Thank you for the fast answer. Now I can see all columns, but the events in the statistics are separate and not grouped. Now I see, for example, 50 times one user and then another one 20 times, and so on.
Hi @gcusello, as written in the original post, the mode is Verbose.
Search IDs remain unchanged until the search expires, usually in 10 minutes, but sometimes longer.  After that, a new search must be started and a new SID generated.
Knowing what those blockers are would help us help you.  It would also help to know what search(es) you are running.
Sign in to the UF's CLI and run this btool command. It will show which settings will take effect at the next restart and the file each setting comes from.

splunk btool --debug inputs list
Please tell us more.  Were you successful at enabling boot-start?  What command did you use?  Did you do so as root?  What errors are reported when the UF tries to start automatically?
The stats command is a transforming one, meaning it changes the results so only the referenced fields exist. In this case, only the Count and Affected fields are available to subsequent commands. Perhaps the best fix is to use the eventstats command, which is not transforming.

| eventstats count as Count by Affected | table Affected, Workstation, Source_Network_Address, Count | sort - Count
Hi @Bleepie, did you try with dedup (https://docs.splunk.com/Documentation/SCS/current/SearchReference/DedupCommandOverview)?

<your_search> | dedup host | sort host | table host

But in this way you have only the list of hosts with events. If you want to check whether some hosts are missing, you have to create a lookup (called e.g. perimeter.csv) containing at least one column called host and then run a search like the following:

| tstats count WHERE index=your_index BY host | append [ | inputlookup perimeter.csv | eval count=0 | fields host count ] | stats sum(count) AS total BY host | where total=0

In this way, if you have results, the host is missing. Ciao. Giuseppe
If we are doing it for stats, it's not working, giving the same results as before. Can you please try with stats count by wificountrydetails instead of table?
Hello! We would like to extend our alarm for our users' monthly failed logons. I have created the following search. There is a problem with the table: it is not showing me the "Workstation" and "Source_Network_Address" fields, while Affected and Count are working fine. I did some troubleshooting and found out that the line with "stats count as" is the reason, as it works without that and then shows everything except Count, of course. Does anyone have an idea how I can create a table and a counter?

index=*..... (Account_Name="*" OR Group_Name="*") EventCode="4625" NOT EventCode IN ("4735", "4737", "4755") NOT Account_Name="*$*" Name | eval time=_time | eval Operator=mvindex(Account_Name, 0) | eval Affected=mvindex(Account_Name, 1) | eval Group=mvindex(Account_Name, 2) | eval Workstation=mvindex(Workstation_Name, 0) | eval Group=if(isnull(Group),Group_Name,Group) | eval Workstation=if(isnull(Workstation),"",Workstation) | eval Workstation=nullif(Workstation,"") | eval Affected=if(isnull(Affected),Account_Name,Affected) | eval ExpirationTime=if(isnull(Expiration_time),"",Expiration_time) | rex field=Message "(?<Message>[^\n]+)" | stats count as Count by Affected | table Affected, Workstation, Source_Network_Address, Count | sort -Count
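To make the transforming versus non-transforming distinction behind this thread concrete, here is an added Python model of the three result shapes (stats, eventstats, and stats with the extra fields collected per user); it is illustration code, not Splunk code and not from any post in the thread. The sample 4625 rows are constructed, and the SPL named in each docstring is the command the function imitates.

```python
from collections import Counter, defaultdict

# Constructed sample: one row per EventCode=4625 event after the eval steps
# in the question, already carrying the three fields the table needs.
EVENTS = [
    {"Affected": "alice", "Workstation": "WS01", "Source_Network_Address": "10.0.0.5"},
    {"Affected": "alice", "Workstation": "WS01", "Source_Network_Address": "10.0.0.5"},
    {"Affected": "alice", "Workstation": "WS07", "Source_Network_Address": "10.0.0.9"},
    {"Affected": "bob",   "Workstation": "WS02", "Source_Network_Address": "10.0.1.2"},
    {"Affected": "carol", "Workstation": "WS03", "Source_Network_Address": "10.0.2.8"},
    {"Affected": "carol", "Workstation": "WS03", "Source_Network_Address": "10.0.2.8"},
]


def stats_count_by(events, by):
    """Mimics `| stats count as Count by <by>`: transforming, so only the
    group-by field and Count survive; Workstation and the address are gone."""
    counts = Counter(e[by] for e in events)
    return [{by: k, "Count": n} for k, n in counts.items()]


def eventstats_count_by(events, by):
    """Mimics `| eventstats count as Count by <by>`: non-transforming, every
    event keeps all fields and gains Count, so one row per event remains
    (the "50 times one user" effect when piped straight into table)."""
    counts = Counter(e[by] for e in events)
    return [dict(e, Count=counts[e[by]]) for e in events]


def stats_count_values_by(events, by, keep):
    """Mimics `| stats count as Count values(<f>) as <f> by <by> | sort - Count`:
    one row per user, with the other fields kept as sorted multivalue lists."""
    groups = defaultdict(list)
    for e in events:
        groups[e[by]].append(e)
    rows = []
    for k, grp in groups.items():
        row = {by: k, "Count": len(grp)}
        for f in keep:
            row[f] = sorted({e[f] for e in grp})  # distinct values, like values()
        rows.append(row)
    return sorted(rows, key=lambda r: r["Count"], reverse=True)
```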
Hi @shai, which mode are you using in your searches? Did you try to use Verbose Mode? Ciao. Giuseppe
Let's try this (I have tested this on my laptop, it's working fine):

source="rex-empty-string.txt" host="laptop" sourcetype="rexEmpty" | rex "WifiCountryDetails\"\:\"(?<WifiCountryDetails>\w+)\"" | table _raw WifiCountryDetails
No, it's not working. Again it's taking the next field value, and we are gathering the count by using stats count by wificountrydetails.
The rex command in my previous reply works perfectly, please check it. As you are a new member, karma points / upvotes are appreciated; please help those who help you with your karma points. If any reply solved your issue, please accept it as "Accept as solution", thanks.
There is : in the place of wificountry details. It has to fetch it as it is, but it is fetching the next field value batpercent in the place of wificountry details.
178.197.202.134 SECURITY_MONITORING_AUTOMATION CAMERA_SYSTEMS VML4 VML4030 1697109816450 INFO 51D29C77A022A KU5TFBKH-1700-316-114351851 - statusInfo {"Type":"status","HardwareRevision":"H6","WifiCountryDetails":"","BatPercent":100,"BatTech":"Rechargeable","ChargerTech":"QuickCharger","ChargingState":"Off","Bat1Volt":7.931,"Temperature":24,"Battery1CaliVoltage":7.931,"Streamed":53395,"UserStreamed":1650,"MotionStreamed":7561,"IRLEDsOn":21054,"PoweredOn":11029385,"CameraOnline":11029337,"CameraOffline":48,"WifiConnectionCount":2,"WifiConnectionAttempts":2,"PIREvents":66,"FailedStreams":1,"FailedUpgrades":0,"SnapshotCount":0,"LogFrequency":2,"CriticalBatStatus":0,"ISPOn":57564,"TimeAtPlug":11025490,"TimeAtUnPlug":10979418,"PercentAtPlug":95,"PercentAtUnPlug":100,"ISPWatchdogCount":0,"ISPWatchdogCount2":0,"SecsPerPercentCurr":0,"SecsPerPercentAvg":0,"PirOorEvents":0,"DdrFailCnt":0,"carrierFw":"Generic","SignalStrengthIndicator":2,"SystemVersionString":"1.096.3.2_1.8.65.0_22","ID":534,"SystemFirmwareVersion":"1.096.3.2_30_0bad0df","HardwareVersion":"H6","SystemSerialNumber":"51D29C77A022A","TimeStamp":"2023-10-12T11:23:36+0000"}
Hi @sateesh250795, 1) can you provide some sample logs? 2) After the "WifiCountryDetails" field, do you have a "," or ":", etc.? Let me assume it is a comma (","); then let's try this rex:

rex "WifiCountryDetails\W+(?<WifiCountryDetails>[\w*\s*]+)\,"
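The empty-value problem in this thread can be reproduced outside Splunk. The following is an added Python example (not from any post, and not Splunk code) run against an abridged copy of the status line posted above: a loose pattern reproduces the symptom of grabbing the next key name, the pattern from the thread that requires \w+ simply fails to match an empty value, a strict pattern that accepts an empty value returns '', and parsing the JSON payload avoids the regex altogether. Note that Python names captures as (?P<name>...) where Splunk rex uses (?<name>...); the loose pattern is my assumption of what produces the "BatPercent" result, and the abridged log keeps only a few keys of the original.

```python
import json
import re

# Abridged copy of the status line from the thread (sample input for this
# example; the JSON payload carries an empty WifiCountryDetails value).
SAMPLE = ('178.197.202.134 SECURITY_MONITORING_AUTOMATION CAMERA_SYSTEMS VML4 VML4030 '
          '1697109816450 INFO 51D29C77A022A KU5TFBKH-1700-316-114351851 - statusInfo '
          '{"Type":"status","HardwareRevision":"H6","WifiCountryDetails":"","BatPercent":100,'
          '"BatTech":"Rechargeable","SystemSerialNumber":"51D29C77A022A"}')

# Assumed loose pattern that reproduces the symptom: \W+ swallows the whole
# ':"",' run after the key, and \w+ then captures the next key name.
LOOSE = re.compile(r'WifiCountryDetails\W+(?P<WifiCountryDetails>\w+)')

# The pattern suggested in the thread: it needs at least one word character
# between the quotes, so an empty value gives no match and no field at all.
THREAD = re.compile(r'WifiCountryDetails":"(?P<WifiCountryDetails>\w+)"')

# Strict pattern: anchor on the literal ":" delimiter and allow an empty
# value ([^"]* instead of \w+), so '' is extracted rather than nothing.
STRICT = re.compile(r'"WifiCountryDetails":"(?P<WifiCountryDetails>[^"]*)"')


def rex(pattern, line):
    """Return the named capture, or None when the pattern does not match
    (the same outcome as a Splunk rex that extracts nothing)."""
    m = pattern.search(line)
    return m.group("WifiCountryDetails") if m else None


def status_json(line):
    """Parse the JSON payload that follows 'statusInfo' instead of regexing
    it; values keep their native types and the empty string stays ''."""
    return json.loads(line[line.index("{"):])
```

Events whose rex extracts nothing are dropped by `stats count by WifiCountryDetails`, which is why the empty-string case has to be extracted explicitly or parsed as JSON.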
Hi @gcusello, thank you for your response. However, it does not explain the odd behaviour, because I use the admin role and in the settings page that you referred me to, all the indices are included. So can you explain what else I might be missing? Note that I witnessed this issue not only with indexes but also with sourcetypes. For example, searching for field=value yielded zero results, but searching field=value AND sourcetype=certail_type did return results...
I am getting blockers to group these different error messages from different exception events in our logs  
So, like... the table would be like: Error Message: Object reference not set to an instance of an object. description" : "{\"message\": \"Endpoint request timed out\ "message" : "EMERGENCY_SHUTDOWN || Products Not Available" ... such kinds of different error messages with their number of occurrences.