Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
11-15-2023
03:56 PM
Hi @brdr ...the above 2 SPL are working fine as you can see on the screenshots below. the easiest one is the split command: | makeresults
| eval field_id="/key1/value1/key2/value2/key3/value3/key4/...
See more...
Hi @brdr ...the above 2 SPL are working fine as you can see on the screenshots below. the easiest one is the split command: | makeresults
| eval field_id="/key1/value1/key2/value2/key3/value3/key4/value4"
| eval temp=split(field_id,"/") | eval field_key1=mvindex(temp,2) | eval field_key2=mvindex(temp,4)
| table field_id field_key1 field_key2
11-15-2023
03:38 PM
Hi Splunk Gurus... As you can see, non English words length function not working as expected. checked the old posts, documentations, but no luck. any suggestions please. thanks. | makeresu...
See more...
Hi Splunk Gurus... As you can see, non English words length function not working as expected. checked the old posts, documentations, but no luck. any suggestions please. thanks. | makeresults
| eval _raw="இடும்பைக்கு"
| eval length=len(_raw) | table _raw length
this produces:
_raw length
இடும்பைக்கு 11
(that word இடும்பைக்கு is actually 6 charactors, not 11)
Labels
- Labels:
-
eval
11-15-2023
03:35 PM
Thank you both ITWhisperer and bowesmana!!! Will try these out
11-15-2023
03:35 PM
Hi @iamsplunker ... pls suggest if you have HF or UF and indexer. also pls suggest us if you have had a chance to look at this doc... pls copy paste your current props/transforms https://docs.splun...
See more...
Hi @iamsplunker ... pls suggest if you have HF or UF and indexer. also pls suggest us if you have had a chance to look at this doc... pls copy paste your current props/transforms https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/Anonymizedata
11-15-2023
03:25 PM
Hi @richgalloway , Could you pls write the sed command to remove the space between the field names. Thanks..
11-15-2023
02:02 PM
1 Karma
Use timechart index=windows_perfmon eventtype="perfmon_windows" Host="XXXX" object="LogicalDisk" counter="% Disk Write Time" instance="*" AND NOT instance=_Total AND NOT instance=Hard*
| timechart ...
See more...
Use timechart index=windows_perfmon eventtype="perfmon_windows" Host="XXXX" object="LogicalDisk" counter="% Disk Write Time" instance="*" AND NOT instance=_Total AND NOT instance=Hard*
| timechart latest(Value) as Value by instance
| foreach * [ eval "<<FIELD>>"=round('<<FIELD>>', 2) ]
11-15-2023
01:59 PM
1 Karma
Your where clause is wrong - it does not support the IN construct, like search. You could do it with | where in(UserId,125,999,418,208) or using search IN. As @gcusello says, using join and subsear...
See more...
Your where clause is wrong - it does not support the IN construct, like search. You could do it with | where in(UserId,125,999,418,208) or using search IN. As @gcusello says, using join and subsearches is not a good habit, using stats can normall do the same and does not have limitations that join/subsearch has, e.g. this is an example of using stats. index=customer (name IN (gate-green, gate-blue) msg="*First time: *") OR (name IN (cust-blue, cust-green) msg="*COMPLETED *")
| rex field=msg "First time: (?<UserId>\d+)"
| eval FirstRequest = if(isnotnull(UserId),1,null())
| rex field=msg "Message\|[^\t\{]*(?<json>{[^\t]+})"
| spath input=json path=infoId output=CompletedUserId
| eval Completed = if(isnotnull(CompletedUserId), 1, null())
| eval UserId=coalesce(UserId, CompletedUserId)
| stats values(Completed) as Completed by UserId
| search UserId IN (125,999,418,208)
Your Earliest statement is wrong, if you just want yesterday, do this index=WinEventLog* EventID=4625 earliest=-d@d latest=@d
| stats count by user, _time, action, subject, message which will give ...
See more...
Your Earliest statement is wrong, if you just want yesterday, do this index=WinEventLog* EventID=4625 earliest=-d@d latest=@d
| stats count by user, _time, action, subject, message which will give you a list of the failed logins - do you really want to group by _time as well or do you want to show the first or last time of the failed login?
11-15-2023
01:39 PM
1 Karma
You can't do it with a single value viz, but I suggest using Chris Younger's excellent number display viz - https://splunkbase.splunk.com/app/4537 See this example that shows you how you can ...
See more...
