You literally said "add new row"! If you just want the difference, try this | eval difference=count_carmen-inserts-updates-errors
Hi, It seems that it doesn't work for the line sp_addlinkedsrvlogin: I get this word and the word of the next line. If there is only one word on the line, I need to get only that word.   Regards Tchounga
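An added illustration (not from the thread) of why the pattern from the reply runs onto the next line: \s also matches a newline, so after a one-word command the optional second word is taken from the following line; restricting the separator to a literal space keeps the match on one line. The six sample lines are constructed from the question and run through Python's re module, which has the same semantics as the PCRE used by rex for these constructs.

```python
import re

# Constructed sample: the six lines from the question as one multi-line string.
SAMPLE = "\n".join([
    "command:RESTORE LABELONLY FROM DISK=@P1",
    "command:RESTORE VERIFYONLY FROM DISK = 'i:\\toto.sql'",
    "command:RESTORE VERIFYONLY FROM DISK = 'i:\\tata.sql'",
    "command:RESTORE LABELONLY FROM DISK=@P1",
    "command:sp_addlinkedsrvlogin",
    "command:RESTORE LABELONLY FROM DISK=@P1",
])

# Pattern from the thread: \s matches "\n", so "sp_addlinkedsrvlogin" is
# followed by the "command" of the next line, and that next line is then lost.
ORIGINAL = r"command:(\w+(?:\s\w+)?)"

# Same pattern with a literal space as separator: never crosses a line break.
FIXED = r"command:(\w+(?: \w+)?)"


def first_words(pattern, text):
    """Return the captured first word(s) of every command in text."""
    return re.findall(pattern, text)


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, first_words(pat, SAMPLE))
```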
Hi, I am looking for a query to get a list of DBConnect exceptions with their timestamps in order to plot them in a graph. Thank you Kind regards Marta
It is giving me a new column and row. What if I only want a column with the field name difference?
Hi @jamaluddin-k, as you can see in the following question (https://community.splunk.com/t5/Getting-Data-In/send-a-subset-of-logs-via-syslog-to-a-Third-Party-and-all-logs/m-p/506184) I had the same problem and I solved it by adding, in inputs.conf, _TCP_ROUTING to all the sourcetypes and _SYSLOG_ROUTING to the three ones to send to syslog. Ciao. Giuseppe
Hi @gcusello , I see, That was a big gap on my end. But I also already had tried the Syslog Forwarding section on the URL you shared. I was not able to receive any data at the syslog server. My output.conf file is as simple as below.

[syslog]
defaultGroup=syslogGroup

[syslog:syslogGroup]
server = 192.168.6.158:514

I initially felt that the syslog server configuration might have some issue, or maybe the network, but no, I was able to send a TCP message to the syslog server from the Splunk Enterprise VM instance. Only the data from Splunk is not getting forwarded. Both the Syslog Server VM and the Splunk Enterprise VM are in the same network. Just curious, does the defaultGroup parameter have something to do with this?   Thanks for your help.
schedule_search is all you need from my experience
Hi Team, we are observing the below error while accessing the analytic page; what could be the reason for it?
This worked, thanks a lot. Good day.
| rex "command:(?<firstwords>\w+(\s\w+)?)"
If I understand correctly, you could try something like this:

| eval src=case(src="retailautonomyfileage" AND Fname="mdmdat", "retailautonomyfileage1", src="retailautonomyfileage" AND Fname="omsdat", "retailautonomyfileage2", src="retailautonomyfileage" AND Fname="promodat", "retailautonomyfileage3", true(), src)
| eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed")) OR (src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed")) OR (src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed")) OR ((src="retailautonomyfileage1" OR src="retailautonomyfileage2") AND Age>240) OR (src="retailautonomyfileage3" AND Age>120) OR (src="retaillineitemdup" AND Count>0) OR (src="esbmessagecount" AND MsgCount>5),"Down","Up")
| stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain
Hi,   I need to extract with rex the first two words of one event, but sometimes there is only one word. For example, with this data:

command:RESTORE LABELONLY FROM DISK=@P1
command:RESTORE VERIFYONLY FROM DISK = 'i:\toto.sql'
command:RESTORE VERIFYONLY FROM DISK = 'i:\tata.sql'
command:RESTORE LABELONLY FROM DISK=@P1
command:sp_addlinkedsrvlogin
command:RESTORE LABELONLY FROM DISK=@P1

I need to have the field command set with these values from this data:

RESTORE LABELONLY
RESTORE VERIFYONLY
RESTORE VERIFYONLY
RESTORE LABELONLY
sp_addlinkedsrvlogin
RESTORE LABELONLY

I would appreciate some help to get the correct syntax for rex. Regards
Hi @man03359, as I already asked, do you have the same issue also dividing the eval command by src?

| eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed")),"Down","Up")
| eval status=if(src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed"),"Down","Up")
| eval status=if(src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed"),"Down","Up")
| eval status=if(src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)),"Down","Up")
| eval status=if(src="retaillineitemdup" AND Count>0,"Down","Up")
| eval status=if(src="esbmessagecount" AND MsgCount>5,"Down","Up")
| stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain

Ciao. Giuseppe
Hi All, I am relatively new to Splunk. I am trying to build a search query and below is the condition of the query:

| eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed")) OR (src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed")) OR (src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed")) OR (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120))) OR (src="retaillineitemdup" AND Count>0) OR (src="esbmessagecount" AND MsgCount>5),"Down","Up")
| stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain

I am facing a problem in line no 4, which is:

(src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))

It is reading all 3 filenames as one (Fname). The source "retailautonomyfileage" has 3 filenames (Fname="mdmdat", Fname="omsdat", Fname="promodat") and when I do the stats count, not sure why it is counting the sum of all 3 filenames altogether in the output (18 instead of 6).

Output:

Device        Store    src                                host                    Chain  StoreNum  Domain     count
stp-020sql1   stp0020  DB_Rebuild_Indexes_UpdateStats_MDM stp-020sql1.stp.local   stp    20        stp.local  6
stp-020sql1   stp0020  DB_Stop_IndexRebuild_Jobs          stp-020sql1.stp.local   stp    20        stp.local  6
stp-020sql1   stp0020  RetailAutonomyDataSync             stp-020sql1.stp.local   stp    20        stp.local  6
stp-020sql1   stp0020  RetailAutonomyPromotionsDataSync   stp-020sql1.stp.local   stp    20        stp.local  6
stp-020sql1   stp0020  esbmessagecount                    stp-020sql1.stp.local   stp    20        stp.local  6
stp-020sql1   stp0020  retailautonomyfileage              stp-020sql1.stp.local   stp    20        stp.local  18
stp-020sql1   stp0020  retaillineitemdup                  stp-020sql1.stp.local   stp    20        stp.local  6
stp-089sql1   stp0089  DB_Rebuild_Indexes_UpdateStats_MDM stp-089sql1.stp.local   stp    89        stp.local  6
stp-089sql1   stp0089  DB_Stop_IndexRebuild_Jobs          stp-089sql1.stp.local   stp    89        stp.local  6

I am trying to break it into 3 lines under the search query, e.g.

(src="retailautonomyfileage1" AND (Fname="mdmdat" AND Age>240))
(src="retailautonomyfileage2" AND (Fname="omsdat" AND Age>240))
(src="retailautonomyfileage3" AND (Fname="promodat" AND Age>120))

Not sure how I can obtain that. Please help.   Thanks in Advance.
Alternatively, you could look at using CSS to modify the fill pattern used. There are a number of issues with this. Firstly, the pattern must have been visible on your dashboard. Secondly, for column charts for example, the "bars" are defined as a path for each series; this means that the pattern is applied across the whole series, not each bar separately. Thirdly, the image used must be available. In this example, I have used the app icon:

<row>
  <panel>
    <html>
      <svg version="1.1" height="100" width="200">
        <defs>
          <pattern id="imagefiller" patternUnits="userSpaceOnUse" width="500" height="500">
            <rect style="fill:blue" width="500" height="500"/>
            <image href="/en-GB/splunkd/__raw/servicesNS/username/application/static/appIcon_2x.png" x="20" y="100" width="30" height="30" />
          </pattern>
        </defs>
        <g>
          <rect style="fill:url(#imagefiller)" width="150" height="90"/>
        </g>
      </svg>
      <style>
        #filler g.highcharts-series path.highcharts-graph { fill: url(#imagefiller); }
      </style>
    </html>
  </panel>
  <panel>
    <chart id="filler">
      <search>
        <query>| makeresults count=5 | eval value=random()%5 | eval series=mvindex(split("ABC",""),random()%3) | chart sum(value) by series</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <option name="charting.chart">column</option>
      <option name="charting.drilldown">none</option>
      <option name="refresh.display">progressbar</option>
    </chart>
  </panel>
</row>
Assuming the field you are looking at is called message, you could try something like this | streamstats count reset_on_change=t by message | where count>2
I tried the below search for the 2nd question but it didn't work. P.S: In my environment we parsed EventID as EventCode.

| rest /services/saved/searches
| search is_scheduled=1 OR alert_type=1
| table title, actions
| mvexpand actions
| rex field=actions ".*EventCode=(?<EventCode>\d+).*"
| stats count by EventCode, title

Please help me.
I am getting this error when trying to set the Default SLA on a newly installed Mission control app  
I found the 1st item with this search:

index=wineventlog | stats count by EventCode, host | where count > 1 | sort -count | table EventCode, host, count

I need the 2nd and 3rd items.