All Posts
Hi @gcusello, I need something like the table below:

Name | Common Check: Running Service Name | Common Check: Application Name in Control Panel | Tool Specific
UF   | Splunk Forwarder                   | UF                                              | How we can check the presence of the UF, like the path, etc.
Hi @jroeser1404, I have the exact same issue. Did you resolve this, maybe?
Hi @jerrynandak, add nomv to the end:

| makeresults | eval id=11, event_type="ack" | fields id event_type
| append [ | makeresults | eval id=11, event_type="req" | fields id event_type ]
| append [ | makeresults | eval id=11, event_type="ack" | fields id event_type ]
| append [ | makeresults | eval id=12, event_type="req" | fields id event_type ]
| append [ | makeresults | eval id=11, event_type="req" | fields id event_type ]
| append [ | makeresults | eval id=12, event_type="ack" | fields id event_type ]
| append [ | makeresults | eval id=11, event_type="ack" | fields id event_type ]
| append [ | makeresults | eval id=13, event_type="req" | fields id event_type ]
| append [ | makeresults | eval id=12, event_type="req" | fields id event_type ]
| append [ | makeresults | eval id=12, event_type="req" | fields id event_type ]
| append [ | makeresults | eval id=11, event_type="req" | fields id event_type ]
| append [ | makeresults | eval id=12, event_type="ack" | fields id event_type ]
| append [ | makeresults | eval id=13, event_type="ack" | fields id event_type ]
| append [ | makeresults | eval id=12, event_type="ack" | fields id event_type ]
| append [ | makeresults | eval id=12, event_type="req" | fields id event_type ]
| stats values(event_type) AS event_type BY id
| nomv event_type

Ciao. Giuseppe
Hi guys, I need some help trying to rename a specific field on condition that the renamed field is associated with one or more separate fields.

Fields: Device_Name, Device_Interface, SomeField

Pseudocode:

<some query>
| if(Device_Name="Value1" AND Device_Interface="Value2" AND SomeField>="NumberX") --> rename Value2 as "This String"
| if(Device_Name="Value1A" AND Device_Interface="Value2A" AND SomeField<"NumberY") --> rename Value2A as "This Other String"
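One way to express that pseudocode in SPL, added here as an example and not part of the original post: a single eval with case() tests the branches in order and rewrites the value of Device_Interface only when a branch matches, leaving it untouched otherwise. The placeholder names (Value1, Value2, NumberX, NumberY, <some query>) are carried over from the question, and the example assumes SomeField is numeric once converted with tonumber().

```spl
<some query>
| eval SomeField=tonumber(SomeField)
| eval Device_Interface=case(
      Device_Name="Value1"  AND Device_Interface="Value2"  AND SomeField>=NumberX, "This String",
      Device_Name="Value1A" AND Device_Interface="Value2A" AND SomeField<NumberY,  "This Other String",
      true(), Device_Interface)
```

Replace NumberX and NumberY with numeric literals before running it. The final true() branch matters: case() returns null when no branch matches, so without it every non-matching event would lose its Device_Interface value. If you need to keep the original value for later joins or lookups, assign the result to a new field (for example Interface_Label) instead of overwriting Device_Interface.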
You will need a closing parenthesis in the eval statement if you copy and paste this solution. Thank you for the assist!

| eval created=strptime(whenCreated, "%I:%M:%S %p, %a %m/%d/%y")
| where created>=relative_time(now(), "-48h")
Hi @gcusello, values() only stores distinct values. So your solution gives the following output, which doesn't match my expected result:

11 ack req
12 ack req
13 ack req
Hi @bapun18, yes, you can: create your text input and drag it into your panel. Ciao. Giuseppe
Hi @AL3Z, the validation criterion is the presence of each host both in the lookup and in the search results. Ciao. Giuseppe
Hi @jerrynandak, please try this: <your_search> | stats values(event_type) AS event_type BY id Ciao. Giuseppe
I have hundreds of thousands of events of this form:

id  event_type
11  ack
11  req
11  ack
12  req
11  req
12  ack
11  ack
13  req
12  req
12  req
11  req
12  ack
13  ack
12  ack
13  req

How can I create req-ack pairs of these events so that I can find the time difference between req and ack?

Expected pairing:
11: req-ack, req-ack
12: req-ack, req-ack, req-ack
13: req-ack
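The pairing asked for above can be built with streamstats rather than stats values(), which keeps only distinct values and therefore collapses every id to one "ack req" row. The idea is first-in, first-out matching: within each id, the n-th req is paired with the n-th ack, so an id with four req and three ack events yields three pairs and one unmatched req. This is an added example, not code from the thread; it assumes the events carry _time plus the fields id and event_type exactly as shown, and that <your_search> selects them.

```spl
<your_search> event_type IN (req, ack)
| sort 0 _time
| streamstats count(eval(event_type="req")) AS req_n count(eval(event_type="ack")) AS ack_n BY id
| eval pair_n=if(event_type="req", req_n, ack_n)
| stats min(eval(if(event_type="req", _time, null()))) AS req_time
        min(eval(if(event_type="ack", _time, null()))) AS ack_time
        BY id pair_n
| eval latency_sec=ack_time-req_time
| eval status=case(isnull(req_time), "ack without req",
                   isnull(ack_time), "req without ack",
                   true(), "paired")
| eval req_time=strftime(req_time, "%Y-%m-%d %H:%M:%S.%3N"),
       ack_time=strftime(ack_time, "%Y-%m-%d %H:%M:%S.%3N")
| sort 0 id pair_n
```

The `sort 0 _time` is not optional: search results arrive newest first, and streamstats counts in the order it receives events, so without it the n-th req would not be the n-th in time. One row per (id, pair_n) comes back with the req and ack timestamps, the latency in seconds, and a status column that exposes requests that never got an acknowledgement or acknowledgements with no request, which are usually the interesting ones. The caveat is that FIFO matching is only correct when acknowledgements arrive in the same order as their requests; if two requests for the same id can be in flight and complete out of order, you need a per-request identifier in the events to pair on instead of a counter.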
The Tenable TA only pulls in events with new information (a new scan date, a change in a field or status) each time it accesses the data. Once an item is pulled in, it doesn't pull it a second time. That means if you scan half of your devices on Monday and half of your devices on Tuesday, you need to search looking back 2 days to see all of your current data. Once an individual finding has been pulled in, it doesn't grab the same item again unless there is a change.
You can start out doing this in Splunk. Expand on the configs you want to look for in the search below, and then, after you've pulled all of the configs you care about from the REST endpoints, run a search for the keyword you're looking for in it.

You can find a list of configuration files here: https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Listofconfigurationfiles

| rest /services/configs/conf-macros | eval config="macros"
| append [| rest /services/configs/conf-lookups | eval config="lookups"]
| append [| rest /services/configs/conf-savedsearches | eval config="searches"]

You can add in views and such using other endpoints, like | rest /services/data/ui/views
Hi all, I am struggling with a query and would appreciate some help please. I received the data in a CSV file (the timestamp is today). I'm interested in 3 fields: Account_No, Total and Order_Date. My view looks like this:

Account_No  Total  Order_Date
123         15.00  1/01/2023
123         35.00  15/02/2023
123         45.00  19/02/2023
456         15.00  1/01/2023
456         50.00  25/01/2023
456         10.00  19/02/2023

I'd like a view like this:

Account_No  Jan    Feb    Total Sum
123         15.00  80.00
456         65.00  10.00

My main issue is using eval to change the date format that appears in the CSV file from 01/01/2023 to read "January 2023", or even just "January" will probably do for this exercise. I've come up with this so far:

| eval Order_Date = replace(Order_Date,"01", "January")

but firstly I see 06/January/2023 and not just January, and my other issue is that if any other month has 01 in it (for example 01/07/2023) it appears like this: January/07/2023. Any ideas?

Also I started looking at the stats list command to group all Account_Nos together:

main search..... | fields Order_Date Account_No Total | stats list(Total) as Total by Account_No

I am unable to figure out how to get the subtotals for each Account_No. Any pointers would be appreciated. Thank you.
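An added example for the month pivot described above (not code from the original post): instead of rewriting the date string with replace(), which matches "01" wherever it occurs, parse Order_Date with strptime, derive a month label from the resulting epoch, and let chart produce one column per month with addtotals supplying the per-account sum. It assumes the CSV dates are day/month/year, as rows like 15/02/2023 suggest, that Total is a plain decimal number, and that "main search" selects the CSV events.

```spl
main search
| fields Account_No Total Order_Date
| eval order_epoch=strptime(Order_Date, "%d/%m/%Y")
| eval Month=strftime(order_epoch, "%Y-%m")
| eval Total=tonumber(Total)
| chart limit=0 sum(Total) OVER Account_No BY Month
| addtotals fieldname="Total_Sum"
```

With the sample rows this gives 123 with 15.00 under 2023-01, 80.00 under 2023-02 and a Total_Sum of 95.00, and 456 with 65.00, 10.00 and 75.00. Using "%Y-%m" rather than "%B" keeps the columns in chronological order, since chart orders BY values lexically; switch to "%B" only if you want the literal month name and are happy with alphabetical columns. limit=0 matters because chart otherwise keeps only the ten most common BY values and folds the rest into OTHER. Any row whose Order_Date does not parse gets a null order_epoch and silently drops out of the chart, so before trusting the totals it is worth running the search up to the strptime line with `| where isnull(order_epoch)` to see what was discarded.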
Hello @cbhattad  I'm not sure if this is still of use to you but have you setup the private key as per the documentation? Regards, RCA
Hi @melanie_granite, I'm not sure if this is still of use to you, but to answer your question: you have to configure inputs in Settings > Data Inputs > Google Spreadsheet. Check this link: https://community.splunk.com/t5/All-Apps-and-Add-ons/Google-Import-Export-app-configuration/m-p/521681
Hello @esnaidergarzon, I'm not sure if this is still of help since the question was asked quite a while ago. But if you follow the documentation from here https://lukemurphey.net/projects/splunk-google-docs/wiki/How_to_setup_app you should be able to set it up correctly.
Hi, you might already have the result; I am replying so that it can help others. As you are using the sendemail command and you need the Contact field, do the following:

...| rename Contact as _Contact | sendemail to=$result._Contact$ subject=subject sendresults=true format=table

While sending the mail, Splunk will ignore the _Contact field as it has an underscore (_). Hope this helps. Happy Splunking!
We have Splunk message validation scenarios in our test scenarios and need to know whether any open APIs are available for test automation. Automation framework: TOSCA.
Hi Team, we are using Alert Manager Enterprise to receive alert notifications. As we are new to Alert Manager Enterprise, we would like to understand a few of its features. Firstly, we have use cases with threshold criteria. We would like to understand what happens with events that fall inside the threshold window but are not an exact threshold match, i.e. we set an alert to trigger if we encounter 5 failed attempts for any user within 5 minutes. In real time, we noticed 5 failed attempts for a user within 2 minutes. As we set the threshold window to 5 minutes, will 5 failed attempts within 2 minutes trigger an alert?
And another not-so-happy user here. The documentation clearly states: "When a search head cluster member is in manual detention, it stops accepting all new searches from the search scheduler or from users. Existing ad-hoc and scheduled search jobs run to completion. New scheduled searches are distributed by the captain to search head cluster members that are up and not in detention." As expected, an interactive search is refused. Yet when I monitor the active_historical_search_count of a member in detention, I observe the count going up and down. When I look at the Job Manager screen, I see lots of newly created jobs. Either I misunderstood the detention feature, or the documentation is off the mark, or there is a bug. Which is it?