All Posts

First, some house cleaning: you posted two nearly identical topics. This one appears to be more specific in subject. Could you delete https://community.splunk.com/t5/Splunk-Search/searching-for-specific-result/m-p/659465#M227694, then?

Second, you need to give enough context for a person with no knowledge of your environment, dataset, etc., to understand what difficulty you face and what attempts you have made with what result. Do not assume that volunteers are mind-readers. For example, and so on. Notice all the system_id starts with common 'AA-1' and * afterward. However, when you use it as a token, as you've already felt the problem, AA-10* would return ALL the following id's start Never mind the problem.

I fail to see any problem with putting system_id in a token as discrete values. For one, system_id starts with AA-1, but there is no asterisk ('*') in any of the examples. If I use <your initial search> | stats count by system_id to populate $mytoken$, none of the values will have a wildcard. Your problem statement implies that you populate $mytoken$ either with fixed strings including AA-1*, AA-10*, etc., or you populate $mytoken$ with a search like my example but manipulate the results in a way that adds wildcards at certain positions. Another person would have no way of knowing why you populate $mytoken$ with AA-1* instead of AA-1-*, for example.

Then there is the question of the use of said token. Do you use it in a search command? A where command? A match function? A different part of an eval expression? Each of these can work with a string differently. Can you explain how that wildcard character gets into your token values and how your token is used?
Hello @Rob2520, if you go to Content -> Manage Bookmarks, there is a button for "Backup and Restore"; have you tried that? Screenshot below for reference. Please accept the solution and hit Karma if this helps!
Wow! It works like a charm! Thank you so much for the help! Best,
Hello, Just checking through if the issue was resolved or you have any further questions?
I'm new here and still learning to make the change. Currently I'm on the Splunk Cloud version, and this Field transformations page is where I can find to add the transform, but I'm not sure how I can specify the log field and the Format option there. Should I update the Source Key there? Thanks for the help!
Source key is the field name; change _raw to log. You don't need the Format, as you have specified the field names in the extraction string. Note that the existing JSON needs to be auto-extracted, which means that it has to have been set up to do so. It's easy to see: just do index=x and look down the left-hand side of the display in verbose mode to see if the 'log' field is shown as a field.
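For reference, an added example (not from bowesmana's post, and not something the thread confirms works in this environment) of what the UI settings above correspond to in props.conf and transforms.conf. The sourcetype name my_json_app and the layout of the log value (space-separated key=value pairs carrying trace_id, event, program_run_sec and status) are assumptions; the second regex has to be adjusted to the real log text. The first transform pulls the log string out of the raw JSON with SOURCE_KEY = _raw and the second runs on that field: transforms listed in one REPORT class run in order and a later one can use a field an earlier one extracted, whereas automatic KV_MODE=json extraction runs after REPORT transforms, so the json-extracted log field is not relied on here.

```ini
# props.conf  (sourcetype name is an assumption)
[my_json_app]
KV_MODE = json
REPORT-log_fields = get_log_field, fields_from_log

# transforms.conf
# Stage 1: capture the "log" string out of the raw JSON event.
# The group tolerates escaped quotes (\") inside the value.
[get_log_field]
SOURCE_KEY = _raw
REGEX = "log"\s*:\s*"(?<log>(?:[^"\\]|\\.)*)"

# Stage 2: extract fields from that string. Assumed format of the value:
#   trace_id=abc123 event=job_done program_run_sec=12.5 status=OK
# Named groups supply the field names, so no FORMAT line is needed.
[fields_from_log]
SOURCE_KEY = log
REGEX = trace_id=(?<trace_id>\S+)\s+event=(?<event>\S+)\s+program_run_sec=(?<program_run_sec>[\d.]+)\s+status=(?<status>\S+)
```

In the Splunk Cloud UI this is two Field transformations (Source key _raw for the first, log for the second, Format left empty) referenced by one Field extraction of type "Uses transform". To check, run index=x sourcetype=my_json_app | head 5 | table trace_id event program_run_sec status in verbose mode; empty columns mean the stage 2 regex does not match the actual log text.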
Why do you need them in one token? You will not be able to search for AA-1* without picking up the AA-10, so if you have a token that is base_id, which contains AA-1, which you search for, i.e.

system_id=$base_token$*

and then a second token with AA-1($|-) and do a regex, e.g.

| regex system_id="$regex_token$"
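As an added example (mine, not code from the thread), a small Python model of the overlap bowesmana describes and of the two-token approach: the search-command term treats * as "anything" and so system_id=AA-1* also returns AA-10, AA-11 and AA-100, while the second, regex token AA-1($|-) keeps only the exact base id. The system_id values are constructed.

```python
import re

# Constructed sample system_id values (not from the original thread).
SYSTEM_IDS = [
    "AA-1-host01", "AA-1-host02", "AA-1",
    "AA-10-host01", "AA-11-host07", "AA-100-host03",
    "AB-1-host01",
]

def search_term_regex(pattern: str) -> re.Pattern:
    """Model of a search-command term such as system_id=AA-1*:
    '*' matches any run of characters, everything else is literal,
    and the whole value has to match."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$")

def search_term(ids, pattern):
    """system_id=<pattern> in the search command."""
    rx = search_term_regex(pattern)
    return [i for i in ids if rx.match(i)]

def regex_command(ids, regex):
    """| regex system_id="<regex>": keeps values the regex matches anywhere."""
    rx = re.compile(regex)
    return [i for i in ids if rx.search(i)]

def two_token_filter(ids, base_id):
    """The two-token approach from the answer: coarse prefix search with
    system_id=$base_token$*, then | regex with a token built as <base_id>($|-).
    base_id is assumed to contain no regex metacharacters (AA-1 does not)."""
    coarse = search_term(ids, f"{base_id}*")
    regex_token = f"{base_id}($|-)"
    return regex_command(coarse, regex_token)

if __name__ == "__main__":
    print(search_term(SYSTEM_IDS, "AA-1*"))      # also returns AA-10..., AA-11..., AA-100...
    print(two_token_filter(SYSTEM_IDS, "AA-1"))  # only the AA-1 ids
    print(two_token_filter(SYSTEM_IDS, "AA-10")) # only the AA-10 id
```

The regex token relies on the id being followed either by the end of the value or by the "-" separator; if the real ids use a different separator after the base id, that character replaces the "-" inside the alternation.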
Thank you so much for the quick response! I found this Field transformations page in our Splunk Cloud. Where can I specify the source field log, and what should be configured in the Format option there? Best,
Are you not receiving Snow incident tickets only for a particular set of alerts, or are you not receiving Snow incident tickets for the whole of Splunk altogether?
>>> This is my first post here to ask for help

Welcome to the Splunk Community. Here you can find that almost 90% of everybody's Splunk issues will be solved; your issue is definitely one inside that 90%.

>>> How can I extract trace_id, event, program_run_sec, and status from the log section automatically by setting up a sourcetype? Is it doable?

It is very much doable. As updated by bowesmana, you should just update one or two config files. That's all. We will guide you on this task step by step. Please update us with more details on which stage/step you are currently at.

As you are a new member, I thought to tell you: upvotes/karma points are appreciated by everyone. Kindly help those who help you with your karma points. Thanks.
You have lots of unnecessary fieldformat statements. I would suggest:

index=Prod123 methodType='WITHDRAW' currency='GBP' jurisdiction=UK transactionAmount>=3
| search transactionAmount=*
| bin span=20s _time
| stats list(transactionAmount) as Total, list(currency) as currency, dc(customerId) as Users by _time
| where Users>=2
| eval diff=tonumber(mvindex(Total, 0)) - tonumber(mvindex(Total, 1))
| sort - _time

You don't need list(_time) as Time because it will contain the same values as your split-by _time field, as you are binning _time. You don't need fieldformat for _time, as that is how _time is already displayed.
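An added illustration (not from the thread) of what the bin/stats part of that search computes, written in Python over constructed events, together with a sliding-window variant. It shows one caveat of bin span=20s that the search inherits: two withdrawals 2 seconds apart but on either side of a 20-second boundary land in different bins, so the Users>=2 filter never sees them together, whereas a sliding window does.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real data), already filtered the way the
# first line of the search filters (methodType, currency, jurisdiction, amount).
EVENTS = [
    {"_time": "2024-05-01T10:00:03Z", "customerId": "c1", "transactionAmount": "50"},
    {"_time": "2024-05-01T10:00:11Z", "customerId": "c2", "transactionAmount": "50"},
    {"_time": "2024-05-01T10:00:39Z", "customerId": "c3", "transactionAmount": "75"},
    {"_time": "2024-05-01T10:00:41Z", "customerId": "c4", "transactionAmount": "80"},
    {"_time": "2024-05-01T10:01:05Z", "customerId": "c5", "transactionAmount": "20"},
]

SPAN = 20  # | bin span=20s _time

def epoch(ts: str) -> int:
    """ISO-8601 UTC timestamp -> epoch seconds (what _time holds)."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())

def bin_and_stats(events, span=SPAN, min_users=2):
    """Model of:
    | bin span=20s _time
    | stats list(transactionAmount) as Total, dc(customerId) as Users by _time
    | where Users>=2
    | eval diff=tonumber(mvindex(Total, 0)) - tonumber(mvindex(Total, 1))
    | sort - _time
    """
    bins = defaultdict(list)
    for e in sorted(events, key=lambda e: epoch(e["_time"])):
        t = epoch(e["_time"])
        bins[t - t % span].append(e)            # bin start, aligned to epoch
    rows = []
    for start in sorted(bins, reverse=True):    # sort - _time
        in_bin = bins[start]
        users = {e["customerId"] for e in in_bin}
        if len(users) < min_users:              # where Users>=2
            continue
        total = [e["transactionAmount"] for e in in_bin]   # list() keeps string values
        diff = float(total[0]) - float(total[1])           # tonumber() on the first two
        rows.append({"_time": start, "Total": total, "Users": len(users), "diff": diff})
    return rows

def sliding_window_pairs(events, window=SPAN):
    """Alternative that does not depend on bin boundaries: every pair of events
    from different customers whose timestamps are at most `window` seconds apart."""
    ev = sorted(events, key=lambda e: epoch(e["_time"]))
    pairs = []
    for i, a in enumerate(ev):
        for b in ev[i + 1:]:
            if epoch(b["_time"]) - epoch(a["_time"]) > window:
                break                           # sorted, so no later event can be closer
            if a["customerId"] != b["customerId"]:
                pairs.append((a["customerId"], b["customerId"],
                              float(a["transactionAmount"]) - float(b["transactionAmount"])))
    return pairs

if __name__ == "__main__":
    print(bin_and_stats(EVENTS))          # one row: c1 and c2 in the 10:00:00 bin, diff 0.0
    print(sliding_window_pairs(EVENTS))   # also finds c3/c4, 2 seconds apart across a bin edge
```

In SPL the sliding-window behaviour is closer to what streamstats with a time_window or a self-join gives; the point here is only that fixed bins can hide exactly the pairs the search is looking for.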
>>> Yes i have identified the dashboards and updated those by removing the get_tenable_sourcetype but i am still seeing these errors.

Did you select the correct time picker? (I mean, if you edited just within the last 30 mins, search the internal logs only for the last 20 or 25 mins.) Is it a production system? Do you have any weekly service restarts?

Upvotes/karma points are appreciated by everybody. Thanks.
Settings ---> All Configurations. Select App (all) and Owner (any). In the text box, enter the lookup name, search for it and update us on what happens. Thanks.
Splunk does not support regex patterns in lookups, ONLY wildcards, i.e. *, so your escaped . characters and \ characters should not be in the lookup. Your pattern is a bit odd in that it has C:\\Windows\\system32\\cmd\.exe*C:\\P... where the * in that, if it is a regex, is saying you need to repeat the preceding 'e' character 0 or more times. If your process field contains C:\Windows\system32\cmd.exe ... then that should be the entry in the lookup, and in the lookup entry you add * characters where you want to match any characters in the data. That * wildcarding is all that is supported in lookups.
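As an added example (not from the thread), a Python model of how a lookup whose process column is configured with match_type = WILDCARD(process) in transforms.conf treats an entry: only * is special and every other character, backslashes and dots included, is literal, so the regex-escaped entry never matches while the plain path with a trailing * does. The process values are constructed; the third function only shows what the escaped entry would do if it were applied as a regex, which a lookup does not do.

```python
import re

# Constructed sample process values (not from the original thread).
PROCESSES = [
    r"C:\Windows\system32\cmd.exe /c whoami",
    r"C:\Windows\system32\cmd.exe",
    r"C:\Windows\system32\cmdkey.exe /list",
    r"C:\Program Files\App\cmd.exe",
]

def lookup_wildcard_regex(entry: str) -> re.Pattern:
    """Model of lookup matching with match_type = WILDCARD(process):
    '*' matches any run of characters, every other character is literal,
    and the whole value must match. Case-sensitive, the lookup default."""
    body = ".*".join(re.escape(part) for part in entry.split("*"))
    return re.compile("^" + body + "$")

def lookup_matches(values, entry):
    """Values the lookup entry would match."""
    rx = lookup_wildcard_regex(entry)
    return [v for v in values if rx.match(v)]

def as_regex_matches(values, entry):
    """What the same entry would do if it were a regex (NOT what a lookup does):
    shown only to illustrate why regex-style escaping in a lookup is misleading."""
    rx = re.compile(entry)
    return [v for v in values if rx.search(v)]

if __name__ == "__main__":
    plain = r"C:\Windows\system32\cmd.exe*"           # what belongs in the lookup
    escaped = r"C:\\Windows\\system32\\cmd\.exe*"     # regex-style escaping: wrong for a lookup
    print(lookup_matches(PROCESSES, plain))    # the two cmd.exe values
    print(lookup_matches(PROCESSES, escaped))  # nothing: doubled backslashes are literal
    # As a regex, the trailing e* also accepts a value ending in "cmd.ex".
    print(as_regex_matches(PROCESSES + [r"C:\Windows\system32\cmd.ex"], escaped))
```

Two practical checks: the lookup definition (or its transforms.conf stanza) must actually carry match_type = WILDCARD(process), otherwise the * is compared literally; and a leading * such as *\cmd.exe* matches the executable in any directory, which is usually what a process-name allow or deny list wants.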
Thanks @inventsekar. I tried, but no luck. Can you help me with the query to find out the search query/report/alert/dashboard where this lookup is used? Maybe I am doing it wrong; please help me with the query.