Query to output missing data in lookup file.
I have a lookup file with the below data:
country_name
--------------------
Brazil
Norway
My index search returns the below data for field (country_name):
Brazil
Norway
Spain
How do I write a query (using join or append) to output only "Spain" in the results? Thanks!
Hi, here is the try-anywhere query for your requirement.
| makeresults
| eval _raw="Script exception for job id 'ABc12345' : Too many rows: 500."
| rex field=_raw ": (?<Extracted>.*)"
Hi @Splunk235, please try this regex:
| rex "Script exception for job id \'\w*\d*\' : (?<message>[^\.]*)"
that you can test at https://regex101.com/r/tJwzeA/1
Ciao. Giuseppe
Hi @Praz_123, did you try the Lookup Editor App (https://splunkbase.splunk.com/app/1724)? Otherwise it's really difficult to create a dashboard to modify a csv Excel-like! Ciao. Giuseppe
I have error logs like the below. How can I write a Rex query to match both the logs and only extract the message after the first colon (:)? Thanks.
Sample Log lines:
Script exception for job id 'ABc12345' : Too many rows: 500.
Script exception for job id 'XyZ78943' : Too many DMLs: 20.
Results should be:
Too many rows: 500.
Too many DMLs: 20.
Need to create a dashboard which will update the data or field values in a csv or lookup file, as we have more field names with dynamic values and also empty values. So what we need is that if we make any changes in the dashboard, they should be reflected in the lookup table, and the fields will be dynamic here; in the dashboard we could have a text box to update the fields.
Hi @Mohammed Saad.Shaikh,
I wanted to share this AppD Docs page that has some info on exporting and importing Health Rules via API.
Let me know if it helps.
Hi @Aatom! Thanks for your community input. Since this is an old post, I recommend starting a new thread with your question, so it can gain more current visibility.
Cheers!
-Kara D, Splunk Community Manager
Hi all,
I have two jobs in different applications; both jobs get results in Splunk search, BUT one of the jobs always shows the field resultCount=0.
| rest /services/search/jobs/xx__xx_c3BsdW5rLWRhc2hib2FyZC1hcHAtMg__getter_1695998843.535512 splunk_server=local | fields resultCount
Do I need to do something in my app in order to see the resultCount field?
The jobs are generated by javascript, very similar script between apps, just change the search.
I'm running version 9.0.6; in the last version, 8.2.8, I always see the resultCount.
A couple of things wrong:
- field names should be in single quotes, not double quotes, when on the right hand side of the evaluation
- equalities don't work with *, that's just for search filters, try match()
| eval UserAgent = if(match('ContextData.UserAgent',"ios"),"ios","android")
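The quoting behaviour described in the reply above, as an added run-anywhere example that is not part of the original post. The three user-agent strings are constructed sample values, and the output field names (literal_compare, with_match, with_like) are hypothetical.

```spl
| makeresults count=3
| streamstats count AS n
| eval "ContextData.UserAgent"=case(n=1,"MyApp/4.2 (ios 17.1)", n=2,"MyApp/4.2 (android 14)", n=3,"MyApp/4.1 (ios 16.6)")
| eval literal_compare=if("ContextData.UserAgent"="*ios*","ios","android")
| eval with_match=if(match('ContextData.UserAgent',"ios"),"ios","android")
| eval with_like=if(like('ContextData.UserAgent',"%ios%"),"ios","android")
| table ContextData.UserAgent literal_compare with_match with_like
| stats count BY literal_compare with_match with_like
```

literal_compare is "android" on every row because eval compares two string literals there, while with_match and with_like read the field and split the rows into two "ios" and one "android". match() takes a case-sensitive regular expression, so use "(?i)ios" if the source data mixes "iOS" and "ios".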
Thanks for your swift reply! I haven't got the whole answer yet, but that certainly helps as I was not aware of how the config works. Seems like it is probably the local/props.conf file that I need to be updating, referencing this spec. I will do some more research and post a full answer when I have one.
Hi @SplunkySplunk, the issue is that sometimes, having special chars (such as a dot) in the field names, the eval command fails; use rename and it will work:
| rename ContextData.UserAgent AS ContextData_UserAgent
| eval UserAgent = if(match(ContextData_UserAgent,"ios"),"ios","android")
Ciao. Giuseppe
Hello, I'm trying to count events by a field called "UserAgent". If I'm searching for the events without any calculated field, I'm getting results from different UserAgents. But once I'm using eval, I don't get the expected results. For example: I've tried this eval and I'm getting only "android". Also, I'm searching for "ios" only, with
"ContextData.UserAgent"=*ios*
as part of my query
| eval UserAgent = if("ContextData.UserAgent"="*ios*","ios","android")
What am I doing wrong?