Try gathering the different fields by Object | foreach Attributes.* [| eval name=SectionName.".<<MATCHSEG1>>" | eval {name}='<<FIELD>>'] | fields - Attributes.* name SectionName | stats values(*) as * by Object | transpose column_name=Attribute header_field=Object | eval match = if('HJn5server1' == 'HJn7server3', "y", "n")
Almost - the table is to restrict the fields to just those you want in the summary index. The where false() is to remove the events that you have added to the summary index, otherwise you will effectively double the events you have returned by the search. The first half being the original events, and the second half being the events with the renamed fields. Consider this <your search> | appendpipe [] This duplicates all your events!
Solved the issue. It had to do with permissions. The tag should have global permissions for the search app to recognize it.
When I did a table view I realized that the data I'm looking for is actually part of the _raw field. I'm trying to figure out how to isolate the user-agent portion (in bold) and count the different unique values that get reported. Here's a sanitized version of a record. "<133>1 2023-09-21T14:53:43+00:00 host-29490 example.apache-access - - - 208.207.1.214 - - [21/Sep/2023:14:53:43 +0000] ""GET / HTTP/1.1"" 302 46779 ""https://edit.onlineshop.example.com/"" ""Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/98 Safari/537.4 (StatusCake)"" vhost=example.prod.my-sites.com host=edit.example.com hosting_site=example pid=24164 request_time=106271 forwarded_for=""208.51.62.14, 64.220.85.15, 23.120.51.94"" request_id=""reqid-a88558b0-5a8e-1ee-6e0-ea57887e2d"" location=""/user/login"" ","2023-09-21T10:53:43.000-04:00",778910529448,"52.22.171.60",application,1,,example,"tcp-raw","splunk-indexer-ip-10-128-128-5.ec2.internal"
@isoutamo thanks for the tip. Unfortunately, I have no datamodels I can use ATM. Regards,
Hi, have you defined any data model for this? That would probably help you. R. Ismo
If you have rights set up correctly (you should have, as this is working after restart), I don't see any reason why it didn't work! I said that your next step is to create a support case (bug report) to Splunk support to solve this issue.
Hello, community. I am trying to identify ways to make this search faster: index=Win_Logs EventCode IN (528,540,4624) AND user IN (C*,W*,X*) | dedup user | timechart span=1w dc(user) as Users Anything tstats or metasearch, metadata? Thanks in advance
You should ask for clarification from the doc team. Just leave a comment on that document page and they will be back to you later.
I would like to get the number of people connected (one successful login session per user per day will suffice) to our network over a month period using earliest and now() attributes. The figures should be presented per week like a chart
ITWhisperer: Thank you for the reply. Combining the 'SectionName' with each attribute makes sense; however, I can't get your code to resolve correctly. Here are my results with the following code: index = websphere_cct (Object= "HJn5server1" Env="UAT") OR (Object = "HJn2server1" Env="Prod") | foreach Attributes.* [| eval name=SectionName.".<<MATCHSEG1>>" | eval {name}='<<FIELD>>'] | fields - Attributes.* name SectionName | fillnull value="" | transpose column_name=Attribute header_field=Object | eval match = if('HJn5server1' == 'HJn7server3', "y", "n") I can't seem to get the value of the "Attributes" field to print out.
It worked!! Thank you..
Since rex is my favorite command, I'll say that's the best way to extract the field.  Of course, that depends on the details.  Please share (sanitized) sample events with message fields.
Those props.conf settings should be on a heavy forwarder and/or an indexer.  They do no good on a universal forwarder. If the event is not pure and correct JSON then the INDEXED_EXTRACTIONS=JSON and KV_MODE=_json settings won't work.
I would like to set up a dashboard that tracks the totals for user agents in incoming requests. I couldn't find a "user agent", "user-agents" or any other field listed. When I exported the search results to CSV, I saw the following heading: "_raw","_time",cloudaccount,host,index,linecount,message,source,sourcetype,"splunk_server" It appears that the info containing the user agent is contained in the message field, enclosed in double double-quotes. I assume that in order to count each type of user agent, I first need to isolate these values, then count them. What's the best way to do that?
So to make sure I understand what's happening, we are modifying information in a separate summary, then using table to reveal that information, collecting that info. Once we break out of the appendpipe, we then display the original fields. If you don't mind me asking, what is the where false() for?
yuanliu: Thank you for the reply. As for having illustrating sample data, I went over the character limit; however, I could have just made another post. Anyway, here is what I am looking for. It is multiple tables in one dashboard where the tables are ordered by SectionName followed by the Attributes for that section and a column stating whether the attributes match or do not match. I will look at the rest of your post now.
It was the way for previous beta exams.  Whether it is a good use of time is your own decision.  You can take the exam today and wait a while for the results or wait a while to take the GA exam and get the results immediately.  It's the same to me except I save $130 by taking the beta exam.
Official answer: We have a default clean up script but it is by no means a full solution, it will age off files that are older than some frequency (in the splencore.sh script), but if you have a high volume that threshold may not be acceptable. There are a few options we recommend to our clients:

(#1) In inputs.conf: change the monitor stanza to batch, this will delete files upon ingest to Splunk, this is useful if Splunk is the only system of record.

(#2) Sym link to a NAS drive or larger file system: if you want to retain the estreamer log files then you could create a sym link to the folder where output is stored, the sym link would need to represent an adequate file capacity, something on the order of /var/log

(#3) Modify the age off task, its default is 12 hours, but that can be modified, once modified though you will need to update it with new versions of the TA. This is located in the /opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh file, note modifying this file will potentially conflict with future updates of the app, so keep in mind during an upgrade you will need to go back and modify this file after an overwrite

clean() {
    # Delete data older than 12 hours -> 720mins
The Account_Number values are repeated because they are repeated in the data. That's the nature of the list function. To show unique values, use the values function. ... main search | rename Order_Date as Month | stats count by Account_Number, Total_Sum, Month | eventstats sum(Total_Sum) as Monthly_Total by Month | sort - Total_Sum | sort Account_Number | stats values(Account_Number) as Account_Number, list(Total_Sum) as Total_Sum, values(Monthly_Total) as Monthly_Total by Month You didn't say what "it won't work" means, but I suspect the fieldformat command is failing because the Total field doesn't exist. The eval trick to sort fields as desired is a proven method, but how well it works depends on where it's placed in the query. Please show the full query with the code that "hasn't helped".