Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
10-11-2023
04:58 AM
Name
sku
kit
NAC-D-CDSK-DLS-05.90
NAC-D
HJA-JEOE-DNDN-94.4.0
This my data, I want to replace with NAC-D to ANT-P for multiple values this is my search query
...
See more...
Name
sku
kit
NAC-D-CDSK-DLS-05.90
NAC-D
HJA-JEOE-DNDN-94.4.0
This my data, I want to replace with NAC-D to ANT-P for multiple values this is my search query
| eval sku = if(name=="",substr(kit,0,5),substr(name,0,5))
| eval sku=case(sku =="NAC-D","ANT-P ",sku =="DHV-K","ABD-U",true(),sku)
Labels
- Labels:
-
field extraction
-
fields
10-11-2023
04:55 AM
1 Karma
Hi @ApolloJ, you said that you need "bandwidth usage by uri". anyway, did my answer solve your request? If yes, please accept the answer, otherwise, tell me how can I help you. ciao. Giuseppe P...
See more...
Hi @ApolloJ, you said that you need "bandwidth usage by uri". anyway, did my answer solve your request? If yes, please accept the answer, otherwise, tell me how can I help you. ciao. Giuseppe P.S.: Karma Points are appreciated
10-11-2023
04:44 AM
Hi gcusello, Thanks for the reply. "By URI" is not necessary for my case (as I want all of them
10-11-2023
04:43 AM
Hi, I have created a custom app to implement ACME on search head cluster members with a script on bin folder that update files/certificates on 3 folders ./acme ./certs ./backup the content of th...
See more...
Hi, I have created a custom app to implement ACME on search head cluster members with a script on bin folder that update files/certificates on 3 folders ./acme ./certs ./backup the content of these folders are required to be different on each server (deployer and 3 members). How to correctly deploy/implement this configuration? Thanking you in advance, Graça
Labels
10-11-2023
04:24 AM
| appendpipe
[| stats count as _count
| where _count=0
| eval sum="100%"]
10-11-2023
04:14 AM
What if I want to show 100% in existing field. let say i have a sum field which showing 0, so i want to show 100% is there a way to do that?
10-11-2023
04:04 AM
If I have a lookup table that contains the following: error,priority
Unable to find any company of ID,P2
500 Internal Server Error,P1 And result query with fields: 500 Internal Server Error:...
See more...
If I have a lookup table that contains the following: error,priority
Unable to find any company of ID,P2
500 Internal Server Error,P1 And result query with fields: 500 Internal Server Error: {xxx} Unable to find any company of ID: xxx Using the below query only brings back direct matches: <search query> | lookup _error_message_prority error AS ErrorMessage OUTPUTNEW Priority AS Priority Is there a way to use wildcards, 'like' or 'contains' when using lookup tables in Splunk Cloud?
Labels
- Labels:
-
using Splunk Cloud
10-11-2023
03:54 AM
1 Karma
Try this one: index=_internal "Splunkd starting" sourcetype=splunkd component=loader AND host=*
| append
[| search index=_internal "splunkd started" sourcetype=splunkd_stderr AND host=*
...
See more...
Try this one: index=_internal "Splunkd starting" sourcetype=splunkd component=loader AND host=*
| append
[| search index=_internal "splunkd started" sourcetype=splunkd_stderr AND host=*
]
| eval st_{sourcetype}=1
| stats count sum(st_*) AS * earliest(_time) AS firstTime latest(_time) AS lastTime BY host
| eval uptime = tostring(now() - lastTime,"duration")
| foreach *Time
[| eval <<FIELD>>=strftime(<<FIELD>>,"%Y-%m-%d %H:%M:%S")
]
| table host count firstTime lastTime uptime *
10-11-2023
03:19 AM
Hello! According to ITSI documentation (https://docs.splunk.com/Documentation/ITSI/4.17.1/Configure/KVPerms) there is a KV store called "maintenance_calendar" that contains maintenance window detail...
See more...
