All Posts

Trying to edit the email subject line of alerts I am receiving. I have tried adding host=$host$ to the base search and in the subject line and was unsuccessful. I have tried using the $result.host$ macro and was unsuccessful as well. The search looks like:

| stats latest(cpu_load_percent) AS "CPU Utilization" by host _time
| where 'CPU Utilization' >= 95
| dedup host
Matching hour of day is exactly why you cannot use an inputlookup subsearch. But now you want 9 - 5:30 instead of 9 - 5; this means that we need to consider %M as well.

| mstats some filters
| <some more sophisticated filters>
| eval Date = split(strftime(_time, "%m/%d/%Y:%H%M"), ":")
| eval tod = mvindex(Date, 1), Date = mvindex(Date, 0)
| lookup mylookup Date
| where NOT (Description == "Bank holiday" AND tod > 900 AND tod < 1730)
Kindly help me with a new SPL. I am getting results for the existing SPL below. I tried applying a new condition in the existing SPL, EventID=4662 Properties=*EncryptedDSRMPasswordHistory, but I am getting unwanted results for EventID 4662. So I want the existing SPL result to be compared with the new condition below and the result filtered if the Properties result has "msLAPS-Password".

New Condition:
index=winsec_prod EventID=4662 Properties=*EncryptedDSRMPasswordHistory*

Existing SPL:
index=winsec_prod 4794 OR (4657 AND DSRMAdminLogonBehavior) OR ((4104 OR 4103) AND DsrmAdminLogonBehavior)
| search ((EventCode=4794) OR (EventCode=4657 ObjectName="*HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior*") OR (EventCode IN (4104,4103) ScriptBlockText="*DsrmAdminLogonBehavior*"))
| eval username=coalesce(src_user,user,user_id), Computer=coalesce(Computer,ComputerName)
| stats values(dest) values(Object_Name) values(ScriptBlockText) by _time, index, sourcetype, EventCode, Computer, username
| rename values(*) as *
I see that the time tokens are symbolic, not actual time values. In that case, use addinfo as @fredclown suggested. Just a couple of tweaks, one to make the search faster if there are lots of events, the other syntactic.

index=... Host=HostName "User ID"=*
| stats count by "User ID"
| addinfo ``` magical command goes anywhere, but less work in fewer rows ```
| stats avg(eval(count*86400/(info_max_time - info_min_time))) as average
Figured it out, just didn't enter anything into the optional Cloud App Security Token, Tenant Subdomain, or Tenant Data Center fields and that got it working again.
@yuanliu Thanks for the query. Just wanted to update that I was able to get the results that are not on the holiday date, but got stuck on how to also put a filter on the hour (9 AM - 5:30 PM on holidays). The query I used to exclude events on holidays:

| search NOT [| inputlookup holidays.csv | rename HolidayDate as Date | fields Date ]
Can you please assist with a valid solution for the above query?
When I do a query for the percentage of success to the total jobs it gives the result 87.716, but when I see it on the dashboard it gives the result 90.
Why do you escape the quotes? You don't need to do that.
That fixed the parenthesis error, but now I'm receiving this error: Thank you for your time!
As you said "I" (you) have created the lookup table, my advice is to enter Date as epoch time if possible. (Splunk itself can help with that using commands like outputlookup.) If you must use a human-readable format such as "%m/%d/%Y" as your screenshot suggests, you need to convert your event _time to that same format. Something like:

| mstats some filters
| <some more sophisticated filters>
| eval Date = split(strftime(_time, "%m/%d/%Y:%H"), ":")
| eval hour = mvindex(Date, 1), Date = mvindex(Date, 0)
| lookup mylookup Date
| where NOT (Description == "Bank holiday" AND hour > 8 AND hour < 18)

