All Posts
Hi, I am running a monthly report to show (unique users) logged in to the system (API) each month until the current time.

. . . . . earliest=@mon latest=now | stats dc(CN)

But I have difficulty in calculating the number of new users who have logged in per month as a running total to show a trend of new users over time. The query should run as in the following example:
If 50 distinct users log in in October and none of the 50 has logged in before, the total is 50.
If 75 distinct users log in in November but 50 of them are the same that logged in in October, the number of new users is 25. Combined with the total for October, the total for November becomes 75.
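One way to express this in SPL, added here as an example that is not part of the original post. It takes CN as the user field as in the question; the index/sourcetype placeholders and the 12-month lookback are assumptions.

```spl
index=<api_index> sourcetype=<api_sourcetype> CN=* earliest=-12mon@mon latest=now
| stats min(_time) as first_seen by CN
| eval month=strftime(first_seen, "%Y-%m")
| stats count as new_users by month
| sort month
| streamstats sum(new_users) as total_users
```

Each user is counted only in the month of their first login inside the search window, so new_users is the per-month count of first-time users and total_users is the running total (which by construction equals the cumulative distinct user count). The window must reach back to the earliest data, otherwise users first seen before it are reported as new in the first month.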
I guess it's a Dashboard Studio issue ... Just updated from 8.2 to 9.1.1. I will try to see if that works.
Hello, I need to generate the below report, can someone help please? Thank you!!
Format: .csv
List of events: authentication failure activity, user logon failure: bad password, user logon failure: bad username
Table with subset of fields: user, date/time, VendorMsgID, account, class, process name, object, subject, logMsg
Grouped by: user
Schedule: daily
Search window: -24 hours
Expiration: 30 days
Hi, we currently have our on prem Splunk infrastructure running on CentOS 7 servers.  CentOS 7 is going EOL in 2024.  We would like to migrate these servers to a supported Linux OS, preferably one with long term support.  What do you recommend for this?  We are strongly considering RHEL 9.2.  Thank you!
@gcusello's answer should give you the desired output. Is it possible that some events come out of order? You can use sort to make sure events are in perfect reverse time order.

| sort - _time
| transaction Item startswith="Result=fail" endswith="Result=success"
| eval EndTime = _time + duration
| fieldformat EndTime = strftime(EndTime, "%F %T")
| fieldformat duration = tostring(duration, "duration")
| fields Item _time EndTime duration

Here you can rename _time as StartTime if you wish, then format it for display. For a large number of events, sort can be expensive. This is one of the costs of transaction when raw events are not perfectly in order. Here is an emulation you can play with and compare with raw data:

| makeresults
| eval data = "02:00:00 Item=A Result=success 02:00:05 Item=B Result=success 02:05:00 Item=A Result=fail 02:05:05 Item=B Result=success 02:10:00 Item=A Result=fail 02:10:05 Item=B Result=success 02:15:00 Item=A Result=success 02:15:05 Item=B Result=fail 02:20:00 Item=A Result=success 02:20:05 Item=B Result=fail 02:25:00 Item=A Result=success 02:25:05 Item=B Result=success 02:30:00 Item=A Result=success 02:30:05 Item=B Result=success 02:35:00 Item=A Result=success 02:35:05 Item=B Result=success 02:40:00 Item=A Result=success 02:40:05 Item=B Result=fail 02:45:00 Item=A Result=success 02:45:05 Item=B Result=success 02:50:00 Item=A Result=success 02:50:05 Item=B Result=success 02:55:00 Item=A Result=success 02:55:05 Item=B Result=success"
| rex field=data max_match=0 "(?<event>\d\d:\d\d:\d\d Item=\S+ Result=\S+)"
| mvexpand event
| rename event as _raw
| rex "^(?<_time>\S+)"
| eval _time = strptime(_time, "%H:%M:%S")
| extract
``` data emulation above ```

Combining the two, I get:

Item  _time                EndTime              duration  _raw
B     2023-11-13 02:40:05  2023-11-13 02:45:05  00:05:00  02:40:05 Item=B Result=fail 02:45:05 Item=B Result=success
B     2023-11-13 02:20:05  2023-11-13 02:25:05  00:05:00  02:20:05 Item=B Result=fail 02:25:05 Item=B Result=success
B     2023-11-13 02:15:05  2023-11-13 02:30:05  00:15:00  02:15:05 Item=B Result=fail 02:30:05 Item=B Result=success
A     2023-11-13 02:10:00  2023-11-13 02:15:00  00:05:00  02:10:00 Item=A Result=fail 02:15:00 Item=A Result=success
A     2023-11-13 02:05:00  2023-11-13 02:20:00  00:15:00  02:05:00 Item=A Result=fail 02:20:00 Item=A Result=success
Hello @Aditya Kumar.Maddala, please check out the AppD Docs site for PHP Supported Environments: https://docs.appdynamics.com/appd/22.x/latest/en/application-monitoring/install-app-server-agents/php-agent/php-supported-environments
Splunk and its apps do not handle networking directly.  There is no reason why they will not do the job if the destination is addressable by the operating system's networking stack, IPv6 or IPv4.
Hi @Yann.Buccellato, I heard back from the Docs team.  The field is formatted in SAP-specific type TIMS and the value is presented in HH:MI:SS format. The documentation pages will be updated after the upcoming 23.11.0 release to reflect this information. Does this help?
You haven't provided sufficient information for anyone to be able to determine why your search picked up events which you weren't expecting, or why your search failed to exclude these from your alert. It is like me asking you, why did my search fail?
I haven't been able to find any documentation stating whether or not DB Connect is IPv6 compatible. My customer has a requirement to migrate to IPv6 and I need to know if this app will still be able to pull data from an MS-SQL DB once the protocol changes.
Thanks for your answer, even if it's not really easy to understand. The data are approximately indexed every 20 minutes, so concerning my problem I don't understand why my last related event vs my alert happened last Friday and why my alert has occurred once again today.
Please help me on the below things.
Requirements: Once 3 events are met, immediately the next event should be published. If the event is not published after 5 min, we need an alert.
Example: We have one customer no. For the customer number, I have to search whether the logs for the 3 events are available in the Splunk log or not.
Ex: index=1 sourcetype="abc" "s1 event received" and "s2 event received" and "s3 event received"
When I search the above query, I will be getting something like:
S1 received for 12345 customer
S2 received for 12345 customer
S3 received for 12345 customer
If for one customer all 3 events are met, next I want to search whether a "created" message is available in Splunk for the same customer (12345). Here the "created" message index and sourcetype are different. If the "created" message is not available for customer no 12345 after 5 min once all 3 events are met, I need an alert. Please help with this query.
Alerts have throttles but that's at the alert level, not at the level of the events which have been looked at. As I said, it depends on your search and your data. For example, if you are searching over 25 hours, every 24 hours, there will be an overlap of 1 hour. Having said that, it depends how quickly your data is indexed (real lag), and how far behind your timestamp field (_time) is relative to actual time (extended lag). In order to fashion a search which takes these factors into account, you need to understand your data, how it is indexed, when it is indexed, etc. When you know this, you might have a chance at eliminating events which you have (or may have) already looked at. Another way you might approach this is to copy the events you have looked at into a summary index and then ignore any events which are already in your summary index.
Understood.  Thanks again!
Do you have an example of filtering events that have already been looked at? Is there any alert customization for doing that, like throttle or expiration?
Your search has to be able to filter out the events you don't want, or have already looked at. This will depend on your search and your data.
* doesn't work (as a wildcard) for where, only for search
Hi, I use a Splunk alert with a 24 hour slot time. What is strange is that this alert shows me an event older than 24 hours, so I have 2 questions:
1) How is it possible that an alert occurs with an event outside the slot time specified?
2) How to customize the alert to be sure that it shows only new events and not events already shown? It means that I need the alert to occur just one time when an event is detected.
Thanks
Hello, thanks for your correction and your help. So this is what I am looking for:

| where (isnotnull(vuln) AND isnotnull(score) AND len(company)>0) OR isnotnull(vuln) OR len(company)>0

Any idea why * didn't work? It seems like "where" is faster than "search". Thank you
Not so easy, because you have said your lookup contains wildcards. You could append the list of sources from your lookup and count the occurrences, but you might get false positives/negatives where you found a source which matched the wildcard.

| append [| inputlookup pvs_source_list | table source]
| stats count by source
| where count < 2