Hello! According to ITSI documentation (https://docs.splunk.com/Documentation/ITSI/4.17.1/Configure/KVPerms) there is a KV store called "maintenance_calendar" that contains maintenance window details. I need to run some searches on the schedules, but I cannot access the data in the KV store due to the error: Is it possible to achieve what I am looking to do? Thank you and best regards, Andrew
Labels
10-11-2023
03:11 AM
Try something like this | appendpipe
[| stats count as _count
| where _count=0
| eval message="100%"]
10-11-2023
03:10 AM
1 Karma
Hi @ApolloJ, at first use always the index in the main search to have faster searches. then the uri is missed in your timechart and in the round option the approx is missed. Please try something l...
See more...
Hi @ApolloJ, at first use always the index in the main search to have faster searches. then the uri is missed in your timechart and in the round option the approx is missed. Please try something like this: index=your_index uri="/myappli/*"
| timechart span=10s sum(round(bytes/1024/1024,2)) AS MB BY uri Ciao. Giuseppe
10-11-2023
03:04 AM
Hi @AL3Z, blacklisting is in inputs.conf. transformas.conf and props.conf is the second solution described in the above link used to filter logs on Indexers or Heavy Forwarders (if present), when y...
See more...
Hi @AL3Z, blacklisting is in inputs.conf. transformas.conf and props.conf is the second solution described in the above link used to filter logs on Indexers or Heavy Forwarders (if present), when you cannot filter logs on the Universal forwarder. It isn't your situation: you have to find the exact regex, please try with my first regex, to insert in the blacklist option of your inputs.conf Ciao. Giuseppe
10-11-2023
02:57 AM
When can customers with existing SOAR instances expect to get migrated from the trial MC instance?
Labels
- Labels:
-
Mission Control
10-11-2023
02:49 AM
Hi @gcusello , I had gone through your one of the answer in the post https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-inputs-conf/td-p/598999 , But in my case there is no Transfo...
See more...
Hi @gcusello , I had gone through your one of the answer in the post https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-inputs-conf/td-p/598999 , But in my case there is no Transforms.conf in my windows_ta app,H ow we can apply the same in my case and stop the logs from ingesting into splunk ? Thanks
10-11-2023
02:48 AM
Hi, I want to simply know bandwidth usage by url (I span on 10s for not flooding) then I divide by 10 I wrote this, it seems ok (but not sure) - is it correct ? uri="/myappli/*" | timechart su...
See more...
Hi, I want to simply know bandwidth usage by url (I span on 10s for not flooding) then I divide by 10 I wrote this, it seems ok (but not sure) - is it correct ? uri="/myappli/*" | timechart sum(eval(round(bytes/1024/1024))) AS MB span=10s Thanks
10-11-2023
02:46 AM
what if I want to print 100.00% instead of zero
10-11-2023
02:45 AM
Hello MarcoAlves, did you find a solution for this? Regards
10-11-2023
02:44 AM
I want to see 100% when the "No results found. " message comes.
10-11-2023
02:41 AM
1 Karma
Assuming IP comes in from the look up as a multi-value field, you could try something like this: | inputlookup lookup_A
| eval tag="A"
| append
[ | inputlookup lookup_B
| eval tag="B" ]
| mvexpa...
See more...
Assuming IP comes in from the look up as a multi-value field, you could try something like this: | inputlookup lookup_A
| eval tag="A"
| append
[ | inputlookup lookup_B
| eval tag="B" ]
| mvexpand IP
| stats values(tag) as tag by Hostname IP
| nomv tag
| where tag="B"
10-11-2023
02:38 AM
Hi community Splunk, I have a issus when install Splunk Enterprise Security in Deployer. I have Splunk enviroment, it have 3 Search Head Cluster, 2 Indexer Cluster and 1 Master Node (Master Node is r...
See more...
Hi community Splunk, I have a issus when install Splunk Enterprise Security in Deployer. I have Splunk enviroment, it have 3 Search Head Cluster, 2 Indexer Cluster and 1 Master Node (Master Node is roles of Deployer and License Master) and all version Splunk Enterprise in each components is 9.1.0.2. I want to install Splunk ES 7.2 Apps to Search Head Cluster with guild of Splunk (https://docs.splunk.com/Documentation/ES/7.2.0/Install/InstallEnterpriseSecuritySHC ) . When i install Splunk ES Apps in Deployer, an error occurs as this image : Please help me the solution of this issue. Thanks for all the contributions!