Hope this helps.
Hi, I have a main dashboard "MFA Compliance Rate" as shown in the screenshot below. I have enabled the drilldown feature in the "MFA Compliance Rate Per Country" panel of the main dashboard. The drilldown dashboard name is "Country_Compliance" in the same Splunk app. I am able to pass country data from the main dashboard to the drilldown dashboard; the screenshot below shows the on-click config. I want to pass a dropdown field value from the main dashboard to the drilldown dashboard. For example: I want to pass the "Business-Unit" dropdown value to the drilldown dashboard along with the "country" value after clicking on a particular country bar in the "MFA Compliance Rate Per Country" panel of the main dashboard. Help me out with how to pass the dropdown value to the drilldown dashboard. Thanks, Abhineet Kumar
list.entry{}.fields is not itself a valid JSON path, but merely Splunk's own flat representation of one element in the JSON array list.entry[]. Therefore it cannot be used in the spath command. Splunk's representation of a JSON array is {}, such as list.entry{}. The search you are looking for is

| fields - list.entry{}.* ``` these are distractions if you want to access full array ```
| spath path=list.entry{}
| mvexpand list.entry{}
| spath input=list.entry{}

After this, you will have JSON node list[].fields.* extracted as fields.*. Your sample data would give two rows with the following fields:

Row 1: created=1682416024092, createdBy=(empty), fields.AppKey001=ABC, fields.AutoTestCount001=1657, fields.Engaged=1, fields.NumBARes001=3, fields.NumDevRes001=11111, fields.ProdGroup001=1, fields.Project=Registration Employee Directory Services, fields.QEResIND001=5, fields.QEResLoc001=3, fields.QEResLoc002=3, fields.QEResLoc003=3, fields.QEResSGP001=0.5, fields.QEResTOR001=1, fields.RelSupport001=0, fields.SITBugs001=31, fields.UnitTest001=0, fields.engStartDate=1538452800000, fields.lastUpdated=1695960000000, id=e70dbd86-53cf-4782-aa84-cf28cde16c86, list.entry{}={ "recordId": 7, "created": 1682416024092, "id": "e70dbd86-53cf-4782-aa84-cf28cde16c86", "fields": { "NumDevRes001": 11111, "NumBARes001": 3, "lastUpdated": 1695960000000, "engStartDate": 1538452800000, "RelSupport001": 0, "UnitTest001": 0, "Engaged": 1, "ProdGroup001": 1, "QEResSGP001": 0.5, "QEResTOR001": 1, "QEResLoc001": 3, "SITBugs001": 31, "QEResIND001": 5, "QEResLoc003": 3, "QEResLoc002": 3, "Project": "Registration Employee Directory Services", "AutoTestCount001": 1657, "AppKey001": "ABC" }, "ownedBy": "TEST1" }, ownedBy=TEST1, recordId=7, total=64

Row 2: created=1682416747947, createdBy=TEST2, fields.AppKey001=ABC, fields.AutoTestCount001=1657, fields.Engaged=1, fields.NumBARes001=3, fields.NumDevRes001=22222, fields.ProdGroup001=1, fields.Project=Registration Employee Directory Services, fields.QEResIND001=5, fields.QEResLoc001=3, fields.QEResLoc002=3, fields.QEResLoc003=3, fields.QEResSGP001=0.5, fields.QEResTOR001=1, fields.RelSupport001=0, fields.SITBugs001=31, fields.UnitTest001=0, fields.engStartDate=1538452800000, fields.lastUpdated=1695960000000, id=91e88ae6-0b64-48fc-b8ed-4fcfa399aa3e, list.entry{}={ "recordId": 8, "createdBy": "TEST2", "created": 1682416747947, "id": "91e88ae6-0b64-48fc-b8ed-4fcfa399aa3e", "fields": { "NumDevRes001": 22222, "NumBARes001": 3, "lastUpdated": 1695960000000, "engStartDate": 1538452800000, "RelSupport001": 0, "UnitTest001": 0, "Engaged": 1, "ProdGroup001": 1, "QEResSGP001": 0.5, "QEResTOR001": 1, "QEResLoc001": 3, "SITBugs001": 31, "QEResIND001": 5, "QEResLoc003": 3, "QEResLoc002": 3, "Project": "Registration Employee Directory Services", "AutoTestCount001": 1657, "AppKey001": "ABC" }, "ownedBy": "TEST2" }, ownedBy=TEST2, recordId=8, total=64

