Note: The 10 result limit for map is a soft limit, you can go more with the maxsearches=X setting, but again, map is rarely useful. Glad you got a working solution.
Is your data JSON? If so, Splunk will only extract the first 5K of the JSON object in an event. I'm not totally sure if it has that 5k limit for other auto kv field extraction.
You could add an untable:
index=os sourcetype=ps (tag=dcv-na-himem)
NOT tag::USER="LNX_SYSTEM_USER"
| timechart span=1m eval((sum(RSZ_KB)/1024/1024)) as Mem_Used_GB by USER useother=false
| untable _time USER Mem_Used_GB
| where Mem_Used_GB >= 128 AND Mem_Used_GB <= 256
| sort Mem_Used_GB desc
| head 20
Hi @jialiu907 Sorry, I took your original timechart field eval which I believe may be incorrect. I do not have test data to check this but please can you try the following in place of the previous stats block?
| stats sum(eval(RSZ_KB/1024/1024)) as Mem_Used_GB by _time, USER
Did this answer help you? If so, please consider: Adding karma to show it was useful, Marking it as the solution if it resolved your issue, Commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing
I am getting an error with the stats command after trying your query. Error in 'stats' command: The argument 'eval((sum(RSZ_KB)/1024/1024))' is invalid.
I do have access to it, it's under index=falcon with a sourcetype="crowdstrike:events:sensor or crowdstrike*". Just trying to find a foolproof way to view 100% of the hosts that have the agent installed with each of the hosts' source IP. If I could get a true and false statement saying no crowdstrike agent is installed on the list that would be great. But sadly I'm not that versed at Splunkfu.
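The true/false-per-host view asked for above only works against a list of hosts that is independent of the sensor data itself: events in index=falcon can only ever show hosts that do report, never the ones that don't. The following is an added example, not code from the thread, that models that join in Python. It assumes a host list exported from an inventory source (a CMDB, here constructed) and the host/_time pairs you would pull from the sensor index, normalises hostnames so "WEB01.corp.example" and "web01" match, and treats an agent that has stopped checking in as a gap as well.

```python
from datetime import datetime, timedelta, timezone


def normalize_host(name):
    """Collapse the spellings a host turns up under (inventory FQDN vs. sensor short
    name, mixed case) so the two sources can be joined on one key."""
    return name.strip().lower().split(".")[0]


def agent_coverage(inventory, sensor_events, now, max_age=timedelta(hours=24)):
    """Return (per-host rows, hosts reporting but absent from inventory).

    inventory:     host names from an authoritative source (assumed: a CMDB export).
    sensor_events: dicts with 'host' and '_time' (UTC datetime) as seen in the sensor index.
    A host counts as covered only if its newest sensor event is younger than max_age;
    an installed agent that went quiet is reported the same way as a missing one.
    """
    last_seen = {}
    for ev in sensor_events:
        key = normalize_host(ev["host"])
        if key not in last_seen or ev["_time"] > last_seen[key]:
            last_seen[key] = ev["_time"]

    rows = []
    for host in inventory:
        seen = last_seen.get(normalize_host(host))
        reporting = seen is not None and (now - seen) <= max_age
        rows.append({"host": host, "agent_reporting": reporting, "last_seen": seen})

    # Hosts the sensor knows about that the inventory does not: worth a look too.
    unknown = sorted(set(last_seen) - {normalize_host(h) for h in inventory})
    return rows, unknown


# Constructed sample data, not taken from the thread.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
INVENTORY = ["WEB01.corp.example", "db02", "jump03.corp.example"]
SENSOR_EVENTS = [
    {"host": "web01", "_time": NOW - timedelta(minutes=5)},
    {"host": "DB02.corp.example", "_time": NOW - timedelta(days=3)},  # agent went quiet
    {"host": "lab09", "_time": NOW - timedelta(minutes=1)},           # not in inventory
]

if __name__ == "__main__":
    rows, unknown = agent_coverage(INVENTORY, SENSOR_EVENTS, NOW)
    for r in rows:
        print(f"{r['host']:<22} agent_reporting={r['agent_reporting']} last_seen={r['last_seen']}")
    print("reporting but not in inventory:", unknown)
```

The same join can be done inside Splunk with a lookup holding the inventory and a stats/latest(_time) over the sensor events; the point the model makes is that the inventory must come from somewhere other than the sensor index, and that "last seen" matters as much as "ever seen".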
I'm having issues getting this to work. I posted my search in an earlier post. I was told not to use the eval _raw line, I've tried removing it and I have used | eval msgTxt=" and it is still not working. What am I doing wrong? Please help. Thanks
Hi @Ghost It's generally not advisable to run index=* if you can avoid it - do you know where your crowdstrike data is being ingested, and are you able to confirm that you have access to it?
Did this answer help you? If so, please consider: Adding karma to show it was useful, Marking it as the solution if it resolved your issue, Commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing
Hi @jialiu907 After you have applied your timechart you no longer have "Mem_Used_GB" as each field/column is the name of the USER containing the value. If you used "stats" instead of your "timechart" you would get the "Mem_Used_GB" column, however you won't get the _time element in. It isn't clear what your use case is but if you use bin and stats you might get the desired outcome?
index=os sourcetype=ps (tag=dcv-na-himem)
NOT tag::USER="LNX_SYSTEM_USER"
| bin span=1m _time
| stats sum(eval(RSZ_KB/1024/1024)) as Mem_Used_GB by _time, USER
| where Mem_Used_GB >= 128 AND Mem_Used_GB <= 256
| sort Mem_Used_GB desc
| head 20
Did this answer help you? If so, please consider: Adding karma to show it was useful, Marking it as the solution if it resolved your issue, Commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing
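The reason the original `where` returns nothing, and why both the bin/stats rewrite and the untable variant fix it, comes down to the shape of the result table. The following is an added Python model of that, not code from the thread or from Splunk: `timechart ... by USER` pivots the split-by values into columns (wide form), so no field called Mem_Used_GB survives for `where` to test; `bin` + `stats by _time, USER` keeps one row per (_time, USER) with the field intact; `untable` turns the wide table back into that long form. The sample events and minute bins are constructed.

```python
from collections import defaultdict

GB_IN_KB = 1024 * 1024  # RSZ_KB is in kilobytes; the search divides by 1024 twice

# Constructed sample `ps` events (epoch seconds, USER, RSZ_KB); not data from the thread.
T0 = 1_700_000_000
EVENTS = [
    {"_time": T0 + 5,  "USER": "alice", "RSZ_KB": 100 * GB_IN_KB},
    {"_time": T0 + 12, "USER": "alice", "RSZ_KB": 50 * GB_IN_KB},   # alice sums to 150 GB in bin 1
    {"_time": T0 + 20, "USER": "bob",   "RSZ_KB": 300 * GB_IN_KB},  # above the 256 GB ceiling
    {"_time": T0 + 65, "USER": "alice", "RSZ_KB": 64 * GB_IN_KB},   # below the 128 GB floor
    {"_time": T0 + 70, "USER": "carol", "RSZ_KB": 200 * GB_IN_KB},  # in range, bin 2
]


def bin_time(t, span=60):
    """`| bin span=1m _time`: floor the timestamp to the start of its minute."""
    return (t // span) * span


def stats_sum_by_time_user(events, span=60):
    """`| bin span=1m _time | stats sum(eval(RSZ_KB/1024/1024)) as Mem_Used_GB by _time, USER`.
    Long form: one row per (_time, USER), and the Mem_Used_GB column is kept."""
    totals = defaultdict(float)
    for ev in events:
        totals[(bin_time(ev["_time"], span), ev["USER"])] += ev["RSZ_KB"] / 1024 / 1024
    return [{"_time": t, "USER": u, "Mem_Used_GB": gb} for (t, u), gb in sorted(totals.items())]


def timechart_by_user(events, span=60):
    """`| timechart span=1m sum(...) as Mem_Used_GB by USER`: the split-by values become
    the columns (wide form), so no column named Mem_Used_GB exists afterwards.
    Cells with no data are modelled as None (Splunk shows them empty)."""
    long_rows = stats_sum_by_time_user(events, span)
    users = sorted({r["USER"] for r in long_rows})
    wide = {}
    for r in long_rows:
        wide.setdefault(r["_time"], {"_time": r["_time"], **{u: None for u in users}})
        wide[r["_time"]][r["USER"]] = r["Mem_Used_GB"]
    return [wide[t] for t in sorted(wide)]


def untable(rows, id_field="_time", name_field="USER", value_field="Mem_Used_GB"):
    """`| untable _time USER Mem_Used_GB`: wide back to long; empty cells are dropped."""
    out = []
    for row in rows:
        for col, val in row.items():
            if col != id_field and val is not None:
                out.append({id_field: row[id_field], name_field: col, value_field: val})
    return out


def where_range(rows, field, low, high):
    """`| where field >= low AND field <= high`. A row without the field is dropped
    silently, which is what turns the timechart-based search into zero results."""
    return [r for r in rows if r.get(field) is not None and low <= r[field] <= high]


def top_n(rows, field, n=20):
    """`| sort field desc | head n`."""
    return sorted(rows, key=lambda r: r[field], reverse=True)[:n]


if __name__ == "__main__":
    wide = timechart_by_user(EVENTS)
    print("timechart columns:", [c for c in wide[0] if c != "_time"])          # users only
    print("where after timechart:", where_range(wide, "Mem_Used_GB", 128, 256))  # []
    for label, rows in (("bin+stats", stats_sum_by_time_user(EVENTS)),
                        ("timechart+untable", untable(wide))):
        hits = top_n(where_range(rows, "Mem_Used_GB", 128, 256), "Mem_Used_GB")
        print(label, [(r["USER"], r["Mem_Used_GB"]) for r in hits])
```

Running it shows the timechart result has columns alice/bob/carol and the range filter on it is empty, while both long-form paths return alice (150 GB) and carol (200 GB). The model also makes the silent-failure mode visible: `where` on a field that is not there does not error, it just filters everything out, which is why "events matched" but no results came back.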
Hello, Got tasked with finding all hosts that didn't have the crowdstrike agent installed and running into problems with my searches. I've used the following "CSFalconservice.exe | stats count by host" & "index=*sourcetype="crowdstrike:events:sensor" | stats count by host" but it's not giving me the information per each individual host. V/r Ghost
I am looking for a range of numbers within the results of my search query but I am getting no results back after adding in a where clause. This is my original search query.
index=os sourcetype=ps (tag=dcv-na-himem)
NOT tag::USER="LNX_SYSTEM_USER"
| timechart span=1m eval((sum(RSZ_KB)/1024/1024)) as Mem_Used_GB by USER useother=no
| sort Mem_Used_GB desc
| head 20
This is some of the results. This is the new search where I am looking for a range of data between 128 and 256 and I am getting no results back, even with events matched. I have also played with the timeline and the range of the where clause and still nothing.
index=os sourcetype=ps (tag=dcv-na-himem)
NOT tag::USER="LNX_SYSTEM_USER"
| timechart span=1m eval((sum(RSZ_KB)/1024/1024)) as Mem_Used_GB by USER useother=no
| where Mem_Used_GB >= 128 AND Mem_Used_GB <= 256
| sort Mem_Used_GB desc
| head 20
Hi I've just tried and it downloaded without an issue for me, see below: Is there a firewall between your machine and the Splunk download website? I'm wondering if this could be causing issues?
Did this answer help you? If so, please consider: Adding karma to show it was useful, Marking it as the solution if it resolved your issue, Commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing @Waitomo
I'm trying to download Splunk using "wget -O splunk-9.4.2-e9664af3d956.x86_64.rpm "https://download.splunk.com/products/splunk/releases/9.4.2/linux/splunk-9.4.2-e9664af3d956.x86_64.rpm"" and it's hanging at 35%. Was wondering if this is a known issue.
Same issue here a few weeks ago, but already solved. After spending considerable time on this issue, I believe there is a documentation gap. To maintain a consistent documentation path within the Splunk 9.4.1 upgrade process, I suggested adding the following link as a reference for Deployment Server: https://docs.splunk.com/Documentation/Splunk/9.4.1/Updating/Upgradepre-9.2deploymentservers This should be included under the READTHISFIRST section for versions later than 9.2: https://docs.splunk.com/Documentation/Splunk/9.4.1/Installation/AboutupgradingREADTHISFIRST
So in terms of "the sourcetype mydevice:clone is also indexed on my local indexer" - you have cloned it but because it still has _TCP_ROUTING=local_indexers it will also index on the local indexers. How come you are sending to a secondary Splunk server via syslog instead of Splunk2Splunk? If you don't want to send the cloned sourcetype to local indexers then you need to use another transform to set "_TCP_ROUTING=" (no value) as well as setting your syslog routing in the other transforms.
Did this answer help you? If so, please consider: Adding karma to show it was useful, Marking it as the solution if it resolved your issue, Commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing
Hi @yuanliu , can you please check what you suggested. It is different from what I am looking for :-). I have put your code in and checked to be sure, maybe I missed something. For example, in the filter try to select all values with "bundle". So, we have four matched values. How can I select these four values with one click?