Try putting the field names in single quotes in the where command:

| where isnull('Ticket Number') OR 'Ticket Number'=""
Any solution for this?  I would like to do the same
I have a current search used in dashboards and alerts. It extracts fields from an existing field. I'm trying to edit this to only return results if the extracted fields are null/empty, but I get no results. Essentially this is used to extract ticket numbers and descriptions entered into a freeform text box, and I'm trying to pick up when this isn't entered or is entered incorrectly. My search:

index=<MyIndex> sourcetype=<MySourceType> log_subtype=general description=CommitAll*
| rex field=description "JobId=(?<JobId>.*?)\."
| rename JobId as "Job ID"
| rex field=description "User:\s(?<user>.*?)\."
| rename user as User
| rex field=description "Commit Description:\s(?<CommitDescription>.*)"
| rename CommitDescription as "Commit Description"
| rex field=description "(?<JobDescription>.*).*JobId"
| rename JobDescription as "Job Description"
| rex field=description "device-group\s(?<DeviceGroup>.*?)\s"
| rename DeviceGroup as "Device Group"
| rex field=description "template\s(?<Template>.*?)\s"
| rename template as Template
| rex field="Commit Description" "\b(?<TicketNumber>\d{5})\b"
| rename TicketNumber as "Ticket Number"
| transaction "Job ID"
| table _time,host,"Job ID",User,"Ticket Number","Commit Description","Template","Device Group","Job Description"

I have tried adding:

| where isnull("Ticket Number") OR "Ticket Number"=""

I'm assuming that if the search is unable to extract the fields because a ticket number or description has not been entered, then the field won't exist to search? I'm going round in circles here as I don't really understand what happens if the field extraction rex doesn't find a match.
Hi Experts, I am trying to convert a Splunk classic XML dashboard to Splunk Dashboard Studio. Below is my classic XML dashboard code.

<fieldset autoRun="True" submitButton="false">
  <input type="text" token="SelectedDay" searchWhenChanged="true">
    <label>Enter Date (MM/DD/YYYY)</label>
    <default>$CurDate$</default>
  </input>
</fieldset>

The above code got converted to Splunk Dashboard Studio code as shown below. But when the dashboard is displayed, token SelectedDay is set to "$CurDate$" instead of the current date. Could you please help me on this?

"inputs": {
  "input_9ejCAUHM": {
    "type": "input.text",
    "options": {
      "token": "SelectedDay",
      "selectFirstSearchResult": true,
      "defaultValue": "$CurDate$"
    },
    "title": "Enter Date (MM/DD/YYYY)"
  }
},

Thanks, Ravikumar
@inventsekar @yuanliu, I need a query that can help us identify the threshold at which a single source IP address hits the domain the most number of times. Thanks
Thank you so much, it works for me.
Splunk UBA users not able to log in with Splunk when Splunk is on SSO
1. There is no such thing as "non-routable" addresses or environments. Every packet can be routed. It can just be your policy that you don't route specific traffic.
2. You must have some form of connectivity between the sources and the destination Splunk installation. Depending on the details of the installation it can be a straight over-the-internet connection, it can be a local connection, it can be a VPN tunnel. But you must have some connectivity. Otherwise how do you want to provide Splunk with the data to index? Send it on floppy disks?
Make sure you are in the lookup editor app context. If you're using Splunk Cloud: https://<domain_name>.splunkcloud.com/en-GB/manager/lookup_editor/data/ui/views
The "summaryindex" command is just an alias for the "collect" command (I told you you're using that command, didn't I?). But seriously - yes, summary indexing is a way of producing synthetic events containing some pre-aggregated values so you can later rely on those values instead of calculating the statistics from the raw data. So the idea is that you produce some set of pre-calculated fields which will be stored in the summary index in a predefined format - that's why you use the stash sourcetype and that's why this sourcetype does not incur any additional license usage.
It was a permission issue for the eventtype.
Good morning All, I have several logs with fields which have subfields. I would like to be able to extract the subfield and append it to the parent. The example should clarify my query. I have a log of user modifications. The log would look something like this:

Changed Attributes:
  SAM Account Name: -
  Display Name: -
  User Principal Name: -
  Home Directory: -
  Home Drive: -
  Script Path: -
  Profile Path: -
  User Workstations: -
  Password Last Set: 9/12/2023 7:30:15 AM
  Account Expires: -
  Primary Group ID: -
  AllowedToDelegateTo: -
  Old UAC Value: -
  New UAC Value: -
  User Account Control: -
  User Parameters: -
  SID History: -
  Logon Hours: -

I would like to be able to create a table which will have a column which will include the "parent" field, Changed Attributes, as well as the child field, for example: Changed Attributes: Password Last Set.

Alternatively, I would also settle for a table with a statically assigned column, let's call it changed data, and as a value have: Password Last Set: 9/12/2023 7:30:15 AM

Another challenge I have (probably a candidate for another question on the forum) is to add the value to a table column only if it has a value other than "-" to the right of it. The reason is that only one changed attribute (of all those in the list above) will have any value. I would like to report on what attribute for a user was changed.

Thank you very much in advance for any direction.

Kind Regards,

Mike.
Hi @shriramwasule, if you cannot open a connection to the Internet for any system, the only solution is to have a Splunk infrastructure on premise in your segregated network. If instead you can open the Internet connection only for one system, you could use one Heavy Forwarder (a full Splunk instance that doesn't index data but forwards all data to your Private Cloud Splunk infrastructure) as a concentrator; in this way you can send data to Splunk while limiting the Internet connections. It should be better to use two Heavy Forwarders to balance the load and avoid a Single Point of Failure. Ciao. Giuseppe
Hi @inventsekar, can you please create a few fields so that I can create the remaining fields? Thanks
Dashboards are a way of visualising data from searches. Alerts are a way of generating actions from scheduled searches. Alerts aren't generated from dashboards.
Hi @BTB, as @PickleRick highlighted, you have the "Once" choice: it's visible in your screenshot, so why aren't you able to select it? If you cannot select it, I have never seen this behaviour! If you really aren't able to select "Once", open a ticket with Splunk Support. Ciao. Giuseppe
My trial got finished and has almost expired, and I don't want to keep my account. Could you guide me on how to fully delete the account and all related info? Even the controller GUI keeps showing 500 Internal Server Error and it hasn't been resolved till now.
Hi @Lax, good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi @RSS_STT, sorry! I was focused on the other fields and I forgot the start of the string, please try this:

\"CI\":\s+\"(?<CI_V2>[^;]*);(?<CI_1>[^;\"]*);(?<CI_2>[^;\"]*);*(?<CI_3>[^;\"]*);*(?<CI_4>[^;\"]*);(?<CI_5>[^\"]*)

that you can test at https://regex101.com/r/fndJqR/3 Ciao. Giuseppe