All Posts
There is a potentially rather expensive way to do it. Suppose your raw events are all single lines; you can do something like

| eval beginning_of_transaction = mvindex(split(_raw, " "), 0)
``` use index -1 for end of transaction ```
| rex field=beginning_of_transaction "<your regex>"

If the events are not all single line, but there is a distinct string (including newline) to split them on without interfering with your regex, this formula can still work.

Update: Your title says to exclude. If exclusion is the goal, I assume that you meant to exclude start AND end, not start or end. This can be achieved with

| eval middle_of_transaction = mvindex(split(_raw, " "), 1, -2)
| rex field=middle_of_transaction "<your regex>"
Hi, try something like this; hope it works. You can hide the table and use the tokens in your panel title.

<row>
  <panel>
    <table depends="$hide$">
      <title>$Time_Period_Start$ $Time_Period_End$</title>
      <search>
        <query>| makeresults
| addinfo
| eval SearchStart = strftime(info_min_time, "%Y-%m-%d %H:%M:%S"), SearchEnd = strftime(info_max_time, "%Y-%m-%d %H:%M:%S")
| table SearchStart, SearchEnd</query>
        <earliest>-7d@d</earliest>
        <latest>@d</latest>
        <done>
          <set token="Time_Period_Start">$result.SearchStart$</set>
          <set token="Time_Period_End">$result.SearchEnd$</set>
        </done>
      </search>
    </table>
  </panel>
</row>
Query to output missing data in lookup file.

I have a lookup file with the data below:

country_name
--------------------
Brazil
Norway

My index search returns the data below for the field country_name:

Brazil
Norway
Spain

How do I write a query (using join or append) to output only "Spain" in the results? Thanks!
Thanks for your reply. We do have that one (https://splunkbase.splunk.com/app/1724); we just need your help to create a dashboard.
Can anyone help with this?
Hi, here is a try-anywhere query for your requirement.

| makeresults
| eval _raw="Script exception for job id 'ABc12345' : Too many rows: 500."
| rex field=_raw ": (?<Extracted>.*)"
Hi @Splunk235, please try this regex:

| rex "Script exception for job id \'\w*\d*\' : (?<message>[^\.]*)"

You can test it at https://regex101.com/r/tJwzeA/1

Ciao.
Giuseppe
Hi @Praz_123, did you try the Lookup Editor App (https://splunkbase.splunk.com/app/1724)? Otherwise it's really difficult to create a dashboard to modify a CSV Excel-like!

Ciao.
Giuseppe
I have error logs like the below. How can I write a rex query that matches both log lines and only extracts the message after the first colon (:)? Thanks.

Sample log lines:

Script exception for job id 'ABc12345' : Too many rows: 500.
Script exception for job id 'XyZ78943' : Too many DMLs: 20.

Results should be:

Too many rows: 500.
Too many DMLs: 20.
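The two rex patterns suggested in the replies above can be checked offline against the sample lines before being pasted into Splunk. This is an added example, not code from any of the posters; it uses the question's two log lines as constructed input. Splunk's rex uses PCRE, where a named group is written (?<name>...), while Python's re module only accepts (?P<name>...), so the patterns are translated accordingly but the matching logic is unchanged. The third pattern (anchored, keeping the trailing period) is my own variant, not something proposed in the thread.

```python
"""Offline check of the rex patterns proposed for the 'Script exception' logs."""
import re
from typing import List, Optional, Tuple

# Constructed sample input: the two log lines quoted in the question.
SAMPLE_LINES = [
    "Script exception for job id 'ABc12345' : Too many rows: 500.",
    "Script exception for job id 'XyZ78943' : Too many DMLs: 20.",
]

# Equivalent of | rex field=_raw ": (?<Extracted>.*)"
# Unanchored: captures everything after the first ": " in the line.
FIRST_COLON = re.compile(r": (?P<Extracted>.*)")

# Equivalent of | rex "Script exception for job id \'\w*\d*\' : (?<message>[^\.]*)"
# Anchored on the literal prefix; [^.]* stops at the first period, so the
# trailing "." of the message is not captured.
ANCHORED_NO_DOT = re.compile(r"Script exception for job id '\w*\d*' : (?P<message>[^.]*)")

# Hypothetical variant (not from the thread): keep the anchor on the prefix
# but capture the rest of the line, period included.
ANCHORED_FULL = re.compile(r"Script exception for job id '\w+' : (?P<message>.+)$")


def extract_after_first_colon(line: str) -> Optional[str]:
    """Return the text after the first ': ', or None if the line has no ': '."""
    m = FIRST_COLON.search(line)
    return m.group("Extracted") if m else None


def extract_anchored_no_dot(line: str) -> Optional[str]:
    """Return the message captured by the [^.]* pattern (drops the final period)."""
    m = ANCHORED_NO_DOT.search(line)
    return m.group("message") if m else None


def extract_anchored_full(line: str) -> Optional[str]:
    """Return the full message after the anchored prefix, period included."""
    m = ANCHORED_FULL.search(line)
    return m.group("message") if m else None


def compare_patterns(lines: List[str]) -> List[Tuple[Optional[str], Optional[str], Optional[str]]]:
    """Run all three extractors over each line so the differences are visible side by side."""
    return [
        (extract_after_first_colon(l), extract_anchored_no_dot(l), extract_anchored_full(l))
        for l in lines
    ]


if __name__ == "__main__":
    for line, results in zip(SAMPLE_LINES, compare_patterns(SAMPLE_LINES)):
        print(line)
        print("  first-colon :", results[0])
        print("  anchored    :", results[1])
        print("  anchored+dot:", results[2])
```

The unanchored pattern gives exactly the output the question asks for, but it will also fire on any unrelated event containing ": ", so in a real search it should be paired with a search-time filter on the event prefix. The anchored pattern only matches the expected log shape, at the cost of dropping the final period; the last variant keeps both properties.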
Karma would be appreciated if someone could help us at the earliest.
I need to create a dashboard that will update the data or field values in a CSV or lookup file, as we have many field names with dynamic values and also empty values. So what we need is: if we make any changes in the dashboard, they should be reflected in the lookup table. The fields will be dynamic here, and in the dashboard we could have a text box to update the fields.
I tried installing the Add-on on the HF and mapped the right sourcetype; still no luck. A few events are truncated at the beginning.
Yes, you should update a local config file and (almost) never a default file.
Hi @Mohammed Saad.Shaikh, I wanted to share this AppD Docs page, which has some info on exporting and importing Health Rules via API. Let me know if it helps.
Hi @Sujal Kumar.Mitra, Have you seen our AppD Docs pages on Enterprise Console? 
Yes, that's correct. Talking about Enterprise Console only.
Hi @Aatom! Thanks for your community input. Since this is an old post, I recommend starting a new thread with your question, so it can gain more current visibility.

Cheers!
-Kara D, Splunk Community Manager
Hi all,

I have two jobs in different applications. Both jobs get results in Splunk search, BUT one of the jobs always shows the field resultCount=0.

| rest /services/search/jobs/xx__xx_c3BsdW5rLWRhc2hib2FyZC1hcHAtMg__getter_1695998843.535512 splunk_server=local
| fields resultCount

Do I need to do something in my app in order to see the resultCount field? The jobs are generated by JavaScript, with a very similar script between apps, just changing the search. I'm running version 9.0.6; in the previous version, 8.2.8, I always saw the resultCount.
A couple of things wrong:

- field names should be in single quotes, not double quotes, when on the right-hand side of the evaluation
- equalities don't work with *, that's just for search filters; try match()

| eval UserAgent = if(match('ContextData.UserAgent',"ios"),"ios","android")
Thanks for your swift reply! I haven't got the whole answer yet, but that certainly helps, as I was not aware of how the config works. It seems like it is probably the local/props.conf file that I need to be updating, referencing this spec. I will do some more research and post a full answer when I have one.