All Posts

Looks like below https://community.splunk.com/t5/Getting-Data-In/How-to-get-the-host-value-from-INDEXED-EXTRACTIONS-json/m-p/577392
Hi! I'm faced with a very specific problem. We use Splunk Enterprise 7.3.0. We have ru_RU written in the address bar instead of en-US. In the file /opt/splunk/etc/system/local/times.conf, we changed the display language of the time input to Russian. When the Date & Time Range item is selected in the time input and the period is set in it by the Between button, the data is applied, but the input itself disappears from the dashboard. An error appears in the console: moment().splunkFormat() does not support the locale ru. If you use en_US instead of ru_RU in the address bar, the error does not occur, but it does not suit us. I tried adding the file ru.js to the locale folder, then Splunk stops working. Please tell me how you can fix this error. Thanks!
no luck - still getting $app_query$ as a string in the query as before.  here's the updated dashboard xml: <form version="1.1" theme="dark"> <label>Error Overview</label> <description>These charts only show apps having errors in the selected time frame</description> <fieldset submitButton="false"> <input type="time" token="field1"> <label></label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <title>Across Time</title> <chart> <search> <query>(index=ivss OR index=hec_18399_na_prod) NOT "*ivss-test*" NOT (SourceName=Microsoft-Windows-CAPI2) NOT (SourceName=Microsoft-Windows-DistributedCOM) NOT (SourceName="Microsoft WSE 3.0") NOT (SourceName=Microsoft-Windows-GroupPolicy) NOT (SourceName=Microsoft-Windows-Eventlog) NOT (SourceName=Logging) NOT (SourceName=ADFSAuth) NOT (SourceName=Schannel) NOT "*PackageExtractor.exe*" NOT "*w3wp.exe*" NOT "*openssl.exe*" (Type="Error" OR Level="Error") | eval AppName = case( (SourceName="KmsService" AND Message="*Mailer(*"), "Mailer", (SourceName="KmsService" AND Message="*SPackager(*"), "SPackager", (SourceName="KmsService" AND Message="*Hancock(Ver:*"), "Hancock", (SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), "GVMSAuth", (source="Cloud.SecurePnC"), "Cloud_SecurePnC", (source="ivssspd"), "SecurePackageDelivery", (sourcetype="WinEventLog:System" AND EventCode=5074), "AppPool_Restarts", (source="ivsscs" AND 'Properties.Service'="SecureConnect"), "Cloud_SecureConnect", (source="ivsscs" AND 'Properties.Service'="SecureMessage"), "Cloud_SecureMessage", (source="ivsscs" AND 'Properties.Service'="FPackager"), "Cloud_FPackager", (SourceName="IVSSCS" AND match(_raw, ".*Service = SecureMessage.*")), "SecureMessage", (SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")), "SecureConnect", (SourceName="KmsService"), "KmsService", (SourceName="AutoSigner"), "AutoSigner", (SourceName="DebugToken"), "DebugToken", (SourceName="FlashbackCache"), "FlashbackCache", 
(SourceName="KeyBundler"), "KeyBundler", (SourceName="SecureModuleCore"), "SecureModuleCore", (SourceName="SecureOTACore"), "SecureOTACore", (SourceName="SecurePaaK"), "SecurePaaK", (SourceName="SecurePayloadCore"), "SecurePayloadCore", (SourceName="SecurePnCCore"), "SecurePnCCore", (SourceName="SecureRekey"), "SecureRekey", (SourceName="SecureSigner"), "SecureSigner", (SourceName="SupplierFeed"), "SupplierFeed", (SourceName="TRON"), "TRON", (SourceName="WSLAgent5"), "WSLAgent5", (SourceName="MMU"), "MMU", 1==1, "Other") | timechart usenull=f useother=f limit=0 span=1h count by AppName</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="charting.axisTitleX.visibility">collapsed</option> <option name="charting.chart">line</option> <option name="charting.drilldown">all</option> <option name="height">500</option> <option name="refresh.display">progressbar</option> <drilldown target="_blank"> <eval token="app_query">case($click.value$=="Mailer", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Mailer(*&quot;)",$click.value$=="SPackager", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*SPackager(*&quot;)",$click.value$=="Hancock", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Hancock(Ver:*&quot;)",$click.value$=="GVMSAuth", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*GVMSAuth(Ver:*&quot;)",$click.value$=="Cloud_SecurePnC", "(source=&quot;Cloud.SecurePnC&quot;)",$click.value$=="SecurePackageDelivery", "(source=&quot;ivssspd&quot;)",$click.value$=="AppPool_Restarts", "(sourcetype=&quot;WinEventLog:System&quot; AND EventCode=5074)",$click.value$=="Cloud_SecureConnect", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureConnect&quot;)",$click.value$=="Cloud_SecureMessage", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureMessage&quot;)",$click.value$=="Cloud_FPackager", "(source=&quot;ivsscs&quot; AND 
