All Posts


| makeresults | eval aa1=1, aa2=2, aa1x=3, aa2x=4, b=5 | rename aa*x as xaa*x | fields - aa* | rename xaa*x as aa*x
While this is possible, there are a lot of b's in the real search and I am looking for a way to not have to write those out individually. - I would like a negative formulation if possible
Hi @Roy_9, if the field name in the lookup is "service team", try this:
| tstats count latest(_time) AS latest WHERE index=_internal BY host | append [ | inputlookup 123.csv | rename title AS host | eval count=0 | fields host "service team" count ] | stats sum(count) AS total max(latest) AS latest values("service team") AS "service team" BY host | where now()-latest>900 OR total=0 | eval latest=strftime(latest,"%Y-%m-%d %H:%M:%S"), status=if(total=0,"Never sent","Last event: ".latest) | table host "service team" status
If the field name in the lookup is different, correct my search. Ciao. Giuseppe
Have you tried this? | makeresults | eval aa1=1, aa2=2, aa1x=3, aa2x=4, b=5 | fields + aa*x b
@meshorer when you join 2 or more lines to a block it creates a join that by default will wait for all connected blocks to complete.  If you open the code block settings and expand the Advanced drop-down you should see some tick boxes. As long as the 2 block prior could only ever go down 1 route then you can untick all boxes and it should work. 
Basically I have a search with a lot of fields, similar to this example:
| makeresults | eval aa1=1, aa2=2, aa1x=3, aa2x=4, b=5
From this I would basically like to keep everything except for the aa* fields that do not have the suffix x. I tried
| fields -aa* aa*x
as well as similar approaches, but they do not work: 1) either deleting all aa* (including aa*x), 2) not keeping b, or 3) not deleting aa* at all. I would know how to solve this with regex: "aa.+(?<!x)$" as can be seen here: https://regex101.com/r/JfVHCJ/latest Is there any SPL equivalent?
| stats dc(eval(if(score > 0,vuln,null()))) as dc_gt_0 dc(vuln) as dc_all by ip
Hello, how do I calculate a distinct count with a condition? How do I calculate the unique vuln values that have score > 0, grouped by ip?

Before calculation:
ip        vuln    score
1.1.1.1   vuln1   0
1.1.1.1   vuln1   0
1.1.1.1   vuln2   3
1.1.1.1   vuln2   3
1.1.1.1   vuln2   3
1.1.1.1   vuln3   7
1.1.1.1   vuln3   7
2.2.2.2   vuln1   0
2.2.2.2   vuln4   0
2.2.2.2   vuln5   5
2.2.2.2   vuln5   5

After calculation:
ip        dc(vuln)   dc(vuln) score > 0
1.1.1.1   3          2
2.2.2.2   3          1

Thank you so much
@gcusello the field name is "service team" and the value is Network. I didn't get this part: "count is at the end of the previous row, not in a new row." Can you please send me the updated search? That would be highly helpful. Thanks in advance.
Hi @Roy_9, count is at the end of the previous row, not in a new row. About Team, what's the field name that you have in the lookup? Add it instead of Team in the search. Ciao. Giuseppe
Hi @delly_fofie, good for you, see you next time! Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors
It's the second one, but no streamstats solution provided will work that I have seen. Let's say I have between 40 and 1000 events; any ratio can be good vs bad, with no correlation on how often each good vs bad occurs on a time basis and no set amount that occurs before a transition happens for each host. That is the problem I have not seen anyone be able to solve.
Thank you, @phanTom, a code block that checks it and then outputs the relevant parameter did it. But now I have another problem: when I try to connect two blocks that are separated by a decision block to the same prompt block or decision block, it doesn't work. For one case it goes well, but for the second case the debug shows "join_<block name> called", but the playbook ends there. Why does this happen?
@gcusello I am getting the error "Unknown search command 'count'". Also, if I want to obtain the values for only a particular team, let's say "Network team", where can I add this?
Hi @Roy_9, you have to rename the title field to host and add the Team field to display it, something like this:
| tstats count latest(_time) AS latest WHERE index=_internal BY host | append [ | inputlookup 123.csv | rename title AS host | count=0 | fields host Team count ] | stats sum(count) AS total max(latest) AS latest values(Team) AS Team BY host | where now()-latest>900 OR total=0 | eval latest=strftime(latest,"%Y-%m-%d %H:%M:%S"), status=if(total=0,"Never sent","Last event: ".latest) | table host Team status
Ciao. Giuseppe
Thanks @gcusello, yes, I already have a lookup named 123.csv where the hosts are listed under a column called "title" and the different team names are listed under a column called Teams. Can you please advise how I need to append these two fields, Title and Teams, to the above search?
Hi @delly_fofie, the only way to avoid indexing a log twice is to run an SQL query that checks whether the data is duplicated before indexing it. This action can be performed in SQL, not in Splunk. In Splunk you could also ingest duplicated events and then, using the Splunk Search Processing Language (SPL), remove duplicates in the search results, but not at indexing time. In other words, it isn't possible to check whether data is already indexed before indexing it; the only way to do this is in the generating SQL query that you use to extract events using DB Connect. Ciao. Giuseppe
Hello @gcusello, let's assume I would go with your idea. But still, if on day 1 I manage to get only unique entries into the index, the next day I will have new entries plus entries that already exist in Splunk, and that will still create duplicate data in Splunk.
Hello, I have no clue; thanks for reading in advance. Right now I can't open Splunk Web because it gives me a 500 internal error, and I found the critical point: server.conf. I just tried, and if I don't put anything in it, it works, but if I put any path in it, it breaks everything. Behind this problem is the fact that after writing the configuration files (I followed the Splunk documentation strictly, so...) the connection doesn't work when I try to troubleshoot. I will post my files here so that it is clearer what I did:

inputs.conf on the indexer:
[splunktcp-ssl:9997]
disabled = 0
[SSL]
serverCert = /path/to/mycervercombinedfile.pem
sslPassword = mypass
requireClientCert = false

outputs.conf on the forwarders:
[tcpout]
defaultGroup = mygroup
[tcpout:mygroup]
server = index ip:9997
sslCertPath = path/to/my combinedservercert.pem
sslPassword = mypass
sslVerifyServerCert = true
useClientSSLCompression = true

server.conf on both indexer and forwarder:
[sslConfig]
sslPassword = mypass
sslRootCAPath = path/to/myCertAuthCertificate.pem

As for putting something in web.conf, I'm waiting to solve these internal problems first. I almost forgot to say that I do not think there is a problem with how I created the certificates; I have repeated the process n times already and I followed the instructions. The CA root cert is the same one that I shared with the forwarders and the indexer; then from this certificate I created a separate one for each of the servers involved, and then I concatenated them into one. Thanks so much for reading; I would appreciate some advice on how to proceed further, I'm going insane. P.S.: Sorry for my English, but I'm not a native speaker.
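The certificate chain the post describes (one root CA, one certificate per server, concatenated into a single file) can be checked offline before touching any Splunk stanza. The script below is an added example, not code from the thread or from Splunk: it builds a throwaway CA and indexer certificate, concatenates them in the order Splunk's documentation uses for a combined server file (server certificate, then private key, then CA certificate), and then checks that the first certificate in the combined file chains to the CA, that the file contains a private key the sslPassword can decrypt, and that the key belongs to the certificate. The file names, the CN values and the passphrase mypass are assumptions for the demo; the same check_combined function can be pointed at the real combined file and CA file.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the CA -> server cert -> combined
# file chain from the post and verify it with openssl, offline.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEYPASS=mypass   # stands in for the sslPassword value used in the post (assumption)

# 1. Root CA, self-signed. Names are demo assumptions.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Demo Splunk Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# 2. Indexer private key (passphrase-protected, which is what sslPassword
#    unlocks) and a CSR for it.
openssl genrsa -aes256 -passout "pass:$KEYPASS" -out "$WORK/indexer.key" 2048 >/dev/null 2>&1
openssl req -new -key "$WORK/indexer.key" -passin "pass:$KEYPASS" \
  -subj "/CN=indexer.example.local" -out "$WORK/indexer.csr" >/dev/null 2>&1

# 3. Sign the indexer CSR with the CA.
openssl x509 -req -in "$WORK/indexer.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -out "$WORK/indexer.crt" >/dev/null 2>&1

# 4. Combined file in the order Splunk's docs use: cert, key, CA cert.
cat "$WORK/indexer.crt" "$WORK/indexer.key" "$WORK/ca.pem" > "$WORK/indexer_combined.pem"

# check_combined <combined.pem> <ca.pem> <key passphrase>
# Exit status 0 only if all three hold:
#   - the first certificate in the combined file verifies against the CA file
#   - the combined file carries a private key that the passphrase decrypts
#   - that key's public half equals the certificate's public key
check_combined() {
  combined=$1; ca=$2; pass=$3
  # openssl x509 takes the first CERTIFICATE block; the CA block further down is ignored
  openssl x509 -in "$combined" -out "$WORK/leaf.pem" >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$ca" "$WORK/leaf.pem" >/dev/null 2>&1 || return 1
  # openssl rsa skips the certificate blocks and reads the PRIVATE KEY block
  openssl rsa -in "$combined" -passin "pass:$pass" -check -noout >/dev/null 2>&1 || return 1
  certpub=$(openssl x509 -in "$WORK/leaf.pem" -pubkey -noout)
  keypub=$(openssl rsa -in "$combined" -passin "pass:$pass" -pubout 2>/dev/null)
  [ "$certpub" = "$keypub" ]
}

# Stand-alone run: report the result for the demo chain.
if check_combined "$WORK/indexer_combined.pem" "$WORK/ca.pem" "$KEYPASS"; then
  echo "combined file is consistent with the CA and the passphrase"
else
  echo "combined file FAILED verification"
fi
```

If check_combined fails on the real files, the problem is in the certificate material or the passphrase rather than in the Splunk stanzas. If it passes, one thing worth checking in the post's configuration is that inputs.conf uses an absolute /path/to/... while outputs.conf and server.conf use a relative path/to/...; Splunk's documented examples use absolute paths such as $SPLUNK_HOME/etc/auth/mycerts/..., and sslRootCAPath should point at the CA certificate on its own, not at the combined file.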
Hi @LearningGuy, as I said, in the base search you must put all the fields used in the dashboard's panels; then in each panel you put only the fields you need in that panel, something like this:

base search:
<search id="base">
  <query>index=testindex | fields company ip id AvgScore</query>
</search>

Panel 1 (without id field), post-processing the base results:
<search base="base">
  <query>| table company ip AvgScore</query>
</search>

Panel 2 (with id field):
<search base="base">
  <query>| lookup example.csv id OUTPUTNEW id location | table company id ip AvgScore location</query>
</search>

Ciao. Giuseppe