Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
11-01-2023
08:53 AM
Same here. Two environments upgraded from 9.05 to 9.1.0.1, 9.1.0.2, 9.1.1 and had the same issue on both ? Anyone found a solution yet ?
11-01-2023
08:49 AM
The typical approach to such case is to use streamstats to find last occurrence of different state than it is at given moment (using reset_on_change=t or reset_before/reset_after). That's probably y...
See more...
The typical approach to such case is to use streamstats to find last occurrence of different state than it is at given moment (using reset_on_change=t or reset_before/reset_after). That's probably your only reasonable approach since you need to "carry over" information from some events into other ones and this (along with the autoregress) is the command to do so.
11-01-2023
08:43 AM
Hi @Roy_9 , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
11-01-2023
08:42 AM
Can you provide details on how you did this please? I'm having the same issue, but I'm unsure of what your solution was.
11-01-2023
08:37 AM
11-01-2023
08:36 AM
Error was being caused by the OpenTelemetry Collector service, which is separate from the Splunk UF service. I stopped the service and errors are no longer being logged in Event Viewer.
11-01-2023
08:10 AM
2 Karma
| makeresults
| eval aa1=1, aa2=2, aa1x=3, aa2x=4, b=5
| rename aa*x as xaa*x
| fields - aa*
| rename xaa*x as aa*x
11-01-2023
08:05 AM
While this is possible, there are a lot of b's in the real search and I am looking for a way to not have to write those out individually. - I would like a negative formulation if possible
11-01-2023
08:03 AM
1 Karma
Hi @Roy_9, if the field name in the lookup is "service team", try this: | tstats count latest(_time) AS latest WHERE index=_internal BY host
| append [
| inputlookup 123.csv
| rename title ...
See more...
Hi @Roy_9, if the field name in the lookup is "service team", try this: | tstats count latest(_time) AS latest WHERE index=_internal BY host
| append [
| inputlookup 123.csv
| rename title AS host
| eval count=0
| fields host "service team" count
]
| stats
sum(count) AS total
value(latest) AS latest
values("service team") AS "service team"
BY host
| where now()-latest>900 OR total=0
| eval
latest=strftime(latest,"%Y-%m-%d %H:%M:%S"),
status=if(total=0,"Never sent","Last event: ".latest)
| table host "service team" status If the field name in the lookup is different, correct my search. Ciao. Giuseppe
11-01-2023
07:59 AM
1 Karma
Have you tried this? | makeresults
| eval aa1=1, aa2=2, aa1x=3, aa2x=4, b=5
| fields + aa*x b
11-01-2023
07:38 AM
@meshorer when you join 2 or more lines to a block it creates a join that by default will wait for all connected blocks to complete. If you open the code block settings and expand the Advanced dr...
See more...
@meshorer when you join 2 or more lines to a block it creates a join that by default will wait for all connected blocks to complete. If you open the code block settings and expand the Advanced drop-down you should see some tick boxes. As long as the 2 block prior could only ever go down 1 route then you can untick all boxes and it should work.
11-01-2023
07:30 AM
Basically I have a search with a lot of fields, similar to this example: | makeresults
| eval aa1=1, aa2=2, aa1x=3, aa2x=4, b=5 from this I would basically like to keep everything excep...
See more...
Basically I have a search with a lot of fields, similar to this example: | makeresults
| eval aa1=1, aa2=2, aa1x=3, aa2x=4, b=5 from this I would basically like to keep everything except for aa* that does not contain the suffix x. I tried | fields -aa* aa*x as well as similar approaches, but they do not work: 1) either deleting all aa* (including aa*x) 2) not keeping b or 3)not deleting aa* at all. I would know how to solve this with regex: "aa.+(?<!x)$" as can be seen here: https://regex101.com/r/JfVHCJ/latest Is there any SPL equivalent?
Labels
- Labels:
-
fields
11-01-2023
07:26 AM
1 Karma
| stats dc(eval(if(score > 0,vuln,null()))) as dc_gt_0 dc(vuln) as dc_all by ip
11-01-2023
07:20 AM
Hello, How to calculate distinct count with condition? How to calculate unique vuln that has score >0, group by ip? Before calculation ip vuln score 1.1.1.1 vuln1 0 1.1.1.1 vu...
See more...
Hello, How to calculate distinct count with condition? How to calculate unique vuln that has score >0, group by ip? Before calculation ip vuln score 1.1.1.1 vuln1 0 1.1.1.1 vuln1 0 1.1.1.1 vuln2 3 1.1.1.1 vuln2 3 1.1.1.1 vuln2 3 1.1.1.1 vuln3 7 1.1.1.1 vuln3 7 2.2.2.2 vuln1 0 2.2.2.2 vuln4 0 2.2.2.2 vuln5 5 2.2.2.2 vuln5 5 After calculation ip dc(vuln) dc(vuln) score > 0 1.1.1.1 3 2 2.2.2.2 3 1 Thank you so much
Labels
- Labels:
-
stats
11-01-2023
07:14 AM
@gcusello field name is service team and value is Network. I didn't get this part. count is at the end of the previous row, not in a new row. Can you please send me the updated search, that wou...
See more...
@gcusello field name is service team and value is Network. I didn't get this part. count is at the end of the previous row, not in a new row. Can you please send me the updated search, that would be highly helpful. Thanks in advance.
11-01-2023
07:01 AM
Hi @Roy_9 , count is at the end of the previous row, not in a new row. About Team, what's ne field name that you have in the lookup? add it instead Team in the search. Ciao. Giuseppe
11-01-2023
06:59 AM
Hi @delly_fofie , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
11-01-2023
06:51 AM
Its the second one, but no streamstats solution provided will work that I have seen. lets say I have between 40 and 1000 events, any ratio can be good vs bad, with no correlation on how often each g...
See more...
Its the second one, but no streamstats solution provided will work that I have seen. lets say I have between 40 and 1000 events, any ratio can be good vs bad, with no correlation on how often each good vs bad occurs on a time basis and no set amount that occurs before a transition happens for each host. That is the problem I have not seen anyone be able to solve.
11-01-2023
06:50 AM
Thank you, @phanTom a code block to check it and then outputs the relevant parameter did it. but now I have another problem- when I try to connect two blocks that are separated with a decision bl...
See more...
Thank you, @phanTom a code block to check it and then outputs the relevant parameter did it. but now I have another problem- when I try to connect two blocks that are separated with a decision block, to the same prompt block or decision block, it doesn’t work. for one case it goes well, but for the second case the debug shows “join_ <block name> called”, but the playbook ends there. Why does it happen?
11-01-2023
06:48 AM
@gcusello I am getting the error Unknown search command 'count' and also if i want to obtain the values for only particular team, let' s say "Network team", where can i add this?
