All Posts
I've got the following query to detect that a worker instance of mine is actually doing what it's supposed to on a regular basis. If it doesn't in a particular environment, the query won't return a row for that environment. I thought perhaps I could join the results with a literal dataset of environments, to ensure there is a row for each environment, but despite looking over the documentation, I can't find a way to make the join work. Admittedly, I'm new to Splunk querying, so might be missing something obvious, or there might be some other way of doing this without `join`.

| mstats sum(worker.my_metric) AS my_metric WHERE index="service_metrics" AND host=my-worker-* earliest=-2h BY host
| eval env = replace(host, "^my-worker-(?<env>[^-]+)$", "\1")
| stats sum(my_metric) AS my_metric BY env
| eval active = IF(my_metric > 0, "yes", "no")
| join type=right left=M right=E WHERE M.env = E.env from [{ env: "dev" }, { env: "beta" }, { env: "prod" }]
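As an added example (not part of any post on this page), one way to guarantee a row per environment without `join` is to append the literal environment list as extra rows and aggregate a second time. The index name, metric name, host naming scheme and the three environments are taken from the question above; the `append`/`makeresults` approach is an editor's suggestion, not something the original poster wrote. Environments that produced no metric rows in the window end up with my_metric=0 and active="no", which is the missing signal a monitoring alert needs.

```spl
| mstats sum(worker.my_metric) AS my_metric WHERE index="service_metrics" AND host="my-worker-*" earliest=-2h BY host
| eval env = replace(host, "^my-worker-([^-]+)$", "\1")
| stats sum(my_metric) AS my_metric BY env
``` append one placeholder row per known environment (literal list built with makeresults + split + mvexpand)
| append [
    | makeresults
    | eval env = split("dev,beta,prod", ",")
    | mvexpand env
    | fields env
  ]
``` appended rows carry no my_metric, so treat that as 0 before re-aggregating
| fillnull value=0 my_metric
| stats sum(my_metric) AS my_metric BY env
| eval active = if(my_metric > 0, "yes", "no")
```

The second `stats ... BY env` merges the real measurements with the placeholder rows, so every environment in the literal list appears exactly once; an alert condition of `active="no"` then fires for silent environments rather than silently returning nothing.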
What worked for you? Please explain and help.
Hello, everyone. I just ran into an issue where a stanza within apps\SplunkUniversalForwarder\local\inputs.conf on a forwarder is overwriting other apps\AppName\local\inputs.conf from other apps in the apps folder. I would like to either disable this app, or delete the \SplunkUniversalForwarder\local folder, or delete the stanza. The problem is that this has happened on multiple hosts and I need an automated method of doing this. Does anyone have an idea so that this default app that I don't even want to touch doesn't overwrite my own actually used apps? Thanks
Thanks, ITWhisperer. Perhaps I didn't ask my question clearly enough. I was looking for something like this: [\S\s\n\t\r\n\f.]+ It may be redundant, but it seems to work.
Is this still the case with 9.1.2? I'm getting the same error though I don't have privKeyPath listed in the server.conf file. My pem does have a password/key when I created it.
What's the difference between :: and = in Splunk search? What are the benefits vs drawbacks?
Edit the search and select "For each result" in the Trigger field.
I want to get information related to writing of debug logs to Splunk from Salesforce Apex code. Can you provide us with steps or which Managed package or Connector can we use for this? Thanks, regards, Kr Saket
The tstats command will be faster, but processing a year of data for all hosts will still take a long time.

| tstats prestats=true count where index=foo by _time,host span=1mon
| timechart span=1mon count by host
To find out which fields are present in the lookup and absent in the index use a subsearch, like this:

| inputlookup test_data.csv where NOT [search index=test sourcetype=splunk_test_data | fields field1 field2 | format]
Nope, I am using inputs.conf.
Hello, was a solution ever found? I am experiencing this: a Note in an investigation is easier to read in Edit mode than after it's published. When published, it looks like one run-on sentence, no spacing, no formatting. Thanks in advance! Kai
Start with (?s)

| makeresults
| eval _raw="ABC DEF GHI"
| rex "(?s)ABC(?<middle>.*)GHI"
Just came here to say this worked for me, thanks for posting it.
What is the fastest way to run a query to get an event count on a timechart per host? This is for Windows events and I want to get a list of how many events each device is logging per month so that I can identify the increase/decrease. They are all ingested in one index. A query like this will take a while to run if run for about a year. Is there a faster way to get this data?

index=<index_name> | timechart count by Computer span=1mon

Thanks.
Can you confirm whether your original search returns > 0 events by running it in the search bar on the "Search" tab in AnomalyApp (or in Search & Reporting)? This message may be shown because the search is returning 0 events. We expect to have a fix for this, so our error message is more informative, in our next patch release of AnomalyApp.
What's the simplest regex that will match any character including newline? I want to be able to match all unknown content between two very specific capture groups. Thanks! Jonathan
Sorry, I left that out of my original reply. The number of results is in the result_count field. If the alert did anything, then the alert_actions field is not empty. If an alert fired (was triggered), it will be in the output of this command:

| rest splunk_server=local /servicesNS/-/-/alerts/fired_alerts | search title!="-"
Hi @gcusello , Thanks for getting back to me. Turns out the splunk user did not have access to the pihole.log, only to the pihole-FTL.log files. Splunk started to ingest both files after I changed the permissions. Thanks, Toma.
I'm using the rex command to parse a value out of the results of a transaction command. Is there an easy way to restrict the resulting capture from searching either the start or end block of the transaction? This would be much easier than doing it in the regex itself, since both blocks of text returned are very similar. Thanks! Jonathan