Please tell us more.  Were you successful at enabling boot-start?  What command did you use?  Did you do so as root?  What errors are reported when the UF tries to start automatically?
The stats command is a transforming one, meaning it changes the results so only the referenced fields exist. In this case, only the Count and Affected fields are available to subsequent commands. Perhaps the best fix is to use the eventstats command, which is not transforming.
| eventstats count as Count by Affected | table Affected, Workstation, Source_Network_Address, Count | sort - Count
Hi @Bleepie, did you try with dedup (https://docs.splunk.com/Documentation/SCS/current/SearchReference/DedupCommandOverview)?
<your_search> | dedup host | sort host | table host
But in this way you have only the list of hosts with events. If you want to check whether there are some missing hosts, you have to create a lookup (called e.g. perimeter.csv) containing at least one column called host and then run a search like the following:
| tstats count WHERE index=your_index BY host | append [ | inputlookup perimeter.csv | eval count=0 | fields host count ] | stats sum(count) AS total BY host | where total=0
In this way, if you have results the host is missing. Ciao. Giuseppe
If we are doing it with stats it's not working... giving the same results as before... can you please try stats count by wificountrydetails instead of table.
Hello! We would like to extend our alarm for our users' monthly failed logons. I have created the following search. There is a problem with the table: it is not showing me the "Workstation" and "Source_Network_Address" fields, while Affected and Count are working fine. I did some troubleshooting and found out that the command line with "stats count as" is the reason, as it works without that and shows everything except Count, of course. Does anyone have an idea how I can create a table and a counter?
index=*..... (Account_Name="*" OR Group_Name="*") EventCode="4625" NOT EventCode IN ("4735", "4737", "4755") NOT Account_Name="*$*" Name | eval time=_time | eval Operator=mvindex(Account_Name, 0) | eval Affected=mvindex(Account_Name, 1) | eval Group=mvindex(Account_Name, 2) | eval Workstation=mvindex(Workstation_Name, 0) | eval Group=if(isnull(Group),Group_Name,Group) | eval Workstation=if(isnull(Workstation),"",Workstation) | eval Workstation=nullif(Workstation,"") | eval Affected=if(isnull(Affected),Account_Name,Affected) | eval ExpirationTime=if(isnull(Expiration_time),"",Expiration_time) | rex field=Message "(?<Message>[^\n]+)" | stats count as Count by Affected | table Affected, Workstation, Source_Network_Address, Count | sort -Count
Hi @shai, which Mode are you using in your searches? Did you try to use Verbose Mode? Ciao. Giuseppe
Let's try this (I have tested this on my laptop, it's working fine):
source="rex-empty-string.txt" host="laptop" sourcetype="rexEmpty" | rex "WifiCountryDetails\"\:\"(?<WifiCountryDetails>\w+)\"" | table _raw WifiCountryDetails
No, it's not working. Again it's taking the next field value... and we are gathering the count by using stats count by wificountrydetails...
The rex command in my previous reply works perfectly, please check it. As you are a new member, karma points / upvotes are appreciated; please help those who help you with your karma points. If any reply solved your issue, please accept it with "Accept as solution", thanks.
There is a ":" in the place of WifiCountryDetails... it has to fetch it as it is, but it is fetching the next field value, BatPercent, in the place of WifiCountryDetails.
178.197.202.134 SECURITY_MONITORING_AUTOMATION CAMERA_SYSTEMS VML4 VML4030 1697109816450 INFO 51D29C77A022A KU5TFBKH-1700-316-114351851 - statusInfo {"Type":"status","HardwareRevision":"H6","WifiCountryDetails":"","BatPercent":100,"BatTech":"Rechargeable","ChargerTech":"QuickCharger","ChargingState":"Off","Bat1Volt":7.931,"Temperature":24,"Battery1CaliVoltage":7.931,"Streamed":53395,"UserStreamed":1650,"MotionStreamed":7561,"IRLEDsOn":21054,"PoweredOn":11029385,"CameraOnline":11029337,"CameraOffline":48,"WifiConnectionCount":2,"WifiConnectionAttempts":2,"PIREvents":66,"FailedStreams":1,"FailedUpgrades":0,"SnapshotCount":0,"LogFrequency":2,"CriticalBatStatus":0,"ISPOn":57564,"TimeAtPlug":11025490,"TimeAtUnPlug":10979418,"PercentAtPlug":95,"PercentAtUnPlug":100,"ISPWatchdogCount":0,"ISPWatchdogCount2":0,"SecsPerPercentCurr":0,"SecsPerPercentAvg":0,"PirOorEvents":0,"DdrFailCnt":0,"carrierFw":"Generic","SignalStrengthIndicator":2,"SystemVersionString":"1.096.3.2_1.8.65.0_22","ID":534,"SystemFirmwareVersion":"1.096.3.2_30_0bad0df","HardwareVersion":"H6","SystemSerialNumber":"51D29C77A022A","TimeStamp":"2023-10-12T11:23:36+0000"}
Hi @sateesh250795.. 1) Can you provide some sample logs? 2) After the "WifiCountryDetails" field, do you have a "," or ":", etc.? Let me assume it is a comma (",")... then let's try this rex:
rex "WifiCountryDetails\W+(?<WifiCountryDetails>[\w*\s*]+)\,"
Hi @gcusello, thank you for your response. However, it does not explain the odd behaviour, because I use the admin Role and in the settings page that you referred me to, all the indices are included. So can you explain what else I might be missing? Note that I witnessed this issue not only with indexes but with sourcetype: for example, searching for field=value yielded zero results but searching field=value AND sourcetype=certail_type did return results...
I am getting blockers to group these different error messages from different exception events in our logs  
So, like... the table would be like: Error Message: Object reference not set to an instance of an object. description" : "{\"message\": \"Endpoint request timed out\ "message" : "EMERGENCY_SHUTDOWN || Products Not Available" ...such kinds of different error messages with their number of occurrences.
Hi all,
rex "WifiCountryDetails\W+(?<WifiCountryDetails>[\w*\s*]+)"
We are using the above rex for getting the Wi-Fi country details... But the problem is that while fetching the data, if the Wi-Fi country name is empty it automatically gathers the next field value in it. If the wificountrydetails are empty it has to show empty in the data; please let me know how to achieve it.
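As an added example (not code from any poster in this thread), the rex from this question and a corrected pattern are run in Python against the sample event posted above, trimmed to its first few JSON keys; the populated value "CH" in the second event is constructed. Python's `re` needs the `(?P<name>...)` group syntax where Splunk's PCRE uses `(?<name>...)`; the patterns are otherwise identical.

```python
import re

# Sample event from the thread, trimmed to the fields that matter here
# (the original line carries many more JSON keys after BatTech).
EVENT_EMPTY = ('178.197.202.134 SECURITY_MONITORING_AUTOMATION CAMERA_SYSTEMS VML4 VML4030 '
               '1697109816450 INFO 51D29C77A022A KU5TFBKH-1700-316-114351851 - statusInfo '
               '{"Type":"status","HardwareRevision":"H6","WifiCountryDetails":"",'
               '"BatPercent":100,"BatTech":"Rechargeable"}')
# Constructed variant with a populated country value, to show both cases.
EVENT_FILLED = EVENT_EMPTY.replace('"WifiCountryDetails":""', '"WifiCountryDetails":"CH"')

# The rex from the question. \W+ is greedy over ALL non-word characters, so on an
# empty value it swallows  ":"","  (including the closing quote and the comma)
# and the class [\w*\s*]+ then lands on the next key, capturing "BatPercent".
ORIGINAL = re.compile(r'WifiCountryDetails\W+(?P<WifiCountryDetails>[\w*\s*]+)')

# Corrected pattern: anchor on the literal  ":"  and capture up to the next quote
# with [^"]*, which legitimately matches zero characters for an empty value.
FIXED = re.compile(r'"WifiCountryDetails":"(?P<WifiCountryDetails>[^"]*)"')


def extract(pattern: re.Pattern, event: str):
    """Return the captured WifiCountryDetails value, or None if no match."""
    m = pattern.search(event)
    return m.group("WifiCountryDetails") if m else None


if __name__ == "__main__":
    for label, event in (("empty", EVENT_EMPTY), ("filled", EVENT_FILLED)):
        print(f"{label:6} original={extract(ORIGINAL, event)!r} "
              f"fixed={extract(FIXED, event)!r}")
```

If Splunk drops the empty capture rather than keeping it as an empty field, an `| eval WifiCountryDetails=coalesce(WifiCountryDetails, "")` after the rex gives the stats command a value to count.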
Hi @bowesmana, thank you for your response. I need a regular expression to extract the correlation_id because I want to calculate the average time taken between two source events. The samples I provided are as follows: correlation_id: "['321e2253-443a-41f1-8af3-81dbdb8bcc77']" correlation_id: "11315ad3-02a3-419d-a656-85972e07a1a5" These are two log formats: one is in array format and the other a normal value. Thanks in advance.
Hi @vennemp, were you able to get the issue fixed? I am facing the same issue with the OKTA Splunk SAML integration.
Thank you for your message. I checked all occurrences of the original app name in all files and found that in many .py files the original name was used, so I replaced those with the new name. Now the inputs.conf seems to work and I can see logs; the issue I have now is that the UI of the app shows a new error: "Configuration page failed to load, the server reported internal errors which may indicate you do not have access to this page." I am checking again what other replacements I need to do.
Hi, how do I limit the results per host? I have any (random) search query. I have 10 hosts. For each host, hundreds of events are shown. In a statistics table, I want to show only 1 event per host. This way, I can check if each host has the logfile. It doesn't matter what the contents of the logfile are. How do I perform this search? This statistics table, or Splunk dashboard, will have the following function: check if the log exists on every server.