I did exactly the same, but again it's fetching the next field. Please look at the screenshot.
source="rex-empty-string.txt" host="laptop" sourcetype="rexEmpty" | rex "WifiCountryDetails\"\:\"(?<WifiCountryDetails>\w+)\"" | stats count by WifiCountryDetails is working fine, as suggested previously; check the screenshot below. (Please note the rex command closely: I have edited your rex a little bit. I added `\"\:\"` before the capture group and `\"` after it.)
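A variant of the rex from this post, added here as an example and not taken from the thread, that also copes with the case the source file name points at: a value that is an empty string. `\w+` needs at least one word character, so an empty value produces no match; `[^\"]*` matches zero or more characters up to the closing quote, and a final eval labels empty and missing values separately so they show up in the stats rather than vanishing. The source, host and sourcetype are the ones from the post; the `<empty>` and `<missing>` labels are my own choice.

```spl
source="rex-empty-string.txt" host="laptop" sourcetype="rexEmpty"
| rex "WifiCountryDetails\"\s*:\s*\"(?<WifiCountryDetails>[^\"]*)\""
| eval WifiCountryDetails=case(
    isnotnull(WifiCountryDetails) AND WifiCountryDetails!="", WifiCountryDetails,
    match(_raw, "WifiCountryDetails\"\s*:\s*\"\""), "<empty>",
    true(), "<missing>")
| stats count by WifiCountryDetails
```

Splunk drops a field whose extracted value is the empty string, which is why the `case()` checks both `isnotnull()` and `!=""` before trusting the capture; the `match()` against `_raw` then distinguishes a key that was present but empty from a key that was not in the event at all.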
Can someone help me with the Splunk code that would be necessary to search for the Idemia Machines? Thank you Anthony
What error messages do you see? Are the indexes or the disk they're on full? Restarting or re-installing Splunk may help correct some causes of the problem, but not the most likely ones.
For Simple XML dashboards, see https://docs.splunk.com/Documentation/Splunk/9.1.1/Viz/tokens#Access_tokens_to_show_or_hide_user_interface_components .  For Dashboard Studio, see https://docs.splunk.com/Documentation/Splunk/9.1.1/DashStudio/setUpDashboard#Conditionally_show_or_hide_panels
The SEDCMD operation is performed at index time so changes will not be applied to existing data.  IOW, you will continue to see the field in events indexed before SEDCMD was changed.
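A search to confirm the index-time behaviour described in this reply, added as an example and not part of the thread. It assumes a placeholder sourcetype `my_sourcetype` and a change time you fill in; `_indextime` records when each event was written to the index, so events indexed before the SEDCMD change are expected to still contain the text, and events indexed after it should not. `XXXXXX` stands for the pattern from the SEDCMD in the question.

```spl
sourcetype=my_sourcetype earliest=-7d
| eval changed_at=strptime("2024-01-01 12:00:00", "%Y-%m-%d %H:%M:%S")
| eval indexed_after_change=if(_indextime >= changed_at, "yes", "no")
| eval still_present=if(match(_raw, "XXXXXX"), "yes", "no")
| stats count by indexed_after_change still_present
```

A row with `indexed_after_change=yes` and `still_present=yes` means the SEDCMD is not being applied to new data (wrong stanza, wrong component, or config not reloaded); rows with `indexed_after_change=no` and `still_present=yes` are the old events the reply refers to and will only disappear when they age out or are reindexed.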
I have a field called DNS whose field values contain the hostname in the lookup. There is also another field called Identified_Host that has similar values. I will show the difference below:

DNS                     Identified_Host
host1.domain.com        host1.domain.com
host1-admin.domain.com  host1.domain.com
host1-mgt.domain.com    host1.domain.com
host2.domain.com        host2.domain.com
host2-admin.com         host2.domain.com
host2-mgt.admin.com     host2.domain.com
host3.domain.com        host3.domain.com
host3-admin.com         host3.domain.com

From this example, it's shown that Identified_Host is the main name of the host. I need to find out which hosts in Identified_Host have values in DNS with the same name but also end with -admin and/or -mgt.
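One way to answer this with stats rather than a join, added as an example and not taken from the thread. It assumes the lookup is called `host_inventory.csv` (a placeholder); the role names `primary`, `admin`, `mgt` and `other` are my own labels. Comparing only the first DNS label against the first label of Identified_Host means the mixed domains in the sample (`host2-admin.com`, `host2-mgt.admin.com`) still classify correctly.

```spl
| inputlookup host_inventory.csv
| fields DNS Identified_Host
| eval dns_host=mvindex(split(DNS, "."), 0)
| eval base_host=mvindex(split(Identified_Host, "."), 0)
| eval role=case(
    dns_host==base_host, "primary",
    dns_host==base_host."-admin", "admin",
    dns_host==base_host."-mgt", "mgt",
    true(), "other")
| stats values(role) as roles values(DNS) as dns_names by Identified_Host
| where isnotnull(mvfind(roles, "^admin$")) OR isnotnull(mvfind(roles, "^mgt$"))
```

On the sample table this returns all three hosts with their roles and DNS names. Change the final `OR` to `AND` to keep only hosts that have both an -admin and an -mgt entry; the anchored regexes in `mvfind` stop `admin` from matching a future role such as `admin-backup`.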
Hi, For some reason we cannot receive data into _internal or any other index (all of them). Old indexes are still available through the database. It looks like a generic problem, not related to any specific index. All I can see is _audit. Maybe it's OK to back up $SPLUNK_HOME/etc and then reinstall the Splunk software? Or, if possible, restart some processes or modify a config file (inputs.conf, outputs.conf)? Rgds Geir
Hello all, I have created and applied the following configuration in props.conf: SEDCMD-XXXXX = s/XXXXXX//g The field I wanted deleted is deleted from the logs... or it appears that way. Looking at the raw logs, the field/values are not there, but once I expand it (with the tab in the upper-left corner of the log entry), the field is there...? As if that field/value pair was not deleted but hidden?? The field shows in the left-side column of "All Fields" too. Hope someone can guide/explain it; I have not been able to find an answer (if it even has one)... Thanks!
Hello, I am working on creating a dashboard to monitor some data flow info. This dashboard will have many panels, so I was thinking I could hide them all when loaded and then only display the ones that the user selects in a multiselect input (maybe there is a better way?). I am unsure how to accomplish this, though, or if it can even be done. Does anyone have any ideas on how I could accomplish this task? Thanks for the help!
worked great, thanks!
Hi @shai, good for you, see next time! let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
@gcusello  marking as default solved the issue. thank you very much.
The regex is looking for 3 characters between "authentication" and "failure", but the event contains only 1.  Try REGEX = \bauthentication\sfailure\b
Hello, We currently have the following chart created. I would like to show each district split by week over a 4-week time period as shown in the Administration bar below. However, I'm struggling to get the results we want. Any assistance would be greatly appreciated!

Base search:

```Grab badging data for the previous week``` index=* sourcetype="ms:sql" CARDNUM=* earliest=-4w@w latest=-0@w
| bin span=1d _time
| eval week_number=strftime(_time,"%U")
| dedup _time CARDNUM
| rename CARDNUM as badgeid
```lookup Ceridian and Active Directory and return fields associated with employeeID and badgeid``` | join type=left badgeid ```Use HR records to filter on only Active and LOA employees``` [search index=identities sourcetype="hr:ceridian" ("Employee Status"="Active" OR "Employee Status"="LOA*") earliest=-1d@d latest=@d | eval "Employee ID"=ltrim(tostring('Employee ID'),"0") | stats count by "Employee ID" | rename "Employee ID" as employeeID | fields - count ```Filter on Hybrid Remote users in Active Directory that are not Board Members and are in the Non-Branch region``` | lookup Employee_Data_AD_Extract.csv employeeID OUTPUT badgeid badgeid_1 RemoteStatus District employeeID Region]
| where like(RemoteStatus,"%Hybrid%") AND NOT like(District,"Board Members") AND Region="Non-Branches"
```Calculate the number of badge check-ins in a given week by badgeid``` | stats latest(Region) as Region latest(employeeID) as employeeID latest(District) as District latest(RemoteStatus) as status count as "weekly_badge_in" by badgeid week_number
```Compensate for temporary badge check-in (primary badge = badgeid, temporary badge = badgeid_1)``` | append [|stats latest(Region) as Region latest(employeeID) as employeeID latest(District) as District latest(RemoteStatus) as status count as "weekly_badge_in" by badgeid_1 week_number | rename badgeid_1 as badgeid ]
| eval interval=case('weekly_badge_in'>=3,">=3", 'weekly_badge_in'<3,"<3")
```Calculation to determine the number of employees within District that are Hybrid Remote but have not badged-in``` | join District [| inputlookup Employee_Data_AD_Extract.csv | fields badgeid badgeid_1 RemoteStatus District employeeID Region | where like(RemoteStatus,"%Hybrid%") AND NOT like(District,"Board Members") AND Region="Non-Branches" | stats count as total by District]
This thread is more than 2 years old with an accepted solution so it's unlikely to get many more responses.  If it does not solve your problem then please post a new question.
Hello, Our customer has decided to end use of Splunk in lieu of Sumo Logic, but we are looking to keep up internal use of Splunk due to 110GB worth of perpetual licensing we have left over. We are currently filtering out non-essentials, and for us one of the big players is Linux syslog. I am attempting to use transforms and props to filter out everything that isn't an authentication failure. The regular expression is looking for the string of text "authentication failure". I tested my regex in regex101 and everything checks out, but when I turn on the syslog sourcetype, the proverbial flood gates are still opening up. Can someone take a look at these and let me know what looks wrong here? The transforms are meant to bring in only events with "authentication failure" and toss out everything else.

Props.conf
[syslog]
TRANSFORMS-set=set_parsing,set_null

Transforms.conf
[set_parse]
REGEX = \bauthentication\b\s\bfailure\b
DEST_KEY = queue
FORMAT = indexQueue
[set_null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
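A corrected pair of stanzas for the "keep only these events, drop the rest" pattern, added here as an example and not taken from the thread. Two things in the posted config can be checked directly against it: props.conf references a transform named `set_parsing` while transforms.conf defines `[set_parse]`, and the names must match exactly; and the transforms in `TRANSFORMS-set` run in the order listed, with the last one that sets `DEST_KEY = queue` deciding where the event goes, so the catch-all nullQueue rule has to come first and the keep rule second (this is the order Splunk's documentation uses for this pattern). The regex is the simplified one suggested in the reply above.

```ini
# props.conf
[syslog]
TRANSFORMS-set = set_null, set_parse

# transforms.conf
# 1. Route everything to the null queue ...
[set_null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# 2. ... then send the events we want back to the index queue.
#    Listed second so it overrides set_null for matching events.
[set_parse]
REGEX = \bauthentication\sfailure\b
DEST_KEY = queue
FORMAT = indexQueue
```

These are index-time settings, so they have to live on the component that parses the data (the indexers or a heavy forwarder, not a universal forwarder), be picked up with a restart or config reload, and they only affect events received after that point; a quick `index=<your_index> sourcetype=syslog | stats count(eval(match(_raw, "authentication failure"))) as kept count` over the last few minutes shows whether anything other than the wanted events is still arriving.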
Hi @shai , in the [Settings > Roles > Indexes] Tab, are your index flagged also in the Default column? Ciao. Giuseppe
Hello, at the end we would like to put write instead of read: | table app label title dashboard-read-permission dashboard-write-permission app-write-permission app-read-permission
That's not optimal.  Try this alternative using stats. | stats count as Count, values(Workstation) as Workstation, values(Source_Network_Address) as Source_Network_Address by Affected | table Affected, Workstation, Source_Network_Address, Count | sort - Count This may yield multiple workstation or source address values for each Affected value.