Perhaps if you shared your actual raw unformatted events (anonymised as appropriate) in a code block to preserve any formatting there might be in the event, we might be able to suggest something that might work with your data.
Thank you, but for some reason it doesn't work...

... | eval output1=json(output) | eval output3 = json_extract(output1, "data.affected_items{}.id") | table output3

works fine, but the result is in one row.

... | eval output1=json(output) | spath input=output1 path="data.affected_items{}.id{}" output=output3 | mvexpand output3 | table output3

shows "No results found."
OK so how do you want them combined, e.g. do you want the times from the "unique objectIds" message and "data retrieved for Ids" message to be in the same row by object id?

| spath uniqObjectIds{} output=uniqObjectIds
| spath uniqueRetrievedIds{} output=uniqueRetrievedIds
| spath eventBody.objectIds{} output=eventBodyObjectIds
| eval eventBodyObjectIds=if(eventBodyObjectIds=="",null(),eventBodyObjectIds)
| eval objectId=coalesce(eventBodyObjectIds,coalesce(uniqueRetrievedIds,uniqObjectIds))
| eval retrievedTime=if(msg=="data retrieved for Ids",time,null())
| eval uniqueTime=if(msg=="unique objectIds",time,null())
| stats values(retrievedTime) as retrievedTime values(uniqueTime) as uniqueTime by objectId
I have a field called environment which has values like dev, prod, uat, sit. Now I want to create a new_field which contains all the field values of the environment field.

Example: (4 field values)
environment
dev
prod
uat
sit

After query: (1 field value, separated by any string)
merge_environment = dev | prod | uat | sit

How to achieve this?
Happy 12th Birthday, posting #107735 ! You're a tween now! Why, it seems like only yesterday we were commenting on how decade-old authentication code for Yum repo consumers makes the current auth wall completely pointless, and how easy it would be to set up a simple yum repo to make enterprise update staging and testing on-premise such a trivial thing. Now it's TWO decades old! Yay! Oh, how you've grown as the technology has aged. Remember all the times we've been told "we're just sorting it with [another group]" and progress went absolutely nowhere? Remember how we sadly pointed out the delayed development against its peers in that regard -- which is still a developmental delay today? This is your year, kiddo. Go on and be adequate!
Thanks both of you guys!
Hi @ITWhisperer

Below are the raw events which need to be displayed in table format in a single row; the events below have no common key value.

{"name":"","awsRequestId":"","hostname":"","pid":8,"level":30,"uniqObjectIds":["275649"],"uniqObjectIdsCount":1,"msg":"unique objectIds","time":"2023-11-03T19:26:43.672Z","v":0}
{"name":"","awsRequestId":"","hostname":"","pid":8,"level":30,"uniqueRetrievedIds":["275649"],"msg":"data retrieved for Ids","time":"2023-11-06T22:48:03.594Z","v":0}
{"name":"","awsRequestId":"","hostname":"","pid":8,"level":30,"eventBody":{"objectType":"material","objectIds":["275649","108795","1234567","1234568","99999999","888888888"],"version":"all"},"msg":"request body","time":"2023-11-03T05:25:33.508Z","v":0}
Hi,

I am trying to upload the dSYM files automatically in the pipeline by hitting the AppDynamics REST APIs. I would like to know how I can do it using API tokens.

1. I want to generate the token using the AppDynamics REST API. The token generation API requires both an authentication header with username and password as well as the OAuth request body to successfully request a token. We use only SAML login. Do I need to create a local account for this purpose? Then, how long can the API token live?

2. API Clients (appdynamics.com): when I generate the token via the Admin UI, it shows the max is 30 days. Then it needs to be regenerated. Any comments on it?

Appreciate your inputs on this.

