I am a beginner in Splunk queries. I might be asking for a simple query, but I have not been able to construct it after searching a lot. Below is my sample event from the message field:

REPORT RequestId: 288f34e9-5572-4816-d21e-9fcf5965fad0 Duration: 206.64 ms ..

I can get all events matching this criteria, but I want the average, min and max of the value present in Duration, in milliseconds. Any help on this would be appreciated.
The only way to reset the situation is to manually edit "etc/users/user/app/local/eventtypes.conf & tags.conf", "etc/apps/app/local/eventtypes.conf & tags.conf" and "etc/apps/app/metadata/local.meta", delete the objects there, and restart splunkd. But if you are inside a cluster, it's not very comfortable.
In case @PickleRick's suggestion wasn't clear, you can do this:

| makeresults count=5 | eval n=(random() % 10) | eval sourcetype="something" . n | fields - n | collect index=your_summary_index output_format=hec

It will respect the sourcetype set, in this case a value between something0 and something9.
Hi @richgalloway, can we edit a custom app's props.conf using the conf editor?
The fact that you are using eval is expected but does not help identify where the problem is, please share your data (anonymised where appropriate).
Your issue is to do with the chart command: it only really supports two dimensions, in your case work_queue and range, but you need three dimensions, work_queue, range and current_ticket_state. This means you will have to use a stats command, then combine work_queue and current_ticket_state into a single field, then chart using the combined field and range, then split the combined field back into two fields. Try something like this:

| stats count by work_queue current_ticket_state range
| eval combined=work_queue."|".current_ticket_state
| chart max(count) by combined range
| eval work_queue=mvindex(split(combined,"|"),0)
| eval current_ticket_state=mvindex(split(combined,"|"),1)
| fields - combined
Hello. Don't know if it's a bug or not, but... Splunk 8.2.12...

1. Create a simple EventType "MYTEST" with tag "MYTEST", with a simple search like "index=_internal source=*splunkd.log"
2. The EventType and Tag are created OK
3. Change the permission to share the EventType in App for */RW
4. ALL IS OK NOW; delete both objects, the system is now empty.

1. Re-create a simple EventType "MYTEST" with tag "MYTEST", as before
2. The EventType and Tag are created OK
3. Change the permission to share the EventType in App for */RW
4. NOW WE GET "Splunk could not update permissions for resource saved/eventtypes [HTTP 409] [{'type': 'ERROR', 'code': None, 'text': 'Cannot overwrite existing app object'}]"
5. We can only CANCEL and go back, where the EventType is shared in App, BUT WITH NO TAG ASSOCIATED!
6. Now we edit the EventType and add the Tag
7. From now on we have a double Tag and need to leave it so to preserve the shared Tag/EventType

Is this behaviour normal??? Thanks.
I am trying to replicate the reference table attached previously. My "work_queue" field contains (BROKERPORTAL_L2SUPPORT, CONSUMERPORTAL_L2SUPPORT, EMPLOYERPORTAL_L2SUPPORT, MARKETINGCLOUD_L2SUPPORT, MEMBERPORTAL_L2SUPPORT, PROVIDERPORTAL_L2SUPPORT, SALESCLOUD_L2SUPPORT, SERVICECLOUD_L2SUPPORT). The "Ageing Lookup" field contains (In Progress, Resolved, Awaiting Resolution Confirmation, Awaiting User Information, Dependent System, Awaiting Change, Cancelled, Reopen). I want to divide every work_queue field value further based on "Ageing Lookup".
The default index in Splunk is the main index. The definition is located in indexes.conf:

defaultDatabase = <database name>

Additionally, every user role can have a custom default index assigned. You can check the default index for a user role by going to Settings -> Roles -> Your Role -> 3. Indexes. Check whether the default for the environment or for your user role is the same as the index the data is shown from when you search without an index. Regarding the missing fields, I currently have no lead.
Hello! Could you advise, please, how I can compare the results of 2 searches which return results in different formats?

First search:
... <first part of the search> ... | eval output3 = json_extract(output1, "data.affected_items{}.id") | table output3

The result of this search looks like this (only one row):
["112","114","267","456"]

Second search:
... <first part of the search> ... | table id

The result of this search looks like this:
id (header)
111 (first row)
112 (second row)
255 (third row)
etc.

The number of elements in the results of the first and the second searches is different. I need to combine these searches into one search whose result contains the elements common to both. For example, if the first search has the following output:
["112","114","267","456"]
and the second search has the following output:
id (header)
111 (first row)
112 (second row)
255 (third row)

I need to have the following result:
id (header)
112 (first row)

Which Splunk functions or tools could you recommend for this purpose? The Splunk version is 8, so some new functionality from version 9 does not work.

Thank you.

