So I am using the below search run over the past 365 days, however it is only providing me with the last month. How do I get the average monthly ingest (excluding weekends) for each month over the past year?

index=_internal source=*license_usage.log* type="RolloverSummary" splunk_server=* NOT date_wday IN ("saturday", "sunday")
| stats avg(b) AS bytes BY date_month
| eval TB=(bytes/1024/1024/1024/1024)
The equal sign might be causing issues, escape them with backward slash. Also, the OR keyword between two stats fields is invalid, remove it.

index=abcd
| stats count(eval(searchmatch("https://drive.google.com/uc?export\=download&id\=1HGFF5ziAFGn8161CKQC$Xyuhni9PNK_X"))) as "https://drive.google.com/uc?export=download&id=1HGFF5ziAFGn8161CKQC$Xyuhni9PNK_X" count(eval(searchmatch("value2"))) as "value2"
thank you. much appreciated.
You'll want to backup your index data as well. https://docs.splunk.com/Documentation/Splunk/9.1.1/Indexer/Backupindexeddata
Assuming your value always starts with ESC, give this a try:

| rex "value\":\"(?<ESC>ESC[^\"]+)"
Hi There! I would like to include/exclude weekends in the search, so I had created a dropdown for that. I'm getting an error in the searches. My time format is 2023-10-15T13:11:20.000+05:30

My dropdown is:

<input type="radio" token="weekends" searchWhenChanged="true">
  <label>Weekends</label>
  <choice value="NOT (day_of_week=&quot;saturday&quot; OR day_of_week=&quot;sunday&quot;)">Exclude Weekends</choice>
  <choice value="day_of_week=&quot;*&quot;">Include Weekends</choice>
  <default>NOT (day_of_week="saturday" OR day_of_week="sunday")</default>
  <initialValue>NOT (day_of_week="saturday" OR day_of_week="sunday")</initialValue>
</input>

My search is:

`compliance("`console`", now(), -15d@d, mcafee,*, virus_, *, *, *)`
| eval day_of_week = lower(strftime(_time,"%A"))
| where NOT (day_of_week="saturday" OR day_of_week="sunday")
| chart count by virus_global
| sort virus_global

Thanks!
I have these multivalue fields where I am trying to rex and get a particular field value like "value":"ESC1000", but instead I am getting multiple. Tried with this but it shows all the field values:

| rex max_match=0 "value\":\"(?<ESC>[^\"]+)"

"productChanges":[
  {
    "Products":[
      {
        "productSpecContainmentID":"1",
        "changedCharacteristics":[
          { "characteristicID":"2", "value":"SERVICE" },
          { "characteristicID":"3", "value":"99" },
          { "characteristicID":"4", "value":"monthly" },
          { "characteristicID":"5", "value":"ESC1000" },
          { "characteristicID":"6", "value":"Discount" },
          { "characteristicID":"7", "value":"Escalation" },
          { "characteristicID":"8", "value":"AMOUNT" },
          { "characteristicID":"9", "value":"9" },
          { "characteristicID":"10", "value":"Y" },
          { "characteristicID":"11", "value":"N" }
        ],
        "temporaryID":"xxxaaaacccc"
      }
    ]
  }
]

Is there a way to get the required field value only, like above?
Try this query. The transpose command "rotates" the results table into the desired format.