Properties.Service=&quot;FPackager&quot;)",$click.value$=="SecureMessage", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureMessage*&quot;)",$click.value$=="SecureConnect", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureConnect*&quot;)",$click.value$=="KmsService", "(SourceName=&quot;KmsService&quot;)",$click.value$=="AutoSigner", "(SourceName=&quot;AutoSigner&quot;)",$click.value$=="DebugToken", "(SourceName=&quot;DebugToken&quot;)",$click.value$=="FlashbackCache", "(SourceName=&quot;FlashbackCache&quot;)",$click.value$=="KeyBundler", "(SourceName=&quot;KeyBundler&quot;)",$click.value$=="SecureModuleCore", "(SourceName=&quot;SecureModuleCore&quot;)",$click.value$=="SecureOTACore", "(SourceName=&quot;SecureOTACore&quot;)",$click.value$=="SecurePaaK", "(SourceName=&quot;SecurePaaK&quot;)",$click.value$=="SecurePayloadCore", "(SourceName=&quot;SecurePayloadCore&quot;)",$click.value$=="SecurePnCCore", "(SourceName=&quot;SecurePnCCore&quot;)",$click.value$=="SecureRekey", "(SourceName=&quot;SecureRekey&quot;)",$click.value$=="SecureSigner", "(SourceName=&quot;SecureSigner&quot;)",$click.value$=="SupplierFeed", "(SourceName=&quot;SupplierFeed&quot;)",$click.value$=="TRON", "(SourceName=&quot;TRON&quot;)",$click.value$=="WSLAgent5", "(SourceName=&quot;WSLAgent5&quot;)",$click.value$=="MMU", "(SourceName=&quot;MMU&quot;)")</eval> <eval token="start_time">$row._time$</eval> <eval token="end_time">$row._time$ + $row._span$</eval> <link 
target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query$&amp;earliest=$start_time$&amp;latest=$end_time$</link> </drilldown> </chart> </panel> </row> </form>
@AL3Z Can you maybe run btool to check the full configuration?
The case function in the token evaluation has to be all on one line.
<form version="1.1" theme="dark"> <label>Error Overview</label> <description>These charts only show apps having errors in the selected time frame</description> <fieldset submitButton="false"> <input type="time" token="field1"> <label></label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <title>Across Time</title> <chart> <search> <query>(index=ivss OR index=hec_18399_na_prod) NOT "*ivss-test*" NOT (SourceName=Microsoft-Windows-CAPI2) NOT (SourceName=Microsoft-Windows-DistributedCOM) NOT (SourceName="Microsoft WSE 3.0") NOT (SourceName=Microsoft-Windows-GroupPolicy) NOT (SourceName=Microsoft-Windows-Eventlog) NOT (SourceName=Logging) NOT (SourceName=ADFSAuth) NOT (SourceName=Schannel) NOT "*PackageExtractor.exe*" NOT "*w3wp.exe*" NOT "*openssl.exe*" (Type="Error" OR Level="Error") | eval AppName = case( (SourceName="KmsService" AND Message="*Mailer(*"), "Mailer", (SourceName="KmsService" AND Message="*SPackager(*"), "SPackager", (SourceName="KmsService" AND Message="*Hancock(Ver:*"), "Hancock", (SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), "GVMSAuth", (source="Cloud.SecurePnC"), "Cloud_SecurePnC", (source="ivssspd"), "SecurePackageDelivery", (sourcetype="WinEventLog:System" AND EventCode=5074), "AppPool_Restarts", (source="ivsscs" AND 'Properties.Service'="SecureConnect"), "Cloud_SecureConnect", (source="ivsscs" AND 'Properties.Service'="SecureMessage"), "Cloud_SecureMessage", (source="ivsscs" AND 'Properties.Service'="FPackager"), "Cloud_FPackager", (SourceName="IVSSCS" AND match(_raw, ".*Service = SecureMessage.*")), "SecureMessage", (SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")), "SecureConnect", (SourceName="KmsService"), "KmsService", (SourceName="AutoSigner"), "AutoSigner", (SourceName="DebugToken"), "DebugToken", (SourceName="FlashbackCache"), "FlashbackCache", (SourceName="KeyBundler"), "KeyBundler", (SourceName="SecureModuleCore"), "SecureModuleCore", 
