Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
09-14-2023
05:13 AM
_time is already in epoch form so it does not need to be (and cannot be) converted using strptime. | eval weeknum=strftime(_time, "%V")
| chart dc(Task_num) as Tasks over weeknum by STATUS
09-14-2023
05:10 AM
Same issue here
09-14-2023
05:10 AM
@gcusello Can you please guide me on this .
09-14-2023
04:52 AM
Hello Team,
I need to use the predict command but currently i have only 110 data events therefore to have more data points i am trying to add mock data with only time field which is different. Also...
See more...
Hello Team,
I need to use the predict command but currently i have only 110 data events therefore to have more data points i am trying to add mock data with only time field which is different. Also in my dataset i have only MonthYear field and data collected from March month of this year. I read about repeat function and dataset literal can we use it in this scenario
Quarter
Subscription ID
Subscription name
Azure service
Azure region
Usage
MonthYear
Qtr 1 020b3b0c-5b0a-41a1-8cd7-90cbd63e06 SUB-PRD-EDL Azure Data Factory West 9,10E-12 March 2023 Qtr 1 020b3b0c-5b0a-41a1-8cd7-90cbd63e06 SUB-PRD-EDL Azure Data Factory West 0 March 2023 Qtr 1 020b3b0c-5b0a-41a1-8cd7-90cbd63e06 SUB-PRD-EDL Azure Data Factory West 4,40303E-09 March 2023
09-14-2023
04:51 AM
Hello, You said "You should change the permission to app before you do the outputlookup" Do you mean to change the permission to the app, not the CSV file? If so, can you please give me an examp...
See more...
Hello, You said "You should change the permission to app before you do the outputlookup" Do you mean to change the permission to the app, not the CSV file? If so, can you please give me an example? Note that I am not the admin Thank you Before outputlookup - no CSV file After outputlookup - CSV file exists - but I cannot change the permission (it's greyed out) /opt/splunk/etc/users/[myuserID]/testapp/lookups/test.csv
09-14-2023
04:41 AM
1 Karma
I am also facing same issue. did you find any solution?
09-14-2023
04:38 AM
| eval zip=mvzip(Cluster, Current, Max)
| mvexpand zip
| eval zip=split(zip, ","), Cluster=mvindex(zip, 0), Current=mvindex(zip, 1), Max=mvindex(zip,2)
09-14-2023
04:32 AM
Hi @nill, you can download the Universal Forwarder installation package at https://www.splunk.com/en_us/download/universal-forwarder.html then the instruction for installation are at https://docs.s...
See more...
Hi @nill, you can download the Universal Forwarder installation package at https://www.splunk.com/en_us/download/universal-forwarder.html then the instruction for installation are at https://docs.splunk.com/Documentation/Forwarder/9.1.1/Forwarder/Installanixuniversalforwarder#Install_the_universal_forwarder_on_Linux Ciao. Giuseppe
09-14-2023
04:32 AM
Try something like this: | rex max_match=0 "\s+\S+\s+\S+\s+\S+\s+\S+\s+(?<file>OU_\S+)" In future, please paste the text of your event into a code block </> much like I have done with the SPL above...
See more...
Try something like this: | rex max_match=0 "\s+\S+\s+\S+\s+\S+\s+\S+\s+(?<file>OU_\S+)" In future, please paste the text of your event into a code block </> much like I have done with the SPL above. This prevents the text from being reformatted and losing spaces and new lines etc.
09-14-2023
04:31 AM
Hi @danroberts, please try this: | rex "(?<filename>OU_\w*\.\w*" that you can test at https://regex101.com/r/UiiMSA/1 Ciao. Giuseppe
09-14-2023
04:30 AM
Hi Team,
How do I download and install splunk forwarder on ubuntu 20.04 by downloading a file
- Tags:
- splunk search
Labels
- Labels:
-
Linux
-
universal forwarder
09-14-2023
04:24 AM
How to split the above table in one line each and wanted to have threshold if the current Block size exceeds Max Block size i.,e (85%) i want to trigger alert
09-14-2023
04:11 AM
Hello, Can anyone help me to extract the below file name which is OU_..... from the below raw data.
12:04:19.85 14/09/2023 directory="E:\data\Test" ECHO is off.
Volume in drive E is Data Vol...
See more...
Hello, Can anyone help me to extract the below file name which is OU_..... from the below raw data.
12:04:19.85 14/09/2023 directory="E:\data\Test" ECHO is off.
