All Posts
Hi @splunk_learn, good for you, see you next time! Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated.
Looks like there is also a trailing "$" in field a. <your_search> | rex field=b "^A\=(?<A>[^,]*)" | where a=A."$" Something like that. 
So, you want to change the svg generated by the viz / chart? You can do this by creating a custom visualisation. Custom visualizations API | Documentation | Splunk Developer Program
Your logs look like compliant XML. I am guessing that you already have the field "Message Text". If so, you can apply @bowesmana's technique

| eval SequenceNumber = mvindex(split('Message Text', " : "), 1)
| eval SequenceNumber = split(SequenceNumber, ",")
| mvexpand SequenceNumber

(Replace 'Message Text' with MessageText if that's the field name.) Your sample logs should give you something like

SequenceNumber _time
00000000000000875119 2023-08-30 21:45:02.212
00000000000000875120 2023-08-30 21:45:02.212
00000000000000875121 2023-08-30 21:45:02.212
00000000000000875122 2023-08-30 21:45:02.212
00000000000000875123 2023-08-30 21:45:02.212
00000000000000875124 2023-08-30 21:45:02.212
00000000000000875115 2023-08-30 20:45:02.083
00000000000000875116 2023-08-30 20:45:02.083
00000000000000875117 2023-08-30 20:45:02.083
00000000000000875118 2023-08-30 20:45:02.083
00000000000000875114 2023-08-30 19:45:01.909
00000000000000875112 2023-08-30 18:45:02.703
00000000000000875113 2023-08-30 18:45:02.703

Here is an emulation that you can play with and compare with real data

| makeresults
| eval data = split("<Create Timestamp>2023-08-31T04:45:02.212Z</Create Timestamp> <Message Text>Sequence Numbers processed during this transaction : 00000000000000875119,00000000000000875120,00000000000000875121,00000000000000875122,00000000000000875123,00000000000000875124</Message Text> <Create Timestamp>2023-08-31T03:45:02.083Z</Create Timestamp> <Message Text>Sequence Numbers processed during this transaction : 00000000000000875115,00000000000000875116,00000000000000875117,00000000000000875118</Message Text> <Create Timestamp>2023-08-31T02:45:01.909Z</Create Timestamp> <Message Text>Sequence Numbers processed during this transaction : 00000000000000875114</Message Text> <Create Timestamp>2023-08-31T01:45:02.703Z</Create Timestamp> <Message Text>Sequence Numbers processed during this transaction : 00000000000000875112,00000000000000875113</Message Text>", " ")
| mvexpand data
| rename data as _raw
| spath
| rename "Create./Create.Message" AS "Message Text"
| eval _time = strptime(Create, "%FT%H:%M:%S.%3Q%Z")
| rename Create AS "Create Timestamp"
``` data emulation above ```
The SVG is used on a Splunk dashboard, and inside it I needed to add a picture on a rectangle, so I thought someone might have some experience with this.
Dears, I would like to know if we need to follow any sequence in restarting the agents. We have analytics agents and a Node.js app agent for a Node.js application. Several times we have noticed that the analytics agent is not reporting the data, and we are not sure what is triggering this. I suspect it happens when application pods are restarted, since it stops reporting after that (just my suspicion). When this happens, the data does not resume until we restart both the analytics and Node.js agents. Any help around this would be much appreciated.
Assuming you have already extracted Message Text into a field called MessageText, try this | rex field=MessageText max_match=0 "(?<SequenceNumber>\d+)" | mvexpand SequenceNumber | table SequenceNumber
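As an added example (not code from either answer above or from the original poster), the search below goes from the raw event to one row per sequence number while keeping the transaction's Create Timestamp as _time. It combines a rex-based extraction of the two XML fields (no spath) with the rex max_match=0 approach, so it works whatever the number of IDs in an event and whether or not "Message Text" was already extracted as a field. The sample events are constructed for this example and separated with ";" inside one string; the field names CreateTimestamp and MessageText are assumptions of this example.

```spl
| makeresults
| eval data = split("<Create Timestamp>2023-08-31T04:45:02.212Z</Create Timestamp> <Message Text>Sequence Numbers processed during this transaction : 00000000000000875119,00000000000000875120,00000000000000875121</Message Text>;<Create Timestamp>2023-08-31T03:45:02.083Z</Create Timestamp> <Message Text>Sequence Numbers processed during this transaction : 00000000000000875115</Message Text>", ";")
| mvexpand data
| rename data AS _raw
| rex field=_raw "<Create Timestamp>(?<CreateTimestamp>[^<]+)</Create Timestamp>"
| rex field=_raw "<Message Text>(?<MessageText>[^<]+)</Message Text>"
| eval _time = strptime(CreateTimestamp, "%Y-%m-%dT%H:%M:%S.%3Q%Z")
| rex field=MessageText max_match=0 "(?<SequenceNumber>\d+)"
| mvexpand SequenceNumber
| table _time SequenceNumber
```

The first five lines only build the constructed events (replace them with your real base search). The third rex pulls every run of digits out of MessageText into a multivalue field, so the surrounding text is ignored, and mvexpand then turns each value into its own row; with the constructed input this yields four rows, three for the first transaction and one for the second, each carrying its transaction's timestamp.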
If I understand the requirements correctly, an alert sequence is one in which task_id is equal but a later event_id is greater than an earlier one. You can say that, conceptually, you need temporary storage. But like most languages, SPL commands RAM for such transient needs. From your sample log, is the following what you are looking for?

event_name task_id _time event_id
server_state 0 2023-08-01 15:41:40.395,2023-08-01 15:10:40.395 1545468 1545467
server_state 1 2023-08-01 15:45:40.395,2023-08-01 15:15:40.395 1135465 1135464
server_state 2 2023-08-01 15:50:40.395,2023-08-01 15:25:40.395 1201257 1201256
server_state 3 2023-08-01 15:52:40.395,2023-08-01 15:36:40.395 1223681 1223680

You can achieve this with the following, assuming that event_name, task_id, and event_id are already extracted:

| stats list(_time) as _time list(event_id) as event_id by event_name task_id
| where mvindex(_time, 0) > mvindex(_time, -1) AND mvindex(event_id, 0) > mvindex(event_id, -1) OR mvindex(_time, 0) < mvindex(_time, -1) AND mvindex(event_id, 0) < mvindex(event_id, -1)
| fieldformat _time = strftime(_time, "%F %H:%M:%S.%3Q")

Here is an emulation of your sample data that you can play with and compare with real data.

| makeresults
| eval data = split("8/01/2023 3:52:40.395 PM server_state|3 1223681 5 8/01/2023 3:50:40.395 PM server_state|2 1201257 3 8/01/2023 3:45:40.395 PM server_state|1 1135465 2 8/01/2023 3:41:40.395 PM server_state|0 1545468 5 8/01/2023 3:36:40.395 PM server_state|3 1223680 0 8/01/2023 3:25:40.395 PM server_state|2 1201256 2 8/01/2023 3:15:40.395 PM server_state|1 1135464 3 8/01/2023 3:10:40.395 PM server_state|0 1545467 8", " ")
| mvexpand data
| rename data as _raw
| rex "(?<ts>(\S+\s){3}) (?<event_name>\w+)\|(?<task_id>\d+) (?<event_id>\d+)"
| eval _time = strptime(ts, "%m/%d/%Y %I:%M:%S.%3Q %p")
``` data emulation above ```

Hope this helps.
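Added example, not part of the answer above: the stats/mvindex search compares only the first and last event per task_id. When a task_id can produce more than two events, the streamstats search below compares every event with the immediately preceding one for the same event_name and task_id, in time order, and keeps each pair where the later event_id is greater. The events are constructed for this example (epoch seconds; three task_ids, one with three events and one whose later event_id is smaller and so is not flagged); the fields ts, prev_event_id and prev_time are assumptions of this example.

```spl
| makeresults
| eval data = split("server_state|0 1545467 1690902640;server_state|0 1545468 1690903300;server_state|1 1135464 1690902900;server_state|1 1135463 1690903540;server_state|2 1201256 1690903500;server_state|2 1201257 1690904100;server_state|2 1201259 1690904400", ";")
| mvexpand data
| rex field=data "^(?<event_name>\w+)\|(?<task_id>\d+)\s(?<event_id>\d+)\s(?<ts>\d+)$"
| eval _time = tonumber(ts)
| fields - data ts
| sort 0 task_id _time
| streamstats current=false last(event_id) AS prev_event_id last(_time) AS prev_time by event_name task_id
| where isnotnull(prev_event_id) AND tonumber(event_id) > tonumber(prev_event_id)
| fieldformat prev_time = strftime(prev_time, "%F %H:%M:%S")
| fieldformat _time = strftime(_time, "%F %H:%M:%S")
| table event_name task_id prev_event_id event_id prev_time _time
```

The first six lines only build the constructed events and can be replaced by your real base search. The sort puts each task's events in chronological order; streamstats with current=false carries the previous event's event_id and _time forward within the group, so the first event of each task has no prev_event_id and is dropped by the where. With the constructed input the result is three rows: one for task 0 and two for task 2 (1201256 to 1201257, then 1201257 to 1201259); task 1 produces none because its later event_id is lower.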
<form version="1.1"> <label>Multiselect</label> <fieldset submitButton="false" autoRun="true"> <input type="multiselect" token="packetsize" searchWhenChanged="true"> <label>Packet Size</label> <search> <query> ``` Query to generate packet sizes dynamically ``` | makeresults | eval packetsize=split("40,128,520",",") | mvexpand packetsize </query> </search> <fieldForValue>packetsize</fieldForValue> <fieldForLabel>packetsize</fieldForLabel> <delimiter>,</delimiter> <change> <eval token="firstpacketsize">mvindex('form.packetsize',0)</eval> <eval token="secondpacketsize">mvindex('form.packetsize',1)</eval> <eval token="thirdpacketsize">mvindex('form.packetsize',2)</eval> <eval token="fourthpacketsize">mvindex('form.packetsize',3)</eval> <eval token="fifthpacketsize">mvindex('form.packetsize',4)</eval> </change> </input> </fieldset> <row> <panel depends="$firstpacketsize$"> <title>Packet size = $firstpacketsize$</title> <table> <search> <query> ``` Query to generate results based on packet size ``` | makeresults | eval packetsize="$firstpacketsize$" </query> </search> <option name="drilldown">cell</option> </table> </panel> <panel depends="$secondpacketsize$"> <title>Packet size = $secondpacketsize$</title> <table> <search> <query> ``` Query to generate results based on packet size ``` | makeresults | eval packetsize="$secondpacketsize$" </query> </search> </table> </panel> <panel depends="$thirdpacketsize$"> <title>Packet size = $thirdpacketsize$</title> <table> <search> <query> ``` Query to generate results based on packet size ``` | makeresults | eval packetsize="$thirdpacketsize$" </query> </search> </table> </panel> <panel depends="$fourthpacketsize$"> <title>Packet size = $fourthpacketsize$</title> <table> <search> <query> ``` Query to generate results based on packet size ``` | makeresults | eval packetsize="$fourthpacketsize$" </query> </search> </table> </panel> <panel depends="$fifthpacketsize$"> <title>Packet size = $fifthpacketsize$</title> <table> <search> <query> ``` Query to generate results based on packet size ``` | makeresults | eval packetsize="$fifthpacketsize$" </query> </search> </table> </panel> </row> </form>
Hi All, Previously, I asked a question titled "How to display panels dynamically depends on selection?" https://community.splunk.com/t5/Dashboards-Visualizations/How-to-display-panels-dynamically-depends-on-selection/m-p/655457/highlight/false#M53927 The panels can be displayed dynamically based on the user's selection. However, I need to display the title or the description according to the dynamic selection. That is, if the user selects packet_size="32,40,128" from the filter, three panels will be displayed and I wish to display the title "Packet size=xx", where xx represents the analyzed packet_size value. Ex. Table 1 with title "Packet size=32", Table 2 with title "Packet size=40", Table 3 with title "Packet size=128". I referred to these earlier posts but was unable to find a successful solution: How do I display _time on dashboard panel's title field? Dynamic value display in the Panel Title? How do you display the date in a dashboard title? Does anyone know how to display the title or description with a variable in code or a value from the filter selection? Thank you so much.
thank you so much. This works!
SAMPLE LOGS:
<Create Timestamp>2023-08-31T04:45:02.212Z</Create Timestamp> <Message Text>Sequence Numbers processed during this transaction : 00000000000000875119,00000000000000875120,00000000000000875121,00000000000000875122,00000000000000875123,00000000000000875124</Message Text>
<Create Timestamp>2023-08-31T03:45:02.083Z</Create Timestamp> <Message Text>Sequence Numbers processed during this transaction : 00000000000000875115,00000000000000875116,00000000000000875117,00000000000000875118</Message Text>
<Create Timestamp>2023-08-31T02:45:01.909Z</Create Timestamp> <Message Text>Sequence Numbers processed during this transaction : 00000000000000875114</Message Text>
<Create Timestamp>2023-08-31T01:45:02.703Z</Create Timestamp> <Message Text>Sequence Numbers processed during this transaction : 00000000000000875112,00000000000000875113</Message Text>
Hi @gcusello & @bowesmana, Thanks for the prompt responses. You both gave answers for a static set of numbers. What if this set of field values is dynamically changing and combined with a string as well? In that case, how can I separate this dynamic set of numbers from the string and display them individually in table format instead of comma separated? We have crossed half of the solution: you already responded on how to split comma-separated values and display them in table format. I need the solution for the two cases below: 1. What if this set of numbers is dynamically logged into Splunk using one field (MessageText)? 2. This dynamic set of numbers is combined with text like "Sequence Numbers processed during this transaction" in the field (MessageText). How can I separate only the numbers and display them in the above-mentioned format, like: 00000000000000872510 00000000000000872511 00000000000000872512 00000000000000872513 00000000000000872514 instead of 00000000000000872510,00000000000000872511,00000000000000872512,00000000000000872513,00000000000000872514 (this set of numbers is not static; it keeps changing for each transaction and is logged into Splunk as an individual event in the (message text) field.)
Hi Pshangguan, After I modify time into $result.time$, the actual time still doesn't appear on the title. Did you successfully make the actual time appear in your panel title? Thanks.
You can do this by turning your number to a sequence of one or two spaces and then use a colorPalette expression to set the colours. This example will turn a count of either 0 or 1 to 1 space or 2 spaces and then in the colorPalette expression it just makes a double space red (#ff0000) otherwise green. Unless you actually need the number for drilldown purposes this should do it. <dashboard> <label>colour2</label> <row> <panel> <table> <search> <query>| makeresults count=6 | fields - _time | eval count=random() % 2, orig_count=count | eval count=substr(" ", 1, count + 1) | table count orig_count</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="color" field="count"> <colorPalette type="expression">if (value == " ", "#FF0000", "#00FF00")</colorPalette> </format> </table> </panel> </row> </dashboard>  
Is there a way to pass these values from a file? -d name=firstApiTest \ -d disabled=1 \ -d owner=nobody \ -d description=descritionText \ -d search="index=main" \ -d dispatch.index_earliest=-7d \ -d dispatch.index_latest=now
Hello Folks, Good Morning to one and all. I have the Trend Micro Cloud One service, and I want to integrate that service with a Splunk instance which has been placed on cloud. Kindly suggest the mechanism for this, as I have checked and there is no add-on available for it. As I know, Trend Micro Cloud One has the ability to forward the logs via the Syslog mechanism, and the Splunk instance is on cloud, so what will be the Splunk interface for syslog on cloud for this integration? Please share your opinion on this. Regards, Gautam Khillare (GK)
Splunk seems to have a problem with authenticating a SAML user account using a token. The purpose of using token authentication is to allow an external application to run a search and get the results. A sample script is posted on GitHub as a code gist — the script simply starts a search but does not wait for the results. The problem is that when token authentication is used with a SAML account, it only works when that SAML user is logged in on the Splunk web GUI and while the interactive session is (still) valid. The problem is shown in the internal log:   07-03-2023 19:35:53.931 +0000 ERROR Saml [795668 AttrQueryRequestExecutorWorker-0] - No status code found in SamlResponse, Not a valid status. 07-03-2023 19:35:53.901 +0000 ERROR Saml [795669 AttrQueryRequestExecutorWorker-1] - No status code found in SamlResponse, Not a valid status.   The theory on the failure is: The token authentication works with (within) Splunk; But Splunk needs to perform RBAC after authentication. So it does AQR after the authentication; However, when there is no valid, live SAML session, the AQR fails. (AQR = Attribute Query Request) -- in this case, to get the user's group memberships to map to Splunk roles. I wonder if anyone has been able to get token authentication to work for a SAML account? [Edit]: On the other hand, is it simply impossible to use token authentication with a SAML user account?
Glad that you have managed to resolve the issue like me. I went through high & low searching for the solutions as well. Luckily managed to Google out the link I sent you and resolved the issue. @dwthomas16 Happy Splunking.
Hi, I want to know what will happen after the Splunk universal forwarder reaches its throughput limit, because I found my universal forwarder stops ingesting data at a certain moment every day, and I don't know what happened here. I just set up the thruput in limits.conf and restarted the UF, and the remaining data was collected, although I'm not sure if it will still be effective next time... So when the throughput limit is reached, will the Splunk UF stop collecting data until the next restart?