Thanks,
Viji
After installing the latest UF 9.1.1 on a Linux host, I tried to connect it to the deployment server with

./splunk set deploy-poll <host name or ip address>:<management port>

I get an "error" with allowRemoteLogin and the deployment.con is not created. After I added the following entry in server.conf, the command successfully added the string to connect to the deployment server:

allowRemoteLogin = always

Anyone experiencing the same issue?
Since these come from the same raw event(?) you could regather the fields with a stats command

| stats values(*) as * by _raw

You may need to add _raw to your list of fields in the table command or use another field which is unique to the original event, e.g. _time
Please share the raw unformatted sample event in a code block </> to preserve the original formatting.
I'm not familiar with conf editor.  I recommend making Splunk Cloud config changes locally and then uploading an app.  That means you always have a copy of your configs locally.
This appears to work for me on 9.1.1.  Please can you try cutting down your dashboard to isolate the issue, then post the source code.
Yes, you can.  Please read inputs.conf.spec.
Your way of sorting, grouping, ordering and so on is up to you. "My" part only did the limiting.
Great solution! But there was a typo and it disregarded the amount of count. Added a sort to your solution.

<your_search>
| stats count by user
| sort - count
| eventstats count as total
| streamstats count as current
| where current<=0.15*total
Thanks @ITWhisperer, the above spath query worked and I was able to form a table view without duplicates. How can I combine the results of two events in a single row rather than displaying them in two rows? There is no common key to do stats by; they have the same source and index, only the msg is different.

1. Currently uniqObjectIds, uniqueRetrievedIds are displayed in two rows in a table view; wanted as a single row
2. How to combine multiple events in a single query if there is no common key.

index= "" source IN ("") "uniqObjectIds" OR "data retrieved for Ids"
| spath output=uniqObjectIds path=uniqObjectIds{}
| spath output=uniqueRetrievedIds path=uniqueRetrievedIds{}
| eval PST=_time-28800
| eval PST_TIME=strftime(PST, "%Y-%d-%m %H:%M:%S")
| eval split_field= split(_raw, "Z\"}")
| mvexpand split_field
| rex field=split_field "objectIdsCount=(?<objectIdsCount>[^,]+)"
| rex field=split_field "uniqObjectIdsCount=(?<uniqObjectIdsCount>[^,]+)"
| rex field=split_field "recordsCount=(?<recordsCount>[^,]+)"
| rex field=split_field "sqsSentCount=(?<sqsSentCount>[^,]+)"
| table _time,PST_TIME,objectType,objectIdsCount,uniqObjectIdsCount,recordsCount,sqsSentCount,uniqObjectIds,uniqueRetrievedIds
| sort _time desc
<yoursearch> | evenstats count as total | streamstats count as current | where current<=0.15*total
I know that but with your solution I can only use integers such as 5,1,10 etc. I want to limit the results to a certain percentage of all possible results.
Hi @gcusello @ITWhisperer

I have the same source and index for the two events below.

first event:
{
   awsRequestId:
   hostname:
   level: 30
   msg: data retrieved for Ids
   name:
   pid: 8
   time:
   uniqueRetrievedIds: [
      275649
   ]
   v: 0
}

second event:
{
   awsRequestId:
   hostname:
   level: 30
   msg: unique objectIds
   name:
   pid: 8
   time:
   uniqObjectIds: [
      275649
   ]
   uniqObjectIdsCount: 1
   v: 0
}

There is no common key in these two events, but I want to have them in a table view.

1. Currently uniqObjectIds, uniqueRetrievedIds are displayed in two rows in a table view; wanted as a single row
2. How to combine multiple events in a single query if there is no common key.

index= "" source IN ("") "uniqObjectIds" OR "data retrieved for Ids"
| spath output=uniqObjectIds path=uniqObjectIds{}
| spath output=uniqueRetrievedIds path=uniqueRetrievedIds{}
| eval PST=_time-28800
| eval PST_TIME=strftime(PST, "%Y-%d-%m %H:%M:%S")
| eval split_field= split(_raw, "Z\"}")
| mvexpand split_field
| rex field=split_field "objectIdsCount=(?<objectIdsCount>[^,]+)"
| rex field=split_field "uniqObjectIdsCount=(?<uniqObjectIdsCount>[^,]+)"
| rex field=split_field "recordsCount=(?<recordsCount>[^,]+)"
| rex field=split_field "sqsSentCount=(?<sqsSentCount>[^,]+)"
| table _time,PST_TIME,objectType,objectIdsCount,uniqObjectIdsCount,recordsCount,sqsSentCount,uniqObjectIds,uniqueRetrievedIds
| sort _time desc