(SourceName="SecureOTACore"), "SecureOTACore", (SourceName="SecurePaaK"), "SecurePaaK", (SourceName="SecurePayloadCore"), "SecurePayloadCore", (SourceName="SecurePnCCore"), "SecurePnCCore", (SourceName="SecureRekey"), "SecureRekey", (SourceName="SecureSigner"), "SecureSigner", (SourceName="SupplierFeed"), "SupplierFeed", (SourceName="TRON"), "TRON", (SourceName="WSLAgent5"), "WSLAgent5", (SourceName="MMU"), "MMU", 1==1, "Other") | timechart usenull=f useother=f limit=0 span=1h count by AppName</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="charting.axisTitleX.visibility">collapsed</option> <option name="charting.chart">line</option> <option name="charting.drilldown">all</option> <option name="height">500</option> <option name="refresh.display">progressbar</option> <drilldown target="_blank"> <eval token="app_query"> case( $click.value$=="Mailer", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Mailer(*&quot;)", $click.value$=="SPackager", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*SPackager(*&quot;)", $click.value$=="Hancock", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Hancock(Ver:*&quot;)", $click.value$=="GVMSAuth", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*GVMSAuth(Ver:*&quot;)", $click.value$=="Cloud_SecurePnC", "(source=&quot;Cloud.SecurePnC&quot;)", $click.value$=="SecurePackageDelivery", "(source=&quot;ivssspd&quot;)", $click.value$=="AppPool_Restarts", "(sourcetype=&quot;WinEventLog:System&quot; AND EventCode=5074)", $click.value$=="Cloud_SecureConnect", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureConnect&quot;)", $click.value$=="Cloud_SecureMessage", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureMessage&quot;)", $click.value$=="Cloud_FPackager", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;FPackager&quot;)", $click.value$=="SecureMessage", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = 
SecureMessage*&quot;)", $click.value$=="SecureConnect", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureConnect*&quot;)", $click.value$=="KmsService", "(SourceName=&quot;KmsService&quot;)", $click.value$=="AutoSigner", "(SourceName=&quot;AutoSigner&quot;)", $click.value$=="DebugToken", "(SourceName=&quot;DebugToken&quot;)", $click.value$=="FlashbackCache", "(SourceName=&quot;FlashbackCache&quot;)", $click.value$=="KeyBundler", "(SourceName=&quot;KeyBundler&quot;)", $click.value$=="SecureModuleCore", "(SourceName=&quot;SecureModuleCore&quot;)", $click.value$=="SecureOTACore", "(SourceName=&quot;SecureOTACore&quot;)", $click.value$=="SecurePaaK", "(SourceName=&quot;SecurePaaK&quot;)", $click.value$=="SecurePayloadCore", "(SourceName=&quot;SecurePayloadCore&quot;)", $click.value$=="SecurePnCCore", "(SourceName=&quot;SecurePnCCore&quot;)", $click.value$=="SecureRekey", "(SourceName=&quot;SecureRekey&quot;)", $click.value$=="SecureSigner", "(SourceName=&quot;SecureSigner&quot;)", $click.value$=="SupplierFeed", "(SourceName=&quot;SupplierFeed&quot;)", $click.value$=="TRON", "(SourceName=&quot;TRON&quot;)", $click.value$=="WSLAgent5", "(SourceName=&quot;WSLAgent5&quot;)", $click.value$=="MMU", "(SourceName=&quot;MMU&quot;)" ) </eval> <eval token="start_time">$row._time$</eval> <eval token="end_time">$row._time$ + $row._span$</eval> <link 
target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query$&amp;earliest=$start_time$&amp;latest=$end_time$</link> </drilldown> </chart> </panel> </row> </form>    
| rest splunk_server=local /servicesNS/nobody/splunk_app_db_connect/configs/conf-identities
Try converting matching to a multivalue field:
index="source*" | where matching LIKE "%mobileNumber%" AND matching LIKE "%countryCode%" | eval matching=split(matching,",") | stats count by matching | table count matching
Please share your dashboard code in a code block to preserve original formatting.
Hello. I have logs which contain a field "matching", which is a String type. This field contains this kind of information: [firstName, lastName, mobileNumber, town, ipAddress, dateOfBirth, emailAddress, countryCode, fullAddress, postCode, etc]. What I want to do is to compose a query that will return the count of a specific search, such as [mobileNumber, countryCode], and display only the fields that contain the above words. I tried this query:
index="source*" | where matching LIKE "%mobileNumber%" AND matching LIKE "%countryCode%" | stats count by matching | table count matching
But the answer returns all the possible variants that also contain [mobileNumber, countryCode]. What I want is a count only for all these results.
