All Posts


Oh, I guess there was a typo. The search works well now! Thank you.
Hello, I'm trying to add new/existing key indicator searches to my dashboard in ES, but the edit toolbar does not have the "Add Key Indicator" button. My custom dashboard: [screenshot: My custom dashboard]. Default dashboard with Key Indicators: [screenshot: Default dashboard with Key Indicator]. I also tried to clone the default "Email Activity" dashboard (which has existing key indicators in it), but the cloned dashboard cannot be loaded. What should I do? If this is a bug, which log files do I need to check? Thank you.
I looked it up and all the indexes values are 2, so where < 1 is 0. There is clearly a value without ev_id.
index IN (A, B)
| eval id=case(index="A" AND title="check", or_id, index="B", ev_id)
| dedup id index ``` this line is only required if or_id or ev_id can occur multiple times in either of the indexes ```
| eval index_no=if(index="A",1,2)
| stats sum(index_no) as indexes by id
| where indexes=1
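As an added check (this is not code from the thread), here is a small Python model of the two searches discussed in this thread, run over the constructed 14-row table the asker posted: the `stats dc(index)` variant that finds ids present in both indexes, and the `sum(index_no)` variant above that finds an or_id with no matching ev_id. The field names and values are taken from the posted table; the `derive_id`/`per_id_rows` helpers are this example's own names for the `eval case(...)` and `dedup` stages. With this data the sum is 3 for an id seen in both indexes, 2 for a B-only id and 1 for a check-only id, so `where indexes=1` yields 333.

```python
from collections import defaultdict

# Constructed sample data mirroring the table posted in this thread: (index, title, or_id, ev_id).
EVENTS = [
    {"index": "A", "title": "check",   "or_id": "111", "ev_id": None},
    {"index": "A", "title": "check",   "or_id": "222", "ev_id": None},
    {"index": "A", "title": "check",   "or_id": "333", "ev_id": None},
    {"index": "A", "title": "confirm", "or_id": "444", "ev_id": None},
    {"index": "A", "title": "confirm", "or_id": "555", "ev_id": None},
    {"index": "A", "title": "confirm", "or_id": "666", "ev_id": None},
    {"index": "B", "title": "OK", "or_id": None, "ev_id": "111"},
    {"index": "B", "title": "OK", "or_id": None, "ev_id": "777"},
    {"index": "B", "title": "OK", "or_id": None, "ev_id": "888"},
    {"index": "B", "title": "OK", "or_id": None, "ev_id": "999"},
    {"index": "B", "title": "NO", "or_id": None, "ev_id": "123"},
    {"index": "B", "title": "NO", "or_id": None, "ev_id": "666"},
    {"index": "B", "title": "NO", "or_id": None, "ev_id": "234"},
    {"index": "B", "title": "NO", "or_id": None, "ev_id": "222"},
]


def derive_id(ev):
    """Mirror of: eval id=case(index="A" AND title="check", or_id, index="B", ev_id).
    Returns None when no case() branch matches (index A events whose title is not "check")."""
    if ev["index"] == "A" and ev["title"] == "check":
        return ev["or_id"]
    if ev["index"] == "B":
        return ev["ev_id"]
    return None


def per_id_rows(events):
    """Mirror of: dedup id index. Yields one (id, index) pair per distinct combination.
    Events with a null id are skipped, as 'stats ... by id' would drop them."""
    seen = set()
    for ev in events:
        id_ = derive_id(ev)
        if id_ is None:
            continue
        key = (id_, ev["index"])
        if key in seen:
            continue
        seen.add(key)
        yield id_, ev["index"]


def present_in_both(events):
    """Mirror of: stats dc(index) as indexes by id | where indexes=2."""
    indexes = defaultdict(set)
    for id_, index in per_id_rows(events):
        indexes[id_].add(index)
    return sorted(i for i, s in indexes.items() if len(s) == 2)


def index_sum(events):
    """Mirror of: eval index_no=if(index="A",1,2) | stats sum(index_no) as indexes by id.
    3 = seen in A (as a "check" or_id) and in B; 2 = B only; 1 = A only."""
    total = defaultdict(int)
    for id_, index in per_id_rows(events):
        total[id_] += 1 if index == "A" else 2
    return dict(total)


def check_without_event(events):
    """Mirror of: where indexes=1, i.e. an or_id with title="check" that never appears as an ev_id."""
    return sorted(i for i, s in index_sum(events).items() if s == 1)
```

One diagnostic this model makes visible: if every id in the real data sums to 2, the `case()` branch for index A produced no ids at all (for instance because `title` or `or_id` is not extracted as expected on the A side), since any A-side "check" event contributes 1 to its id's sum.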
omg!! sorry for the confusion. 111,222 is correct. I searched as shown below, and all indexes values are 1.

index IN (A, B)
| eval id=case(index="A" AND title="check", or_id, index="B", ev_id)
| stats dc(index) as indexes by id
| where indexes=2

Ultimately, I want to find the value that has or_id but does not have ev_id. The final answer I really want is 333 in the example above. I was trying to find the case "where count<2", but thinking about it again, there may be a case where there is both an ev_id and an or_id. Could you please help me further?
Try something like this:
| eval _time=relative_time(_time, "+7h")
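An added example (not from the thread) of the conversion the question asks for, done outside Splunk so the expected result can be checked: parse the quoted timestamp format, treat it as UTC, and convert to Asia/Jakarta (WIB, a fixed UTC+7 with no daylight saving). The sample line is constructed from the format in the question; `parse_utc`, `to_jkt` and `JKT` are this example's own names.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample log timestamp in the format quoted in the question.
SAMPLE = "Sat Sep 5 15:18:52 UTC 2023"
LOG_FORMAT = "%a %b %d %H:%M:%S %Z %Y"

# Jakarta (WIB) is UTC+7 year-round, so a fixed offset is exact. Prefer the tzdata rule
# when it is installed so the offset is not hard-coded; fall back otherwise.
try:
    from zoneinfo import ZoneInfo
    JKT = ZoneInfo("Asia/Jakarta")
except Exception:  # zoneinfo missing or tzdata not installed on this host
    JKT = timezone(timedelta(hours=7), name="WIB")


def parse_utc(s):
    """Parse the log timestamp as an aware UTC datetime.

    strptime's %Z accepts the literal 'UTC' (and 'GMT') but does not attach tzinfo,
    so the zone is set explicitly. The weekday token (%a) is parsed but not validated
    against the date, so an inconsistent weekday in the log does not raise."""
    naive = datetime.strptime(s, LOG_FORMAT)
    return naive.replace(tzinfo=timezone.utc)


def to_jkt(s):
    """Same instant, expressed in Jakarta local time (the epoch value is unchanged)."""
    return parse_utc(s).astimezone(JKT)


def to_jkt_string(s):
    """Formatted Jakarta time, the string form one would want in a report."""
    return to_jkt(s).strftime("%Y-%m-%d %H:%M:%S")
```

The `relative_time(_time, "+7h")` approach above rewrites `_time` itself, so the event's epoch no longer identifies the real UTC instant and any later time-based correlation is shifted by seven hours; for display it is safer to write the shifted value into a separate field and leave `_time` alone. If the timestamp arrives as a string field rather than as `_time`, it has to be parsed with `strptime` first.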
I am getting logs with the date format below: Sat Sep 5 15:18:52 UTC 2023. I need to convert this date to JKT.
7 hours
Assuming you mean 111 and 222 (not 777 - that's one of the problems with constructed examples!), you could try something like this:

| eval id=case(index="A" AND title="check", or_id, index="B", ev_id)
| stats dc(index) as indexes by id
| where indexes=2
Hi, how can we find out the HEC URL for my Splunk Cloud instance ...
no  index  title    or_id  ev_id
1   A      check    111
2   A      check    222
3   A      check    333
4   A      confirm  444
5   A      confirm  555
6   A      confirm  666
7   B      OK              111
8   B      OK              777
9   B      OK              888
10  B      OK              999
11  B      NO              123
12  B      NO              666
13  B      NO              234
14  B      NO              222

Let me give you a specific example again. In the case above, I want to check if the or_id of the event with title "check" in index=a has the same value in the ev_id of index=b. I want to look up or_id or ev_id if they have the same value. In the example, numbers 1 and 7, 2 and 14 are the same, and the value I want to look up is 111,777. Numbers 6 and 12 are the same, but since title 6 is not a check, it is not counted in the results.
What is JKT? What is the time difference between JKT and GMT?
Given your limited construct example, the solution proposed by @yuanliu works. If this doesn't work for your real usecase, please provide more realistic examples showing how the proposed solution does not fit your needs.
Hi, I'm trying to configure "Custom Data Type" > SQS input in the Splunk Add-on for AWS app to onboard data from an AWS account. Is it possible to create the SQS input using an IAM role instead of an account (for which I need the KeyId and secret key of the account)?
Note that when using stats values(*) as * the values aggregation will remove duplicates and you will end up with a sorted set of unique values for each field. If you use stats list(*) as * then you will get all values of all fields, with each value in sequence in each field from the second data set, including duplicates. Note that there is a 100 event limit when using list(). The differentiation is important if you need to keep some kind of correlation between the values of each joined result based on your common key. Note that you can combine these on any number of common keys between the two data sets, as there is no concept of primary key, as @yuanliu says.
How to convert GMT to JKT time in Splunk events using a query
@yuanliu Or you can use the _ field prefix to hide it from the foreach, i.e.

| addtotals fieldname=_T
| delta "_T" as _delta
| foreach * [eval <<FIELD>> = if(-'_delta' > '_T' OR '_T' < 5000, null(), '<<FIELD>>')]
``` To show that the _ fields are present ```
| eval y=_T, x=_delta
Hi, I'm trying to integrate the Tanium module with Splunk using HTTP, as I don't see what exactly we need to add in the URL and also in the headers in Splunk. Can anyone help me with the masked data?
@smanojkumar It looks like you have a custom dashboard. So you can apply CSS by adding it to the HTML tag. Sample code (here I'm changing the background):

<dashboard version="1.1">
  <label>Demo</label>
  <row>
    <panel>
      <html depends="$alwaysHideCSSStyle$">
        <style>
          .dashboard-body { background: #1E93C6 !important; }
          .dashboard-header h2 { color: #ffffff !important; }
        </style>
      </html>
    </panel>
  </row>
</dashboard>

To identify the element you can use your browser's inspector tool. Check this link for instructions: https://community.splunk.com/t5/Dashboards-Visualizations/How-do-I-update-panel-color-in-Splunk-using-CSS/m-p/364590/highlight/true#M23796

For further help on CSS, share sample code so we can replicate it in our instance.

I hope this will help you. Thanks, KV. If any of my replies help you to solve the problem or gain knowledge, an upvote would be appreciated.