All Posts
I'm sorry, but maybe I have the wrong understanding of what a multi-line event is. I expect that any event that has more than one line is a multi-line event. The event that I posted in the OP had more than one line and, what is more important, more than one timestamp. I expected Splunk to have broken such an event at each "\r\n". P.S.: I attached another screenshot with the linecount field.
1. The default ([\r\n]+) includes your (\n+), so you don't have to specify that alternative (I'm not sure how it would behave, since LINE_BREAKER is supposed to contain one capture group anyway).
2. How are you getting your events? Sent by syslog? Written to a file and read with a UF?
3. Just to be on the safe side: you're not expecting already ingested events to be re-broken, right?
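To make the LINE_BREAKER behaviour discussed in this thread concrete, here is an added example (not code from the thread or from Splunk) that emulates the documented rule: the text matched by the regex's first capture group is discarded as the line terminator, and anything the regex matches outside that group stays with the neighbouring event. The sample input, the TIMESTAMP_BREAKER regex and the 5-minute-free function names are constructed for this example; it is not a reproduction of Splunk's parser, only of that rule, so it can show why (\n+) adds nothing to the default and what a (\n+)-only breaker does to CRLF data.

```python
import re

# Constructed sample (not a real log): three timestamped lines with CRLF endings,
# the middle one followed by two continuation lines, as in a stack trace.
SAMPLE = (
    "2024-01-01T10:00:00 start\r\n"
    "2024-01-01T10:00:01 error\r\n"
    "  at foo()\r\n"
    "  at bar()\r\n"
    "2024-01-01T10:00:02 done"
)

DEFAULT_BREAKER = r"([\r\n]+)"
# Assumed custom breaker: only break on a newline run that is followed by an ISO timestamp,
# so continuation lines stay inside the event that starts with the timestamp.
TIMESTAMP_BREAKER = r"([\r\n]+)(?=\d{4}-\d{2}-\d{2}T)"


def break_lines(raw: str, line_breaker: str = DEFAULT_BREAKER) -> list[str]:
    """Emulate how a LINE_BREAKER regex is applied to a raw stream.

    The text captured by the first group is the terminator and is dropped; text the
    regex matched outside that group (e.g. what a lookahead inspects) stays with the
    adjacent event. A regex without a capture group is rejected.
    """
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER must contain a capture group")
    events = []
    start = 0
    for m in pattern.finditer(raw):
        if m.start(1) == -1:  # first group did not take part in this match
            continue
        events.append(raw[start:m.start(1)])  # event ends where the terminator begins
        start = m.end(1)                      # next event begins after the terminator
    events.append(raw[start:])
    return [e for e in events if e]  # a leading or trailing break yields no event


def linecount(event: str) -> int:
    """Number of lines in one event, like Splunk's linecount field."""
    return len(event.splitlines())


if __name__ == "__main__":
    for name, breaker in [("default", DEFAULT_BREAKER),
                          ("timestamp lookahead", TIMESTAMP_BREAKER),
                          ("(\\n+) only", r"(\n+)")]:
        print(f"--- {name}")
        for ev in break_lines(SAMPLE, breaker):
            print(f"linecount={linecount(ev)} {ev!r}")
```

Run stand-alone, it prints the events each breaker produces. The default and the alternation ([\r\n]+)|(\n+) give identical results because the first alternative already consumes every \n; a (\n+)-only breaker leaves a stray \r at the end of each event, which is the kind of detail that shows up as odd linecount or _raw values after ingestion.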
@ITWhisperer I have 60 events, but when I select last 7 days from the date drop-down it should display only 7 results, and if I select last 30 days it should display only 30 results. Current query:
index="abc" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully" | eval True=if(searchmatch("ebnc event balanced successfully"),"✔","") | eval EBNCStatus="ebnc event balanced successfully" | table EBNCStatus True
@ITWhisperer can you please guide?
I think you are mixing up rows and columns: you have 60 rows and 2 columns. What result are you expecting?
I agree with #1. As for #2, I believe it's the other way around. CIM is what makes datamodels work. Once the data has been normalized to use CIM field names, the tags and eventtypes used by the DMs become effective.
Yes, it's possible. It's just text, and text can be manipulated. Please describe what you mean by "it doesn't work". I need something to work with. What is the full query you tested? What results do you get? Other things to try:
The replace command:
| replace "rawjson=" with "" in _raw
The replace function:
| eval _raw=replace(_raw, "rawjson=", "")
@ITWhisperer I want two columns only, but currently when I select last 7 days it's returning more than 7. If I use the dedup command it's showing only 1. When I select last 7 days it should show only the last 7 days; I am selecting last 7 days and it's showing 60 statistics. Query:
index="abc" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully" | eval True=if(searchmatch("ebnc event balanced successfully"),"✔","") | eval EBNCStatus="ebnc event balanced successfully" | table EBNCStatus True
PFA attached screenshot.
Are you sure they're multi-line events? Both screenshots in the OP showed only single-line events. If you can, please post a screenshot of the multi-line events in Splunk.
Wait a second. /opt/app/splunk/var/lib/splunk/os/db - is this the location of your index data? Why is it not empty on a component that is not an indexer? A properly set up environment should forward all logs to indexers; no other components should store events locally. That's the first thing. Another thing is that if you want to get rid of old data, the proper way to do so would be to lower the retention limits (retention period or size limit) and let Splunk roll buckets to frozen naturally.
It's a rough estimate. It's just an assumption that 50 clients should not generate such load on the DS that it would interfere with other functionalities. I must say though that combining a HF and DS is a very unusual architecture choice. Also, why do you want to set up a HF here? If you absolutely need an intermediate forwarder (with the traditional remarks about load-balancing, or rather the lack thereof), why not a UF? Remember that a HF will parse your events and send the data as parsed, which multiplies the needed bandwidth.
Your search restricts the output to just two columns regardless of the timeframe. Please provide an example of your expected output.
Thanks @gcusello. Perfect, thanks, it worked. Have a nice day.
Hi Team, I am using the below query:
index="abc" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully" | eval True=if(searchmatch("ebnc event balanced successfully"),"✔","") | eval EBNCStatus="ebnc event balanced successfully" | table EBNCStatus True
When I select last 7 days it's showing multiple columns. I want the value to be displayed according to the drop-down selection, like last 7 days or last 30 days. Can someone please guide me here?
Try something like this:
| sort 0 _time | streamstats time_window=5m dc(user) as unique_users | timechart max(unique_users) as users span=1m
Hi @danspav / @bowesmana,
Thanks for your response. I have tried this way and am still getting different values in the URL. Here is my URL after selection of the pie chart:
&%26form.office_filter%3DFront%20Office=&
I'm getting %26 and %3D instead of & and =, and %20 instead of space. I had tried this way in the actual info:
<input type="multiselect" token="office_filter" searchWhenChanged="true">
  <label>Front/Back office</label>
  <choice value="Front Office">Front Office</choice>
  <choice value="Back Office">Back Office</choice>
  <default>Front Office</default>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <initialValue>Front Office</initialValue>
  <valuePrefix>"</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <delimiter>,</delimiter>
  <change>
    <eval token="office_filter_drilldown">replace($form.office_filter$ + "","([^,]+),?","&amp;form.office_filter=$1")</eval>
  </change>
</input>
<drilldown>
  <link target="_blank">/app/antivirus_details?form.compliance_filter=$click.value$&amp;$office_filter_drilldown$&amp;form.machine=$machine$&amp;form.origin=$origin$&amp;form.country=$country$&amp;form.cacp=$cacp$&amp;form.scope=$scope$</link>
</drilldown>
Can you please ensure this! Thanks! Manoj Kumar S
Hi @duesser , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi yuanliu, do you have any updates? We need to filter out events where a user has only EventCode=4776 over a while, and exclude events where 4770, 4768, or 4624 precede 4776, because we think that this situation is reasonable and that only the presence of 4776 alone is illegal.
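The filter asked for above, written out as an added example (not code from the thread): per user, keep a 4776 (NTLM credential validation) only when none of 4768, 4770 or 4624 occurred for that user in the preceding window. The log format, the sample lines, the 5-minute window and the function names are all constructed for this example; the question does not state a window, so "over a while" is represented here by the window_minutes parameter.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not real data). One event per line with the fields the check needs.
SAMPLE_LOG = """
2024-05-01 09:00:00 EventCode=4768 user=alice
2024-05-01 09:00:02 EventCode=4776 user=alice
2024-05-01 09:05:00 EventCode=4776 user=bob
2024-05-01 08:00:00 EventCode=4624 user=carol
2024-05-01 09:10:00 EventCode=4776 user=carol
2024-05-01 09:12:00 EventCode=4776 user=alice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventCode=(?P<code>\d+) user=(?P<user>\S+)$"
)

# Codes that, when they precede a 4776 for the same user, make the 4776 expected (from the question).
EXPECTED_BEFORE_4776 = {"4768", "4770", "4624"}


def parse_events(text: str) -> list[dict]:
    """Parse the constructed line format into dicts with _time, EventCode and user."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the format
        events.append({
            "_time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "EventCode": m["code"],
            "user": m["user"],
        })
    return events


def lone_4776(events: list[dict], window_minutes: int = 5) -> list[dict]:
    """Return the 4776 events for which the same user produced none of the
    expected codes within window_minutes before the 4776.

    Events are grouped per user and walked in time order, so only events that
    genuinely precede the 4776 are considered; a 4624 that arrives afterwards
    does not clear it.
    """
    window = timedelta(minutes=window_minutes)
    by_user: dict[str, list[dict]] = {}
    for e in sorted(events, key=lambda e: e["_time"]):
        by_user.setdefault(e["user"], []).append(e)
    hits = []
    for evs in by_user.values():
        for i, e in enumerate(evs):
            if e["EventCode"] != "4776":
                continue
            preceded = any(
                p["EventCode"] in EXPECTED_BEFORE_4776 and e["_time"] - p["_time"] <= window
                for p in evs[:i]
            )
            if not preceded:
                hits.append(e)
    return hits


if __name__ == "__main__":
    for h in lone_4776(parse_events(SAMPLE_LOG)):
        print(f"{h['_time']} user={h['user']} 4776 with no preceding 4768/4770/4624")
```

With the 5-minute window, bob (no other events), carol (her 4624 is over an hour old) and alice's second 4776 (12 minutes after her 4768) are reported; widening the window to two hours leaves only bob. The window is the tuning knob: too short and legitimate NTLM fallbacks after a Kerberos logon get flagged, too long and a stolen-hash replay hides behind an old interactive logon.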
Wait a second. Whenever I see "compare" and "appendcols" in the same sentence I raise my brow questioningly. Remember that appendcols doesn't preserve any order between the two searches. I'd probably go with a single search with two timeframes, limited with
<your search> (earliest=$main_picker.earliest$ latest=$main_picker.latest$) OR (earliest=$secondary_picker.earliest$ latest=$secondary_picker.latest$)
Then you can classify, stats, and whatever you want.
@woodcock did you ever complete a more granular tagging of FireEye events?  would you be willing to share?
No. The only "variable" (runtime-determined) parts of the config are those explicitly defined as such in the specs. For example, the serverName parameter in the [general] section of server.conf: the specs say that it can contain environment variables, so it can be dynamically set. For other parameters you define constant values.