Here is an emulation (correcting for one minor JSON syntax error) you can play with and compare with real data:

| makeresults
| eval _raw = "{ \"total\": 64, \"list\": { \"entry\": [ { \"recordId\": 7, \"created\": 1682416024092, \"id\": \"e70dbd86-53cf-4782-aa84-cf28cde16c86\", \"fields\": { \"NumDevRes001\": 11111, \"NumBARes001\": 3, \"lastUpdated\": 1695960000000, \"engStartDate\": 1538452800000, \"RelSupport001\": 0, \"UnitTest001\": 0, \"Engaged\": 1, \"ProdGroup001\": 1, \"QEResSGP001\": 0.5, \"QEResTOR001\": 1, \"QEResLoc001\": 3, \"SITBugs001\": 31, \"QEResIND001\": 5, \"QEResLoc003\": 3, \"QEResLoc002\": 3, \"Project\": \"Registration Employee Directory Services\", \"AutoTestCount001\": 1657, \"AppKey001\": \"ABC\" }, \"ownedBy\": \"TEST1\" }, { \"recordId\": 8, \"createdBy\": \"TEST2\", \"created\": 1682416747947, \"id\": \"91e88ae6-0b64-48fc-b8ed-4fcfa399aa3e\", \"fields\": { \"NumDevRes001\": 22222, \"NumBARes001\": 3, \"lastUpdated\": 1695960000000, \"engStartDate\": 1538452800000, \"RelSupport001\": 0, \"UnitTest001\": 0, \"Engaged\": 1, \"ProdGroup001\": 1, \"QEResSGP001\": 0.5, \"QEResTOR001\": 1, \"QEResLoc001\": 3, \"SITBugs001\": 31, \"QEResIND001\": 5, \"QEResLoc003\": 3, \"QEResLoc002\": 3, \"Project\": \"Registration Employee Directory Services\", \"AutoTestCount001\": 1657, \"AppKey001\": \"ABC\" }, \"ownedBy\": \"TEST2\" } ] } }"
| spath ``` data emulation above ```
Hi, I have an alert query that uses mstats. I want this query to not throw an alert during public holidays (from 9 AM to 5 PM). I have created a lookup holidays.csv with columns "Date","Description". How can I use this lookup with the existing mstats command to check for the date and time in the lookup file, and if it is in the time range in the file then not trigger the alert (or probably not search)? Thanks in advance. Lookup file:
I have a search result which gives 2 columns, country_name and bytes of data transferred. How can I create a map visualization out of this that shows how many bytes were transferred to each country? Thanks
Please use the body of the message to ask your question.  Tell us how the search results differ when run in a dashboard.
@bowesmana I've used this code to check on the values:

<html>
<h3>Token values</h3>
<table border="0" cellpadding="12" cellspacing="0">
<tr>
<td>
<p><b>Time range (epoch time)</b></p>
<p>
<b>$$timeSelect1.earliest$$</b>: $timeSelect1.earliest$<br/>
<b>$$timeSelect1.latest$$</b>: $timeSelect1.latest$<br/>
<b>$$timeSelect1.earliest_ts$$</b>: $timeSelect1.earliest_ts$<br/>
<b>$$timeSelect1.latest_ts$$</b>: $timeSelect1.latest_ts$<br/>
<b>$$earliest$$</b>: $earliest$<br/>
<b>$$latest$$</b>: $latest$<br/>
<b>$$table_minutes_away$$</b>: $table_minutes_away$<br/>
<b>$$drilldownsettingtimerange$$</b>: $drilldownsettingtimerange$<br/>
</p>
</td>
<td>
<p><b>Filter Values</b></p>
<p>
<b>$$displayUnits$$</b>: $displayUnits$<br/>
<b>$$filterBy$$</b>: $filterBy$<br/>
<b>$$removeParam$$</b>: $removeParam$<br/>
<b>$$rankBy$$</b>: $rankBy$<br/>
<b>$$filterNWCompletionCode$$</b>: $filterNWCompletionCode$<br/>
<b>$$filterNWPredictionCode$$</b>: $filterNWPredictionCode$<br/>
<b>$$useLoad$$</b>: $useLoad$<br/>
<b>$$showLive$$</b>: $showLive$<br/>
</p>
</td>
<td>
<p><b>Click Values</b></p>
<p>
<b>$$job.runDuration$$</b>: $job.runDuration$<br/>
<b>$$whereclick$$</b>: $whereclick$<br/>
<b>$$clickname$$</b>: $click.name$<br/>
<b>$$clickvalue$$</b>: $click.value$<br/>
<b>$$clickname2$$</b>: $click.name2$<br/>
<b>$$clickvalue2$$</b>: $click.value2$<br/>
<b>$$clickearly$$</b>: $clickearly$<br/>
<b>$$clicklate$$</b>: $clicklate$<br/>
<b>$$row.duration$$</b>: $row.duration$<br/>
<b>$$rownode$$</b>: $rownode$</p>
</td>
<td>
<p><b>Search Values</b></p>
<p>
<b>$$radar|s$$</b>: $radar|s$<br/>
<b>$$form.pre_source$$</b>: $form.pre_source$<br/>
<b>$$form.source|s$$</b>: $form.source|s$<br/>
<b>$$source$$</b>: $source$<br/>
<b>$$form.terms|s$$</b>: $form.terms|s$<br/>
<b>$$terms$$</b>: $terms$<br/>
<b>$$subsystems|s$$</b>: $subsystems|s$<br/>
<b>$$categories|s$$</b>: $categories|s$<br/>
<b>$$hidden$$</b>: $hidden$<br/>
<b>$$mlModelsAvailable$$</b>: $mlModelsAvailable$</p>
</td>
<td>
<p><b>Search Values</b></p>
<p><b>$$search_results$$</b>: $search_results$<br/></p>
</td>
</tr>
</table>
</html>

