All Posts

I would also advise externalising the config (the list of wanted containers) from the search itself. So I'd simply create a lookup (let's call it containers.csv) with just one column called "name" containing all the containers you expect and then do

index=* Initialised xxxxxxxxxxxx xxxxxx
| rex "\{consumerName\=\'(MY REGEX)"
| chart count AS Connections by name
| append [| inputlookup containers.csv ]
| stats count by name
| where count < 2

This way if your list of containers changes it's easy to just update the lookup instead of rewriting the search.
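A stand-alone Python rendering of the same lookup-based check, added here as an illustration and not part of the answer above; the log lines and container names are constructed, and the rex pattern is taken from the search. It also shows a side effect of the `where count < 2` filter that the search does not separate: a container that connects but is absent from the lookup surfaces with count 1 as well, so the result splits "expected but missing" from "observed but not on the list".

```python
import re
from collections import Counter

# Constructed sample events (not from the original post). The consumerName
# token follows the rex pattern used in the search: \{consumerName='...'
LOG_LINES = [
    "2024-01-01 10:00:00 Initialised {consumerName='orders-api', group='g1'}",
    "2024-01-01 10:00:05 Initialised {consumerName='payments', group='g1'}",
    "2024-01-01 10:00:09 Initialised {consumerName='orders-api', group='g2'}",
    "2024-01-01 10:00:12 Initialised {consumerName='rogue-worker', group='g3'}",
    "2024-01-01 10:00:15 Heartbeat from scheduler",   # no consumerName: ignored
]

# Stand-in for the containers.csv lookup (constructed): the containers we expect.
EXPECTED_CONTAINERS = ["orders-api", "payments", "inventory"]

# Same capture as the post's rex: the value between the single quotes.
NAME_RE = re.compile(r"\{consumerName='([^']+)'")


def observed_names(lines):
    """Equivalent of `rex ... | chart count by name`: one row per observed name."""
    names = set()
    for line in lines:
        m = NAME_RE.search(line)
        if m:
            names.add(m.group(1))
    return names


def audit(lines, expected):
    """Reproduce `append [inputlookup] | stats count by name | where count < 2`.

    A name present both in the events and in the lookup gets two rows
    (count == 2). A single row means either an expected container that never
    connected, or a container that connected but is missing from the lookup.
    """
    rows = Counter()
    rows.update(observed_names(lines))   # one row per observed container
    rows.update(expected)                # one row per lookup entry
    expected_set = set(expected)
    singles = {name for name, count in rows.items() if count < 2}
    missing = sorted(n for n in singles if n in expected_set)
    unexpected = sorted(n for n in singles if n not in expected_set)
    return missing, unexpected


if __name__ == "__main__":
    missing, unexpected = audit(LOG_LINES, EXPECTED_CONTAINERS)
    print("expected but not seen:", missing)       # ['inventory']
    print("seen but not in lookup:", unexpected)   # ['rogue-worker']
```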
OK. First things first.
1) Do you have _anything_ ingested from this forwarder? Check your _internal index for any logs coming from this UF.
2) If you didn't specify a destination index, the forwarder will be trying to send the data to the default "main" index - it's not the best idea.
3) Check the output of splunk list inputstatus and splunk list monitor and verify if that file is being read by your forwarder.
Try something like this

| rex mode=sed field=Test "s/[^0-9a-zA-Z\.\-]//g" | eval Test=lower(Test)
Depending on the size of your searches, you could try this

<search A> | stats count as total | append [search <search B> | stats count as error] | stats values(total) as total, values(error) as error | eval difference=total - error
Again, your requirement is a bit unclear. While there is a possibility of using eventstats in the general case as @ITWhisperer showed, the command might be quite resource-intensive, especially over a big data set, so you might want to rethink what you really need, because sometimes it's better to calculate some partial sums and creatively aggregate them to get what you need - this approach may in many cases prove to be way more efficient.
Still trying to get the right configuration to read the aide.log file, this is what I have written in the inputs.conf file.

[aide]
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
TIME_PREFIX = Mtime\s{4}:\s\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{14},\s
BREAK_ONLY_BEFORE = ((File:|Directory:))
CHARSET = UTF-8
EXTRACT-mtime = (Mtime\s{4}:\s\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s{14},\s(?<mtime>\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}))
EXTRACT-ctime = (Ctime\s{4}:\s(?<ctime>\d{4,}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}))
EXTRACT-file = File:\s(?P<file>[\/]{1,}(\w|.)+)
EXTRACT-directory = Directory:\s(?P<directory>[\/]{1,}(\w|.)+)
Hi @LearningGuy ,
sorry, by "it runs" I meant that I cannot test your search, because if I take the values from your page it runs.
You have to try to use nomv and mvexpand.
Ciao.
Giuseppe
You're again digging into the issue we're tackling in this thread: https://community.splunk.com/t5/Reporting/summary-index-merges-multiple-line-values-into-one-row/m-p/666626#M12263

Due to how multivalued fields are "flattened" when collected to a stash sourcetype, your summarized events really do have the values of "companyA companyA" and "companyB companyB companyB".
Hi @gcusello ,
What do you mean by "iy runs using values from a text page"?
So, values won't work if "\" gets merged into one line and I should use mvexpand to fix this?
Any idea on the root cause why it happened after summary index?
Thanks
How should I join both queries?
Have your dynamic search return two fields, one with the float in as the label field, and the other with a string of the where command.
| eventstats count as total | stats count as error values(total) as total | eval difference=total-error
For those who don't like the idea of a lookup file, due to maintenance, I created a SQL query which will calculate the date values (see below).
NOTE: This SQL is written for Oracle, and may need to be modified for your purposes.

select Holiday
/* CALCULATE HOLIDAY VALUES ... RAW */
,to_char(date_val,'dd-Mon-yyyy') date_val
,to_char(date_val,'Dy') day_val
/* CALCULATE FEDERAL HOLIDAY VALUES (IF SHIFTED TO ANOTHER DAY) */
,case when to_char(date_val, 'Dy') in ('Sat') then 'prev day'
      when to_char(date_val, 'Dy') in ('Sun') then 'next day'
      else '' end as fed_calc
,case when to_char(date_val, 'Dy') in ('Sat') then date_val-1
      when to_char(date_val, 'Dy') in ('Sun') then date_val+1
      else date_val end as fed_recog_date
,case when to_char(date_val, 'Dy') in ('Sat') then to_char(date_val-1,'Dy')
      when to_char(date_val, 'Dy') in ('Sun') then to_char(date_val+1,'Dy')
      else to_char(date_val, 'Dy') end as fed_recog_day
from (
/* CURRENT YEAR -2 */
SELECT 'New Years' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365*-2),'YYYY'), 0) + 0 as date_val FROM DUAL union
SELECT 'M.L.K Jr.' as Holiday, NEXT_DAY( TRUNC(sysdate+(365*-2),'YYYY') - 1,'MONDAY') +14 as date_val FROM DUAL union
SELECT 'President''s' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365*-2),'YYYY'), 1)- 1,'MONDAY') +14 as date_val FROM DUAL union
SELECT 'Memorial' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365*-2),'YYYY'), 5)- 1,'MONDAY') - 7 as date_val FROM DUAL union
SELECT 'Juneteenth' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365*-2),'YYYY'), 5)+18 as date_val FROM DUAL where sysdate+(365*-2) > '01-JAN-2022' union
SELECT 'Independence' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365*-2),'YYYY'), 6) + 3 as date_val FROM DUAL union
SELECT 'Labor' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365*-2),'YYYY'), 8)- 1,'MONDAY') as date_val FROM DUAL union
SELECT 'Columbus' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365*-2),'YYYY'), 9)- 1,'MONDAY') + 7 as date_val FROM DUAL union
SELECT 'Veterans' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365*-2),'YYYY'),10) +10 as date_val FROM DUAL union
SELECT 'Thanksgiving' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365*-2),'YYYY'),10)- 1,'THURSDAY') +21 as date_val FROM DUAL union
SELECT 'Christmas' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365*-2),'YYYY'),11) +24 as date_val FROM DUAL union
/* CURRENT YEAR -1 */
SELECT 'New Years' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365*-1),'YYYY'), 0) + 0 as date_val FROM DUAL union
SELECT 'M.L.K Jr.' as Holiday, NEXT_DAY( TRUNC(sysdate+(365*-1),'YYYY') - 1,'MONDAY') +14 as date_val FROM DUAL union
SELECT 'President''s' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365*-1),'YYYY'), 1)- 1,'MONDAY') +14 as date_val FROM DUAL union
SELECT 'Memorial' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365*-1),'YYYY'), 5)- 1,'MONDAY') - 7 as date_val FROM DUAL union
SELECT 'Juneteenth' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365*-1),'YYYY'), 5)+18 as date_val FROM DUAL where sysdate+(365*-1) > '01-JAN-2022' union
SELECT 'Independence' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365*-1),'YYYY'), 6) + 3 as date_val FROM DUAL union
SELECT 'Labor' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365*-1),'YYYY'), 8)- 1,'MONDAY') as date_val FROM DUAL union
SELECT 'Columbus' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365*-1),'YYYY'), 9)- 1,'MONDAY') + 7 as date_val FROM DUAL union
SELECT 'Veterans' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365*-1),'YYYY'),10) +10 as date_val FROM DUAL union
SELECT 'Thanksgiving' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365*-1),'YYYY'),10)- 1,'THURSDAY') +21 as date_val FROM DUAL union
SELECT 'Christmas' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365*-1),'YYYY'),11) +24 as date_val FROM DUAL union
/* CURRENT YEAR -0 */
SELECT 'New Years' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365* 0),'YYYY'), 0) + 0 as date_val FROM DUAL union
SELECT 'M.L.K Jr.' as Holiday, NEXT_DAY( TRUNC(sysdate+(365* 0),'YYYY') - 1,'MONDAY') +14 as date_val FROM DUAL union
SELECT 'President''s' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365* 0),'YYYY'), 1)- 1,'MONDAY') +14 as date_val FROM DUAL union
SELECT 'Memorial' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365* 0),'YYYY'), 5)- 1,'MONDAY') - 7 as date_val FROM DUAL union
SELECT 'Juneteenth' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365* 0),'YYYY'), 5)+18 as date_val FROM DUAL where sysdate+(365* 0) > '01-JAN-2022' union
SELECT 'Independence' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365* 0),'YYYY'), 6) + 3 as date_val FROM DUAL union
SELECT 'Labor' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365* 0),'YYYY'), 8)- 1,'MONDAY') as date_val FROM DUAL union
SELECT 'Columbus' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365* 0),'YYYY'), 9)- 1,'MONDAY') + 7 as date_val FROM DUAL union
SELECT 'Veterans' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365* 0),'YYYY'),10) +10 as date_val FROM DUAL union
SELECT 'Thanksgiving' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365* 0),'YYYY'),10)- 1,'THURSDAY') +21 as date_val FROM DUAL union
SELECT 'Christmas' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365* 0),'YYYY'),11) +24 as date_val FROM DUAL union
/* CURRENT YEAR +1 */
SELECT 'New Years' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365*+1),'YYYY'), 0) + 0 as date_val FROM DUAL union
SELECT 'M.L.K Jr.' as Holiday, NEXT_DAY( TRUNC(sysdate+(365*+1),'YYYY') - 1,'MONDAY') +14 as date_val FROM DUAL union
SELECT 'President''s' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365*+1),'YYYY'), 1)- 1,'MONDAY') +14 as date_val FROM DUAL union
SELECT 'Memorial' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365*+1),'YYYY'), 5)- 1,'MONDAY') - 7 as date_val FROM DUAL union
SELECT 'Juneteenth' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365*+1),'YYYY'), 5)+18 as date_val FROM DUAL where sysdate+(365*+1) > '01-JAN-2022' union
SELECT 'Independence' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365*+1),'YYYY'), 6) + 3 as date_val FROM DUAL union
SELECT 'Labor' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365*+1),'YYYY'), 8)- 1,'MONDAY') as date_val FROM DUAL union
SELECT 'Columbus' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365*+1),'YYYY'), 9)- 1,'MONDAY') + 7 as date_val FROM DUAL union
SELECT 'Veterans' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365*+1),'YYYY'),10) +10 as date_val FROM DUAL union
SELECT 'Thanksgiving' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365*+1),'YYYY'),10)- 1,'THURSDAY') +21 as date_val FROM DUAL union
SELECT 'Christmas' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365*+1),'YYYY'),11) +24 as date_val FROM DUAL union
/* CURRENT YEAR +2 */
SELECT 'New Years' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365*+2),'YYYY'), 0) + 0 as date_val FROM DUAL union
SELECT 'M.L.K Jr.' as Holiday, NEXT_DAY( TRUNC(sysdate+(365*+2),'YYYY') - 1,'MONDAY') +14 as date_val FROM DUAL union
SELECT 'President''s' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365*+2),'YYYY'), 1)- 1,'MONDAY') +14 as date_val FROM DUAL union
SELECT 'Memorial' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365*+2),'YYYY'), 5)- 1,'MONDAY') - 7 as date_val FROM DUAL union
SELECT 'Juneteenth' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365*+2),'YYYY'), 5)+18 as date_val FROM DUAL where sysdate+(365*+2) > '01-JAN-2022' union
SELECT 'Independence' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365*+2),'YYYY'), 6) + 3 as date_val FROM DUAL union
SELECT 'Labor' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365*+2),'YYYY'), 8)- 1,'MONDAY') as date_val FROM DUAL union
SELECT 'Columbus' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365*+2),'YYYY'), 9)- 1,'MONDAY') + 7 as date_val FROM DUAL union
SELECT 'Veterans' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365*+2),'YYYY'),10) +10 as date_val FROM DUAL union
SELECT 'Thanksgiving' as Holiday, NEXT_DAY(ADD_MONTHS(TRUNC(sysdate+(365*+2),'YYYY'),10)- 1,'THURSDAY') +21 as date_val FROM DUAL union
SELECT 'Christmas' as Holiday, ADD_MONTHS(TRUNC(sysdate+(365*+2),'YYYY'),11) +24 as date_val FROM DUAL
) calc
order by date_val
Hi @LearningGuy ,
you should try to use the mvexpand and nomv commands.
I cannot test because iy runs using values from a text page.
Ciao.
Giuseppe
Hi Splunkers,

1) I wanted to remove all special characters from my field called "Test" other than "." (dot) and "-" (dash)
2) return the values in lower case.

Example field values for Test:
i4455.mango.com
qa (qa_a_ai_bi1_integration_d01)
app-9999-bee-mysql-prod

please help
Hi all,
I am using Splunk Enterprise Security and having trouble converting the indexes to CIM compliance. One of them is Cloudflare. The JSON data is being ingested via an AWS S3 bucket, and the visualization works fine on the Cloudflare App. However, the CIM Validator doesn't recognize the events and they are unable to be used in Splunk ES. Has anyone been able to successfully convert these events to be CIM compliant?
Thanks,
Thank you, but I get position_select dynamically from a search with up to 1000 results. Working through each position individually would be impractical. Is there another way?
Hi @gcusello ,
Sorry if I wasn't clear.

If you refer to the drawing I posted previously, the issue is actually the opposite.

After I moved the **commands/searches** into summary index, the data was merged into one row, so the values command did not give me unique values. I expected to get "companyA", but it gave me "companyA companyA" because of the Carriage Return ("\n").

Values command did not work:
company                       ip
companyA companyA             1.1.1.1
companyB companyB companyB    1.1.1.2

values command worked:
company                       ip
companyA companyA             1.1.1.1
companyB companyB companyB    1.1.1.2

I also have a different post specifically discussing why summary index caused this merge behaviour: https://community.splunk.com/t5/Reporting/summary-index-merges-multiple-line-values-into-one-row/m-p/666673#M12266

1) Why does the values command not work if the data gets merged into one line?
2) Why does summary index cause merging into one row in the first place?

Thank you so much for your help
Is there any way to merge query A and query B? Both these two queries are different.

Query A:  |stats count as total    result = 5
Query B:  |stats count as error    result = 3

Now I want the difference 5-3 = 2 as success count
I'm in the install app from file section, and I've downloaded the security essentials, but I don't see a file to put in there. What is the exact name of it because I feel like I've tried all of them?