All Posts
Hi @doadams85, sorry, but it isn't clear. Could you share some samples of your logs and the search you're using? Ciao. Giuseppe
Thank you @ITWhisperer. Can you also help me with how I can add another column, "Previous week Training Completion%", so that I can compare the progress from the previous week to the present week's training completion?
Hi @MrJohn230, I continue to prefer the solution I hinted at, because union is very similar to join and maintains the same limit of 50,000 results like all the subsearches. If it solves your requirement, use it, but I suggest getting practice using stats, which is better and faster. Did you solve the initial issue with the eval? Ciao. Giuseppe
@bowesmana
1. Should I download and install the "Number Display Viz" app first in Splunk before applying your commands?
2. Will it work in Dashboard Studio? It looks like your commands are in XML format.
3. Also, I got this error when applying your solution, since the number of students is more than 100: 'list' command: Limit of '100' for values reached. Additional values may have been truncated or ignored.
Please suggest. I appreciate your help. Thank you
Hello, your suggestion worked. Thanks for your help. I accepted this as a solution. Although the value field was labeled as "row 1", I was able to rename it as the "value" field: | rename "row 1" as value
Please let me know if this is a good approach. Thanks
@woodcock What is the best way to modify this script to support the API token approach? I have tried a few different versions, but am unable to get it to work properly. So, something like: curl -H "Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2......."
Works on Windows too, thanks for the tip, I was starting to lose my mind.
Hi @richgalloway, I've heard that the field name removal isn't feasible while we're receiving logs from the syslog server. Is that correct to your knowledge? Thanks
@LukeMurphey I'm trying to run the File/Directory Information Input app (v1.4.5) on a universal forwarder. It's a Windows server and I've installed the latest version of Python 3 (and set the app to use 3). I keep getting the same 3 errors in splunkd (copied from another post as my system is isolated):
"09-18-2019 10:47:10.099 +0200 ERROR ModularInputs - Introspecting scheme=file_meta_data: Unable to run "python "C:\Program Files\SplunkUniversalForwarder\etc\apps\file_meta_data\bin\file_meta_data.py" --scheme": child failed to start: The system cannot find the file specified.
09-18-2019 10:47:10.356 +0200 WARN UserManagerPro - Can't find [distributedSearch] stanza in distsearch.conf, using default authtoken HTTP timeouts
09-18-2019 10:47:10.356 +0200 ERROR ModularInputs - Unable to initialize modular input "file_meta_data" defined in the app "file_meta_data": Introspecting scheme=file_meta_data: Unable to run "python "C:\Program Files\SplunkUniversalForwarder\etc\apps\file_meta_data\bin\file_meta_data.py" --scheme": child failed to start: The system cannot find the file specified.."
(Except it says Python3.exe instead of python.) Other posts with these errors did not have Python installed, or one said their path environment variable was incorrect but didn't elaborate. My path is set with the 2 default values from the installer, if that matters.
Hi, I am trying to use the hyperlink markdown you shared with someone else, but when I add [Markdown Guide](https://www.markdownguide.org) inside the email body of a send email action (SMTP), I get exactly the above without a link added, just text, no hyperlink. Could anybody help me figure out how I can get a hyperlink to show in the body of the send email action? I am on version 5.3.2.88192. I also tried the <a> tag with the href and that doesn't work either.
I don't have a SEDCMD that would do that well. SEDCMD applies to _raw rather than individual fields, so a regex would have to be very specific to avoid removing too many spaces or otherwise damaging other fields.
@inventsekar It has been resolved. Thanks
>>> I developed a regex to strip out the unwanted events. It's working as expected.
So, may I know if your problem is resolved, or do you still have some issues? Please suggest, thanks. Karma points / upvotes are appreciated, thanks.
@inventsekar Thanks for your response. We have UF and indexer. I developed a regex to strip out the unwanted events. It's working as expected.
SEDCMD-Remove1=s/^\[\d{2}\/\d{2}\/\d{4}\s\d{2}\:\d{2}:\d{2}]\s+<Event was scheduled based on job definition.>//
SEDCMD-Remove2=s/^\[\d{2}\/\d{2}\/\d{4}\s\d{2}\:\d{2}:\d{2}]\s+<Executing at CA_AGENT>//
SEDCMD-Remove3=s/^\[\d{2}\/\d{2}\/\d{4}\s\d{2}\:\d{2}:\d{2}]\s+-+//
A common way to re-ingest data is by using the splunk add oneshot command. Splunk will re-ingest everything in the file, however, without regard to events that were previously indexed. To ingest only missing events, I would copy the file and remove the events that you don't want to read in again.
Hi @brdr, the above 2 SPL searches are working fine, as you can see in the screenshots below. The easiest one is the split command:
| makeresults
| eval field_id="/key1/value1/key2/value2/key3/value3/key4/value4"
| eval temp=split(field_id,"/")
| eval field_key1=mvindex(temp,2)
| eval field_key2=mvindex(temp,4)
| table field_id field_key1 field_key2
Hi Splunk Gurus... As you can see, the length function is not working as expected for non-English words. I checked the old posts and documentation, but no luck. Any suggestions please? Thanks.
| makeresults
| eval _raw="இடும்பைக்கு"
| eval length=len(_raw)
| table _raw length
This produces:
_raw length
இடும்பைக்கு 11
(That word இடும்பைக்கு is actually 6 characters, not 11.)
Thank you both, ITWhisperer and bowesmana!!! Will try these out.
Hi @iamsplunker... Please tell us if you have a HF or UF and indexer. Also please tell us if you have had a chance to look at this doc, and please copy and paste your current props/transforms: https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/Anonymizedata
Hi @richgalloway, could you please write the sed command to remove the space between the field names? Thanks.