Also, I want to create a table with all the specific searches I do. I know how to use append, but the result is like stairs; what other solution can be used? Thank you!
9.0.5.1 apparently, it had something to do w/ what I was originally trying.  target blank is working now, but the token isn't. <form version="1.1" theme="dark"> <label>Error Overview</label> <description>These charts only show apps having errors in the selected time frame</description> <fieldset submitButton="false"> <input type="time" token="field1"> <label></label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <title>Across Time</title> <chart> <search> <query>(index=ivss OR index=hec_18399_na_prod) NOT "*ivss-test*" NOT (SourceName=Microsoft-Windows-CAPI2) NOT (SourceName=Microsoft-Windows-DistributedCOM) NOT (SourceName="Microsoft WSE 3.0") NOT (SourceName=Microsoft-Windows-GroupPolicy) NOT (SourceName=Microsoft-Windows-Eventlog) NOT (SourceName=Logging) NOT (SourceName=ADFSAuth) NOT (SourceName=Schannel) NOT "*PackageExtractor.exe*" NOT "*w3wp.exe*" NOT "*openssl.exe*" (Type="Error" OR Level="Error") | eval AppName = case( (SourceName="KmsService" AND Message="*Mailer(*"), "Mailer", (SourceName="KmsService" AND Message="*SPackager(*"), "SPackager", (SourceName="KmsService" AND Message="*Hancock(Ver:*"), "Hancock", (SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), "GVMSAuth", (source="Cloud.SecurePnC"), "Cloud_SecurePnC", (source="ivssspd"), "SecurePackageDelivery", (sourcetype="WinEventLog:System" AND EventCode=5074), "AppPool_Restarts", (source="ivsscs" AND 'Properties.Service'="SecureConnect"), "Cloud_SecureConnect", (source="ivsscs" AND 'Properties.Service'="SecureMessage"), "Cloud_SecureMessage", (source="ivsscs" AND 'Properties.Service'="FPackager"), "Cloud_FPackager", (SourceName="IVSSCS" AND match(_raw, ".*Service = SecureMessage.*")), "SecureMessage", (SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")), "SecureConnect", (SourceName="KmsService"), "KmsService", (SourceName="AutoSigner"), "AutoSigner", (SourceName="DebugToken"), "DebugToken", (SourceName="FlashbackCache"), 
"FlashbackCache", (SourceName="KeyBundler"), "KeyBundler", (SourceName="SecureModuleCore"), "SecureModuleCore", (SourceName="SecureOTACore"), "SecureOTACore", (SourceName="SecurePaaK"), "SecurePaaK", (SourceName="SecurePayloadCore"), "SecurePayloadCore", (SourceName="SecurePnCCore"), "SecurePnCCore", (SourceName="SecureRekey"), "SecureRekey", (SourceName="SecureSigner"), "SecureSigner", (SourceName="SupplierFeed"), "SupplierFeed", (SourceName="TRON"), "TRON", (SourceName="WSLAgent5"), "WSLAgent5", (SourceName="MMU"), "MMU", 1==1, "Other") | timechart usenull=f useother=f limit=0 span=1h count by AppName</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="charting.axisTitleX.visibility">collapsed</option> <option name="charting.chart">line</option> <option name="charting.drilldown">all</option> <option name="height">500</option> <option name="refresh.display">progressbar</option> <drilldown target="_blank"> <eval token="app_query"> case( $click.value$=="Mailer", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Mailer(*&quot;)", $click.value$=="SPackager", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*SPackager(*&quot;)", $click.value$=="Hancock", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Hancock(Ver:*&quot;)", $click.value$=="GVMSAuth", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*GVMSAuth(Ver:*&quot;)", $click.value$=="Cloud_SecurePnC", "(source=&quot;Cloud.SecurePnC&quot;)", $click.value$=="SecurePackageDelivery", "(source=&quot;ivssspd&quot;)", $click.value$=="AppPool_Restarts", "(sourcetype=&quot;WinEventLog:System&quot; AND EventCode=5074)", $click.value$=="Cloud_SecureConnect", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureConnect&quot;)", $click.value$=="Cloud_SecureMessage", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureMessage&quot;)", $click.value$=="Cloud_FPackager", "(source=&quot;ivsscs&quot; AND 
