All Posts

Hello @ITWhisperer, is the above data sufficient to resolve this issue? Could you please help me with this.
Hi @sateesh250795, may we know if you got an answer to your question? Thanks.
I think the bin command never really works with the start or end parameter as documented. For me, I need a simple behavior like this:

For a span of 10:
1 = 1-10
2 = 1-10
10 = 1-10
11 = 11-20
19 = 11-20
20 = 11-20
21 = 21-30

So I created a macro called bin2 like this:

macro body:
eval $data$=$data$-1
| bin span=$span$ $data$ as bucket
| eval $data$=$data$+1
| rex field=bucket "^(?<_bin_start>\d+)"
| rex field=bucket "\-(?<_bin_end>\d+)$"
| eval _bin_start=_bin_start+1
| eval bucket=_bin_start."-"._bin_end
| fields - _bin_start, _bin_end

macro arguments: data,span

And here is an example query:
| makeresults count=1
| eval data = "1,5,9,10,11,19,20,25,29"
| makemv data delim=","
| mvexpand data
| `bin2(data, 10)`
| table data, bucket

And here is the result:
data bucket
1 1-10
5 1-10
9 1-10
10 1-10
11 11-20
19 11-20
20 11-20
25 21-30
29 21-30
@Manish_Sharma wrote: As in if I search for a term like “Error”, I want to be able to see 10 lines before and after this message.

Hi @Manish_Sharma ... by the "10 lines before and after", I assume you would like to see the 10 logs/events before the "error" log/event. If so, you can try this step: expand the "error" log/event; it will have a field "_time" with a drop-down arrow. When you click that drop-down, you can find "Nearby Events", where you can add 5 seconds (or mins or hrs, etc.) plus or minus.
Hello Community, I have sample data as below:

2023-10-17T17:14:24,436Z client-id=1159222917, transaction-id=522f4012-9737-483c-a3bb-8f23f146da0f [INFO ] [http-nio-9010-exec-3] c.c.a.s.AService AddressMetrics: {"fieldsToCompare":["addressLine1","city","stateProvince","postalCode","latitude","longitude","taxGeoCode","matchCode","locationCode"],"addressResponseV1":{"addresses":[{"taxGeoCode":"442150950","apartmentLabel":"","matchCode":"S80","city":"EDINBURG","postalCode":"785413355","latitude":"26.307701","houseNumber":"121","stateProvince":"TX","leadingDirectional":"W","streetName":"VAN WEEK","lastLine":"EDINBURG, TX 78541-3355","addressLine1":"121 W VAN WEEK ST","addressLine2":"","streetSuffix":"ST","locationCode":"AP05","trailingDirectional":"","longitude":"-98.162231","apartmentNumber":""}]},"addressRequest":{"clientId":"1159222917","city":"EDINBURG","postalCode":"78541","multiMatch":false,"addressLine1":"121 W VAN WEEK ST","addressLine2":"","state":"TX","sessionId":"1159222917","userId":"1366654994","transactionId":"522f4012-9737-483c-a3bb-8f23f146da0f"},"addressResponseV2":{"addresses":[{"geoResultCode":"S8HPNTSCZA","zipCode":"78541","taxGeoCode":"442150950","matchCode":"S80","city":"EDINBURG","latitude":26.307701,"addressLine1":"121 W VAN WEEK ST","zip4":"3355","addressLine2":"","state":"TX","locationCode":"AP05","longitude":-98.162231}]},"decisionMatrix":{"taxGeoCode":true,"matchCode":true,"city":true,"postalCode":true,"latitude":true,"addressLine1":true,"stateProvince":true,"locationCode":true,"longitude":false}}

2023-10-17T17:14:24,432Z client-id=0122346633, transaction-id=1fde5a12-ee65-4523-bed4-c8dd76cc666b [INFO ] [http-nio-9010-exec-6] c.c.a.s.AService AddressMetrics: {"fieldsToCompare":["addressLine1","city","stateProvince","postalCode","latitude","longitude","taxGeoCode","matchCode","locationCode"],"addressResponseV1":{"addresses":[{"taxGeoCode":"442152020","apartmentLabel":"","matchCode":"S80","city":"MISSION","postalCode":"785741749","latitude":"26.240278","houseNumber":"1004","stateProvince":"TX","leadingDirectional":"E","streetName":"DAWSON","lastLine":"MISSION, TX 78574-1749","addressLine1":"1004 E DAWSON LN","addressLine2":"","streetSuffix":"LN","locationCode":"AP05","trailingDirectional":"","longitude":"-98.310512","apartmentNumber":""}]},"addressRequest":{"clientId":"0122346633","city":"MISSION","postalCode":"78574","multiMatch":false,"addressLine1":"1004 E DAWSON LN","addressLine2":"","state":"TX","sessionId":"0122346633","userId":"0867774533","transactionId":"1fde5a12-ee65-4523-bed4-c8dd76cc666b"},"addressResponseV2":{"addresses":[{"geoResultCode":"S8HPNTSCZA","zipCode":"78574","taxGeoCode":"442152020","matchCode":"S80","city":"MISSION","latitude":26.240278,"addressLine1":"1004 E DAWSON LN","zip4":"1749","addressLine2":"","state":"TX","locationCode":"AP05","longitude":-98.310512}]},"decisionMatrix":{"taxGeoCode":false,"matchCode":true,"city":false,"postalCode":true,"latitude":true,"addressLine1":true,"stateProvince":true,"locationCode":true,"longitude":true}}

What I am trying to achieve here is to get the stats of each field within the decisionMatrix object, as below:

Field TRUE FALSE
taxGeoCode 1 1
matchCode 2 0
city 1 1

Any suggestions?
According to the UBA documentation, it looks like UBA's machine learning is based on on-prem Microsoft Active Directory and the corresponding event codes. I'm wondering if UBA is capable of dealing with AAD events, now that many organizations have shifted to Azure AD/Entra.
Do you mean to say that a string like "{dt.trace_id=837045e132ad49311fde0e1ac6a6c18b, dt.span_id=169aa205dab448fc, dt.trace_sampled=true}" is at the beginning of the raw event? If so, you will need to first extract the part with compliant JSON. (It is also a very bad log pattern from your developer.) You can do so with

| eval json = replace(_raw, "^{.+}", "")

(The actual method will depend on how the raw logs are structured, how stable such a structure is, etc.) Then, apply spath.

| eval json = replace(_raw, "^{.+}", "")
| spath input=json

Alternatively, get rid of the spurious part from _raw, then spath.

| rex mode=sed "s/^{.+}//"
| spath

Here is an emulation you can play with and compare with real data:

| makeresults
| fields - _time
| eval _raw = "{dt.trace_id=837045e132ad49311fde0e1ac6a6c18b, dt.span_id=169aa205dab448fc, dt.trace_sampled=true} { \"correlationId\": \"3-f0d89f31-6c3c-11ee-8502-123c53e78683\", \"message\": \"API Request\", \"tracePoint\": \"START\", \"priority\": \"INFO\", \"category\": \"com.cfl.api.service\", \"elapsed\": 0, \"timestamp\": \"2023-10-16T15:59:09.051Z\", \"content\": { \"clientId\": \"\", \"attributes\": { \"headers\": { \"accept-encoding\": \"gzip,deflate\", \"content-type\": \"application/json\", \"content-length\": \"92\", \"host\": \"hr-fin.svr.com\", \"connection\": \"Keep-Alive\", \"user-agent\": \"Apache-HttpClient/4.5.5 (Java/16.0.2)\" }, \"clientCertificate\": null, \"method\": \"POST\", \"scheme\": \"https\", \"queryParams\": {}, \"requestUri\": \"/cfl-service-api/api/process\", \"queryString\": \"\", \"version\": \"HTTP/1.1\", \"maskedRequestPath\": \"/api/queue/send\", \"listenerPath\": \"/cfl-service-api/api/*\", \"localAddress\": \"/localhost:8082\", \"relativePath\": \"/cfl-service-api/api/process\", \"uriParams\": {}, \"rawRequestUri\": \"/cfl-service-api/api/process\", \"rawRequestPath\": \"/cfl-service-api/api/process\", \"remoteAddress\": \"/123.123.123.123:123\", \"requestPath\": \"/cfl-service-api/api/process\" } }, \"applicationName\": \"cfl-service-api\", \"applicationVersion\": \"6132\", \"environment\": \"dev\", \"threadName\": \"[cfl-service-api].proxy.BLOCKING @78f55ba\" }"
``` data emulation above ```
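The AddressMetrics question above and this answer both come down to the same two steps: isolate the well-formed JSON object inside a raw event that carries a non-JSON prefix, then aggregate one of its fields. The following is an added example (not code from either post, and outside Splunk) that does both in Python: it tries each "{" with json.JSONDecoder.raw_decode so that a prefix such as "{dt.trace_id=...}" is skipped rather than matched by a greedy regex, then tallies TRUE/FALSE per decisionMatrix field. The sample events are constructed and shortened from the ones in the posts.

```python
import json
import re
from collections import Counter, defaultdict

# Constructed sample events. The first two mimic the AddressMetrics lines
# (JSON after a plain-text prefix); the third mimics the "{dt.trace_id=...}"
# prefix, which looks like an object but is not valid JSON.
EVENTS = [
    '2023-10-17T17:14:24,436Z client-id=1159222917 [INFO ] c.c.a.s.AService AddressMetrics: '
    '{"decisionMatrix":{"taxGeoCode":true,"matchCode":true,"city":true,"longitude":false}}',
    '2023-10-17T17:14:24,432Z client-id=0122346633 [INFO ] c.c.a.s.AService AddressMetrics: '
    '{"decisionMatrix":{"taxGeoCode":false,"matchCode":true,"city":false,"longitude":true}}',
    '{dt.trace_id=837045e132ad49311fde0e1ac6a6c18b, dt.span_id=169aa205dab448fc} '
    '{"message": "API Request", "priority": "INFO"}',
]

_DECODER = json.JSONDecoder()


def extract_json(raw: str):
    """Return the first well-formed JSON object embedded in raw, or None.

    Every '{' is tried in turn with raw_decode; a '{' that opens a block
    such as '{dt.trace_id=...}' raises JSONDecodeError and is skipped, so
    no regex over the prefix is needed and nested braces are handled by
    the parser itself.
    """
    for match in re.finditer(r"\{", raw):
        try:
            obj, _end = _DECODER.raw_decode(raw, match.start())
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            return obj
    return None


def decision_matrix_stats(events):
    """Count TRUE/FALSE per decisionMatrix field across all events."""
    stats = defaultdict(Counter)
    for raw in events:
        obj = extract_json(raw)
        if not obj:
            continue  # no parsable JSON in this event
        for field, value in obj.get("decisionMatrix", {}).items():
            stats[field]["TRUE" if value else "FALSE"] += 1
    return {field: dict(counts) for field, counts in stats.items()}


if __name__ == "__main__":
    print("Field TRUE FALSE")
    for field, counts in decision_matrix_stats(EVENTS).items():
        print(field, counts.get("TRUE", 0), counts.get("FALSE", 0))
```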
When you enable indexer clustering on the cluster manager what does the /opt/splunk/etc/system/local/server.conf file look like (don't post it ... there is sensitive stuff there)? Is anything getting port 8000 assigned to it?
I have a drilldown in a Dashboard Studio panel that returns the start time of some events ($startTime$). I want to use the token as the earliest, and at the same time, I want to use $dd_span$+$startTime$ ($dd_span$ is created from a pulldown menu; it has options of 1d, 1h, 2h, etc.). I wanted to use the start time and end time to narrow down a search in another panel.

index=main (earliest=$startTime$ latest=$startTime$+$dd_span$) | spath ...

does not resolve. Is there a way to add the times together?
If you expand the event details using the chevron next to the event you will see a drop down that says Event Actions. Click that and select "Show Source". This will show you the lines before and after the event.
Is there any optimal way to get context both before and after for a search result? As in if I search for a term like “Error”, I want to be able to see 10 lines before and after this message.
I want to enable/disable Splunk alerts in Splunk Cloud. How do I disable/enable alerts using REST API or SPL commands in Splunk Cloud?
Were you able to resolve this? If so, what approach did you take?
I have to delete app.conf sometimes in deployment-apps, then reload the deploy-server to reset the state.
I'm not seeing how the $HIDEME$ token is ever set. Without that being set the whole row will stay hidden as it depends on that token.
Are you saying you want it both stacked and a weekly bar chart overlaying the stack?
I'm struggling to effectively use a minor amount of JavaScript which is intended to facilitate some in-dashboard help pages, and hoping that someone might be able to help me out.

Given this JavaScript (in <app>/appserver/static/js/help.js):

require([
    'jquery',
    'splunkjs/mvc/simplexml/ready!'
], function($) {
    $('#help-btn').on('click', function() {
        $('#help').toggle();
    });
    $('#help-close').on('click', function() {
        $('#help').toggle();
    });
});

And this dashboard which adds a "Dashboard Help" button (next to Edit), the idea would be that simply clicking the button will toggle() the #help id, which is the panel. In "Edit" mode, I can see my overview.html panel as well as the "Dashboard Help" button, and clicking it will perform the correct action. I've used this on live dashboards as well, successfully on some and not so much on others. I imagine there's some sort of timing condition with dynamic loading and whatnot that I'm running into. Can anyone advise?

<form version="1.1" script="common_ui_util:/js/help.js">
  <label>TEST</label>
  <row>
    <panel>
      <html>
        <div>
          <input id="help-btn" type="button" value="Dashboard Help" style="top: -40px;" class="btn default"></input>
        </div>
      </html>
    </panel>
  </row>
  <row depends="$HIDEME$">
    <panel id="help">
      <html>
        <button id="help-close" class="help-close close close_btn"/>
      </html>
      <html src="html_docs/overview.html"></html>
    </panel>
  </row>
</form>
Thank you for the response, but the suggestion does not resolve the problem. The dashboard needs to be delineated in a stacked format by District, with each District showing weekly results over a 4-week period.
Ok. One at a time.

1. While the default retention period for an index might be 6 years (I don't remember exactly, but that sounds legit), the retention period for the _internal index is just 30 days (you can check where it's defined by doing splunk btool list indexes _internal --debug on your indexer).
2. While your environment might not be that long, there might be some events that were, for example, produced by hosts with badly configured time. Check the actual events to see where they came from. Remember that the timestamps do not have to reflect the time at which the event was ingested.
3. Events are rotated hot->warm->cold->frozen (deleted) as whole buckets. So the bucket gets rolled to frozen if the most recent event from that bucket is older than the retention period.
4. While most buckets will contain events from a relatively small time range, there is a special bucket created for each index which catches all "weird" events, older than expected or from the future. Since this bucket may contain events both very old (as is probably your case) as well as from the future, it might actually not get rotated for a long time.
5. Do a dbinspect of your index to see what buckets you have in your index and what time ranges they contain.
In a customer environment, we disabled all the rules from the ABAP agent, as you can see in the image below. We then stopped the ABAP agent by going into Status, Stop All, and waited 15 min to start it again. After restarting with all rules disabled, we're still receiving some BTs in the controller. I'd like some help with that, please. Thank you. Luiz Polli