Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
10-26-2023
08:59 AM
I am trying to configure Splunk to read the aide.log file, which file(s) do I need to modify in Splunkforwarder to get it to read the aide.log file.
Labels
- Labels:
-
inputs.conf
-
Linux
10-26-2023
08:47 AM
After validating the logs and with the help of your solution, I decided to use these settings. SHOULD_LINEMERGE = false TRUNCATE = 0 (because some events are already broken and don't contain a li...
See more...
After validating the logs and with the help of your solution, I decided to use these settings. SHOULD_LINEMERGE = false TRUNCATE = 0 (because some events are already broken and don't contain a linebreaking rule). Thank you for the advice.
10-26-2023
08:42 AM
1 Karma
I also got that issue after upgrade the DMC. Find the missing js file from the developer console and copy those js from quarantined directory to the relevant directory. Then restart the server. My DM...
See more...
I also got that issue after upgrade the DMC. Find the missing js file from the developer console and copy those js from quarantined directory to the relevant directory. Then restart the server. My DMC resolve and visulizations are came back to norma. Don't forget to turn off restriction under Settings > Server Settings > Internal Library Settings.
10-26-2023
08:35 AM
Hi @ITWhisperer , How to make the fields to get displayed instead of row1,row2..... Thanks..
10-26-2023
08:28 AM
Hi Team,
I am using below query:
[search index="abc" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced succes...
See more...
Hi Team,
I am using below query:
[search index="abc" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True="✔"
| bin _time span=1d
| dedup _time
| eval EBNCStatus="ebnc event balanced successfully"
| table EBNCStatus True
I want if there are no events than message "ebnc event balanced successfully" should not get displayed.
Can someone guide me on that
10-26-2023
08:25 AM
Can someone suggest which type of storage is best for Splunk Cluster ? Is it Block storage or Object Storage.
Labels
- Labels:
-
indexer
-
Linux
-
search head
-
splunkd
10-26-2023
08:17 AM
Opened 8191 to resolve as well. Happened on initial build.
10-26-2023
08:07 AM
were you able to find fix solution for this ?
10-26-2023
07:59 AM
Im really not sure what this is doing. I incorporated it into my code and was not what I was expecting. I have also shifted my efforts to using a span=15m for my timechart command due to some other ...
See more...
Im really not sure what this is doing. I incorporated it into my code and was not what I was expecting. I have also shifted my efforts to using a span=15m for my timechart command due to some other calculations that are on the dashboard I am working on that using a span/bucket smaller than 15 minutes does not represent the data in the way the user(s) are expecting. So, my next question (I can start a new thread if needed) is that using a span=15m for an hour sample of four 15 min buckets. But, the buckets are at the 15 min mark of each hour and do not start from when the query is run. i.e. Buckets = 0-15, 15-30, 30-45, 45-00. Is there an option on timechart to force it to start at the current minute ? I found in the documentation a reference to <snap-to-time> but dont understand how to use it.
10-26-2023
07:57 AM
Try changing the fieldformat lines as I suggested
10-26-2023
07:53 AM
@ITWhisperer
I am using same in my query but not getting correct starttime and end time
query:
index="abc"sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settle...
See more...
@ITWhisperer
I am using same in my query but not getting correct starttime and end time
query:
index="abc"sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" | rex "TRIM\.CNX(CTR)?\.(?<TRIM_ID>\w+)"
| transaction TRIM_ID startswith="Reading Control-File /absin/TRIM.CNXCTR." endswith="Completed Settlement file processing, TRIM.CNX."
|eval StartTime=min(_time)|eval EndTime=StartTime+duration|eval duration_min=floor(duration/60) |rename duration_min as TRIM.CNX_Duration| table StartTime EndTime TRIM.CNX_Duration| sort +StartTime +EndTime| fieldformat ProcessingStartTime = strftime(ProcessingStartTime, "%F %T.%3N")| fieldformat ProcessingEndTime = strftime(ProcessingEndTime, "%F %T.%3N")
10-26-2023
07:52 AM
Thanks @ITWhisperer for this help
10-26-2023
07:52 AM
Please provide more information e.g. some sample events (anonymised of course) and your current search, and output, and your expected results.
10-26-2023
07:51 AM
In table want a field name as - Entity contractWithCustomers contracts
10-26-2023
07:48 AM
What would the expected output look like?
10-26-2023
07:40 AM
I want to extract the below contractWithCustomers and contracts using rex named as entity . For ID 1349c1f4-989c-4ea5-94ca-25fc40f6aab8 -flow started put:\contractWithCustomers:application\json:...
See more...
I want to extract the below contractWithCustomers and contracts using rex named as entity . For ID 1349c1f4-989c-4ea5-94ca-25fc40f6aab8 -flow started put:\contractWithCustomers:application\json:bmw-crm-wh-xl-cms-api-config For ID 1697108895 -flow started put:\contracts:application\json:bmw-crm-wh-xl-cms-api-config
- Tags:
- rex
Labels
- Labels:
-
rex
10-26-2023
07:39 AM
Hello, I am trying to make report which will display what notables were closed with what disposition. But unfortunately when I make report, it shows me values as follows: "disposition:1", "dispositi...
See more...
Hello, I am trying to make report which will display what notables were closed with what disposition. But unfortunately when I make report, it shows me values as follows: "disposition:1", "disposition:2" and so on and I cant figure out how to change these values in the way that in chart/graph it will show "false positive" or "true positive". I found out a way to change name of column (rename as) but I cant find a way to change values itself and if I try to use same logic (rename disposition:1 as false positive) it doesnt make the trick. Could you point me in the correct direction, please? Thanks in advance
- Tags:
- advice
Labels
- Labels:
-
fields
10-26-2023
07:34 AM
@ITWhisperer How can I put it in my query can you please guide.
10-26-2023
07:30 AM
I see the trim function didn't remove the first quotation mark since it isn't at the beginning of the event (because of the timestamp). Here's another regex to try. It attempts to replace the event...
See more...
I see the trim function didn't remove the first quotation mark since it isn't at the beginning of the event (because of the timestamp). Here's another regex to try. It attempts to replace the event with the text after 'rawJson="' up to the last '"'. | rex mode=sed "s/rawJson=\\\"(.*)\\\"$/\1/"
