The lookup file name is TransctionDetails.csv. If you look at my initial post, I have another stats query to which I need to append stats count(Tran) as count, avg(responstime) as avgrt by Tran, where Tran_lookup matches Tran in the index. The expected output is (the corresponding Transaction_Details should be added to the stats output): Count, Tran, Transaction_Details, avgrt
Assuming each event contains the timestamp line, followed by a header line, then lines for each process, you could try something like this:

| eval process=mvindex(split(_raw,"
"),2,-1)
| mvexpand process
| rex field=process "(?<USER>[^\s]+)\s+(?<PID>[^\s]+)\s+(?<CPU>[^\s]+)\s+(?<MEM>[^\s]+)\s+(?<VSZ>[^\s]+)\s+(?<RSS>[^\s]+)\s+(?<TTY>[^\s]+)\s+(?<STAT>[^\s]+)\s+(?<START>[^\s]+)\s+(?<TIME>[^\s]+)\s+(?<COMMAND>.*)"
| chart max(CPU) max(MEM) by _time PID
With the lookup command I mentioned in my first reply you can do so. You have to replace "<lookup_name>" with the name of your lookup. If the field names you mentioned are correct, then the query should work. Just add the line after the current result. If it still doesn't work, please provide more information, like the name of the lookup file, the exact names of the fields in the result and the exact names of the fields in the lookup file.
Hi all, I am trying to set up SAML with my Custom IDP, but Splunk is returning an "Unsupported algorithm" error even though the algorithm type is correct in the SAML response. Can you kindly help/guide me on how to troubleshoot this issue? I have attached my SAML response and SAML configuration settings to this post.

Error from Splunk Cloud: (screenshot attached)

SAML configurations in Splunk Cloud: (screenshot attached)

SAML response:

<ns2:SignedInfo>
  <ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ns2:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ns2:Reference URI="#id-S7lv9JFItlthO8Lzr">
    <ns2:Transforms>
      <ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ns2:Transforms>
    <ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ns2:DigestValue>Kq/4Vh3rMrw0H/yFvAnmr0KH8qrAbqYrU+stI/WODZY=</ns2:DigestValue>
  </ns2:Reference>
</ns2:SignedInfo>

Thanks
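When a SAML verifier rejects a signature as using an unsupported algorithm, the first thing to pin down is exactly which algorithm URIs the response declares, and where: the canonicalization method, the signature method, each transform, and the digest method all carry their own URI, and a verifier compares them as exact strings. The script below is an added example (not from the poster, not Splunk code) that walks the SignedInfo above and lists every declared URI against an allow-list. The allow-list is an assumption built from the URIs in the posted fragment, not Splunk's documented set; the fragment is parsed stand-alone, so the ns2 prefix is bound to the XML DSig namespace here (in the full response that binding sits on an enclosing element), and a second SignedInfo with an RSA-SHA1 signature method is constructed to show what a rejected URI looks like.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def ds(tag):
    """Namespace-qualify an XML DSig element name for ElementTree."""
    return "{%s}%s" % (DS_NS, tag)


# Allow-list for this example. It is an assumption built from the URIs in the
# poster's SignedInfo, not Splunk's documented list; substitute the set your
# verifier actually accepts.
ALLOWED = {
    "canonicalization": {"http://www.w3.org/2001/10/xml-exc-c14n#"},
    "signature": {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"},
    "transform": {
        "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
        "http://www.w3.org/2001/10/xml-exc-c14n#",
    },
    "digest": {"http://www.w3.org/2001/04/xmlenc#sha256"},
}


def signed_info_algorithms(xml_text):
    """Collect every Algorithm URI declared under ds:SignedInfo, grouped by role.

    Verifiers match these as exact strings, so a near-miss (trailing slash,
    http vs https, the same hash under a different namespace) is a different
    algorithm as far as the check is concerned.
    """
    root = ET.fromstring(xml_text)
    signed_info = next(root.iter(ds("SignedInfo")), None)
    if signed_info is None:
        raise ValueError("no ds:SignedInfo element in document")
    return {
        "canonicalization": [e.get("Algorithm") for e in signed_info.iter(ds("CanonicalizationMethod"))],
        "signature": [e.get("Algorithm") for e in signed_info.iter(ds("SignatureMethod"))],
        "transform": [e.get("Algorithm") for e in signed_info.iter(ds("Transform"))],
        "digest": [e.get("Algorithm") for e in signed_info.iter(ds("DigestMethod"))],
    }


def unsupported_algorithms(xml_text, allowed=ALLOWED):
    """Return (role, uri) pairs declared in SignedInfo but absent from the allow-list."""
    algs = signed_info_algorithms(xml_text)
    return [(role, uri) for role, uris in algs.items() for uri in uris if uri not in allowed[role]]


# The poster's SignedInfo, with the ns2 prefix bound to the XML DSig namespace so
# the fragment parses on its own (the binding sits on an enclosing element in the
# full response).
POSTED_SIGNED_INFO = """<ns2:SignedInfo xmlns:ns2="http://www.w3.org/2000/09/xmldsig#">
  <ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ns2:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ns2:Reference URI="#id-S7lv9JFItlthO8Lzr">
    <ns2:Transforms>
      <ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ns2:Transforms>
    <ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ns2:DigestValue>Kq/4Vh3rMrw0H/yFvAnmr0KH8qrAbqYrU+stI/WODZY=</ns2:DigestValue>
  </ns2:Reference>
</ns2:SignedInfo>"""

# Constructed variant (not from the thread): same structure, RSA-SHA1 signature method.
SHA1_SIGNED_INFO = POSTED_SIGNED_INFO.replace(
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
)

if __name__ == "__main__":
    for label, doc in (("posted", POSTED_SIGNED_INFO), ("sha1 variant", SHA1_SIGNED_INFO)):
        print(label, signed_info_algorithms(doc))
        print("  unsupported:", unsupported_algorithms(doc))
```

Running it against the posted fragment reports no unsupported URI under this allow-list, and the SHA-1 variant reports the signature method. If the real verifier still objects to a response whose SignedInfo is clean, the remaining places an algorithm URI can appear are outside this element (for example in the KeyInfo or in a signature over the enclosing Assertion rather than the Response), so extend the walk to every ds:Signature in the document before concluding the declared algorithms are fine.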
Hello, how can we combine stats and lookup on a comparison of Tran and Look_Tran? Current results: Tran, Count, avgrt. Required results (matching Transaction_Details to be pulled from the lookup based on Tran): Tran, Transaction_Details, Count, avgrt
If the search indexes are based on roles, then the search query should behave in the same way with or without any commands (like statistical commands, chart commands or any other functions). In my case, I am getting empty results whenever I run either of the queries below:

host=abc sourcetype=xyz | stats count

(or)

host=abc sourcetype=xyz | timechart count

whereas, with the query below (without mentioning the index), I am able to see the log events successfully:

host=abc sourcetype=xyz
Sorry for the 4-year resurrection of the thread, but I was wondering if this led anywhere. I am working with lookups for assets and identities in ES and finding issues with the use of, and inconsistencies in, the way 'make_ip_cidr' operates. For ES population, I'm trying to use MV in KV stores of assets, as well as delimited CSV lookups, but the CIDR matching, make_ip_cidr and expandiprange and the lack of support for /32 are causing issues.
Try this:

| rex field=_raw "(?<header>[^\n]+)"
| eval temp = split(_raw,"
")
| mvexpand temp
| regex temp="proc\d+"
| rex field=temp "(?<USER>[^\s]+)\s(?<PID>[^\s]+)\s(?<CPU>[^\s]+)\s(?<MEM>[^\s]+)\s(?<VSZ>[^\s]+)\s(?<RSS>[^\s]+)\s(?<TTY>[^\s]+)\s(?<STAT>[^\s]+)\s(?<START>[^\s]+)\s(?<TIME>[^\s]+)\s(?<COMMAND>[^\s]+)"
| rename CPU as "%CPU" MEM as "%MEM"
| fields - temp

You can then use transforming commands with the COMMAND field (procs). Also be careful to keep the new line in the query in the split command so it splits correctly. If that doesn't work, try "\n" instead.

EDIT: The version from @ITWhisperer with mvindex is simpler...
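The two answers above differ in how their rex patterns treat the columns of a ps listing: one separates fields with \s+ and lets COMMAND take the rest of the line, the other uses a single \s between fields and a single token for COMMAND. Which one fits depends on whether the lines in the event are column-padded the way ps prints them. The script below is an added example, not code from either answer or from Splunk: it carries both patterns over to Python's named-group syntax unchanged, mirrors the split/mvindex/mvexpand/rex/chart pipeline from the first answer in plain functions, and runs both patterns over a constructed three-process event (timestamp line, ps aux header, padded process lines; the names and numbers are made up) so you can see what each pattern extracts before putting it in a search.

```python
import re

# ITWhisperer's pattern: one-or-more whitespace between columns, COMMAND = rest of line.
# Carried over from the answer above with (?<name>) rewritten as Python's (?P<name>).
PS_MULTI_SPACE = re.compile(
    r"(?P<USER>[^\s]+)\s+(?P<PID>[^\s]+)\s+(?P<CPU>[^\s]+)\s+(?P<MEM>[^\s]+)\s+"
    r"(?P<VSZ>[^\s]+)\s+(?P<RSS>[^\s]+)\s+(?P<TTY>[^\s]+)\s+(?P<STAT>[^\s]+)\s+"
    r"(?P<START>[^\s]+)\s+(?P<TIME>[^\s]+)\s+(?P<COMMAND>.*)"
)

# The other answer's pattern: exactly one whitespace between columns, COMMAND = one token.
PS_SINGLE_SPACE = re.compile(
    r"(?P<USER>[^\s]+)\s(?P<PID>[^\s]+)\s(?P<CPU>[^\s]+)\s(?P<MEM>[^\s]+)\s"
    r"(?P<VSZ>[^\s]+)\s(?P<RSS>[^\s]+)\s(?P<TTY>[^\s]+)\s(?P<STAT>[^\s]+)\s"
    r"(?P<START>[^\s]+)\s(?P<TIME>[^\s]+)\s(?P<COMMAND>[^\s]+)"
)

# Constructed sample event (not from the thread): timestamp line, `ps aux` header,
# then one column-padded line per process, the layout both answers assume.
SAMPLE_EVENT = (
    "2024-01-01 12:00:00\n"
    "USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND\n"
    "root         1  0.0  0.1 169412 11248 ?        Ss   Jan01   0:05 /sbin/init splash\n"
    "www-data  1042  3.5  1.2 512000 98304 ?        S    10:12   1:23 /usr/sbin/apache2 -k start\n"
    "alice     2213 12.0  0.8 812000 65536 pts/0    R+   11:58   0:02 python3 proc7.py --verbose\n"
)


def parse_event(raw, pattern=PS_MULTI_SPACE):
    r"""Mirror of: eval process=mvindex(split(_raw,"<newline>"),2,-1) | mvexpand process | rex field=process ...

    Drops the timestamp and header lines (multivalue index 2 through -1), then
    applies the pattern to each remaining line. Lines the pattern does not match
    are skipped here; in SPL, rex would keep them as rows with no extracted fields.
    """
    rows = []
    for line in raw.split("\n")[2:]:
        m = pattern.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def max_by_pid(rows):
    """Mirror of: chart max(CPU) max(MEM) by _time PID, for one event (a single _time)."""
    result = {}
    for r in rows:
        cpu, mem = float(r["CPU"]), float(r["MEM"])
        prev = result.get(r["PID"], (0.0, 0.0))
        result[r["PID"]] = (max(prev[0], cpu), max(prev[1], mem))
    return result


def command_field(pattern, line):
    """Return the COMMAND capture for one ps line, or None if the pattern does not match."""
    m = pattern.match(line)
    return m.group("COMMAND") if m else None


if __name__ == "__main__":
    rows = parse_event(SAMPLE_EVENT)
    for row in rows:
        print(row["PID"], row["CPU"], row["MEM"], row["COMMAND"])
    print(max_by_pid(rows))
    for line in SAMPLE_EVENT.split("\n")[2:5]:
        print("single-space pattern ->", command_field(PS_SINGLE_SPACE, line))
```

On the padded sample, the \s+ pattern yields three rows with the full command line in COMMAND (so "/usr/sbin/apache2 -k start" survives intact), while the single-\s pattern matches none of them, because each padded column is separated by more than one space. On a line whose columns are separated by exactly one space, the single-\s pattern does match but COMMAND holds only the first token ("python3"), which is worth knowing before you group on COMMAND downstream. In SPL the split argument is a literal newline inside the quotes, as both answers note; Python's "\n" plays that role here.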
| lookup <lookup_name> Tran_lookup as Tran OUTPUT Transaction_Details

It's recommended to create a lookup definition for your lookup files. If you do so, replace the lookup name with the name of the lookup definition. Hope this helps!
Fair enough, even if I think that this capability the user is asking for can be immediately clarified by an expert user of AppDynamics or some other technical people who have worked on the platform for years. Personally, I would never contact support over a "can do" or "cannot do" question.

Best regards
Hi, there are two options to get those into your lookup. Get them from your LDAP query. This is obviously the best option, as then they are absolutely correct. Unfortunately I don't have any suitable AD to look at which fields those are and how you could get them. I'm quite confident that they are there. Just ask your AD admins and they will probably help you. If you have a standard for how those are created based on other attributes, then just regenerate them before you add the entry to the lookup.

r. Ismo
Hi, I've got the email, but this is not what I wanted. I want to set up my controller's account, username, and password. If I click my controller name(?), it prompts me to enter my account information.

You can see my screenshots for a better understanding.

Could you help me reset them?

Thank you in advance.
My bad. I forgot to add a time variable to the eventstats. By disregarding time, the query checks whether a user has more than 10 failed logins over the entire search span. If your data already has a date stamp, then you can use that. Alternatively, you could adjust the query like this:

index=gbts-vconnection sourcetype=VMWareVDM_debug "onEvent: DISCONNECTED" (host=Host1 OR host=host2)
| rex field=_raw "(?ms)^(?:[^:\\n]*:){5}(?P<IONS>[^;]+)(?:[^:\\n]*:){8}(?P<Device>[^;]+)(?:[^;\\n]*;){4}\\w+:(?P<VDI>\\w+)" offset_field=_extracted_fields_bounds
| eval temp_date = strftime(_time, "%Y-%m-%d")
| eventstats count as failed_count by IONS,temp_date
| where failed_count>=10
| timechart dc(IONS) as IONS span=1d
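The fix in the reply above is the difference between counting per user over the whole search span and counting per user per day: the first version flags anyone whose failures add up to the threshold across however many days the search covers, the second only flags a user on a day with that many failures. The script below is an added example (not from the reply, and not Splunk code) that runs both groupings over constructed events in which the IONS and _time fields are already extracted, so the VMware log format and the rex from the query are not reproduced; the event counts and user names are made up, and UTC is assumed for the day bucketing.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

THRESHOLD = 10  # mirrors: where failed_count>=10


def day_of(epoch):
    """Mirror of: eval temp_date = strftime(_time, "%Y-%m-%d"). UTC is assumed here."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d")


def flagged_whole_span(events):
    """The first version of the query: eventstats count by IONS with no time field.

    The threshold applies to each user's total over the entire search span.
    """
    counts = Counter(e["IONS"] for e in events)
    return sorted(user for user, c in counts.items() if c >= THRESHOLD)


def flagged_per_day(events):
    """The corrected query:
    eventstats count as failed_count by IONS,temp_date | where failed_count>=10
    | timechart dc(IONS) as IONS span=1d

    Returns {day: number of distinct users who hit the threshold on that day}.
    """
    counts = Counter((e["IONS"], day_of(e["_time"])) for e in events)
    users_by_day = defaultdict(set)
    for (user, day), c in counts.items():
        if c >= THRESHOLD:
            users_by_day[day].add(user)
    return {day: len(users) for day, users in sorted(users_by_day.items())}


def _events(user, day, hours):
    """Build constructed DISCONNECTED events with IONS and _time already extracted."""
    return [
        {"IONS": user, "_time": datetime(2024, 1, day, h, tzinfo=timezone.utc).timestamp()}
        for h in hours
    ]


# Constructed sample (not real data): U1 fails 6 times on each of two days (12 in
# total), U2 fails 10 times on day 1, U3 fails twice on day 2.
SAMPLE_EVENTS = (
    _events("U1", 1, range(6)) + _events("U1", 2, range(6))
    + _events("U2", 1, range(10))
    + _events("U3", 2, [3, 4])
)

if __name__ == "__main__":
    print("whole span:", flagged_whole_span(SAMPLE_EVENTS))
    print("per day:   ", flagged_per_day(SAMPLE_EVENTS))
```

Over this sample the span-wide count flags both U1 and U2, because U1's two quiet days add up to 12; the per-day count flags only U2, on 2024-01-01. If the intent is "10 failures in any rolling window" rather than "10 in a calendar day", the calendar-day bucket in day_of is the thing to change, since a burst straddling midnight is split across two buckets by this grouping.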
For whoever else that needs this: your search field IN ... will accept this multivalue token passed to it: $your_multivalue_select_tokenhere_that_also_accepts_*_as_default|s$