All Posts


As stated in my response, a saved search will have a non-empty value in the savedsearch_name field (keyword).  If savedsearch_name="" then the search is ad-hoc.
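As an added example (not from the poster above), this is how that test can be applied to Splunk's own audit log to split the search load into ad-hoc and saved searches. It assumes the searches are being read from the _audit index, where each search event carries user, search and savedsearch_name fields; the isnull() check is included because a missing field and an empty string are different things in eval:

```spl
index=_audit action=search info=granted
| eval search_type=if(isnull(savedsearch_name) OR savedsearch_name=="", "ad-hoc", "saved")
| stats count AS searches, dc(user) AS users BY search_type
```

Replace the final stats with `| stats count BY search_type, savedsearch_name` to list the individual saved searches; a scheduled saved search is recorded under the user that owns it, not under whoever created the schedule.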
You can't use subsearches in this way. What are you trying to achieve?
Remember that subsearches run first and their results become text that replaces the subsearch in the query. So, if the subsearch returns "foo.exe" (the value of file_name), then the query becomes

index=toto event_id=4688 | eval file_name=if(event_id==4688, replace(NewProcessName, "^*\\\\([^\\\\]+)$","\\1"),null) foo.exe stats values(file_name) as file_name.....

See the problem? "foo.exe" and the following stats command are considered part of the eval command because there is no intervening |. The fix depends on what you want the query to do.
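Added example, not the answerer's code: one way to keep the subsearch from landing inside the eval is to give it its own pipeline stage, so that the text `format` produces (something like `( ( file_name="foo.exe" ) OR ( file_name="bar.exe" ) )`) becomes the argument of a search command that runs after file_name has been computed. The eval regex is kept exactly as the original poster reported it working; the lookup name, field names and the use of null() instead of a bare null are taken from the thread and are otherwise assumptions:

```spl
index=toto event_id=4688
| eval file_name=if(event_id==4688, replace(NewProcessName, "^*\\\\([^\\\\]+)$", "\\1"), null())
| search [| inputlookup test where software=pm | table pm | rename pm AS file_name | format]
| stats values(file_name) AS file_name
```

Putting the subsearch in the base search instead would not work here, because file_name does not exist until the eval creates it; the filter has to run on a field that is present at that stage, which is why it sits after the eval.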
This is not working at all; we will get all the searches running in Splunk, because there is no keyword to identify whether a search is a saved search, an ad-hoc search, or a report.
Using the Splunk Machine Learning command | fit LinearRegression blah, blah into ModelName I can generate a ModelName file. Using the command | summary ModelName I can generate a result set that has feature and coefficient fields. How can I "extract" the numerical coefficients so that I can create a regression equation for future use? Example: I'm trying to create the equation y = c0 + c1 * Term1 + c2 * Term2 for a future modeling activity.
It is not working since mvzip will process only X and Y fields. It worked with the below.

eval zip=mvzip(mvzip(Cluster,Current),Max) | mvexpand zip | eval zip=split(zip, ","), Cluster=mvindex(zip, 0), Current=mvindex(zip, 1), Max=mvindex(zip, 2)

I am left with the threshold: if Current is above 85% of Max, it should trigger an alert.
Hi, when I run the command below, it works fine:

index=toto event_id=4688 | eval file_name=if(event_id==4688, replace(NewProcessName, "^*\\\\([^\\\\]+)$","\\1"),null)

Now I need to combine this search with a subsearch:

index=toto event_id=4688 | eval file_name=if(event_id==4688, replace(NewProcessName, "^*\\\\([^\\\\]+)$","\\1"),null) [| inputlookup test where software=pm | table pm |rename pm as file_name | format] | stats values(file_name) as file_name.....

But I get the message "Error in "EvalCommand": The expression is malformed". What is wrong, please?
Please read my previous response fully... I have tried both ways. Anyway, thanks for your response. I found a solution.
This is what you asked for
Thanks for the reply, this has worked. Would this also work in a props.conf file? I'm utilising a universal forwarder with a bat script to pull the data from the directory.
Thanks for the reply, unfortunately this just pulls out one of the OU file names. 
@gcusello Apologies, the query is working but I am getting one additional row. My query:

search index="abc" sourcetype=$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully" | eval True=if(searchmatch("ebnc event balanced successfully"),"✔","") | eval EBNCStatus="ebnc event balanced successfully", Day=strftime(_time,"%Y-%m-%d") | dedup EBNCStatus Day | table EBNCStatus True Day
@gcusello Yes, but with that I am only getting two messages. I have selected last 7 days and I am getting only two. I want it so that if I select last 7 days it should show 7 messages, and when I select yesterday it should show 1 message.
Hi @aditsss, did you try my last answer? Ciao. Giuseppe
_time is already in epoch form so it does not need to be (and cannot be) converted using strptime. | eval weeknum=strftime(_time, "%V") | chart dc(Task_num) as Tasks over weeknum by STATUS
Same issue here
@gcusello Can you please guide me on this.
Hello Team, I need to use the predict command, but currently I have only 110 data events, therefore to have more data points I am trying to add mock data with only the time field being different. Also, in my dataset I have only a MonthYear field, and the data has been collected from March of this year. I read about the repeat function and dataset literals; can we use them in this scenario?

Quarter | Subscription ID                      | Subscription name | Azure service      | Azure region | Usage       | MonthYear
Qtr 1   | 020b3b0c-5b0a-41a1-8cd7-90cbd63e06   | SUB-PRD-EDL       | Azure Data Factory | West         | 9,10E-12    | March 2023
Qtr 1   | 020b3b0c-5b0a-41a1-8cd7-90cbd63e06   | SUB-PRD-EDL       | Azure Data Factory | West         | 0           | March 2023
Qtr 1   | 020b3b0c-5b0a-41a1-8cd7-90cbd63e06   | SUB-PRD-EDL       | Azure Data Factory | West         | 4,40303E-09 | March 2023
Hello, you said "You should change the permission to app before you do the outputlookup". Do you mean to change the permission of the app, not the CSV file? If so, can you please give me an example? Note that I am not the admin. Thank you.

Before outputlookup: no CSV file.
After outputlookup: CSV file exists, but I cannot change the permission (it's greyed out):
/opt/splunk/etc/users/[myuserID]/testapp/lookups/test.csv
I am also facing same issue. did you find any solution?