| makeresults
| eval data="1997-10-10 15:35:13.046, CREATE_DATE=\"1997-10-10 13:36:22.742479\", LAST_UPDATE_DATE=\"1997-10-10 13:36:22.74\", ACTION=\"externalFactor\", STATUS=\"info\", DATA_STRING=\"<?xml version=\"1.0\" encoding=\"UTF-8\"?><externalFactor><current>parker</current><keywordp><encrypted>true</encrypted><keywordp>******</keywordp></keywordp><boriskhan>boriskhan1-CMX_PRTY</boriskhan></externalFactor>\" 1997-10-10 15:35:13.046, CREATE_DATE=\"1997-10-10 13:03:58.388887\", LAST_UPDATE_DATE=\"1997-10-10 13:03:58.388\", ACTION=\"externalFactor.RESPONSE\", STATUS=\"info\", DATA_STRING=\"<?xml version=\"1.0\" encoding=\"UTF-8\"?><externalFactorReturn><roleName>ROLE.CustomerManager</roleName><roleName>ROLE.DataSteward</roleName><pepres>false</pepres><externalFactor>false</externalFactor><parkeristrator>true</parkeristrator><current>parker</current></externalFactorReturn>"
| eval data=split(data," ")
| mvexpand data
| eval _raw=data
| fields - data
``` Everything above sets up demo data. Delete IRL ```
``` Extract keys and values ```
| rex max_match=0 "<(?<key>[^>]+)>(?<value>[^<]+)<\/\1>"
``` Match keys and values so they stay paired during mvexpand ```
| eval pairs=mvzip(key,value)
| mvexpand pairs
``` Separate key from value ```
| eval pairs=split(pairs,",")
``` Define key=value result ```
| eval key=mvindex(pairs,0), value=mvindex(pairs,1)
| fields key,value
| fields - _*
| transpose 0 header_field=key
Give this a try:

Your base search to get all workstation names, e.g.
| tstats count WHERE index=windows by host
| search NOT ([| inputlookup code_countries.csv | table alpha-2 | eval host='alpha-2'."*" | table host])
| where match(host,"^\w{3}\d+")
How do they appear in Splunk right now?
@richgalloway  Thanks for your support ,it really means a lot
@gcusello

No Recent Logs Found for Source: abc:conf
No Splunk ingestion for Glo_Pa Alxt Ingestion found in the last 24 hours for:
Index: glo_pa_logs
SourceType: abc:conf

How to find in SSH or in UI
did you resolve this? I am trying 6.1.1 on RHEL 7.9 and using the RHEL 7 install getting the same issue
Did you get this resolved in the end? having the same issue
Hi. I want to create a search that checks for the last user login date in AWS. I can see them in AWS IAM and there are a bunch of them that have last logged in more than 300 days ago, but it would be nice to see them in SPL. I would appreciate it if anyone could share their search or tell me how to build one. Thank you.
I am trying to use my Windows event data to update user IDs on Panorama, however, running the below query in my ES environment returns the error:

External search command 'panuserupdate' returned error code 2. Script output = "ERROR Unable to get apikey from firewall: local variable 'username' referenced before assignment ".

The query:

index=wineventlog host=xxxxxx
| mvexpand Security_ID
| mvexpand Source_Network_Address
| dedup Security_ID Source_Network_Address
| search Security_ID!="NULL SID"
| rename Security_ID as user
| rename Source_Network_Address as src_ip
| panuserupdate panorama=x.x.x.x serial=000000000000
| fields user src_ip

Brief overview of my data ingestion: Panorama syslog is ingested to Splunk Cloud through a heavy forwarder. The Palo Alto Add-on for Splunk is installed on both the HF and Splunk Cloud also, but no data is showing on the app. Every data is 0 0. Also I do have a user account in Panorama with API permissions.
It's great, I have all keys as field_header and all values as field_value assigned to a field called paris. So, here all keys and values are extracted in one field called paris. But I'm trying to extract field headers and field values from raw data, so as to search with the SPL query "index=index_name sourcetype=sourcetype | table current, encrypted, keywordp, boriskhan, rolename, prepres, externalFactor, parkeristrator".

So, what I got is field_header as paris and field_values as current=parker, encrypted=true, . . . .

paris
current=parker
encrypted=true
keywordp=******
boriskhan=1-CMX_PRTY
roleName=ROLE.CustomerManager
pepres=false
externalFactor=false
parkeristrator=true
current=parker

What the goal is: field_header_1 is current, field_header_2 is encrypted, field_header_3 is keywordp, as below, and to get the field headers showing up in Splunk interesting fields with their values.

current | encrypted | keywordp | boriskhan  | roleName             | pepres | externalFactor
parker  | true      | ******   | 1-CMX_PRTY | ROLE.CustomerManager | false  | false
Hi @AL3Z , if the above search doesn't work for you, but you want to filter for src_ip and dest_ip, you could try:

index=your_index sourcetype=your_sourcetype src_ip="xx.xx.xx.xx" dest_ip="yy.yy.yy.yy"
| stats values(dest_url) AS dest_url values(logs) AS logs sum(bytes_in) AS bytes_in sum(bytes_out) AS bytes_out
| eval traffic_MB_size=(bytes_in+bytes_out)/1024/1024

Ciao.
Giuseppe
What is the problem you are having with that query (other than the spelling errors)? FWIW, the value of the startswith argument must be a valid SPL search or eval expression. The current value is neither.
Hi @karimoss, in this case, you have to create a regex to search for ComputerName, something like this:

| regex ComputerName!="^(?![A-Z]{2}\d{6})"

Ciao.
Giuseppe