Best regards,
I am trying to replicate the reference table attached previously. My "work_queue" field contains (BROKERPORTAL_L2SUPPORT, CONSUMERPORTAL_L2SUPPORT, EMPLOYERPORTAL_L2SUPPORT, MARKETINGCLOUD_L2SUPPORT, MEMBERPORTAL_L2SUPPORT, PROVIDERPORTAL_L2SUPPORT, SALESCLOUD_L2SUPPORT, SERVICECLOUD_L2SUPPORT). The "Ageing Lookup" field contains (In Progress, Resolved, Awaiting Resolution Confirmation, Awaiting User Information, Dependent System, Awaiting Change, Cancelled, Reopen). I want to divide the work_queue field values further based on "Ageing Lookup".
Hi @pmerlin1, can you please elaborate on which specific file changes are not getting replicated? Could it be that those changes were made at run time, and hence are not getting updated from the deployer? Refer to the document below for more details: https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/PropagateSHCconfigurationchanges
The data is complete in my case, because they are evaluated fields. One thing to note is that the column age is in a float format and expectedAge is in an int format (at least it looks like that).
You have [FALSE] in your process, which is disrupting the match. Assuming this is optional, you could try this:

| rex "^(?<Date>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+\[[^\]]*\]\s*\[(?<Process>(\[[^\]]*\]\s)?[^\]]*)\]\s*\[(?<Step>[^\]]*)\]\s*\[(?<User>[^\]]*)\]\s*[^\[]+\s\[(?<Log_level>[^\]]+)"

Also, your example doesn't have a date at the beginning, which I assumed was a copy-paste error. If not, you would have to change that part of the expression too.
I have the below query, which shows values in a line chart with up to 5 decimals, and I want to limit it to a max of 2 decimals.

search text .. | eval reqs = 1 | timechart span=24h per_hour(reqs) as AvgReqPerHour
It is not clear what you want - please share some sample events and a description of what you are trying to do, and your expected results.
My regular expression has been working fine, but now there's data with "[]" and it is being skipped. Here is the regex:

| rex "^(?<Date>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+\[[^\]]*\]\s*\[(?<Process>[^\]]*)\]\s*\[(?<Step>[^\]]*)\]\s*\[(?<User>[^\]]*)\]\s*[^\[]+\s\[(?<Log_level>[^\]]+)" | search Log_level="ERROR"

This log entry is being skipped:

13:42:21 [gaming-run-9999999-hit-99999991-step-6129] [[FALSE] Gaming Cans Gaming Redesigned API v.2.6.3] [Consolidated Card Refund Business Process  (Gaminggaming)] [] GameTask [ERROR]

Do I need to update my regular expression?
The where command should work assuming your data is consistent with the condition, i.e. both fields hold numerics. If it is still not working, please share your data (anonymised where appropriate).
reference table:

My query:

| eval time_period= "01-Nov-23"
| eval time_period_epoc=strptime(time_period,"%d-%b-%y")
| where epoc_time_submitted <= time_period_epoc
| join max=0 type=left current_ticket_state [| inputlookup monthly_status_state_mapping.csv | rename Status as current_ticket_state | table current_ticket_state "Ageing Lookup"]
| eval age=Final_TAT_days
| eval total_age=round(age,2)
| rangemap field=total_age "0-10days"=0-11 "11-20 Days"=11.01-20.00 "21-30 Days"=20.01-30 "31-40 Days"=30.01-40 "41-50 Days"=40.01-50 "51-60 Days"=50.01-60 "61-70 Days"=60.01-70 "71-80 Days"=70.01-80 "81-90 Days"=80.01-90 "91-100 Days"=90.01-100 ">100 Days"=100.01-1000
| chart count as count1 over work_queue by range
| rename work_queue as "Owner Group"
| table "Owner Group" "11-20 Days" "21-30 Days" "31-40 Days" "41-50 Days" "51-60 Days" "61-70 Days" "71-80 Days" "81-90 Days" "91-100 Days" ">100 Days"
| addtotals
| addcoltotals
| fillnull value="Grand Total"

my result:
I am having trouble comparing the columns age and expectedAge, where the column expectedAge is the result of a lookup table. I tried the comparison with "where" as well as "search" clauses. Neither of them worked. I simply want to select the rows where age > expectedAge.

Expected behaviour: return rows where the above-mentioned condition is met.

Actual behaviour: returns nothing.

| eval age=bla..bla..bla
| lookup "expected_age_lookup" dummy_s as s OUTPUT expected_age
| fillnull value=777 expected_age
| rename expected_age as expectedAge
| search age > expectedAge
| convert ctime(dummy_Time)
| table age,s,dummy_Time,expectedAge

If I remove the lines following (and including) the where/search clause, I see the results of the lookup. How can I achieve this correctly?