Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
10-16-2023
08:34 AM
So i am using the below search run over the past 365 days, however it is only providing me with the last month. How do i get the average monthly ingest (excluding weekends) for each month over the pa...
See more...
So i am using the below search run over the past 365 days, however it is only providing me with the last month. How do i get the average monthly ingest (excluding weekends) for each month over the past year?
index=_internal source=*license_usage.log* type="RolloverSummary" splunk_server=* NOT date_wday IN ("saturday", "sunday")
| stats avg(b) AS bytes BY date_month
| eval TB=(bytes/1024/1024/1024/1024)
10-16-2023
08:33 AM
The equal sign might be causing issues, escape them with backward slash. Also, the OR keyword between two stats fields is invalid, remove it. index=abcd | stats count(eval(searchmatch("https://drive...
See more...
The equal sign might be causing issues, escape them with backward slash. Also, the OR keyword between two stats fields is invalid, remove it. index=abcd | stats count(eval(searchmatch("https://drive.google.com/uc?export\=download&id\=1HGFF5ziAFGn8161CKQC$Xyuhni9PNK_X"))) as "https://drive.google.com/uc?export=download&id=1HGFF5ziAFGn8161CKQC$Xyuhni9PNK_X" count(eval(searchmatch("value2"))) as "value2"
10-16-2023
08:31 AM
thank you. much appreciated.
10-16-2023
08:14 AM
You'll want to backup your index data as well. https://docs.splunk.com/Documentation/Splunk/9.1.1/Indexer/Backupindexeddata
10-16-2023
08:07 AM
1 Karma
Assuming your value always starts with ESC, give this a try: | rex "value\":\"(?<ESC>ESC[^\"]+)"
10-16-2023
08:06 AM
Hi There! I would like to include/exclude weekend in the search, So i had created the dropdown for that, I'm getting error in the searches, My Time format is 2023-10-15T13:11:20.000+05:30 ...
See more...
Hi There! I would like to include/exclude weekend in the search, So i had created the dropdown for that, I'm getting error in the searches, My Time format is 2023-10-15T13:11:20.000+05:30 My dropdown is <input type="radio" token="weekends" searchWhenChanged="true"> <label>Weekends</label> <choice value="NOT (day_of_week="saturday" OR day_of_week="sunday")">Exclude Weekends</choice> <choice value="day_of_week="*"">Include Weekends</choice> <default>NOT (day_of_week="saturday" OR day_of_week="sunday")</default> <initialValue>NOT (day_of_week="saturday" OR day_of_week="sunday")</initialValue> </input> My search is `compliance("`console`", now(), -15d@d, mcafee,*, virus_, *, *, *)` | eval day_of_week = lower(strftime(_time,"%A")) | where NOT (day_of_week="saturday" OR day_of_week="sunday") | chart count by virus_global | sort virus_global Thanks!
10-16-2023
07:41 AM
I have this multivalue fields where i am tring to rex and get particular field value like "value":"ESC1000", but instead getting multiple. Tried with this but shows all the fields value | rex m...
See more...
I have this multivalue fields where i am tring to rex and get particular field value like "value":"ESC1000", but instead getting multiple. Tried with this but shows all the fields value | rex max_match=0 "value\":\"(?<ESC>[^\"]+)" "productChanges":[ { "Products":[ { "productSpecContainmentID":"1", "changedCharacteristics":[ { "characteristicID":"2", "value":"SERVICE" }, { "characteristicID":"3", "value":"99" }, { "characteristicID":"4", "value":"monthly" }, { "characteristicID":"5", "value":"ESC1000" }, { "characteristicID":"6", "value":"Discount" }, { "characteristicID":"7", "value":"Escalation" }, { "characteristicID":"8", "value":"AMOUNT" }, { "characteristicID":"9", "value":"9" }, { "characteristicID":"10", "value":"Y" }, { "characteristicID":"11", "value":"N" } ], "temporaryID":"xxxaaaacccc" } ] } ] Is there a way to get the required fields value only like above?
