All Posts

| rest splunk_server=local /servicesNS/nobody/splunk_app_db_connect/configs/conf-identities
Try converting matching to a multivalue field:

index="source*"
| where matching LIKE "%mobileNumber%" AND matching LIKE "%countryCode%"
| eval matching=split(matching,",")
| stats count by matching
| table count matching
Please share your dashboard code in a code block to preserve original formatting.
Hello. I have logs which contain a field "matching" which is a String type. This field contains this kind of information: [firstName, lastName, mobileNumber, town, ipAddress, dateOfBirth, emailAddress, countryCode, fullAddress, postCode, etc]. What I want to do is to compose a query that will return the count of a specific search, such as [mobileNumber, countryCode], and display only the fields that contain the above words. I tried this query:

index="source*"
| where matching LIKE "%mobileNumber%" AND matching LIKE "%countryCode%"
| stats count by matching
| table count matching

But the answer returns all the possible variants that also contain [mobileNumber, countryCode]. What I want is a count only for all these results. Also I want to create a table with all the specific searches I do. I know how to use append, but the result looks like stairs; what other solution can be used? Thank you!
9.0.5.1 apparently, it had something to do w/ what I was originally trying. target blank is working now, but the token isn't.

<form version="1.1" theme="dark">
  <label>Error Overview</label>
  <description>These charts only show apps having errors in the selected time frame</description>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Across Time</title>
      <chart>
        <search>
          <query>(index=ivss OR index=hec_18399_na_prod) NOT "*ivss-test*" NOT (SourceName=Microsoft-Windows-CAPI2) NOT (SourceName=Microsoft-Windows-DistributedCOM) NOT (SourceName="Microsoft WSE 3.0") NOT (SourceName=Microsoft-Windows-GroupPolicy) NOT (SourceName=Microsoft-Windows-Eventlog) NOT (SourceName=Logging) NOT (SourceName=ADFSAuth) NOT (SourceName=Schannel) NOT "*PackageExtractor.exe*" NOT "*w3wp.exe*" NOT "*openssl.exe*" (Type="Error" OR Level="Error")
| eval AppName = case(
    (SourceName="KmsService" AND Message="*Mailer(*"), "Mailer",
    (SourceName="KmsService" AND Message="*SPackager(*"), "SPackager",
    (SourceName="KmsService" AND Message="*Hancock(Ver:*"), "Hancock",
    (SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), "GVMSAuth",
    (source="Cloud.SecurePnC"), "Cloud_SecurePnC",
    (source="ivssspd"), "SecurePackageDelivery",
    (sourcetype="WinEventLog:System" AND EventCode=5074), "AppPool_Restarts",
    (source="ivsscs" AND 'Properties.Service'="SecureConnect"), "Cloud_SecureConnect",
    (source="ivsscs" AND 'Properties.Service'="SecureMessage"), "Cloud_SecureMessage",
    (source="ivsscs" AND 'Properties.Service'="FPackager"), "Cloud_FPackager",
    (SourceName="IVSSCS" AND match(_raw, ".*Service = SecureMessage.*")), "SecureMessage",
    (SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")), "SecureConnect",
    (SourceName="KmsService"), "KmsService",
    (SourceName="AutoSigner"), "AutoSigner",
    (SourceName="DebugToken"), "DebugToken",
    (SourceName="FlashbackCache"), "FlashbackCache",
    (SourceName="KeyBundler"), "KeyBundler",
    (SourceName="SecureModuleCore"), "SecureModuleCore",
    (SourceName="SecureOTACore"), "SecureOTACore",
    (SourceName="SecurePaaK"), "SecurePaaK",
    (SourceName="SecurePayloadCore"), "SecurePayloadCore",
    (SourceName="SecurePnCCore"), "SecurePnCCore",
    (SourceName="SecureRekey"), "SecureRekey",
