All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

All Posts

Re: Return message [logs] when the previous 'n' messages [logs] are identical

by SplunkTrust in Splunk Search
‎08-31-2023 01:04 AM
1 Karma
‎08-31-2023 01:04 AM
1 Karma
Assuming the field you are looking at is called message, you could try something like this | streamstats count reset_on_change=t by message | where count>2

Re: How to make a search for some analytics with SPL?

by in Getting Data In
‎08-31-2023 12:32 AM
‎08-31-2023 12:32 AM
I tried below search for 2nd question but didn't work. P.S: In my environment we parsed EventID as EventCode | rest /services/saved/searches | search is_scheduled=1 OR alert_type=1 | table title,... See more...
I tried below search for 2nd question but didn't work. P.S: In my environment we parsed EventID as EventCode | rest /services/saved/searches | search is_scheduled=1 OR alert_type=1 | table title, actions | mvexpand actions | rex field=actions ".*EventCode=(?<EventCode>\d+).*" | stats count by EventCode, title   Please help me..

How do i resolve this Error while setting Default SLA

by in Splunk Mission Control
‎08-31-2023 12:22 AM
‎08-31-2023 12:22 AM
I am getting this error when trying to set the Default SLA on a newly installed Mission control app  
Labels

Re: How to make a search for some analytics with SPL?

by in Getting Data In
‎08-31-2023 12:17 AM
‎08-31-2023 12:17 AM
I found 1. item with this search. index=wineventlog | stats count by EventCode, host | where count > 1 | sort -count | table EventCode, host, count   I need 2 and 3rd items

Is it possible for a search string to pick up instances where the last [say] 3 logs are identical?

by in Splunk Search
‎08-31-2023 12:14 AM
‎08-31-2023 12:14 AM
Hi All We have a couple of jobs that occasionally loop around same code returning same message/log - is it possible for a search string to pick up instances where the last [say] 3 logs are identica... See more...
Hi All We have a couple of jobs that occasionally loop around same code returning same message/log - is it possible for a search string to pick up instances where the last [say] 3 logs are identical? Kinds regards Mick  
Labels

How to make a search for some analytics with SPL?

by in Getting Data In
‎08-31-2023 12:04 AM
‎08-31-2023 12:04 AM
Hi, I need some analytics result in Splunk but i couldn't achieve. Here what i need. 1) Which EventIDs is repeated in which hostnames? I need this count based. EventID, Hostname and Count 2) Which... See more...
Hi, I need some analytics result in Splunk but i couldn't achieve. Here what i need. 1) Which EventIDs is repeated in which hostnames? I need this count based. EventID, Hostname and Count 2) Which EventIDs is used in which alerts (correleation searches and saved searches)? EventID, Alert Name 3) Which EventIDs triggered which alerts? EventID, Alert Name and count
Labels

Re: Why am I Not receiving data on indexer (Splunk Enterprise trial license)?

by SplunkTrust in Installation
‎08-30-2023 11:56 PM
‎08-30-2023 11:56 PM
Hi @splunk_learn, good for you, see next time! let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma ... See more...
Hi @splunk_learn, good for you, see next time! let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated

Re: How to match partial values of field a with partial values of field b ?

by SplunkTrust in Splunk Search
‎08-30-2023 11:53 PM
‎08-30-2023 11:53 PM
Looks like there is also a trailing "$" in field a. <your_search> | rex field=b "^A\=(?<A>[^,]*)" | where a=A."$" Something like that. 

Re: How to insert image on a rectangle inside the svg

by SplunkTrust in Other Usage
‎08-30-2023 11:46 PM
‎08-30-2023 11:46 PM
So, you want to change the svg generated by the viz / chart? You can do this by creating a custom visualisation. Custom visualizations API | Documentation | Splunk Developer Program