10-16-2023
07:26 AM
1 Karma
Try this query. The transpose command "rotates" the results table into the desired format. | makeresults
| eval data="1997-10-10 15:35:13.046, CREATE_DATE=\"1997-10-10 13:36:22.742479\", LAST_UPDA...
See more...
Try this query. The transpose command "rotates" the results table into the desired format. | makeresults
| eval data="1997-10-10 15:35:13.046, CREATE_DATE=\"1997-10-10 13:36:22.742479\", LAST_UPDATE_DATE=\"1997-10-10 13:36:22.74\", ACTION=\"externalFactor\", STATUS=\"info\", DATA_STRING=\"<?xml version=\"1.0\" encoding=\"UTF-8\"?><externalFactor><current>parker</current><keywordp><encrypted>true</encrypted><keywordp>******</keywordp></keywordp><boriskhan>boriskhan1-CMX_PRTY</boriskhan></externalFactor>\"
1997-10-10 15:35:13.046, CREATE_DATE=\"1997-10-10 13:03:58.388887\", LAST_UPDATE_DATE=\"1997-10-10 13:03:58.388\", ACTION=\"externalFactor.RESPONSE\", STATUS=\"info\", DATA_STRING=\"<?xml version=\"1.0\" encoding=\"UTF-8\"?><externalFactorReturn><roleName>ROLE.CustomerManager</roleName><roleName>ROLE.DataSteward</roleName><pepres>false</pepres><externalFactor>false</externalFactor><parkeristrator>true</parkeristrator><current>parker</current></externalFactorReturn>"
| eval data=split(data,"
")
| mvexpand data
| eval _raw=data
| fields - data
``` Everything above sets up demo data. Delete IRL ```
``` Extract keys and values ```
| rex max_match=0 "<(?<key>[^>]+)>(?<value>[^<]+)<\/\1>"
``` Match keys and values so they stayed paired during mvexpand ```
| eval pairs=mvzip(key,value)
| mvexpand pairs
``` Separate key from value ```
| eval pairs=split(pairs,",")
``` Define key=value result ```
| eval key=mvindex(pairs,0), value=mvindex(pairs,1)
| fields key,value
| fields - _*
| transpose 0 header_field=key
10-16-2023
07:21 AM
Give this a try Your base search to get all workstation names e.g. | tstats count WHERE index=windows by host
| searc NOT ([| inputlookup code_countries.csv | table alpha-2 | eval host='aplha-2'."*"...
See more...
Give this a try Your base search to get all workstation names e.g. | tstats count WHERE index=windows by host
| searc NOT ([| inputlookup code_countries.csv | table alpha-2 | eval host='aplha-2'."*" | table host])
| where match(host,"^\w{3}\d+")
10-16-2023
07:17 AM
How do they appear in Splunk right now?
10-16-2023
07:13 AM
1 Karma
@richgalloway Thanks for your support ,it really means a lot
10-16-2023
07:11 AM
@gcusello No Recent Logs Found for Source: abc:conf No Splunk ingestion for Glo_Pa Alxt Ingestion found in the last 24 hours for: Index: glo_pa_logs SourceType: abc:conf How to find in SSH o...
See more...
@gcusello No Recent Logs Found for Source: abc:conf No Splunk ingestion for Glo_Pa Alxt Ingestion found in the last 24 hours for: Index: glo_pa_logs SourceType: abc:conf How to find in SSH or in UI
10-16-2023
07:05 AM
did you resolve this? I am trying 6.1.1 on RHEL 7.9 and using the RHEL 7 install getting the same issue
10-16-2023
07:03 AM
Did you get this resolved in the end? having the same issue
10-16-2023
06:19 AM
Hi. I want to create a search that checks for last user login date in AWS. I can see them in AWS IAM and there are bunch of them that has last time logged in more than 300 days ago, but would be ni...