You can't do it with a single value viz, but I suggest using Chris Younger's excellent number display viz - https://splunkbase.splunk.com/app/4537 See this example that shows you how you can do it <dashboard>
<label>single</label>
<row>
<panel>
<viz type="number_display_viz.number_display_viz">
<search>
<query>| makeresults
| eval title="Score"
| eval value=7
| eval subtitle="67%"
| fields - _time</query>
<earliest>-15m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
<option name="number_display_viz.number_display_viz.bordercolor">#ffffff</option>
<option name="number_display_viz.number_display_viz.bordersize">2</option>
<option name="number_display_viz.number_display_viz.colorprimary">#000000</option>
<option name="number_display_viz.number_display_viz.colorprimarymode">auto</option>
<option name="number_display_viz.number_display_viz.colorsecondary">#000000</option>
<option name="number_display_viz.number_display_viz.colorsecondarymode">darker1</option>
<option name="number_display_viz.number_display_viz.max">100</option>
<option name="number_display_viz.number_display_viz.min">0</option>
<option name="number_display_viz.number_display_viz.nodatacolor">#0178c7</option>
<option name="number_display_viz.number_display_viz.padding">10</option>
<option name="number_display_viz.number_display_viz.pulserate">4</option>
<option name="number_display_viz.number_display_viz.shadowcolor">#F2F4F5</option>
<option name="number_display_viz.number_display_viz.shapebordercolor">#FFFFFF</option>
<option name="number_display_viz.number_display_viz.shapebordercolormode">static</option>
<option name="number_display_viz.number_display_viz.shapebordersize">1</option>
<option name="number_display_viz.number_display_viz.shapedropcolor">#ffffff</option>
<option name="number_display_viz.number_display_viz.shapeshadow">yes</option>
<option name="number_display_viz.number_display_viz.shapetexture">solid</option>
<option name="number_display_viz.number_display_viz.sparkHeight">30</option>
<option name="number_display_viz.number_display_viz.sparkWidth">90</option>
<option name="number_display_viz.number_display_viz.sparkalign">5</option>
<option name="number_display_viz.number_display_viz.sparkalignv">70</option>
<option name="number_display_viz.number_display_viz.sparkcolorfill">#009DD9</option>
<option name="number_display_viz.number_display_viz.sparkcolorline">#0178c7</option>
<option name="number_display_viz.number_display_viz.sparkcolormodefill">auto</option>
<option name="number_display_viz.number_display_viz.sparkcolormodeline">auto</option>
<option name="number_display_viz.number_display_viz.sparkmin">0</option>
<option name="number_display_viz.number_display_viz.sparknulls">gaps</option>
<option name="number_display_viz.number_display_viz.sparkorder">bg</option>
<option name="number_display_viz.number_display_viz.sparkstyle">area</option>
<option name="number_display_viz.number_display_viz.spinnerspeedmax">20</option>
<option name="number_display_viz.number_display_viz.spinnerspeedmin">1</option>
<option name="number_display_viz.number_display_viz.style">a7</option>
<option name="number_display_viz.number_display_viz.subtitlealign">center</option>
<option name="number_display_viz.number_display_viz.subtitlealignv">70</option>
<option name="number_display_viz.number_display_viz.subtitlecolor">#5C6773</option>
<option name="number_display_viz.number_display_viz.subtitlecolormode">static</option>
<option name="number_display_viz.number_display_viz.subtitledrop">yes</option>
<option name="number_display_viz.number_display_viz.subtitledropcolor">#ffffff</option>
<option name="number_display_viz.number_display_viz.subtitlesize">40</option>
<option name="number_display_viz.number_display_viz.textalign">center</option>
<option name="number_display_viz.number_display_viz.textalignv">50</option>
<option name="number_display_viz.number_display_viz.textcolor">#000000</option>
<option name="number_display_viz.number_display_viz.textdrop">yes</option>
<option name="number_display_viz.number_display_viz.textdropcolor">#ffffff</option>
<option name="number_display_viz.number_display_viz.textduration">300</option>
<option name="number_display_viz.number_display_viz.textmode">static</option>
<option name="number_display_viz.number_display_viz.textprecision">1</option>
<option name="number_display_viz.number_display_viz.textsize">100</option>
<option name="number_display_viz.number_display_viz.textunitposition">after</option>
<option name="number_display_viz.number_display_viz.textunitsize">50</option>
<option name="number_display_viz.number_display_viz.thickness">50</option>
<option name="number_display_viz.number_display_viz.thresholdcol1">#1a9035</option>
<option name="number_display_viz.number_display_viz.thresholdcol2">#d16f18</option>
<option name="number_display_viz.number_display_viz.thresholdcol3">#b22b32</option>
<option name="number_display_viz.number_display_viz.thresholdcol4">#ffffff</option>
<option name="number_display_viz.number_display_viz.thresholdcol5">#ffffff</option>
<option name="number_display_viz.number_display_viz.thresholdcol6">#ffffff</option>
<option name="number_display_viz.number_display_viz.thresholdsize">20</option>
<option name="number_display_viz.number_display_viz.thresholdval2">70</option>
<option name="number_display_viz.number_display_viz.thresholdval3">90</option>
<option name="number_display_viz.number_display_viz.titlealign">center</option>
<option name="number_display_viz.number_display_viz.titlealignv">30</option>
<option name="number_display_viz.number_display_viz.titlecolor">#5C6773</option>
<option name="number_display_viz.number_display_viz.titlecolormode">static</option>
<option name="number_display_viz.number_display_viz.titledrop">yes</option>
<option name="number_display_viz.number_display_viz.titledropcolor">#ffffff</option>
<option name="number_display_viz.number_display_viz.titlesize">45</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</viz>
</panel>
</row>
</dashboard>
11-15-2023
01:30 PM
See my earlier message that suggested you change the earliest and latest times to reflect the cron interval and allowing for a short time in the past to make sure the events have arrived.