    (SourceName="SecureSigner"), "SecureSigner",
    (SourceName="SupplierFeed"), "SupplierFeed",
    (SourceName="TRON"), "TRON",
    (SourceName="WSLAgent5"), "WSLAgent5",
    (SourceName="MMU"), "MMU",
    1==1, "Other")
| timechart usenull=f useother=f limit=0 span=1h count by AppName</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">all</option>
        <option name="height">500</option>
        <option name="refresh.display">progressbar</option>
        <drilldown target="_blank">
          <eval token="app_query">case(
            $click.value$=="Mailer", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Mailer(*&quot;)",
            $click.value$=="SPackager", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*SPackager(*&quot;)",
            $click.value$=="Hancock", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Hancock(Ver:*&quot;)",
            $click.value$=="GVMSAuth", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*GVMSAuth(Ver:*&quot;)",
            $click.value$=="Cloud_SecurePnC", "(source=&quot;Cloud.SecurePnC&quot;)",
            $click.value$=="SecurePackageDelivery", "(source=&quot;ivssspd&quot;)",
            $click.value$=="AppPool_Restarts", "(sourcetype=&quot;WinEventLog:System&quot; AND EventCode=5074)",
            $click.value$=="Cloud_SecureConnect", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureConnect&quot;)",
            $click.value$=="Cloud_SecureMessage", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureMessage&quot;)",
            $click.value$=="Cloud_FPackager", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;FPackager&quot;)",
            $click.value$=="SecureMessage", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureMessage*&quot;)",
            $click.value$=="SecureConnect", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureConnect*&quot;)",
            $click.value$=="KmsService", "(SourceName=&quot;KmsService&quot;)",
            $click.value$=="AutoSigner", "(SourceName=&quot;AutoSigner&quot;)",
            $click.value$=="DebugToken", "(SourceName=&quot;DebugToken&quot;)",
            $click.value$=="FlashbackCache", "(SourceName=&quot;FlashbackCache&quot;)",
            $click.value$=="KeyBundler", "(SourceName=&quot;KeyBundler&quot;)",
            $click.value$=="SecureModuleCore", "(SourceName=&quot;SecureModuleCore&quot;)",
            $click.value$=="SecureOTACore", "(SourceName=&quot;SecureOTACore&quot;)",
            $click.value$=="SecurePaaK", "(SourceName=&quot;SecurePaaK&quot;)",
            $click.value$=="SecurePayloadCore", "(SourceName=&quot;SecurePayloadCore&quot;)",
            $click.value$=="SecurePnCCore", "(SourceName=&quot;SecurePnCCore&quot;)",
            $click.value$=="SecureRekey", "(SourceName=&quot;SecureRekey&quot;)",
            $click.value$=="SecureSigner", "(SourceName=&quot;SecureSigner&quot;)",
            $click.value$=="SupplierFeed", "(SourceName=&quot;SupplierFeed&quot;)",
            $click.value$=="TRON", "(SourceName=&quot;TRON&quot;)",
            $click.value$=="WSLAgent5", "(SourceName=&quot;WSLAgent5&quot;)",
            $click.value$=="MMU", "(SourceName=&quot;MMU&quot;)" )</eval>
          <eval token="start_time">$row._time$</eval>
          <eval token="end_time">$row._time$ + $row._span$</eval>
          <link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query$&amp;earliest=$start_time$&amp;latest=$end_time$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</form>

That xml ends up w/ the token not getting turned into the token's value in the search window - it remains "$app_query$", like this:

(index=ivss OR index=hec_18399_na_prod) NOT "*ivss-test*" NOT (SourceName=Microsoft-Windows-CAPI2) NOT (SourceName=Microsoft-Windows-DistributedCOM) NOT (SourceName="Microsoft WSE 3.0") NOT (SourceName=Microsoft-Windows-GroupPolicy) NOT (SourceName=Microsoft-Windows-Eventlog) NOT (SourceName=Logging) NOT (SourceName=ADFSAuth) NOT (SourceName=Schannel) NOT "*PackageExtractor.exe*" NOT "*w3wp.exe*" NOT "*openssl.exe*" (Type="Error" OR Level="Error") $app_query$
It should do - which version of Splunk are you using?
Thank you for your help. Your suggestion did work but I had to add an eval command to make it work:

| eval temp_date = strftime(_time, "%Y-%m-%d")
| eventstats count as failed_count by IONS,temp_date
| where failed_count>=10
| timechart dc(IONS) as IONS span=1d
Splunk has the mechanism in place to make it work: $trellis.name$ and $trellis.value$, but instead of these being available for ALL searches, they are only available for the trellis search/chart. I have tried many things but all have failed. If annotations are supported in Studio, you could try there. That is my next step, but I don't know Studio so don't know if I will try or how long it would take. The next best thing to do is make the "annotation_category" set to the value of the split-by field for the Trellis so that a hover makes it clear which ones are for which trellis panel.
The syntax is incorrect. A blacklist must be a comma-separated list of event IDs or pairs of key=regex specifiers. Try this:

blacklist3 = 5145,5156,4658,4690,5158
Thank you for your help. You got me on the right track. While searching using that command I found another way to get what I was looking for by using the search command, with which I could then use wildcards to filter out what I need or don't need.

This gave me all Windows devices:

| search Device=*DESKTOP* OR *laptop* OR *lenovo* OR *dell* OR *HP*
| stats dc("IONS") as total_users

This listed all devices besides what I was looking for:

| search NOT Device IN (*LAPTOP*,*Desktop*,*lenovo*,*dell*,*HP*,*MAC*,*Ipad*)
| stats dc("IONS") as total_users
Excellent! I'll try that. Any idea why clicking on a line in a line chart won't open in a new window?
Rather than using condition in the drilldown, try using eval to set app_query using a case function with a case for each app name.

<drilldown>
  <eval token="app_query">case($click.value$=="Mailer","(SourceName=&quot;KmsService&quot; AND ...
UDP. The picture is UDP. I am sending logs via Syslog on port UDP:9004. I only opened TCP:9008 for testing purposes. Everything works on TCP as expected. I want to fix UDP.
Apparently, the line chart drilldown also isn't opening in a new window/tab, in spite of target="_blank".
Hi @law175, are you receiving UDP logs or TCP logs? Ciao. Giuseppe
This is a portion of my dashboard xml, due to the 20k character limit.
Hi @sekhar463, please try this regex:

| rex field=hostname "(?<host_name>[^\.]+)\."

