Do you mean this:

index=dev
| rex field=_raw "\b(?<exception_type>(java|javax)\.[\w.]+Exception)"
| timechart span=30d count by exception_type

For graphics, choose "Visualisations".
Hi Team, I want to have a query which displays all types of exceptions that occurred in the last 30 days, either in a table or graphically. We just want to see the count of the exceptions every 30 days. I have been using this query but it didn't work. I am new to Splunk, so please help me to find out:

index=dev
| rex field=_raw "\b(?<exception_type>(java|javax)\.[\w.]+Exception)"
| chart count by exception_type
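A sharper version of the extraction, added here as an example and not taken from the thread. It assumes the same index=dev and that the exception names sit in _raw. Java stack traces usually carry more than one exception name per event (the thrown exception plus a chain of "Caused by:" lines), and rex without max_match keeps only the first match, so max_match=0 plus mvexpand counts every type in the chain. The period after the package prefix is escaped so it matches a literal dot rather than any character, and the trailing \b stops the pattern from matching names such as ExceptionHandler.

```spl
index=dev
| rex field=_raw max_match=0 "\b(?<exception_type>(?:java|javax)\.[\w.]+Exception)\b"
| mvexpand exception_type
| stats count by exception_type
| sort -count
```

Run it with the time picker set to "Last 30 days" for the table. For the chart, replace the last two lines with `| timechart span=30d count by exception_type limit=20 useother=true`; timechart otherwise folds everything beyond the top ten types into OTHER, which hides exactly the rare exceptions you usually want to see.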
Thank you so much for your assistance.
I tested your suggestion and it worked. I accepted this as solution. I appreciate your help. Thank you so much. So, it's not possible in Splunk to make it only with 1 stats, correct?
Thanks @gcusello  I will try to disable and then remove the app and see if it throws any messages from my end
Hi all, I have a large number of events that have been ingested into SOAR from a Service Now queue. A large amount of these events have been closed on the Service Now end, however, the events are still open in SOAR. I have written a playbook to check the status of these tickets in Service Now then close the event in SOAR if certain conditions are met. I am having trouble finding out how I can run this playbook on all of the events in the source as I can only select 50 at a time. If someone could point me in the right direction to run this playbook on all of the events in the source that would be very helpful. Thank you for reading.
I have built such a customized search page with Advanced XML before. The example is like this: it adds more input fields on the search page, but still keeps the UI features of the search results. Our users love this!! And this is why we couldn't upgrade our Splunk to the latest version (which does not support Advanced XML). Is there any way that I could customize the search page with a Simple XML dashboard?
Hi all! Hoping you can help me out. We are setting up an alert in Splunk that will feed into ServiceNow, which when triggered will allow us to reach out to our users whenever they lock themselves out instead of them calling through to the IT desk. We don't want a SNow alert to trigger every time they show up in the Splunk search, however; instead, if they have had an alert created in the last 4 hours, for example, they are not included, and it only checks for new people in that time frame. After the time period has elapsed they can then be included in the alert again. I have the search to a point where it is finding the users with issues and creating a transaction, so we are getting them at the point they would be calling us; I'm just stuck on that last bit.

index=prd_example sourcetype=LogSource host=Host*
| transaction UserID EventDescription maxspan=4h
| table _time UserID EventDescription LockoutTime FirstName LastName EventCode eventcount
| where eventcount >= 3
| sort -_time

Any help would be greatly appreciated. I'm not even sure if this can be done at the Splunk level or needs to be done at the SNow end.
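The 4-hour per-user quiet period can be done on the Splunk side without touching the search: alert throttling keyed on a field. The stanza below is an added example in savedsearches.conf form, not something from the thread; the stanza name, the 15-minute schedule and the 4-hour dispatch window are assumptions, and the search is the one from the post with the stray quote before host=Host* removed. Per-result triggering (alert.digest_mode = 0) is required, because field-based suppression only applies when each result triggers on its own.

```conf
[Lockout - notify ServiceNow]
search = index=prd_example sourcetype=LogSource host=Host* \
| transaction UserID EventDescription maxspan=4h \
| where eventcount >= 3 \
| table _time UserID EventDescription LockoutTime FirstName LastName EventCode eventcount
# Look back over the full transaction span every 15 minutes; the throttle
# below keeps overlapping windows from re-alerting on the same user.
dispatch.earliest_time = -4h
dispatch.latest_time = now
cron_schedule = */15 * * * *
enableSched = 1
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# Trigger once per result row, then suppress that UserID for 4 hours.
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.fields = UserID
alert.suppress.period = 4h
```

The ServiceNow action itself is attached to the alert in the usual way (Alert actions in Splunk Web or the add-on's own action.* settings); it is left out here because the action name depends on which ServiceNow add-on is installed. The same three settings are exposed in the UI as Trigger "For each result" plus Throttle "Suppress results containing field value" UserID for 4 hours.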
Please let me know which metric to use to create detectors:

1. EC2 Status Check: the possible values for state-change events for instances are pending, running, stopping, stopped, shutting-down, terminated.
2. ACM Cert events: ACM Certificate Approaching Expiration event, ACM Certificate Expired event, ACM Certificate Available event, ACM Certificate Renewal Action Required event.
Hello and thank you for your time. I would like to run a search in Splunk, using the results against inputlookup lists to return the stats, or multiple stats. Example:

My search is:

index="MyIndex" AND host="MyHost" AND (*string1* OR "*string2*" OR "*string3*")
| dedup user
| table user user_results user.name1 user.name2 user.name3

Using those results:

| inputlookup ACBounceList_a-c.csv
| inputlookup append=t ACBounceList_d-g.csv
| inputlookup append=t ACBounceList_h-l.csv
| inputlookup append=t ACBounceList_m-q.csv
| inputlookup append=t ACBounceList_r-s.csv
| inputlookup append=t ACBounceList_t-v.csv
| inputlookup append=t ACBounceList_w-z.csv
| stats count by field_stats_wanted
| where inputlookup_user = user_results

resulting in:

field_stats_wanted    count
value1                30
value2                35
etc                   etc

Any assistance with this would be greatly appreciated.
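One way to get that table, added here as an example rather than taken from the thread: keep the inputlookup chain as the base search and filter it with the event search as a subsearch, so only lookup rows whose inputlookup_user matches a user_results value from the events are counted. The "where" in the post cannot work as written because the lookup rows and the event results are never in the same pipeline. It assumes the CSV column is really named inputlookup_user, as in the post, and that the distinct user_results values stay under the default subsearch limit of 10,000 results.

```spl
| inputlookup ACBounceList_a-c.csv
| inputlookup append=t ACBounceList_d-g.csv
| inputlookup append=t ACBounceList_h-l.csv
| inputlookup append=t ACBounceList_m-q.csv
| inputlookup append=t ACBounceList_r-s.csv
| inputlookup append=t ACBounceList_t-v.csv
| inputlookup append=t ACBounceList_w-z.csv
| search [ search index="MyIndex" host="MyHost" (*string1* OR "*string2*" OR "*string3*")
    | dedup user_results
    | rename user_results AS inputlookup_user
    | fields inputlookup_user
    | format ]
| stats count by field_stats_wanted
| sort -count
```

The subsearch is rewritten by format into `(inputlookup_user="a") OR (inputlookup_user="b") OR ...`, which is what the outer search applies to the combined lookup rows. dedup is on user_results rather than user so each matched value appears once in that filter. If the user list is large, a lookup definition over a single merged CSV and the lookup command would scale better than the subsearch.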
Hello, by any chance, did you find a solution for this? I got the same issue right now.
| stats values(score) as score sum(score) as vuln_score count by ip vuln
| stats dc(eval(if(score > 0,vuln,null()))) as dc_gt_0 dc(vuln) as dc_all sum(score) as total_score sum(vuln_score) as vuln_score sum(count) as count by ip
Do you have any docs/references for point 2? >> With older versions of UF, it was run with Local System user by default. New versions use a user with a bit more "trimmed" permissions. 
Hi @briancronrath, surprisingly, there is no documentation about this "total_slices" in the Splunk docs. As I checked the audit logs, I could see there are two fields with the word "slices": total_slices and decompressed_slices.

index="_audit"
| fields total_slices decompressed_slices
| stats count by total_slices decompressed_slices

index="_audit" total_slices
| fields user total_slices decompressed_slices
| stats count by total_slices decompressed_slices user

These two searches may give you some ideas (but may not give much, I hope). Maybe let's wait for a Splunk guru's reply. Thanks.
https://docs.splunk.com/Documentation/SplunkCloud/9.0.2305/Alert/AlertTriggerConditions   Per the documentation, you can't control the ability to trigger via permissions.    
The trick is I don't see any capability or other setting per role or user that would limit this option, so that really seems unusual. If you have a real-time alert, you indeed have only the "per each result" option available, but in this case it makes sense, since you're constantly monitoring the incoming events and don't have a "full" result set. But with a scheduled alert you normally should have two options. At least I have never seen the "once" option being unavailable. I'm at 9.1.1 at the moment. EDIT: OK, wait a second. Take a screenshot of your report definition screen where you have this once/each result part.
@ITWhisperer Want to say THANK YOU again! Just tried to wrap it and everything worked. It took me a while to understand that I need to wrap it not in the main query but in my additional part when I'm trying to pass the token to other components.
| rename 'old field name' as "new field name"

or, change the field values before the timechart:

| eval connectionType=case(connectionType=="old field value 1","new field value 1", connectionType=="old field value 2","new field value 2", true(), connectionType)
Okay; so if you have the option of something other than once per event, then it's probably configured on the back end and I'll need to work with our team that manages that and make sure they enable that option. Just to confirm, you have that option, and what version are you running? Also, thank you so much for your help!!