Hello, First of all, I'm far, far away from JavaScript. But maybe those who know this could help: it seems to me Splunk removed moment.js after the update. For me, it can still be found in the /opt/splunk/quarantined_files/share/splunk/search_mrsparkle/exposed/js/contrib/ folder. The new(?) version is supposed to be here: /opt/splunk/share/splunk/search_mrsparkle/exposed/js/contrib/moment/lang/, but it seems to be "localised" now. Or I'm totally wrong. Please share your thoughts; I faced the same issue with the Cisco Cloud Security App. Regards, Norbert
Hello @bora.min, Let me reach out to the Accounts team and see what we can do for you here. I'll be in touch.
How is NewColumn derived, especially since you haven't included CareCnts, CoverCnts and NonCoverCnts in your first table command?
Hello @Guilherme.Drehmer, Thanks for sharing this. Are you intending to share this as a feature request? 
Hello @Jian.Zhang, I will reach out to the Accounts team and get this handled. Do you want all your AppD Account Data deleted (this includes your Community account, meaning you will not be able to sign back in here)? Please let me know.
Hi @sekhar463, let me understand: do you want only hosts present in both searches, or what's the rule? If present in both searches:

index=_internal sourcetype=splunkd source="/opt/splunk/var/log/splunk/metrics.log" group=tcpin_connections
    [ search index="index1" (puppet-agent OR puppet) AND *Error* AND "/Stage["
      | rename host AS hostname
      | fields hostname ]
| table hostname sourceIp
| dedup hostname

This search runs if results are fewer than 50,000; if there are more than 50,000 you need a different approach:

(index=_internal sourcetype=splunkd source="/opt/splunk/var/log/splunk/metrics.log" group=tcpin_connections) OR (index="index1" (puppet-agent OR puppet) AND *Error* AND "/Stage[")
| eval hostname=coalesce(hostname,host)
| stats values(sourceIp) AS sourceIp dc(index) AS index_count BY hostname
| where index_count=2
| fields - index_count

Ciao. Giuseppe
Hi @Taruna.Gupta, Since this post is multiple years old, I would recommend re-asking this question on the Community forums.
Hello, I have the below code. I'm trying to create a new column that extracts and pivots CareCnts, CoverCnts, NonCoverCnts, etc. (There are more, but I have simplified.) These |eval are related to their corresponding `| evals`. New Columns = ResourceCounts. How would one accomplish this?

index=red msg="*COMPLETED Red*"
| spath output=logMessage path=msg
| eval Care=spath(json, "Info.Care.elapsedTime")
| eval CareCnts=spath(json, "Info.Care.Redcount")
| eval Cover=spath(json, "Info.Cover.elapsedTime")
| eval CoverCnts=spath(json, "Info.Cover.Redcount")
| eval NonCover=spath(json, "Info.NonCover.elapsedTime")
| eval NonCoverCnts=spath(json, "Info.NonCover.Redcount")
| eval Category = "Red"
| table _time, Care, Cover, NonCover, Category
| eval SysTime = Category + ":" + _time
| fields - Category
| untable SysTime Resource CurValue
| eval Category = mvindex(split(SysTime, ":"), 0)
| eval _time = mvindex(split(SysTime, ":"), 1)
| fields - SysTime
| table _time, Resource, CurValue, Category

Example output:

_time       Resource  CurValue  Category  *NewColumn
2023-11-06  Care      14.20     Red       10
2023-11-06  Cover     3.4       Red       3
2023-11-06  NonCover  5.5       Red       8
|eval reltimeearl = if(isnum($time.earliest$),$time.earliest$,relative_time(now(),"$time.earliest$"))
|eval reltimelate = if(isnum($time.latest$),$time.latest$,if("$time.latest$"=="now",now(),relative_time(now(),"$time.latest$")))
Hi All, I have 2 indexes with the below 2 queries. host and hostname are common to both; I want to add sourceIp using the 2nd search. How to join?

query 1:
index="index1" (puppet-agent OR puppet) AND *Error* AND "/Stage["
| table host

query 2:
index=_internal sourcetype=splunkd source="/opt/splunk/var/log/splunk/metrics.log" group=tcpin_connections
| table hostname sourceIp
| dedup hostname
Hi @olawalePS, rename computer_meta.serial:

index="jamf" sourcetype="jssUapiComputer:computerGeneral"
| dedup computer_meta.serial
| rename computerGeneral.lastContactTime AS lastContactTime computer_meta.serial AS computer_meta_serial
| eval timestamp = strptime(lastContactTime, "%Y-%m-%dT%H:%M:%S.%3QZ")
| eval sixtyDaysAgo = relative_time(now(), "-60d")
| where timestamp>sixtyDaysAgo
| eval installed=if(computer_meta_serial IN [ search index="jamf" computer_meta.managed="true" sourcetype="jssUapiComputer:app" app.name="VMware CBCloud.app" | rename computer_meta.serial AS computer_meta_serial | fields computer_meta_serial ], "Yes", "No")
| table computer_meta.name, installed

or use single quotes ('). I prefer to rename fields, even if it is longer. Ciao. Giuseppe
Try something like this:

index="jamf" sourcetype="jssUapiComputer:computerGeneral"
| dedup computer_meta.serial
| rename computerGeneral.lastContactTime AS lastContactTime
| eval timestamp = strptime(lastContactTime, "%Y-%m-%dT%H:%M:%S.%3QZ")
| eval sixtyDaysAgo = relative_time(now(), "-60d")
| where timestamp>sixtyDaysAgo
| eval installed=if(computer_meta.serial IN ([ search index="jamf" computer_meta.managed="true" sourcetype="jssUapiComputer:app" app.name="VMware CBCloud.app" | stats count by computer_meta.serial | eval search="\"".'computer_meta.serial'."\"" | stats values(search) as search | eval search = mvjoin(search,",") ]), "Yes", "No")
| table computer_meta.name, installed
Interestingly, this works if I use the Last xxx option in presets, but nothing is shown when using a between option. The data from the token in the 'process' section does always give a time: 2023-10-02T00:00:00.000+00:00. However, I cannot convert this to Epoch...
You could start with something like this:

index=_audit
| rex max_match=0 field=search "\|\s*(?<command>\w+)"
| stats count by command

However, you may get some false results if pipes are used in the search where they are not delimiting commands. Also, you may find that macros hide the use of some commands.
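Added example (Python, not code from the thread or from Splunk): it counts commands in _audit search strings the way the answer above does, but splits only on pipes outside double-quoted strings and reports macros as opaque entries, so both caveats the answer mentions become visible; the sample search strings are constructed and the naive rex counts are included for comparison.

```python
import re
from collections import Counter

# Constructed sample values of the `search` field from _audit events (not real data).
SAMPLE_AUDIT_SEARCHES = [
    'search index=web status=500 | stats count by host | sort -count',
    'search index=auth | eval msg="a | b" | table user msg',
    '| tstats count where index=main by host | eval pct=count/100',
    'search index=main | `summarize_errors` | stats count',
]

def split_commands(spl):
    """Split an SPL string on '|' characters that sit outside double quotes."""
    segments, buf, in_quote, escaped = [], [], False, False
    for ch in spl:
        if not escaped and ch == '"':
            in_quote = not in_quote
        if ch == '|' and not in_quote:          # a pipe only delimits outside quotes
            segments.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        escaped = ch == '\\' and not escaped   # backslash escapes the next char
    segments.append(''.join(buf))
    return [s.strip() for s in segments if s.strip()]

def command_names(spl):
    """Command name per segment. A leading segment with no explicit '|' is the
    implicit 'search'; a macro is reported as 'macro:<name>' because the
    commands it expands to are not visible in the audit string."""
    explicit_first = spl.lstrip().startswith('|')
    names = []
    for idx, seg in enumerate(split_commands(spl)):
        if seg.startswith('`'):
            m = re.match(r'`([\w.]+)', seg)
            names.append('macro:' + (m.group(1) if m else '?'))
        elif idx == 0 and not explicit_first:
            names.append('search')
        else:
            m = re.match(r'([A-Za-z_]\w*)', seg)
            names.append(m.group(1).lower() if m else '?')
    return names

def count_commands(searches):
    """Per-command usage counts over many audit search strings."""
    return Counter(name for s in searches for name in command_names(s))

def naive_rex_counts(searches):
    """The answer's rex approach: every '| word' counts, quoted or not."""
    return Counter(m.lower() for s in searches for m in re.findall(r'\|\s*(\w+)', s))
```

On the sample, the naive regex counts a phantom command "b" from the quoted string and never sees the implicit leading search, while the tokenized version reports the macro as a separate entry you can expand by hand.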
Please help me correct the command below. It keeps returning all the devices as no even though the app is installed.

index="jamf" sourcetype="jssUapiComputer:computerGeneral"
| dedup computer_meta.serial
| rename computerGeneral.lastContactTime AS lastContactTime
| eval timestamp = strptime(lastContactTime, "%Y-%m-%dT%H:%M:%S.%3QZ")
| eval sixtyDaysAgo = relative_time(now(), "-60d")
| where timestamp>sixtyDaysAgo
| eval installed=if(computer_meta.serial IN [ search index="jamf" computer_meta.managed="true" sourcetype="jssUapiComputer:app" app.name="VMware CBCloud.app" | fields computer_meta.serial ], "Yes", "No")
| table computer_meta.name, installed
Your script is doing you a disservice. For example, "Bob": 30 should possibly be "Name": "Bob", "count": 30. This would make the handling of the data easier in Splunk. Also, have you considered extracting the data in Splunk using DBConnect, and building your dashboard directly from the data rather than trying to manipulate a report that your script has generated?
When the type field is extracted it becomes part of the event from which it was extracted and, therefore, associated with the user name. Then it's just a matter of using stats dc(username) by type to get the results.
The relative_time function doesn't appear to work with the string "now", so change this line to compensate:

|eval reltimelate = if("$time.latest$"=="now",now(),relative_time(now(),"$time.latest$"))
I want to list what commands in the search language are being used. I think it's possible in the same _audit index, and what I want to be able to do is count the number of times each command is used in searches. Example:

stats used 2 times
eval used 5 times
rex used 7 times
timechart used 10 times