11-15-2023
01:16 PM
Hi I wanted to remove unwanted events from my data, To ingest as cleanest as possible and for better line breaking etc. These events are not like regular logs. Since these are generated by a script ...
See more...
Hi I wanted to remove unwanted events from my data, To ingest as cleanest as possible and for better line breaking etc. These events are not like regular logs. Since these are generated by a script which runs everyday at 12 am and log file rotates and gets renamed as logfile.log.<date> Here is the pattern that I wanted to remove using SEDCMD and apply it in props.conf [09/13/2023 00:00:00] <Event was scheduled based on job definition.> [10/12/2023 23:58:01] <Executing at CA_AGENT> [11/12/2023 23:58:01] ----------------------------------------
Labels
- Labels:
-
data
-
Linux
-
scripted input
-
sourcetype
Thank you. I need to collect and generate a syslog report that shows login failure events occurred on the previous day, grouped by source user This is all I have been able to come up with so far: ...
See more...
Thank you. I need to collect and generate a syslog report that shows login failure events occurred on the previous day, grouped by source user This is all I have been able to come up with so far: index=WinEventLog* EventID=4625 Earliest=-24 | stats count by user, _time, action, subject, message
Thank you. I need to collect and generate a syslog report that shows login failure events occurred on the previous day, grouped by source user This is all I have been able to come up with so far: ...
See more...
Thank you. I need to collect and generate a syslog report that shows login failure events occurred on the previous day, grouped by source user This is all I have been able to come up with so far: index=wineventlog* eventid=4625 earliest=-24 | stats count by user, _time, action, subject, message
11-15-2023
12:41 PM
@niketn wrote: @badoomi, optimizing lookup search may not be straight-forward without knowing your SPL and Splunk Infra ( as to how many Indexers you have got). However you can refer to following...
See more...
@niketn wrote: @badoomi, optimizing lookup search may not be straight-forward without knowing your SPL and Splunk Infra ( as to how many Indexers you have got). However you can refer to following Splunk Documentation for one of tip to optimize lookup By default lookup command runs with argument local=true which means it is executed on Search Peer not on Search Head. If you have multiple indexers and your SPL till the lookup command have only streaming commands then there would be an advantage of this otherwise not. In essence you would need to test out stats first then lookup vs lookup first and stats next. Do share your current SPL for community members to assist you better with your use case. I think there may have been a typo this this original answer as the lookup command has local=false set by default - source: https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Lookup local Syntax: local=<bool> Description: If local=true, forces the lookup to run on the search head and not on any remote peers. Default: false
11-15-2023
12:39 PM
Hi Guiseppe, Yes to all you mention. The data gets into splunk but ONLY the log aggregator shows up as a host on the search window on the left. I need all the hosts showing up. If I search using th...
See more...
Hi Guiseppe, Yes to all you mention. The data gets into splunk but ONLY the log aggregator shows up as a host on the search window on the left. I need all the hosts showing up. If I search using the other hostnames I can see the logfile from that host - just doesn't show as a host on the left. Make sense?
11-15-2023
12:32 PM
1 Karma
That's an intriguing idea. I think it would work except for the matter of the cs4Label value contains embedded spaces. Field names with spaces can be a problem in Splunk.
11-15-2023
12:27 PM
It may be possible. Does the aggregated log contain a field that tells what the original host was? If so, the HF could be configured to extract that field as the host field.
11-15-2023
10:38 AM
3 Karma
Just make sure you use single quotes around the encrypted password. /opt/splunk/bin/splunk show-decrypted --value '<your encrypted password>'
11-15-2023
10:19 AM
Hello @gcusello I managed to not use the join command, the above feedback helped. I decided to go with Union this seems to be working, what do you think? index=customer ((name IN (gate-green...
See more...
Hello @gcusello I managed to not use the join command, the above feedback helped. I decided to go with Union this seems to be working, what do you think? index=customer ((name IN (gate-green, gate-blue) msg="*First time: *")
| rex field=msg "First time: (?<UserId>\d+)"
| eval FirtRequest = 1
|union
[ search index name IN (cust-blue, cust-green) msg="*COMPLETED *")
| rex field=msg "Message\|[^\t\{]*(?<json>{[^\t]+})"
| spath input=json path=infoId output=UserId
| eval Completed = 1]
| stats max(FirstRequest) AS FirstRequest max(Completed) BY UserId
11-15-2023
10:10 AM
1 Karma
| transpose 0 column_name=score