Ciao. Giuseppe
For now just one. All logs are being forwarded to a logging server (VMware vRealize Log Insight). Then I am sending logs via syslog from that appliance to Splunk. All logs should come from that 192.168.79.1 on either UDP:9004 or TCP:9008, depending on what I choose.
<form version="1.1" theme="dark">
  <label>Error Overview</label>
  <description>These charts only show apps having errors in the selected time frame</description>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Across Time</title>
      <chart>
        <search>
          <query>(index=ivss OR index=hec_18399_na_prod) NOT "*ivss-test*" NOT (SourceName=Microsoft-Windows-CAPI2) NOT (SourceName=Microsoft-Windows-DistributedCOM) NOT (SourceName="Microsoft WSE 3.0") NOT (SourceName=Microsoft-Windows-GroupPolicy) NOT (SourceName=Microsoft-Windows-Eventlog) NOT (SourceName=Logging) NOT (SourceName=ADFSAuth) NOT (SourceName=Schannel) NOT "*PackageExtractor.exe*" NOT "*w3wp.exe*" NOT "*openssl.exe*" (Type="Error" OR Level="Error")
| eval AppName = case(
    (SourceName="KmsService" AND Message="*Mailer(*"), "Mailer",
    (SourceName="KmsService" AND Message="*SPackager(*"), "SPackager",
    (SourceName="KmsService" AND Message="*Hancock(Ver:*"), "Hancock",
    (SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), "GVMSAuth",
    (source="Cloud.SecurePnC"), "Cloud_SecurePnC",
    (source="ivssspd"), "SecurePackageDelivery",
    (sourcetype="WinEventLog:System" AND EventCode=5074), "AppPool_Restarts",
    (source="ivsscs" AND 'Properties.Service'="SecureConnect"), "Cloud_SecureConnect",
    (source="ivsscs" AND 'Properties.Service'="SecureMessage"), "Cloud_SecureMessage",
    (source="ivsscs" AND 'Properties.Service'="FPackager"), "Cloud_FPackager",
    (SourceName="IVSSCS" AND match(_raw, ".*Service = SecureMessage.*")), "SecureMessage",
    (SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")), "SecureConnect",
    (SourceName="KmsService"), "KmsService",
    (SourceName="AutoSigner"), "AutoSigner",
    (SourceName="DebugToken"), "DebugToken",
    (SourceName="FlashbackCache"), "FlashbackCache",
    (SourceName="KeyBundler"), "KeyBundler",
    (SourceName="SecureModuleCore"), "SecureModuleCore",
    (SourceName="SecureOTACore"), "SecureOTACore",
    (SourceName="SecurePaaK"), "SecurePaaK",
    (SourceName="SecurePayloadCore"), "SecurePayloadCore",
    (SourceName="SecurePnCCore"), "SecurePnCCore",
    (SourceName="SecureRekey"), "SecureRekey",
    (SourceName="SecureSigner"), "SecureSigner",
    (SourceName="SupplierFeed"), "SupplierFeed",
    (SourceName="TRON"), "TRON",
    (SourceName="WSLAgent5"), "WSLAgent5",
    (SourceName="MMU"), "MMU",
    1==1, "Other")
| timechart usenull=f useother=f limit=0 span=1h count by AppName</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">all</option>
        <option name="height">500</option>
        <option name="refresh.display">progressbar</option>
        <drilldown target="_blank">
          <condition match="$click.value$=&quot;Mailer&quot;">
            <set token="app_query">(SourceName="KmsService" AND Message="*Mailer(*")</set>
            <eval token="start_time">$row._time$</eval>
            <eval token="end_time">$row._time$ + $row._span$</eval>
            <link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query$%0A&amp;earliest=$start_time$&amp;latest=$end_time$</link>
          </condition>
          <condition match="$click.value$=&quot;SPackager&quot;">
            <set token="app_query">(SourceName="KmsService" AND Message="*SPackager(*")</set>
            <eval token="start_time">$row._time$</eval>
            <eval token="end_time">$row._time$ + $row._span$</eval>
            <link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query$%0A&amp;earliest=$start_time$&amp;latest=$end_time$</link>
          </condition>
          <condition match="$click.value$=&quot;Hancock&quot;">
            <set token="app_query">(SourceName="KmsService" AND Message="*Hancock(Ver:*")</set>
            <eval token="start_time">$row._time$</eval>
            <eval token="end_time">$row._time$ + $row._span$</eval>
            <link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query$%0A&amp;earliest=$start_time$&amp;latest=$end_time$</link>
          </condition>
        </drilldown>
      </chart>
    </panel>
  </row>
</form>
Hello. We are trying to change the below blacklists:

blacklist3 = EventCode="4690"
blacklist4 = EventCode="5145"
blacklist5 = EventCode="5156"
blacklist6 = EventCode="4658"
blacklist7 = EventCode="5158"

to a single blacklist with multiple event codes. We have tried:

blacklist3 = EventCode=5145,5156,4658,4690,5158

and

blacklist3 = EventCode="5145" OR "5156" OR "4658" OR "4690" OR "5158"

and none of these are applying and blocking out the event codes. Any recommendations on how to get this to work?