Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
10-16-2023
10:10 AM
No. Unless explicitly configured to do so (which may be the case but it's beyond us to know how your environment is configured) splunk doesn't "generate" data. It ingests (and possibly modifies if it...
See more...
No. Unless explicitly configured to do so (which may be the case but it's beyond us to know how your environment is configured) splunk doesn't "generate" data. It ingests (and possibly modifies if it's configured that way) data it's given for ingestion. And clustering doesn't change the data. It merely replicates (if needed) data to other nodes.
10-16-2023
10:07 AM
A temporary quick fix was changing "evt_resolve_ad_obj = 1" to "evt_resolve_ad_obj = 0" in inputs.conf, however this setting is responsible for automatic resolution of SIDs/GUIDs, thus it is a less t...
See more...
A temporary quick fix was changing "evt_resolve_ad_obj = 1" to "evt_resolve_ad_obj = 0" in inputs.conf, however this setting is responsible for automatic resolution of SIDs/GUIDs, thus it is a less than ideal approach. The long-term fix was to upgrade the UF to the latest codebase in 9.1.1. (If you don't want to go to 9.1, 9.0.6 appears to have the fix as well).
10-16-2023
10:02 AM
result is like such |table test_id test_id AB-17[3] AB-17[3] XY-17[2] XY-17[2] SI-17[1] SI-17[1] exactly above. 200% result. it should 100%, it's extracting twice? ...
See more...
result is like such |table test_id test_id AB-17[3] AB-17[3] XY-17[2] XY-17[2] SI-17[1] SI-17[1] exactly above. 200% result. it should 100%, it's extracting twice? i don't know..
10-16-2023
09:59 AM
1 Karma
Try like this (UPDATED) | rex "http(s)*:\/\/([^\/]+\/)+customer\/(?<customerId>[^\/]+)\/product\/(?<productId>[^\/]+)"
10-16-2023
09:57 AM
@gcusello Have a look in the ss able to see the data for last few days but not for last 3 days ,how to check that what is happen to the data for last 3 days .
10-16-2023
09:55 AM
Hi @Mohammed Saad.Shaikh,
Since this post is from 2019, it's unlikely to get a reply. I would suggest you re-ask this question on the forums so it gets more visibility from the community.
10-16-2023
09:54 AM
Please share the query that produced the results shown. Do you have any automatic field extractions defined?
10-16-2023
09:47 AM
My requirements are, using mulit-values, if DNS is listed in DNS_Matched, have matched=1
10-16-2023
09:46 AM
The results were literally the same as my originally search. My search is not different now than what I used from yours.
10-16-2023
09:33 AM
I'm trying to create a visual dashboard (specifically a column graph or bar chart) using index=guardium ruleDesc="OS Command Injection" | stats count by dbUser, DBName, serviceName, sql This ...
See more...
I'm trying to create a visual dashboard (specifically a column graph or bar chart) using index=guardium ruleDesc="OS Command Injection" | stats count by dbUser, DBName, serviceName, sql This is the graph I get: I would like to group these fields into categories on the chart where one part would show count of 1-5 then 6-10...and so on. Then I could drill down a specific bar within the count group to view the fields for that bar in a table format. How would I go about doing this. I am new to splunk and have been stuck finding the best way to represent this data. I was given this search statement and was told to make a visual dashboard of it.
10-16-2023
09:18 AM
On this page it states that we have to use An Amazon S3 or S3-API-compliant remote object storage location Azure blob storage Does anyone know if this will work with google cloud buckets as well?
10-16-2023
09:16 AM
using UF to send json file and below are the props.conf. [test_json] pulldown_type = true LINE_BREAKER = ([\r\n]+) INDEXED_EXTRACTIONS = json KV_MODE = none SHOULD_LINEMERGE = true AUTO_KV_JSO...
