All Posts

|tstats latest(_time) as latestTime where index=* by index | eval latestTime=strftime(latestTime,"%Y/%m/%d %H:%M:%S") | eval status=if(strftime(latestTime, "%Y/%m/%d") != strftime(now(), "%Y/%m/%d"), "not updated", "updated")
I'm using this query to find the indexes that have not been indexed up to today. For all the indexes I'm getting "updated", even though there are indexes which have not been updated for a week.
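As an added example, not part of the post above and not an answer from the thread: the same check written so that the comparison is done on epoch values before any string formatting (strftime expects an epoch, so formatting first and then comparing formatted strings is the part to avoid). Index and field names are those from the post; the extra ageDays column is an assumption added for readability.

```spl
| tstats latest(_time) as latestTime where index=* by index
| eval status=if(latestTime < relative_time(now(), "@d"), "not updated", "updated")
| eval ageDays=round((now() - latestTime) / 86400, 1)
| eval latestTime=strftime(latestTime, "%Y/%m/%d %H:%M:%S")
| table index latestTime ageDays status
| sort - ageDays
```

relative_time(now(), "@d") is local midnight of the current day, so an index whose newest event is older than that is flagged "not updated". Two caveats: tstats only reports indexes the running user's role is allowed to search, and an index that holds no events at all in the selected time range does not appear in the output, so a completely silent index is absent rather than flagged.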
Thanks rich... It helps and solves my problem...
Please share the [tos_access] props.conf stanza from both the Enterprise and Cloud installations. Is it possible the data goes through a heavy forwarder before reaching Splunk Enterprise, and that by redirecting the EC2 instance to Splunk Cloud the HF is skipped and any transforms done by it are not applied?
@ITWhisperer It worked!!! Thank you so much
Hi @MScottFoley , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
That is perfect.  I see now why it was not working before.  
There is a REST endpoint that returns all fired alerts (/servicesNS/-/-/alerts/fired), but it doesn't say when the alert fired. You have to query each alert separately to get that. Another way is to search the scheduler log like this:
index=_internal sourcetype=scheduler thread_id="AlertNotifier*" NOT alert_actions IN ("summary_index" "") app=FSS earliest=-30d
I have created an Information Point which basically works, so now I also want to create a metric based on the return value. The only thing is that the return value is a Boolean, so how do I cast it to an Integer (with a Getter Chain, I suppose)?
Hi @aditsss, can you confirm that the values in the field EBNCStatus always start with "ebnc"? If yes, please try this:
index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully" | eval True=if(searchmatch("ebnc event balanced successfully"),"✔","") | eval EBNCStatus="ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")| dedup EBNCStatus Day | search EBNCStatus="ebnc*" | table EBNCStatus True Day
Ciao. Giuseppe
We are migrating our syslog server to Splunk Connect 4 Syslog running on a RHEL server inside a Docker container. The syslog messages are being forwarded to Splunk; however, SC4S is stripping the domain name off of the device names, causing issues with interfaces that are sending log messages. For example, the host "hostname.contoso.com" will have host=hostname, while the hostname "lo0.hostname.contoso.com." will have host=lo0. It appears SC4S is doing some sort of split on the first period (.) in the hostname and only keeping the first item in the array. Is it possible to tell SC4S to use the FQDN as the hostname? We are using reverse DNS on the SC4S instance, i.e. SC4S_USE_REVERSE_DNS=yes. Any help is much appreciated!!
Hello, Has anyone had issues where the color codes used in your JSON are not the colors appearing in your visualization?

{
  "type": "splunk.column",
  "options": {
    "legendDisplay": "off",
    "dataValuesDisplay": "all",
    "yAxisTitleText": "Volume (GB)",
    "xAxisTitleText": "Day",
    "stackMode": "stacked",
    "seriesColorsByField": {
      "over_500_red": "#FF0000",
      "between_400_and_500_orange": "#FFA500",
      "between_200_and_400_green": "#008000",
      "under_200_blue": "#0000FF"
    }
  },
  "dataSources": {
    "primary": "ds_search_1"
  },
  "title": "License Usage - Last 14 Days",
  "showProgressBar": false,
  "showLastUpdated": false,
  "context": {}
}

Green and blue are not in the chart below. Thanks and God bless, Genesius
@gcusello Can you guide me with this query, how can I use it?
index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully" | eval True=if(searchmatch("ebnc event balanced successfully"),"✔","") | eval EBNCStatus="ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")| dedup EBNCStatus Day|search EBNCStatus=* | table EBNCStatus True Day
I'm not sure how to handle that case, but perhaps someone else will have an idea.
Hi @man03359, only for confirmation: you need to filter the main search using two fields from a lookup (src_ip and Device), is that correct? If this is your requirement, you have to use a subsearch with inputlookup:
index="idx-network-firewall" (sourcetype="fgt_traffic" OR sourcetype="fortigate_traffic") [ | inputlookup Stores_Inventory | fields src_ip Device ] | stats latest(_time) values(srcname) as src latest(app) as app by src_ip
Ciao. Giuseppe
Hi @gcusello, What I am trying to do is create a search query that finds src_ip when the field values of two fields, src and device, match with the below output. The src field values I am getting from:
index="idx-network-firewall" (sourcetype="fgt_traffic" OR sourcetype="fortigate_traffic") | stats latest(_time) values(srcname) as src latest(app) as app by src_ip
and the device field value I am getting from the lookup:
| lookup Stores_Inventory src_ip OUTPUT Device | table src_ip Device src app
Hope this is clear!
Always with that String
Does it always start with "awswaf:managed"? Or is there some other way to recognise the part you want displayed?
not always the last
Hello Splunkers, I have an index-time field extraction question. Here is my raw log:

wheel:x:10:user1,user2,user3

I would like to use props.conf and transforms.conf to extract the users.

props.conf:

[mysourcetype]
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TRANSFORMS-users = get-users

transforms.conf:

[get-users]
REGEX = (\d:|,)(?<user>\w+)
FORMAT = users::$1

With my current config, I will only be able to extract the first match of my regex, which here is user1. How could I extract and store each user value? Thanks for your time, GaetanVP
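An added example, not the poster's own config and not an answer from the thread, showing how the same index-time extraction can be made to write every comma-separated user instead of only the first match. The stanza names, the sample event and the field name users are taken from the post; the fields.conf stanza is an assumption about what is needed for the indexed field to be searchable by name.

```ini
# props.conf (unchanged from the post apart from comments)
[mysourcetype]
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TRANSFORMS-users = get-users

# transforms.conf
[get-users]
# The delimiter group is non-capturing, so $1 is the user name rather than
# the "0:" or "," that precedes it. On "wheel:x:10:user1,user2,user3" the
# three matches are "0:user1", ",user2" and ",user3".
REGEX = (?:\d:|,)(\w+)
FORMAT = users::$1
# Re-run the regex from the end of the previous match until it stops
# matching, so that every user is written, not only the first.
REPEAT_MATCH = true
# Write the extracted field into _meta (required for custom index-time fields).
WRITE_META = true

# fields.conf
[users]
INDEXED = true
```

Index-time extractions run where the data is parsed (indexers, or a heavy forwarder in front of them), so these files belong on that tier, and they only affect events ingested after the change; existing events are not re-extracted. The \w+ from the original regex stops at characters such as "-" or ".", so usernames containing those need a broader class such as [^,\s]+.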
Typo on my part (updated my response to use uri instead of url)