-rm-geo_protection = s/(.*\|action=Accept\|)(.*?)\|protection_type=geo_protection\|(.*?)(\|service=23.*)/\1\2|---|\3\4/
What pattern represents the valid user ids? (?<userid>[^\"]+@[^\"]+) https://regex101.com/r/sn0WLe/1
| rex field=fieldA "xxx[\_\w]+:(?<res>[a-z_]+)"
Hi @jcgever , UFs can send logs only to a Splunk HF or to an Indexer; it isn't possible to send logs to a DLP to mask them and then to an HF. If you want to mask your data before indexing, you can do this in the HF, following the instructions at https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/Anonymizedata Ciao. Giuseppe
Hi, I'm uncertain which process name (CreatorProcessName, ParentProcessName, or NewProcessName) is the appropriate one to apply Windows event blacklisting to in this context. Thanks.
Hi @NeharikaVats , you can filter your logs before indexing following the instructions at https://docs.splunk.com/Documentation/Splunk/9.1.1/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues You have to apply these configurations on the first Heavy Forwarder you have in your infrastructure. Ciao. Giuseppe
Hi @gwen , as you like, but I don't think that masking the information would reveal anything confidential. Anyway, good for you, see you next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
Hi @Splunkerninja , if you launch the URL from your browser, does it reach the image or not? Ciao. Giuseppe
I thank you, but I can not share much information because it is confidential. It's better to close the post. Thanks for your help. Excuse me for being upset.
Hi @AL3Z , as I said, does your regex match the string to search or not? If it matches it's correct, if not, it isn't! Ciao. Giuseppe
Hello @ITWhisperer, Thank you for your response. Can you please help with an example of how to write the code? |inputlookup myTable.csv |where _time=relative_time(now(),"-1d@d") Now I need to apply the regular expression on fieldA and store the extracted data from each row in the field res. It would be very helpful if you could help. Thank you
Hi, I scripted something myself and I want to share it with you. https://github.com/Gotarr/Splunkbase-Download-script (Python script) My inspiration is from @tfrederick74656 but his script doesn't work very well for me. Happy splunking and let me know if something doesn't work.
@yuanliu Your suggestion worked for me, but is there a way to put comments with carriage returns on multiple lines? See below. Thanks { "visualizations": { "viz_OQMhku6K": { "type": "splunk.ellipse", "_comment": " ================================== This is created by Person1 on 1/1/2023 @companyb On 2/1/2023 - added base search On 2/5/203 - added dropdown box " } },