Re: How to split comma separated values in single event and make each value as one row of table with individual values

by SplunkTrust in Splunk Search
‎08-30-2023 11:38 PM
‎08-30-2023 11:38 PM
Your logs look like compliant XML.  I am guessing that you already have the field "Message Text".  If so, you can apply @bowesmana's technique   | eval SequenceNumber = mvindex(split('Message Text'... See more...
Your logs look like compliant XML.  I am guessing that you already have the field "Message Text".  If so, you can apply @bowesmana's technique   | eval SequenceNumber = mvindex(split('Message Text', " : "), 1) | eval SequenceNumber = split(SequenceNumber, ",") | mvexpand SequenceNumber   (Replace 'Message Text' with MessageText if that's the field name.)  Your sample logs should give you something like SequenceNumber _time 00000000000000875119 2023-08-30 21:45:02.212 00000000000000875120 2023-08-30 21:45:02.212 00000000000000875121 2023-08-30 21:45:02.212 00000000000000875122 2023-08-30 21:45:02.212 00000000000000875123 2023-08-30 21:45:02.212 00000000000000875124 2023-08-30 21:45:02.212 00000000000000875115 2023-08-30 20:45:02.083 00000000000000875116 2023-08-30 20:45:02.083 00000000000000875117 2023-08-30 20:45:02.083 00000000000000875118 2023-08-30 20:45:02.083 00000000000000875114 2023-08-30 19:45:01.909 00000000000000875112 2023-08-30 18:45:02.703 00000000000000875113 2023-08-30 18:45:02.703 Here is an emulation that you can play with and compare with real data   | makeresults | eval data = split("<Create Timestamp>2023-08-31T04:45:02.212Z</Create Timestamp> <Message Text>Sequence Numbers processed during this transaction : 00000000000000875119,00000000000000875120,00000000000000875121,00000000000000875122,00000000000000875123,00000000000000875124</Message Text> <Create Timestamp>2023-08-31T03:45:02.083Z</Create Timestamp> <Message Text>Sequence Numbers processed during this transaction : 00000000000000875115,00000000000000875116,00000000000000875117,00000000000000875118</Message Text> <Create Timestamp>2023-08-31T02:45:01.909Z</Create Timestamp> <Message Text>Sequence Numbers processed during this transaction : 00000000000000875114</Message Text> <Create Timestamp>2023-08-31T01:45:02.703Z</Create Timestamp> <Message Text>Sequence Numbers processed during this transaction : 00000000000000875112,00000000000000875113</Message Text>", " ") | mvexpand data | rename data as _raw | spath | rename "Create./Create.Message" AS "Message Text" | eval _time = strptime(Create, "%FT%H:%M:%S.%3Q%Z") | rename Create AS "Create Timestamp" ``` data emulation above ```  

Re: How to insert image on a rectangle inside the svg

by in Other Usage
‎08-30-2023 11:32 PM
‎08-30-2023 11:32 PM
The SVG is used on a splunk dashboard and inside this I needed to add a picture on a rectangles, so thought someone maybe have some experience with this.

Restart of Analytics agent and node js app agent in containers

by in Splunk AppDynamics
‎08-30-2023 11:27 PM
‎08-30-2023 11:27 PM
Dears, I would like to know if we need to follow any sequence in restarting the agents. We have analytics agents and node.js app agent for Node.js application. Several times we have been noticing th... See more...
Dears, I would like to know if we need to follow any sequence in restarting the agents. We have analytics agents and node.js app agent for Node.js application. Several times we have been noticing that analytics agent is not reporting the data not sure what is triggering this. I am suspecting when application  pods are restarted since then it is not reporting (just my suspicion). When this happens,  until we restart both analytics and nodejs agents, the data is not resuming. Any help around this would be much appreciated.
Labels

Re: How to split comma separated values in single event and make each value as one row of table with individual values

by SplunkTrust in Splunk Search
‎08-30-2023 11:16 PM
1 Karma
‎08-30-2023 11:16 PM
1 Karma
Assuming you have already extracted Message Text into a field called MessageText, try this | rex field=MessageText max_match=0 "(?<SequenceNumber>\d+)" | mvexpand SequenceNumber | table SequenceNumber

