Your where clause is wrong - it does not support the IN construct like search does. You could do it with | where in(UserId,125,999,418,208) or using search IN. As @gcusello says, using join and subsearches is not a good habit; using stats can normally do the same and does not have the limitations that join/subsearch has. This is an example of using stats:

index=customer (name IN (gate-green, gate-blue) msg="*First time: *") OR (name IN (cust-blue, cust-green) msg="*COMPLETED *")
| rex field=msg "First time: (?<UserId>\d+)"
| eval FirstRequest = if(isnotnull(UserId),1,null())
| rex field=msg "Message\|[^\t\{]*(?<json>{[^\t]+})"
| spath input=json path=infoId output=CompletedUserId
| eval Completed = if(isnotnull(CompletedUserId), 1, null())
| eval UserId=coalesce(UserId, CompletedUserId)
| stats values(Completed) as Completed by UserId
| search UserId IN (125,999,418,208)
Your Earliest statement is wrong. If you just want yesterday, do this:

index=WinEventLog* EventID=4625 earliest=-d@d latest=@d
| stats count by user, _time, action, subject, message

which will give you a list of the failed logins - do you really want to group by _time as well, or do you want to show the first or last time of the failed login?
You can't do it with a single value viz, but I suggest using Chris Younger's excellent number display viz - https://splunkbase.splunk.com/app/4537

See this example that shows you how you can do it:

<dashboard>
  <label>single</label>
  <row>
    <panel>
      <viz type="number_display_viz.number_display_viz">
        <search>
          <query>| makeresults | eval title="Score" | eval value=7 | eval subtitle="67%" | fields - _time</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="number_display_viz.number_display_viz.bordercolor">#ffffff</option>
        <option name="number_display_viz.number_display_viz.bordersize">2</option>
        <option name="number_display_viz.number_display_viz.colorprimary">#000000</option>
        <option name="number_display_viz.number_display_viz.colorprimarymode">auto</option>
        <option name="number_display_viz.number_display_viz.colorsecondary">#000000</option>
        <option name="number_display_viz.number_display_viz.colorsecondarymode">darker1</option>
        <option name="number_display_viz.number_display_viz.max">100</option>
        <option name="number_display_viz.number_display_viz.min">0</option>
        <option name="number_display_viz.number_display_viz.nodatacolor">#0178c7</option>
        <option name="number_display_viz.number_display_viz.padding">10</option>
        <option name="number_display_viz.number_display_viz.pulserate">4</option>
        <option name="number_display_viz.number_display_viz.shadowcolor">#F2F4F5</option>
        <option name="number_display_viz.number_display_viz.shapebordercolor">#FFFFFF</option>
        <option name="number_display_viz.number_display_viz.shapebordercolormode">static</option>
        <option name="number_display_viz.number_display_viz.shapebordersize">1</option>
        <option name="number_display_viz.number_display_viz.shapedropcolor">#ffffff</option>
        <option name="number_display_viz.number_display_viz.shapeshadow">yes</option>
        <option name="number_display_viz.number_display_viz.shapetexture">solid</option>
        <option name="number_display_viz.number_display_viz.sparkHeight">30</option>
        <option name="number_display_viz.number_display_viz.sparkWidth">90</option>
        <option name="number_display_viz.number_display_viz.sparkalign">5</option>
        <option name="number_display_viz.number_display_viz.sparkalignv">70</option>
        <option name="number_display_viz.number_display_viz.sparkcolorfill">#009DD9</option>
        <option name="number_display_viz.number_display_viz.sparkcolorline">#0178c7</option>
        <option name="number_display_viz.number_display_viz.sparkcolormodefill">auto</option>
        <option name="number_display_viz.number_display_viz.sparkcolormodeline">auto</option>
        <option name="number_display_viz.number_display_viz.sparkmin">0</option>
        <option name="number_display_viz.number_display_viz.sparknulls">gaps</option>
        <option name="number_display_viz.number_display_viz.sparkorder">bg</option>
        <option name="number_display_viz.number_display_viz.sparkstyle">area</option>
        <option name="number_display_viz.number_display_viz.spinnerspeedmax">20</option>
        <option name="number_display_viz.number_display_viz.spinnerspeedmin">1</option>
        <option name="number_display_viz.number_display_viz.style">a7</option>
        <option name="number_display_viz.number_display_viz.subtitlealign">center</option>
        <option name="number_display_viz.number_display_viz.subtitlealignv">70</option>
        <option name="number_display_viz.number_display_viz.subtitlecolor">#5C6773</option>
        <option name="number_display_viz.number_display_viz.subtitlecolormode">static</option>
        <option name="number_display_viz.number_display_viz.subtitledrop">yes</option>
        <option name="number_display_viz.number_display_viz.subtitledropcolor">#ffffff</option>
        <option name="number_display_viz.number_display_viz.subtitlesize">40</option>
        <option name="number_display_viz.number_display_viz.textalign">center</option>
        <option name="number_display_viz.number_display_viz.textalignv">50</option>
        <option name="number_display_viz.number_display_viz.textcolor">#000000</option>
        <option name="number_display_viz.number_display_viz.textdrop">yes</option>
        <option name="number_display_viz.number_display_viz.textdropcolor">#ffffff</option>
        <option name="number_display_viz.number_display_viz.textduration">300</option>
        <option name="number_display_viz.number_display_viz.textmode">static</option>
        <option name="number_display_viz.number_display_viz.textprecision">1</option>
        <option name="number_display_viz.number_display_viz.textsize">100</option>
        <option name="number_display_viz.number_display_viz.textunitposition">after</option>
        <option name="number_display_viz.number_display_viz.textunitsize">50</option>
        <option name="number_display_viz.number_display_viz.thickness">50</option>
        <option name="number_display_viz.number_display_viz.thresholdcol1">#1a9035</option>
        <option name="number_display_viz.number_display_viz.thresholdcol2">#d16f18</option>
        <option name="number_display_viz.number_display_viz.thresholdcol3">#b22b32</option>
        <option name="number_display_viz.number_display_viz.thresholdcol4">#ffffff</option>
        <option name="number_display_viz.number_display_viz.thresholdcol5">#ffffff</option>
        <option name="number_display_viz.number_display_viz.thresholdcol6">#ffffff</option>
        <option name="number_display_viz.number_display_viz.thresholdsize">20</option>
        <option name="number_display_viz.number_display_viz.thresholdval2">70</option>
        <option name="number_display_viz.number_display_viz.thresholdval3">90</option>
        <option name="number_display_viz.number_display_viz.titlealign">center</option>
        <option name="number_display_viz.number_display_viz.titlealignv">30</option>
        <option name="number_display_viz.number_display_viz.titlecolor">#5C6773</option>
        <option name="number_display_viz.number_display_viz.titlecolormode">static</option>
        <option name="number_display_viz.number_display_viz.titledrop">yes</option>
        <option name="number_display_viz.number_display_viz.titledropcolor">#ffffff</option>
        <option name="number_display_viz.number_display_viz.titlesize">45</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
  </row>
</dashboard>
See my earlier message that suggested you change the earliest and latest times to reflect the cron interval and allowing for a short time in the past to make sure the events have arrived.
Hi, I wanted to remove unwanted events from my data, to ingest as cleanly as possible and for better line breaking etc. These events are not like regular logs, since they are generated by a script which runs every day at 12 am, and the log file rotates and gets renamed as logfile.log.<date>. Here is the pattern that I wanted to remove using SEDCMD and apply in props.conf:

[09/13/2023 00:00:00]       <Event was scheduled based on job definition.>
[10/12/2023 23:58:01]       <Executing at CA_AGENT>
[11/12/2023 23:58:01]        ----------------------------------------
Thank you. I need to collect and generate a syslog report that shows login failure events that occurred on the previous day, grouped by source user. This is all I have been able to come up with so far:

index=WinEventLog* EventID=4625 Earliest=-24 | stats count by user, _time, action, subject, message
Thank you. I need to collect and generate a syslog report that shows login failure events that occurred on the previous day, grouped by source user. This is all I have been able to come up with so far:

index=wineventlog* eventid=4625 earliest=-24 | stats count by user, _time, action, subject, message
@niketn wrote:

"@badoomi, optimizing lookup search may not be straightforward without knowing your SPL and Splunk infra (as to how many indexers you have got). However, you can refer to the following Splunk documentation for one of the tips to optimize lookup. By default the lookup command runs with argument local=true, which means it is executed on the Search Peer, not on the Search Head. If you have multiple indexers and your SPL up to the lookup command has only streaming commands, then there would be an advantage to this, otherwise not. In essence you would need to test out stats first then lookup vs lookup first and stats next. Do share your current SPL for community members to assist you better with your use case."

I think there may have been a typo in this original answer, as the lookup command has local=false set by default - source: https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Lookup

local
Syntax: local=<bool>
Description: If local=true, forces the lookup to run on the search head and not on any remote peers.
Default: false
Hi Giuseppe, yes to all you mention. The data gets into Splunk, but ONLY the log aggregator shows up as a host in the search window on the left. I need all the hosts showing up. If I search using the other hostnames I can see the logfile from that host - it just doesn't show as a host on the left. Make sense?
That's an intriguing idea. I think it would work except for the matter that the cs4Label value contains embedded spaces. Field names with spaces can be a problem in Splunk.
It may be possible. Does the aggregated log contain a field that tells what the original host was? If so, the HF could be configured to extract that field as the host field.
Just make sure you use single quotes around the encrypted password:

/opt/splunk/bin/splunk show-decrypted --value '<your encrypted password>'
Hello @gcusello, I managed to not use the join command; the above feedback helped. I decided to go with union and this seems to be working. What do you think?

index=customer (name IN (gate-green, gate-blue) msg="*First time: *")
| rex field=msg "First time: (?<UserId>\d+)"
| eval FirstRequest = 1
| union [ search index=customer (name IN (cust-blue, cust-green) msg="*COMPLETED *")
    | rex field=msg "Message\|[^\t\{]*(?<json>{[^\t]+})"
    | spath input=json path=infoId output=UserId
    | eval Completed = 1 ]
| stats max(FirstRequest) AS FirstRequest max(Completed) AS Completed BY UserId
| transpose 0 column_name=score
@bowesmana How do I display both the score and the percentRankInc in a "single value pane" like below? Thanks
Hi, can you share what file you renamed to fix the issue? I'm also getting the same issue. Thank you
Thanks for the reply. Unfortunately that is not an option, as we need to keep the logs from all the servers and they all live on giant RAMDISKs, and when the system is shut down it all goes away except for this one host. I was hoping that we can somehow massage the data (Heavy Forwarder maybe?) on the log aggregator and push it to Splunk with the correct hostname somehow?
How to display a one-row table in a pie chart? Thank you for your help.

index=test ---- Score calculation ----- | table Score1, Score2, Score3, Score4

Score1  Score2  Score3  Score4
70      50      60      90

My expected Pie Chart:
Hi @Beshoy.Shaher, There is an existing Community post that seems to be talking about the same subject. Can you please check it out and see if it helps.  https://community.appdynamics.com/t5/Business-iQ-Analytics/Starting-Events-Service-cluster/m-p/44127
Hello, thank you, that indeed solved my issue. I also noticed that there are some screenshots in your documentation that are not up to date. It would be worth updating them for other users. Thanks again for your response!