Hour IN (13, 14) would be between 1 PM and 3 PM, not 1 AM and 2:59 AM. Try Hour != 1 AND Hour != 2
What I have done is to add these lines at the end of my query; from my initial testing it works. Is this what you were getting at?
| eval hour=strftime(now(),"%H") | eval weekday=strftime(now(),"%w") | where NOT (hour IN (13,14)) AND weekday != 0
This would not generate any results if it's Sunday between 1 AM through 2:59 AM?
Good day. I am trying to use the sendalert command in Splunk to send a set of results to Splunk SOAR (Phantom). Each result appears in Phantom as a new event; would there be a way to receive only one event with all the results? I'll appreciate your answer.
Is it possible to add some parameters to a Splunk URL so that after clicking the URL, the viewer will see a well-formatted SPL search and does not need to format it manually?
Digging into the job inspector, it looks like the subsearch is not actually running before the ldapsearch runs. 
@smanojkumar Can you please share more details, like which info button you want to change the color of? A screenshot of a sample dashboard or panel would be helpful. KV
| eval hour=strftime(now(),"%H") | eval day=strftime(now(),"%d") | where false()
Your solution makes sense, but I am still getting this error when I try to run the search: External search command 'ldapsearch' returned error code 1. Script output = "error_message=invalid filter ".
Hello, I set up several hosts in the Forwarding and Receiving section (different servers and ports) to forward logs. I can see that the Automatic Load Balancing option is ENABLED. I want to have it DISABLED but do not know how to disable it. Can anybody help me, please? Thanks, pawel
I have an idea and am looking for some input on how to approach it and where to start. As mentioned in the subject, I do not want an alert to be triggered if, let's say, it's Sunday between 1-2 AM. I cannot do this via CRON, so I am looking for an alternative solution.
Questions/Thoughts:
(1) What is the best/simplest way to get the Day and Hour from Splunk?
(2) Once I get day & hour, how should I incorporate that into my existing alert query? Should I create a variable to indicate outage or not (0/1)?
(3) Once I determine that I am in an outage (1), is there an easy way to force the alert's results to = 0?
I know there are going to be many questions, so fire away and I will try to explain or answer as best I can, as there are many alerts I'm trying to make this work for and they are all slightly different in their implementation...
Lack of indexes.conf on the SH results only in a lack of auto-completion in the search edit window. You can still manually write which index you want to search, and it works.
@phanTom Thank you for your answer; it will be very useful. I was just asking because, from the events that come to me, it seems as if my playbook were running on more than one event at the same time. If it were running on 2 or more events at the same time, it wouldn't work for me. I need it to execute one event at a time.
It's really nothing to share, honestly.
[test]
DATETIME_CONFIG = current
Thank you!!
Try this | where isnull(TotalDuration)
<search> (ipaddress="1.1.1.1" OR ipaddress="1.1.1.2")
| where TotalDuration = null returns no results as well.
I need to do a search on a group of IP addresses.
Are there pre-configured or default dashboards associated with this Add-on? Is the Add-on supposed to show up under Apps when it's installed?
Goal: Being able to alert off the latest event if the event is longer than 300 seconds and is not blank or "non-productive". Here is my current search and the results: Every incident is an opening or a closing of an event. If the incident is blank, that signifies a closing of the previous event. If the incident has a string, that is the current open event. In my ideal scenario, I would alert based on any incident where I have a string value within the incident field, the current duration has surpassed 300 seconds, and I don't have a value in the total duration field. However, when I try to add a filter for | where total duration = "", no results are returned at all, which I am confused about, since the latest totalduration event is blank because streamstats is false... Any help or tips greatly appreciated!