Re: Tempory output storage

by SplunkTrust in Splunk Search
‎08-30-2023 11:04 PM
‎08-30-2023 11:04 PM
If I understand the requirements correctly, an alert sequence is one in which task_id is equal but a later event_id is greater than an earlier one, you can say that conceptually, you need a temporary... See more...
If I understand the requirements correctly, an alert sequence is one in which task_id is equal but a later event_id is greater than an earlier one, you can say that conceptually, you need a temporary storage.  But like most languages, SPL commands RAM for such transient needs. From your sample log, is the following what you are looking for? event_name task_id _time event_id server_state 0 2023-08-01 15:41:40.395,2023-08-01 15:10:40.395 1545468 1545467 server_state 1 2023-08-01 15:45:40.395,2023-08-01 15:15:40.395 1135465 1135464 server_state 2 2023-08-01 15:50:40.395,2023-08-01 15:25:40.395 1201257 1201256 server_state 3 2023-08-01 15:52:40.395,2023-08-01 15:36:40.395 1223681 1223680 You can achieve this with the following assuming that event_name, task_id, and event_id are already extracted:   | stats list(_time) as _time list(event_id) as event_id by event_name task_id | where mvindex(_time, 0) > mvindex(_time, -1) AND mvindex(event_id, 0) > mvindex(event_id, -1) OR mvindex(_time, 0) < mvindex(_time, -1) AND mvindex(event_id, 0) < mvindex(event_id, -1) | fieldformat _time = strftime(_time, "%F %H:%M:%S.%3Q")   Here is an emulation of your sample data that you can play with and compare with real data.   | makeresults | eval data = split("8/01/2023 3:52:40.395 PM server_state|3 1223681 5 8/01/2023 3:50:40.395 PM server_state|2 1201257 3 8/01/2023 3:45:40.395 PM server_state|1 1135465 2 8/01/2023 3:41:40.395 PM server_state|0 1545468 5 8/01/2023 3:36:40.395 PM server_state|3 1223680 0 8/01/2023 3:25:40.395 PM server_state|2 1201256 2 8/01/2023 3:15:40.395 PM server_state|1 1135464 3 8/01/2023 3:10:40.395 PM server_state|0 1545467 8", " ") | mvexpand data | rename data as _raw | rex "(?<ts>(\S+\s){3}) (?<event_name>\w+)\|(?<task_id>\d+) (?<event_id>\d+)" | eval _time = strptime(ts, "%m/%d/%Y %I:%M:%S.%3Q %p") ``` data emulation above ```    Hope this helps.

Re: How to display dynamic values in the panel title?

by SplunkTrust in Dashboards & Visualizations
‎08-30-2023 11:00 PM
‎08-30-2023 11:00 PM
<form version="1.1"> <label>Multiselect</label> <fieldset submitButton="false" autoRun="true"> <input type="multiselect" token="packetsize" searchWhenChanged="true"> <label>Packet Size<... See more...
<form version="1.1"> <label>Multiselect</label> <fieldset submitButton="false" autoRun="true"> <input type="multiselect" token="packetsize" searchWhenChanged="true"> <label>Packet Size</label> <search> <query> ``` Query to generate packet sizes dynamially ``` | makeresults | eval packetsize=split("40,128,520",",") | mvexpand packetsize </query> </search> <fieldForValue>packetsize</fieldForValue> <fieldForLabel>packetsize</fieldForLabel> <delimiter>,</delimiter> <change> <eval token="firstpacketsize">mvindex('form.packetsize',0)</eval> <eval token="secondpacketsize">mvindex('form.packetsize',1)</eval> <eval token="thirdpacketsize">mvindex('form.packetsize',2)</eval> <eval token="fourthpacketsize">mvindex('form.packetsize',3)</eval> <eval token="fifthpacketsize">mvindex('form.packetsize',4)</eval> </change> </input> </fieldset> <row> <panel depends="$firstpacketsize$"> <title>Packet size = $firstpacketsize$</title> <table> <search> <query> ``` Query to generate results based on packet size ``` | makeresults | eval packetsize="$firstpacketsize$" </query> </search> <option name="drilldown">cell</option> </table> </panel> <panel depends="$secondpacketsize$"> <title>Packet size = $secondpacketsize$</title> <table> <search> <query> ``` Query to generate results based on packet size ``` | makeresults | eval packetsize="$secondpacketsize$" </query> </search> </table> </panel> <panel depends="$thirdpacketsize$"> <title>Packet size = $thirdpacketsize$</title> <table> <search> <query> ``` Query to generate results based on packet size ``` | makeresults | eval packetsize="$thirdpacketsize$" </query> </search> </table> </panel> <panel depends="$fourthpacketsize$"> <title>Packet size = $fourthpacketsize$</title> <table> <search> <query> ``` Query to generate results based on packet size ``` | makeresults | eval packetsize="$fourthpacketsize$" </query> </search> </table> </panel> <panel depends="$fifthpacketsize$"> <title>Packet size = $fifthpacketsize$</title> <table> <search> <query> ``` Query to generate results based on packet size ``` | makeresults | eval packetsize="$fifthpacketsize$" </query> </search> </table> </panel> </row> </form>