See more...
Hi. I want to create a search that checks for last user login date in AWS. I can see them in AWS IAM and there are bunch of them that has last time logged in more than 300 days ago, but would be nice to see them in SPL. I would appreciate if anyone can share their search or could tell me how to build one. Thank you.
10-16-2023
06:14 AM
I am trying to use my windows event data to update users ID on panorama, however, running the below query in my es environment returns the error : External search command 'panuserupdate' returned err...
See more...
I am trying to use my windows event data to update users ID on panorama, however, running the below query in my es environment returns the error : External search command 'panuserupdate' returned error code 2. Script output = "ERROR Unable to get apikey from firewall: local variable 'username' referenced before assignment ".
The Query
index=wineventlog host=xxxxxx
| mvexpand Security_ID
| mvexpand Source_Network_Address
| dedup Security_ID Source_Network_Address
| search Security_ID!="NULL SID"
| rename Security_ID as user
| rename Source_Network_Address as src_ip
| panuserupdate panorama=x.x.x.x serial=000000000000
| fields user src_ip
Brief overview of my data ingestion: Panorama syslog is ingested to splunk cloud through Heavy forwarder. Palo Alto Add on for Splunk is installed on both HF and Splunk Cloud also, but no data is showing on the app. Every data is 0 0. Also I do have a user account in Panorama with api permissions.
10-16-2023
06:09 AM
Its great, i have all key as in field_header and all valuesas in field_value assigned to a field called paris. So, here all key and value extracted in one field called paris. But, i'm trying to extra...
See more...
Its great, i have all key as in field_header and all valuesas in field_value assigned to a field called paris. So, here all key and value extracted in one field called paris. But, i'm trying to extract field headers and field values from raw data. As to search for SPL query "index=index_name sourcetype=sourcetype |table current, encrypted, keywordp,boriskhan, rolename, prepres, externalFactor, parkeristrator". so, what i got is field_header as paris and field_values as current=parker, encrypted=true, . . . . paris current=parker encrypted=true keywordp=****** boriskhan=1-CMX_PRTY roleName=ROLE.CustomerManager pepres=false externalFactor=false parkeristrator=true current=parker What goal is, field_header_1 is current, field_header_2 is encrypted, field_header_3 is keyword as below and to get field_headers showup in Splunk interesting fields with its values. current encrypted keywordp boriskhan roleName pepres externalFactor parker true ****** 1-CMX_PRTY ROLE.CustomerManager false false
10-16-2023
06:04 AM
1 Karma
Hi @AL3Z , if the above search doesn't work for you, but you want to filter for src_ip and dest_ip, you could try: index=your_index sourcetype=your_sourcetype src_ip="xx.xx.xx.xx" dest_ip="yy.yy.yy...
See more...
Hi @AL3Z , if the above search doesn't work for you, but you want to filter for src_ip and dest_ip, you could try: index=your_index sourcetype=your_sourcetype src_ip="xx.xx.xx.xx" dest_ip="yy.yy.yy.yy"
| stats
values(dest_url) AS dest_url
values(logs) AS logs
sum(bytes_in) AS bytes_in
sum(bytes_out) AS bytes_out
| eval traffic_MB_size=(bytes_in+bytes_out)/1024/1024 Ciao. Giuseppe
10-16-2023
06:03 AM
What is the problem you are having with that query (other than the spelling errors)? FWIW, the value of the startswith argument must be a valid SPL search or eval expression. The current value is n...
See more...
What is the problem you are having with that query (other than the spelling errors)? FWIW, the value of the startswith argument must be a valid SPL search or eval expression. The current value is neither.
10-16-2023
06:02 AM
Hi @karimoss, in this case, you have to create a regex to search for ComputerName: something like this: | regex ComputerName!="^?![A-Z]{2}\d{6}" Ciao. Giuseppe