Properties.Service=&quot;FPackager&quot;)", $click.value$=="SecureMessage", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureMessage*&quot;)", $click.value$=="SecureConnect", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureConnect*&quot;)", $click.value$=="KmsService", "(SourceName=&quot;KmsService&quot;)", $click.value$=="AutoSigner", "(SourceName=&quot;AutoSigner&quot;)", $click.value$=="DebugToken", "(SourceName=&quot;DebugToken&quot;)", $click.value$=="FlashbackCache", "(SourceName=&quot;FlashbackCache&quot;)", $click.value$=="KeyBundler", "(SourceName=&quot;KeyBundler&quot;)", $click.value$=="SecureModuleCore", "(SourceName=&quot;SecureModuleCore&quot;)", $click.value$=="SecureOTACore", "(SourceName=&quot;SecureOTACore&quot;)", $click.value$=="SecurePaaK", "(SourceName=&quot;SecurePaaK&quot;)", $click.value$=="SecurePayloadCore", "(SourceName=&quot;SecurePayloadCore&quot;)", $click.value$=="SecurePnCCore", "(SourceName=&quot;SecurePnCCore&quot;)", $click.value$=="SecureRekey", "(SourceName=&quot;SecureRekey&quot;)", $click.value$=="SecureSigner", "(SourceName=&quot;SecureSigner&quot;)", $click.value$=="SupplierFeed", "(SourceName=&quot;SupplierFeed&quot;)", $click.value$=="TRON", "(SourceName=&quot;TRON&quot;)", $click.value$=="WSLAgent5", "(SourceName=&quot;WSLAgent5&quot;)", $click.value$=="MMU", "(SourceName=&quot;MMU&quot;)" ) </eval> <eval token="start_time">$row._time$</eval> <eval token="end_time">$row._time$ + $row._span$</eval> <link 
target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query$&amp;earliest=$start_time$&amp;latest=$end_time$</link> </drilldown> </chart> </panel> </row> </form> that xml ends up w/ the token not getting turned into the token's value in the search window - it remains "$app_query$", like this: (index=ivss OR index=hec_18399_na_prod) NOT "*ivss-test*" NOT (SourceName=Microsoft-Windows-CAPI2) NOT (SourceName=Microsoft-Windows-DistributedCOM) NOT (SourceName="Microsoft WSE 3.0") NOT (SourceName=Microsoft-Windows-GroupPolicy) NOT (SourceName=Microsoft-Windows-Eventlog) NOT (SourceName=Logging) NOT (SourceName=ADFSAuth) NOT (SourceName=Schannel) NOT "*PackageExtractor.exe*" NOT "*w3wp.exe*" NOT "*openssl.exe*" (Type="Error" OR Level="Error") $app_query$
It should do - which version of Splunk are you using?
Thank you for your help. Your suggestion did work but I had to add an eval command to make it work:
| eval temp_date = strftime(_time, "%Y-%m-%d") | eventstats count as failed_count by IONS,temp_date | where failed_count>=10 | timechart dc(IONS) as IONS span=1d
Splunk has the mechanism in place to make it work: $trellis.name$ and $trellis.value$, but instead of these being available for ALL searches, they are only available for the trellis search/chart.  I have tried many things but all have failed.  If annotations are supported in Studio, you could try there.  That is my next step, but I don't know Studio so don't know if I will try or how long it would take.  The next best thing to do is make the "annotation_category" set to the value of the split-by field for the Trellis so that a hover makes it clear which ones are for which trellis panel.
The syntax is incorrect. A blacklist must be a comma-separated list of event IDs or pairs of key=regex specifiers. Try this:
blacklist3 = 5145,5156,4658,4690,5158
Thank you for your help. You got me on the right track. While searching using that command I found another way to get what I was looking for by using the search command which I could then use wildcards to filter out what I need or don't need.
This gave me all Windows devices:
|search Device=*DESKTOP* OR *laptop* OR *lenovo* OR *dell* OR *HP*| stats dc("IONS") as total_users
This listed all devices besides what I was looking for:
| search NOT Device IN (*LAPTOP*,*Desktop*,*lenovo*,*dell*,*HP*,*MAC*,*Ipad*,) | stats dc("IONS") as total_users
excellent!  I'll try that.  any idea why clicking on a line in a line chart won't open in a new window?  
Rather than using condition in the drilldown, try using eval to set app_query using a case function with a case for each app name. <drilldown> <eval token="app_query">case($click.value$=="Mailer","(SourceName=&quot;KmsService&quot; AND ...  
UDP. The picture is UDP. I am sending logs via Syslog on port UDP:9004. I only opened TCP:9008 for testing purposes. Everything works on TCP as expected. I want to fix UDP.
apparently, the line chart drill down also isn't opening in a new window/tab, in spite of  target="_blank"