How to display dynamic values in the panel title?

by in Dashboards & Visualizations
‎08-30-2023 10:45 PM
‎08-30-2023 10:45 PM
Hi All, Previously, I have asked a question titled as "How to display panels dynamically depends on selection?" https://community.splunk.com/t5/Dashboards-Visualizations/How-to-display-panels-dyn... See more...
Hi All, Previously, I have asked a question titled as "How to display panels dynamically depends on selection?" https://community.splunk.com/t5/Dashboards-Visualizations/How-to-display-panels-dynamically-depends-on-selection/m-p/655457/highlight/false#M53927   The panels can be displayed dynamically by the user selection. However, I need to display the title or the description according to the dymical selection. That is, if the user select packet_size="32,40,128" from the filter. Three panels will be displayed and I wish to display the title = "Packet size=xx", where xx represent the analyzed packet_size value.   ex. Table 1 with title = "Packet size=32", Table 2 with title = "Packet size=40", Table 3 with title = "Packet size=128" I refer to these history but I am unable to find a successful solution. How do I display _time on dashboard panel's title field?  Dynamic value display in the Panel Title?  How do you display the date in a dashboard title?  Does anyone know how to display the title or description with a variable in code or a value in filter selection? Thank you so much.
Labels

Re: How to display panels dynamically depends on selection ?

by in Dashboards & Visualizations
‎08-30-2023 10:33 PM
‎08-30-2023 10:33 PM
thank you so much. This works!

Re: How to split comma separated values in single event and make each value as one row of table with individual values

by in Splunk Search
‎08-30-2023 10:27 PM
‎08-30-2023 10:27 PM
SAMPLE LOGS: <Create Timestamp>2023-08-31T04:45:02.212Z</Create Timestamp> <Message Text>Sequence Numbers processed during this transaction : 00000000000000875119,00000000000000875120,0000000000000... See more...
SAMPLE LOGS: <Create Timestamp>2023-08-31T04:45:02.212Z</Create Timestamp> <Message Text>Sequence Numbers processed during this transaction : 00000000000000875119,00000000000000875120,00000000000000875121,00000000000000875122,00000000000000875123,00000000000000875124</Message Text> <Create Timestamp>2023-08-31T03:45:02.083Z</Create Timestamp> <Message Text>Sequence Numbers processed during this transaction : 00000000000000875115,00000000000000875116,00000000000000875117,00000000000000875118</Message Text>   <Create Timestamp>2023-08-31T02:45:01.909Z</Create Timestamp> <Message Text>Sequence Numbers processed during this transaction : 00000000000000875114</Message Text>   <Create Timestamp>2023-08-31T01:45:02.703Z</Create Timestamp> <Message Text>Sequence Numbers processed during this transaction : 00000000000000875112,00000000000000875113</Message Text>

Re: How to split comma separated values in single event and make each value as one row of table with individual values

by in Splunk Search
‎08-30-2023 10:20 PM
‎08-30-2023 10:20 PM
Hi @gcusello  & @bowesmana ,   Thanks for the prompt responses.   You both gave answers for static set of numbers. What if this set of field values are dynamically changing and combined with stri... See more...
Hi @gcusello  & @bowesmana ,   Thanks for the prompt responses.   You both gave answers for static set of numbers. What if this set of field values are dynamically changing and combined with string as well. In that case,How Can I separate this dynamic set of numbers from string and display them individually instead of comma separated in table format. We crossed half of the solution,You already responded to split comma separated values and display them in table format. I need to solution for below two case: 1. What if this set of numbers are dynamically logging into splunk using one fields(MessageText)? 2. These dynamic set of numbers combined with text like(Sequence Numbers processed during this transaction in the field (MessageText).How can I separate only numbers and display them in above mentioned format like: 00000000000000872510 00000000000000872511 00000000000000872512 00000000000000872513 00000000000000872514   instead of 00000000000000872510,00000000000000872511,00000000000000872512,00000000000000872513,00000000000000872514 (these set of numbers are not static keeps on changing for each transaction and logging into splunk as individual event in (message text) field.)

Re: How do I display _time on dashboard panel's title field?

by in Dashboards & Visualizations
‎08-30-2023 10:17 PM
‎08-30-2023 10:17 PM
Hi Pshangguan,   After I modity time into $result.time$, the actual time still doesn't appear on the title. Do you succesfully make the actual time appear in your panel title ?   Thanks.