This is what I see when I click on any part of the stacked charts (no difference in values):
index="jenkins_console" source="*-deploy/*" NOT (source="*/gremlin-fault-injection-deploy/*" OR source="*pipe-test*" OR source="*java-validation-*") ("Approved by" OR "*Finished:*")
| fields source
| stats count(eval(match(_raw, "Approved by"))) as count_approved, count(eval(match(_raw, ".*Finished:*."))) as count_finish by source
| where count_approved > 0 AND count_finish > 0
| stats dc(source) as Total
| appendcols [ search(index="jenkins_console" source="*-deploy/*" NOT (source="*/gremlin-fault-injection-deploy/*" OR source="*pipe-test*" OR source="*java-validation-*") ("Finished: UNSTABLE" OR "Finished: SUCCESS" OR "Approved by" OR "Automatic merge*" OR "pushed branch tip is behind its remote" OR "WARNING: E2E tests did not pass"))
    | fields source host
    | stats count(eval(match(_raw, "Approved by"))) as count_approved, count(eval(match(_raw, "Finished: SUCCESS"))) as count_success, count(eval(match(_raw, "Finished: UNSTABLE"))) as count_unstable, count(eval(match(_raw, "Automatic merge.*failed*."))) as count_merge_fail, count(eval(match(_raw, "WARNING: E2E tests did not pass"))) as count_e2e_failure, count(eval(match(_raw, "pushed branch tip"))) as count_branch_fail by source, host
    | where count_approved > 0 AND (count_success > 0 OR (count_unstable > 0 AND (count_merge_fail > 0 OR count_branch_fail > 0 OR count_e2e_failure > 0)))
    | stats dc(source) as success ]
| stats avg(success) as S, avg(Total) as T
| eval percentage=( S / T * 100)
| fields percentage, success, Total
That was my omission. (Syntax is explained in lookup.) I assume that you are trying to match the "host" field in the following. (Also, you need to control letter case in the table to all lower case.)

| metasearch (index=os_* OR index=perfmon_*)
| dedup host
| eval host=lower(host)
```| eval eventTime=_time | convert timeformat="%Y/%m/%d %H:%M:%S" ctime(eventTime) AS LastEventTime | fields host eventTime LastEventTime index ^^^ the above is not calculated or used ```
| lookup host_lookup host output host AS matchhost
| append [inputlookup host_lookup | rename host AS tablehost]
| eventstats values(matchhost) as matchhost
| eval Action = if(tablehost IN matchhost, "Keep Host", "Remove from Lookup")
Hi @Michael.Medel, Have a read of this TKB article and see if it helps out - https://community.appdynamics.com/t5/Knowledge-Base/Understanding-Synthetic-Visual-metrics-vs-BRUM-metrics-for-page/ta-p/31284