Volume in drive E is Data Volume Serial Number is 7808-CA1B
Directory of E:\data\Test 13/09/2023 13:22
<DIR> XXX\xxxx . 13/09/2023 13:22 <DIR> xxx\xxx .. 12/09/2023 09:31 95 xxx\xxx dir_details.bat 13/09/2023 13:41 171 xxx\xxx dir_details_copy.bat 07/09/2023 13:26 0 xxx\xxx edsadsad.txt 07/09/2023 13:26 22 xxx\xxx OU_kljdajdklsajkdl.zip 07/09/2023 13:26 22 xxx\xxx OU_kljdajdklsajkewew.zip 07/09/2023 13:26 22 xxx\xxx OU_kljdajdklsajkewewdsads.zip 6 File(s) 332 bytes 2 Dir(s) 20718067712 bytes free
- Tags:
- splunk search
Labels
- Labels:
-
field extraction
09-14-2023
03:28 AM
@gcusello I have selected last 7 days but its showing only 2 with below query index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ...
See more...
@gcusello I have selected last 7 days but its showing only 2 with below query index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully" | eval True=if(searchmatch("ebnc event balanced successfully"),"✔",""), EBNCStatus="ebnc event balanced successfully", Day=strftime(_time,"%Y-%m-%d") | dedup EBNCStatus Day | table EBNCStatus True Day
09-14-2023
03:25 AM
I got the following errors in my Splunk Error Logs: Failed to find Event Log with channel name=Applications and Services Logs/Microsoft/Windows/Sysmon/Operational Init failed, unable to subscribe t...
See more...
I got the following errors in my Splunk Error Logs: Failed to find Event Log with channel name=Applications and Services Logs/Microsoft/Windows/Sysmon/Operational Init failed, unable to subscribe to Windows Event Log channel Microsoft-Windows-Sysmon/Operational: errorCode=5
09-14-2023
03:17 AM
Hi @love0sxy, how did you configure the deploymentclient.conf file in your UFs? if this file in in a custom Add-On deployed using the Deployment Server, you can modify this file in the app to deplo...
See more...
Hi @love0sxy, how did you configure the deploymentclient.conf file in your UFs? if this file in in a custom Add-On deployed using the Deployment Server, you can modify this file in the app to deploy and the new addressing is deployed to all the UFs. If instead you configured it using the CLI command and the deploymentclient.conf file is in $SPLUNK_HOME/etc/system/local, there isn't any automatic way to change the DS addressing. In this case, you could deploy an add-on containing this file using the old DS and run a remote script that deletes the old deploymentclient.conf file and restarts Splunk. Ciao. Giuseppe
09-14-2023
03:11 AM
Hello, guys I want change my universal forward for new deployment_server,how to use Current deployment server。 I am currently pushing the app for universal forwarder, but can‘t change deployment_server
- Tags:
- Universal Forwarder
Labels
- Labels:
-
universal forwarder
09-14-2023
03:09 AM
Hi @aditsss, as I said, if you use a fixed (for all events) value for EBNCStatus, you'll have always only one value in this field, so when you'll dedup for this field, you'll always have one value! ...
See more...
Hi @aditsss, as I said, if you use a fixed (for all events) value for EBNCStatus, you'll have always only one value in this field, so when you'll dedup for this field, you'll always have one value! try to delete the dedup row and see what happens. You could try to dedup for the EBNCStatus field and another field (e.g. day), something like this: index="abc" sourcetype =$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval
True=if(searchmatch("ebnc event balanced successfully"),"✔",""),
EBNCStatus="ebnc event balanced successfully",
Day=strftime(_time,"%Y-%m-%d")
| dedup EBNCStatus Day
| table EBNCStatus True Day Ciao. Giuseppe
09-14-2023
03:07 AM
@gcusello Currently when I am doing dedup and selecting last 7 days its showing only event. I want when I select last 7 days it should show 7 times that message. when I select last 30 days it...
See more...
@gcusello Currently when I am doing dedup and selecting last 7 days its showing only event. I want when I select last 7 days it should show 7 times that message. when I select last 30 days it should 30 times that message. Can you help me with this.
09-14-2023
03:00 AM
Hi here is link to old post for your replication issue https://community.splunk.com/t5/Splunk-Search/Large-lookup-caused-the-bundle-replication-to-fail-What-are-my/m-p/194594 there are some more if ...
See more...
Hi here is link to old post for your replication issue https://community.splunk.com/t5/Splunk-Search/Large-lookup-caused-the-bundle-replication-to-fail-What-are-my/m-p/194594 there are some more if you need. Can you describe your SHC environment, so we can better understand your issue (OS, versions, size, apps, lookups etc.)? r. Ismo