See more...
using UF to send json file and below are the props.conf. [test_json] pulldown_type = true LINE_BREAKER = ([\r\n]+) INDEXED_EXTRACTIONS = json KV_MODE = none SHOULD_LINEMERGE = true AUTO_KV_JSON = false category = Structured and from the inputs.conf also contain crcSalt = <SOURCE> result keep showing as below AB-17[3] AB-17[3] XY-17[2] XY-17[2] SI-17[1] SI-17[1] can't figure out the problem.
- Tags:
- prop.sconf
Labels
- Labels:
-
props.conf
-
universal forwarder
10-16-2023
09:14 AM
Also i have this url which has https://www-api.corp.google.com/google/com/customer/1015953/product/58870/create is there a way to regex and get these? 1015953 as customerId 58870 as productId
10-16-2023
09:04 AM
1 Karma
Hi @Sid , open a Case to Splunk Support, to be sure. Ciao. Giuseppe
10-16-2023
09:02 AM
Hi @Praz_123, let me understand: if you run this search: index=glo_pa_logs sourceType=abc:conf in the last 24 hours, have you results? have you results in the last 7 days? running this search...
See more...
Hi @Praz_123, let me understand: if you run this search: index=glo_pa_logs sourceType=abc:conf in the last 24 hours, have you results? have you results in the last 7 days? running this search: index=glo_pa_logs sourceType=abc:conf
| timechart span=1h count what are the results? Ciao. Giuseppe
10-16-2023
08:42 AM
1 Karma
Your filter to include weekends is "day_of_week="*"". The asterisk as wildcard doesn't work with "where" command. So either change your search to replace "where" with "search" OR change you...
See more...
Your filter to include weekends is "day_of_week="*"". The asterisk as wildcard doesn't work with "where" command. So either change your search to replace "where" with "search" OR change your include weekend filter. Either Change search to: `compliance("`console`", now(), -15d@d, mcafee,*, virus_, *, *, *)`
| eval day_of_week = lower(strftime(_time,"%A"))
| search NOT (day_of_week="saturday" OR day_of_week="sunday")
| chart count by virus_global
| sort virus_global OR change radio button to: <input type="radio" token="weekends" searchWhenChanged="true">
<label>Weekends</label>
<choice value="NOT (day_of_week="saturday" OR day_of_week="sunday")">Exclude Weekends</choice>
<choice value="true()">Include Weekends</choice>
<default>NOT (day_of_week="saturday" OR day_of_week="sunday")</default>
<initialValue>NOT (day_of_week="saturday" OR day_of_week="sunday").
</initialValue>
</input>
10-16-2023
08:41 AM
This is what I'm thinking. Matched=if(isnotnull(mvfind(DNS,Identified_Host_Formatted)) OR isnotnull(mvfind(DNS,DNS_Matched)),1,0) If it doesn't work then please include the exact query you're testi...
See more...
This is what I'm thinking. Matched=if(isnotnull(mvfind(DNS,Identified_Host_Formatted)) OR isnotnull(mvfind(DNS,DNS_Matched)),1,0) If it doesn't work then please include the exact query you're testing in your reply.
10-16-2023
08:37 AM
This didn't seem to work. I got error saying it could only use Boolean, or an error if around the if fucntion if I used isnotnull. Can you please type out waht you're thinking with the 3 clauses plea...
See more...
This didn't seem to work. I got error saying it could only use Boolean, or an error if around the if fucntion if I used isnotnull. Can you please type out waht you're thinking with the 3 clauses please?
10-16-2023
08:36 AM
The string following "AS" should be a valid field name or a partial field name with a wildcard. You can rename the field to something more verbose later in the query using rename.
10-16-2023
08:35 AM
So i am using the below search run over the past 365 days, however it is only providing me with the last month. How do i get the average monthly ingest (excluding weekends) for each month over the pa...
See more...
So i am using the below search run over the past 365 days, however it is only providing me with the last month. How do i get the average monthly ingest (excluding weekends) for each month over the past year?
index=_internal source=*license_usage.log* type="RolloverSummary" splunk_server=* NOT date_wday IN ("saturday", "sunday")
| stats avg(b) AS bytes BY date_month
| eval TB=(bytes/1024/1024/1024/1024)
- Tags:
- search
