All Posts

@bowesmana Thank you!!! I modified the query and achieved what I'm looking for:

| foreach *_spend_limit
    [ eval type=if(match("<<MATCHSEG1>>","old"), "Pre", "Post"),
           MV=mvappend(mvzip(mvzip('<<MATCHSEG1>>_limit', '<<FIELD>>', ";"), type, ";"), MV) ]
| fields market MV
| mvexpand MV
| rex field=MV "(?<limit>[^\;]*);(?<spend>[^\;]*);(?<type>.*)"
| eval market=market." ".type
| fields market limit spend
Did you deploy any props.conf for this sourcetype on your search head? Since you're doing index-time field extraction (with INDEXED_EXTRACTIONS = json), there is no need for search-time field extraction. I've seen props.conf with search-time field extraction (KV_MODE = json) alongside index-time field extraction causing double extraction. You need to use one. If you just want index-time field extraction, explicitly set KV_MODE = none on the search head.
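The weak and corrected search-head stanzas side by side, as an added example that is not part of the answer above. The sourcetype name my_json_sourcetype, the app path and the field name user are assumptions; substitute your own.

```ini
; --- Weak: search head, e.g. $SPLUNK_HOME/etc/apps/my_app/local/props.conf
; Combined with INDEXED_EXTRACTIONS = json on the forwarder/indexer, every JSON
; key is extracted a second time at search time, so fields come back as
; multivalue with the same value twice (e.g. user = [alice, alice]).
[my_json_sourcetype]
KV_MODE = json

; --- Corrected: search head
; The fields are already indexed; switch off search-time JSON extraction.
[my_json_sourcetype]
KV_MODE = none

; --- For reference: the forwarder/indexer-side stanza that does the index-time work.
; Do not copy this stanza to the search head; index-time settings do nothing there.
[my_json_sourcetype]
INDEXED_EXTRACTIONS = json

; Check for double extraction from the search bar (assumed field "user"):
;   index=my_index sourcetype=my_json_sourcetype | where mvcount(user) > 1
; A non-empty result means both extraction paths are still active.
```

To confirm which file wins for the stanza on the search head, run `splunk btool props list my_json_sourcetype --debug` there; a `local` copy of KV_MODE = json in another app overrides the one you just deployed.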
Hello,

I am trying to set up a ShowPanel token that I will use later on in the dashboard in this way:

<panel depends="$ShowPanel$">

Here is how I am setting it up:

<input type="dropdown" token="tok_usecase" searchWhenChanged="true">
  <label>Use Case</label>
  <choice value="&quot;01&quot;">Use Case 01</choice>
  <choice value="&quot;02&quot;">Use Case 02</choice>
  <choice value="&quot;03&quot;">Use Case 03</choice>
  <choice value="&quot;04&quot;">Use Case 04</choice>
  <choice value="&quot;05&quot;">Use Case 05</choice>
  <choice value="&quot;06&quot;">Use Case 06</choice>
  <default>"01"</default>
  <initialValue>"01"</initialValue>
  <change>
    <condition match="$tok_usecase$==&quot;05&quot;">
      <set token="ShowPanel">true</set>
      <unset token="tok_audit"></unset>
      <unset token="tok_taskID"></unset>
      <unset token="tok_sessID"></unset>
    </condition>
    <condition match="$tok_usecase$!=&quot;05&quot;">
      <unset token="ShowPanel"></unset>
      <unset token="tok_audit"></unset>
      <unset token="tok_taskID"></unset>
      <unset token="tok_sessID"></unset>
    </condition>
  </change>
</input>

But it seems the $ShowPanel$ token is not populated. I tried to print it in the panel title, but it appears as $ShowPanel$ instead of having the value "true". Do you know where the error is?

Thanks a lot,
Edoardo
There's probably a JSON-ic way to do that (assuming the event is pure JSON), but rex can handle a few fields nicely. Assuming the order of fields is fixed, this regex should do it:

| rex "Received update request (?<IL_Customer>[^\.]+)\. Size of array: (?<ArraySize>\d+)"
Hello @yannK is this still possible to split and get two .lic files? Thanks!  
I'd also settle for a slow response! 
{
    logger: org.mule.runtime.core.internal.processor.LoggerMessageProcessor
    message: Received update request IL_Customer. Size of array: 1
    properties: {
        correlationId: 4b910aaf-d316-4594-8eda-c56e861499d3

I want to extract the IL_Customer and array size from the above log. What would the regular expression be? Thanks in advance.
Hello, all! I'm hopefully looking for an ELI5 (explain like I'm 5) on the best way to migrate an indexer cluster database to an entirely new cluster environment. The end goal is to decommission the current setup.

My current setup: RHEL 7, physical, Splunk 8.2.4. All log sources are still flowing to this setup. 3 SH cluster, 3 IDX cluster, 1 CM, etc.

New: RHEL 8, AWS VMs, Splunk 9.1.1. This setup is still empty with no logs/sources flowing here yet. 3 SH cluster, 3 IDX cluster, 1 CM, etc.

From what I found online, merging the 3 new indexers into the old cluster seems to be the preferred method. Does anyone have a link to a detailed writeup on how to do so with all the little nuances that come with it? Are differing Splunk versions okay? Do I change the replication factor? I'm sure there are a bunch of steps to this method. I appreciate any help!
It's my understanding that the default frozenTimePeriodInSecs is 6 years. I am confused about what this graph means for my _internal index. This is Data Age vs Frozen Age.

1. I don't have 1.461 days of data because my deployment isn't that old.
2. This appears to say that my frozen age is 30 days? I'm not really sure what this number means.
Try something like this:

index=bla "JOB Initiated" OR "JOB Completed"
``` If your ID is not already extracted, then extract it ```
| rex field=_raw "(?<id>your_regex_to_extract_id)"
| stats count as eventCount range(_time) as duration by id

This assumes 2 events per id, and range(_time) calculates the duration. You can then check eventCount=2 to make sure you have seen both events.
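A version that separates start and end timestamps and flags incomplete pairs, as an added example rather than part of the answer above. It assumes the job id appears as job_id=<digits> in the raw event and that the index is called bla; both are assumptions to replace with your own.

```spl
index=bla "JOB Initiated" OR "JOB Completed"
``` Assumed id format: job_id=12345; adjust the regex to your events ```
| rex field=_raw "job_id=(?<id>\d+)"
``` Tag each event so start and end can be told apart after aggregation ```
| eval phase=if(searchmatch("JOB Initiated"), "start", "end")
``` First start and last end per id, so retries with several Initiated events still give one row ```
| stats count as eventCount
        min(eval(if(phase="start", _time, null()))) as start_time
        max(eval(if(phase="end", _time, null()))) as end_time
        by id
| eval duration=end_time-start_time
``` A job with only one of the two events has a null on one side; name the case instead of hiding it ```
| eval status=case(isnotnull(start_time) AND isnotnull(end_time), "completed",
                   isnotnull(start_time), "running or end event missing",
                   1=1, "end without start")
| table id status start_time end_time duration eventCount
```

Jobs that are still running show up as "running or end event missing" with no duration, so a dashboard built on this search does not silently drop them; filter with `| where status="completed"` when you only want finished jobs.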
Is this more like what you envision?

index=_internal
| fieldsummary
| eventstats sum(count) as Total
``` Get rid of fields we don't need ```
| fields - max mean min stdev is_exact
``` Convert the values array to a multi-value field ```
| eval mv_values=json_array_to_mv(values)
``` Put each value into a separate event ```
| mvexpand mv_values
``` Extract value and its count ```
| rex field=mv_values "value\\\":\\\"(?<value>[^\"]+)\\\",\\\"count\\\":(?<valueCount>\d+)"
| eval Pct=round(valueCount*100/Total,2)
| table field value valueCount Pct
I don't like abandoned threads, so after hours and hours with Splunk Tech Support and having opened multiple cases on this issue, I have something worth sharing. You may need to do two things to get this to work / install.

First part:

1. Using the command line, stop Splunk from running, so run splunk stop. On Windows it may look something like this:

   C:\Program Files\Splunk\bin>splunk stop

2. Then run the install MSI with the LAUNCHSPLUNK=0 parameter (no, it does not have to be all in caps, not on Windows anyway):

   C:\Software\Splunk>splunk-9.1.1-64e843ea36b1-x64-release.msi launchsplunk=0

Alright, that may get it installed, but afterwards you will notice it does not want to start. That's OK; I will show you what to do to get it to start in the follow-up post.
I would like to get the percentage of some count field from the total count. For example, after using fieldsummary I got this under the values key:

[{"value":"/System/Library/LaunchAgents/com.apple.mdworker.shared.plist","count":61372}

and the total event count is 1,039,803. So in a new field I want to calculate what percentage the count (61372) is of the total (1,039,803). I want to get this result for all my fields.
I'm seeing the same errors. It's looking to perform a GET on an object that doesn’t exist in S3. Did you find a solution?
Set the type field based on which string was found in the event:

cf_org_name="ABB" cf_space_name="qa" cf_app_name=*qa-my-app* index=ocf_* "CACHE Hit" OR "CACHE Miss"
| eval type=if(searchmatch("CACHE Hit"),"Hit","Miss")
| timechart span=1d count by type
Thank you. It is working.
Thank you for the explanation. The rates in seconds you see above are produced by the load balancer upon incoming TCP requests. The logs are later pushed to Splunk for analysis. I don't want to carry out any further calculation. I just want to extract the rate/sec from the raw event and present it over time (x-axis).
The backfill script may help here.  See https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Managesummaryindexgapsandoverlaps You can put a wrapper around this script that runs it multiple times with the appropriate earliest/latest settings.
Hi @Praz_123,

Good for you, see you next time! Let me know if I can help you more, or, please, accept one answer for the other people of the Community.

Ciao and happy splunking,
Giuseppe

P.S.: Karma Points are appreciated
@gcusello Thanks for the support