To map things, you will need to enrich your data with what the map needs to display this info.   A good place to start is the Mapping section of docs.  For example, there are some built-in lookups in Splunk for countries and US States.  Depending on your country format in your data, you might need to add additional columns (aka enrich your data) with the relevant geo-info the maps visualization needs.  Reviewing the docs for this should get you on the right path. Another place to check out is the Splunk Dashboard Examples app.  It has a lot of good visualization examples with dummy data that you can copy from.  
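As an added example that is not part of the original answer, here is the shape of a search that takes a country_name/bytes result (the kind of result the map question further down this page describes) and feeds it to the built-in geo_countries geospatial lookup. The index and sourcetype are placeholders, the field names bytes and country_name are assumed, and the country_name values are assumed to already match the featureId names used by geo_countries (full English country names such as "United States"):

```spl
index=proxy sourcetype=web_traffic
| stats sum(bytes) AS total_bytes BY country_name
| geom geo_countries featureIdField=country_name
| sort - total_bytes
```

Save the search as a Choropleth Map panel; geom appends the polygon geometry in a geom field and the map shades each country by total_bytes. If the source only carries a destination IP, run `| iplocation dest_ip` first and aggregate by the Country field it produces instead of country_name. Rows whose country_name does not match a geo_countries featureId get no geometry and are not drawn, so compare a plain `| stats sum(bytes) BY country_name` against what the map shows before trusting it.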
Hi @alex4 - Does something like this help you get to where you want to be:

index=winsec_prod EventCode=4662 ObjectName=*EncryptedDSRMPasswordHistory*
| eval username=coalesce(src_user,user,user_id), Computer=coalesce(Computer,ComputerName)
| stats values(dest) values(Object_Name) values(ScriptBlockText) by _time, index, sourcetype, EventCode, Computer, username

You were referring to EventID in your New Condition, but your SPL was using a field name of EventCode. Also, it looks like the ObjectName field contains the EncryptedDSRMPasswordHistory based on the SPL you shared instead of the Properties field given in your New Condition. Also, I removed the | search in my SPL sample. There's an implied search command happening for SPL, and so if you have | search as your first command you can collapse the boolean expression into the first implied search.
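As an added example that is not part of the original answer, here is one way to fold the new 4662 condition into the existing search from the question while taking the advice above about the implied first search. It assumes the field names the thread already uses (EventCode, ObjectName, Properties, ScriptBlockText, src_user/user/user_id, Computer/ComputerName, dest), matches the LAPS attribute name in both ObjectName and Properties because the thread does not agree on which field carries it, and shortens the 4657 registry path to a wildcard on the value name so that no backslashes need escaping (all of these are my simplifications, not the asker's exact conditions):

```spl
index=winsec_prod
    ((EventCode=4794)
    OR (EventCode=4657 ObjectName="*DSRMAdminLogonBehavior*")
    OR (EventCode IN (4103,4104) ScriptBlockText="*DsrmAdminLogonBehavior*")
    OR (EventCode=4662 (ObjectName="*EncryptedDSRMPasswordHistory*" OR Properties="*EncryptedDSRMPasswordHistory*")))
| eval username=coalesce(src_user,user,user_id), Computer=coalesce(Computer,ComputerName)
| stats values(dest) AS dest, values(ObjectName) AS ObjectName, values(Properties) AS Properties, values(ScriptBlockText) AS ScriptBlockText
    BY _time, index, sourcetype, EventCode, Computer, username
```

Keeping Properties in the stats output is deliberate: whichever field actually carries the attribute name for 4662 in your TA's extraction will show up populated, which settles the ObjectName-versus-Properties question against real events rather than by guessing.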
Thank you. The first solution is exactly what I wanted to achieve 
This post covers this topic: Solved: How to implement tokens in Email alert? - Splunk Community
Trying to edit the email subject line of alerts I am receiving. I have tried adding host=$host$ to the base search and in the subject line and was unsuccessful. I have tried using the $result.host$ macro and was unsuccessful as well. The search looks like:

| stats latest(cpu_load_percent) AS "CPU Utilization" by host _time
| where 'CPU Utilization' >= 95
| dedup host
Matching hour of day is exactly why you cannot use inputlookup subsearch. But now you want 9 - 5:30 instead of 9 - 5, this means that we need to consider %M as well.

| mstats some filters
| <some more sophisticated filters>
| eval Date = split(strftime(_time, "%m/%d/%Y:%H%M"), ":")
| eval tod = mvindex(Date, 1), Date = mvindex(Date, 0)
| lookup mylookup Date
| where NOT (Description == "Bank holiday" AND tod > 900 AND tod < 1730)
Kindly help me with a new SPL. I am getting results for the existing SPL below. I tried applying a new condition to the existing SPL: EventID=4662 Properties=*EncryptedDSRMPasswordHistory. But I am getting unwanted results for EventID 4662. So I want the existing SPL result to be compared against the new condition below and the result filtered if the Properties result has "msLAPS-Password".

New Condition:
index=winsec_prod EventID=4662 Properties=*EncryptedDSRMPasswordHistory*

Existing SPL:
index=winsec_prod 4794 OR (4657 AND DSRMAdminLogonBehavior) OR ((4104 OR 4103) AND DsrmAdminLogonBehavior)
| search ((EventCode=4794) OR (EventCode=4657 ObjectName="*HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior*") OR (EventCode IN (4104,4103) ScriptBlockText="*DsrmAdminLogonBehavior*"))
| eval username=coalesce(src_user,user,user_id), Computer=coalesce(Computer,ComputerName)
| stats values(dest) values(Object_Name) values(ScriptBlockText) by _time, index, sourcetype, EventCode, Computer, username
| rename values(*) as *
I see that the time tokens are symbolic, not actual time values. In that case, use addinfo as @fredclown suggested. Just a couple of tweaks, one to make the search faster if there are lots of events, the other syntactic.

index=... Host=HostName "User ID"=*
| stats count by "User ID"
| addinfo ``` magical command goes anywhere, but less work in fewer rows ```
| stats avg(eval(count*86400/(info_max_time - info_min_time))) as average
Figured it out, just didn't enter anything into the optional Cloud App Security Token, Tenant Subdomain, or Tenant Data Center fields and that got it working again.
@yuanliu Thanks for the query, just wanted to update that I was able to get the results that are not on a holiday date but got stuck on how to also put a filter on the hour (9 AM - 5:30 PM on holidays). The query I used to exclude events on holidays:

| search NOT [| inputlookup holidays.csv | rename HolidayDate as Date | fields Date ]
Can you please assist with a valid solution for the above query?
When I run the query for the percentage of successes out of the total jobs it gives 87.716, but when I look at the dashboard it gives 90.
Why do you escape the quotes? You don't need to do that.
That fixed the Parenthesis error but now I'm receiving this error: Thank you for your time! 
As you said "I" (you) have created the lookup table, my advice is to enter Date as epoch time if possible. (Splunk itself can help with that using commands like outputlookup.) If you must use a human readable format such as "%m/%d/%Y" as your screenshot suggests, you need to convert your event _time to that same format. Something like

| mstats some filters
| <some more sophisticated filters>
| eval Date = split(strftime(_time, "%m/%d/%Y:%H"), ":")
| eval hour = mvindex(Date, 1), Date = mvindex(Date, 0)
| lookup mylookup Date
| where NOT (Description == "Bank holiday" AND hour > 8 AND hour < 18)

Hope this helps.
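Since a lookup file cannot be embedded in a search, here is a self-contained emulation of the holiday filter from this answer together with the 9 - 5:30 refinement given in the later reply on this page, as an added example that is not part of either post. It stands in for the lookup with an eval that marks 12/25/2023 as a bank holiday (constructed data), applies tonumber() so that a zero-padded time such as 0915 is compared numerically, treats 09:00 and 17:30 as inside the window (my choice of inclusive bounds), and decides with if() rather than where NOT so that events for which the lookup returns no Description always take the else branch and are kept:

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = case(n==1, strptime("12/25/2023 08:59", "%m/%d/%Y %H:%M"),
                    n==2, strptime("12/25/2023 09:00", "%m/%d/%Y %H:%M"),
                    n==3, strptime("12/25/2023 09:15", "%m/%d/%Y %H:%M"),
                    n==4, strptime("12/25/2023 17:30", "%m/%d/%Y %H:%M"),
                    n==5, strptime("12/25/2023 17:31", "%m/%d/%Y %H:%M"),
                    n==6, strptime("12/26/2023 10:00", "%m/%d/%Y %H:%M"))
| eval Date = strftime(_time, "%m/%d/%Y"), tod = tonumber(strftime(_time, "%H%M"))
| eval Description = if(Date=="12/25/2023", "Bank holiday", null())
| eval in_holiday_hours = if(Description=="Bank holiday" AND tod>=900 AND tod<=1730, 1, 0)
| where in_holiday_hours=0
| table _time Date tod Description
```

Running this keeps the 08:59, 17:31 and 12/26 rows and drops 09:00, 09:15 and 17:30. Against real data, put the mstats pipeline in front, delete the makeresults, streamstats and first eval lines, and replace the `| eval Description = ...` line with `| lookup holidays.csv Date OUTPUT Description` (or the name of your lookup definition). The Date format produced by strftime must match the format stored in the CSV character for character, which is why the answer above recommends epoch values in the lookup instead.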
Hi, I have a main dashboard "MFA Compliance Rate" as shown in the screenshot below. I have enabled the drilldown feature in the "MFA Compliance Rate Per Country" panel of the main dashboard. The drilldown dashboard name is "Country_Compliance" in the same Splunk app. I am able to pass country data from the main dashboard to the drilldown dashboard; the screenshot below has the on click config. I want to pass a dropdown field value from the main dashboard to the drilldown dashboard. For example: I want to pass the "Business-Unit" dropdown value to the drilldown dashboard along with the "country" value after clicking on a particular country bar in the "MFA Compliance Rate Per Country" panel of the main dashboard. Help me out with how to pass the dropdown value to the drilldown dashboard. Thanks, Abhineet Kumar
list.entry{}.fields is not itself a valid JSON path, but merely Splunk's own flat representation of one element in the JSON array list.entry[]. Therefore it cannot be used in the spath command. Splunk's representation of a JSON array is {}, such as list.entry{}. The search you are looking for is

| fields - list.entry{}.* ``` these are distractions if you want to access full array ```
| spath path=list.entry{}
| mvexpand list.entry{}
| spath input=list.entry{}

After this, you will have the JSON node list[].fields.* extracted as fields.*. Your sample data would give the fields created, createdBy, fields.AppKey001, fields.AutoTestCount001, fields.Engaged, fields.NumBARes001, fields.NumDevRes001, fields.ProdGroup001, fields.Project, fields.QEResIND001, fields.QEResLoc001, fields.QEResLoc002, fields.QEResLoc003, fields.QEResSGP001, fields.QEResTOR001, fields.RelSupport001, fields.SITBugs001, fields.UnitTest001, fields.engStartDate, fields.lastUpdated, id, list.entry{}, ownedBy, recordId and total, one row per array element.

The first row (recordId=7) has created=1682416024092, createdBy empty, id=e70dbd86-53cf-4782-aa84-cf28cde16c86, ownedBy=TEST1, total=64, and under fields.*: AppKey001=ABC, AutoTestCount001=1657, Engaged=1, NumBARes001=3, NumDevRes001=11111, ProdGroup001=1, Project=Registration Employee Directory Services, QEResIND001=5, QEResLoc001=3, QEResLoc002=3, QEResLoc003=3, QEResSGP001=0.5, QEResTOR001=1, RelSupport001=0, SITBugs001=31, UnitTest001=0, engStartDate=1538452800000, lastUpdated=1695960000000. The second row (recordId=8) has created=1682416747947, createdBy=TEST2, id=91e88ae6-0b64-48fc-b8ed-4fcfa399aa3e, ownedBy=TEST2, total=64, and the same fields.* values except NumDevRes001=22222. In both rows list.entry{} holds the full JSON of that element.

Here is an emulation (correcting for one minor JSON syntax error) you can play with and compare with real data

| makeresults
| eval _raw = "{ \"total\": 64, \"list\": { \"entry\": [ { \"recordId\": 7, \"created\": 1682416024092, \"id\": \"e70dbd86-53cf-4782-aa84-cf28cde16c86\", \"fields\": { \"NumDevRes001\": 11111, \"NumBARes001\": 3, \"lastUpdated\": 1695960000000, \"engStartDate\": 1538452800000, \"RelSupport001\": 0, \"UnitTest001\": 0, \"Engaged\": 1, \"ProdGroup001\": 1, \"QEResSGP001\": 0.5, \"QEResTOR001\": 1, \"QEResLoc001\": 3, \"SITBugs001\": 31, \"QEResIND001\": 5, \"QEResLoc003\": 3, \"QEResLoc002\": 3, \"Project\": \"Registration Employee Directory Services\", \"AutoTestCount001\": 1657, \"AppKey001\": \"ABC\" }, \"ownedBy\": \"TEST1\" }, { \"recordId\": 8, \"createdBy\": \"TEST2\", \"created\": 1682416747947, \"id\": \"91e88ae6-0b64-48fc-b8ed-4fcfa399aa3e\", \"fields\": { \"NumDevRes001\": 22222, \"NumBARes001\": 3, \"lastUpdated\": 1695960000000, \"engStartDate\": 1538452800000, \"RelSupport001\": 0, \"UnitTest001\": 0, \"Engaged\": 1, \"ProdGroup001\": 1, \"QEResSGP001\": 0.5, \"QEResTOR001\": 1, \"QEResLoc001\": 3, \"SITBugs001\": 31, \"QEResIND001\": 5, \"QEResLoc003\": 3, \"QEResLoc002\": 3, \"Project\": \"Registration Employee Directory Services\", \"AutoTestCount001\": 1657, \"AppKey001\": \"ABC\" }, \"ownedBy\": \"TEST2\" } ] } }"
| spath
``` data emulation above ```
Hi, I have an alert query that uses mstats. I want this query to not throw an alert during public holidays (from 9 AM to 5 PM). I have created a lookup holidays.csv with columns "Date","Description". How can I use this lookup with the existing mstats command to check for the date and time in the lookup file and, if it is in the time range in the file, not trigger the alert or probably not search at all? Thanks in advance. Lookup file:
I have a search result which gives 2 columns, country_name and bytes of data transferred. How can I create a map visualization out of this that shows how many bytes were transferred to each country? Thanks
Please use the body of the message to ask your question.  Tell us how the search results differ when run in a dashboard.