All Posts

Fname is a multivalue field having 3 values: mdmdat, omsdat and promodat. The problem is in this line - (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120))) It is giving an incorrect count of src; it is reading all 3 Fnames as one. I am trying to break them into 3 conditions using Fname so that it counts each individual Fname at once, e.g. (src="retailautonomyfileage" AND Fname="mdmdat" AND Age>240), and similarly for the other 2 Fnames. Hope I am able to explain.
Dear Splunk experts, just want to ask about the general upside/downside of creating a large number of indexes. Thinking of creating a Splunk index per application/service, so we may end up with 3K to 5K indexes. But this would allow us to target <<inputs.conf>> based on application/service. Just not sure of the downside of that many indexes... Appreciate your advice.
Hi @Thulasinathan_M, if you always have a special char in the beginning of the token, you could add a backslash "\" as prefix to the token. Ciao. Giuseppe
Hi Splunk Experts, I've a table and, based on a click, I'm holding the value of a field in a token and using it in a different panel with the search command. If there are any special characters, the search fails. I've tried replacing them with '*', but that gives me unexpected results. So I'm thinking of escaping all possible special characters in the token value. Please advise!! Ex: !@#$%^&*(){}|";:<>/\[] I want them as below: \!\@\#\$\%\^\&\*\(\)\{\}\|\"\;\:\<\>\/\\\[\]
Hi @man03359 , let me understand: is the Fname field a single value or a multivalue field before the stats command? If it's a multivalue field, you have to separate the values using the "mvexpand" command (https://docs.splunk.com/Documentation/SCS/current/SearchReference/MvexpandCommandOverview#:~:text=The%20mvexpand%20command%20creates%20individual,productId%20which%20has%20multiple%20values.). If it's a single value field there is no reason to have the described behaviour. Anyway (I cannot test, but it should work), if it's a single value field, you could try to use separated evals, each one setting status only for its own src and keeping the previous value otherwise:
| eval status=if((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed"),"Down","")
| eval status=if(src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed"),"Down",status)
| eval status=if(src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed"),"Down",status)
| eval status=if(src="retailautonomyfileage" AND (Fname="mdmdat" OR Fname="omsdat") AND Age>240,"Down",status)
| eval status=if(src="retailautonomyfileage" AND Fname="promodat" AND Age>120,"Down",status)
| eval status=if(src="retaillineitemdup" AND Count>0,"Down",status)
| eval status=if(src="esbmessagecount" AND MsgCount>5,"Down",status)
| stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain
Ciao. Giuseppe
Thank you! The code with the case statement is working for me. To consider the value '2' also, I can use value &lt;= 02
It really helped me understand the SPL. 
I want to offload some logs into MinIO using smartstore to reduce volume consumption in license, but I cannot find reference if smartstore will still count against the license volume
Hi All, I am trying to build a search query for an alert and below is the condition-
| eval status=if(((src="DB_Rebuild_Indexes_UpdateStats_MDM" OR src="DB_Stop_IndexRebuild_Jobs") AND (JobExecTime>39600 OR message="failed"))
OR (src="RetailAutonomyDataSync" AND (JobExecTime>21600 OR message="failed"))
OR (src="RetailAutonomyPromotionsDataSync" AND (JobExecTime>4000 OR message="failed"))
OR (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120)))
OR (src="retaillineitemdup" AND Count>0)
OR (src="esbmessagecount" AND MsgCount>5),"Down","Up")
| stats count count(eval(status="Down")) AS Down latest(_time) as _time BY Device Store src host Chain StoreNum Domain
But I am facing difficulty at line 4 - OR (src="retailautonomyfileage" AND (((Fname="mdmdat" OR Fname="omsdat") AND Age>240) OR (Fname="promodat" AND Age>120))) - it is reading all 3 filenames as one (Fname). It is taking all 3 file names (Fname=mdmdat,omsdat,promodat) as one and hence I am getting the incorrect count for src=retailautonomyfileage. I am trying to break the condition of line no 4 into 3 parts within the eval condition itself. Thanks in advance.
By the way, your conditions do not take account of the value being 2
<format type="color">
  <colorPalette type="expression">case(isnull(value),"#c1fa9b", value &lt; 02, "#c1fa9b", value &gt; 02, "#ff9c9c")</colorPalette>
</format>
Hi @Kingsly007, anyway, it's still not clear what you mean by "Dynamic". If you have comma-divided values, the number of them isn't relevant. Could you share a sample of your logs? Ciao. Giuseppe
Hi @Mostafa3081, let me understand: you want to extract a part of a field in a summary index, is that correct? If this is your requirement and if you can, the easiest way is to save the field to extract in the summary-generating search. Anyway, you can extract the part of the "text" field using a rex command: | rex field=text "href\=\\\"(?<url>[^ ]*)" that you can test at https://regex101.com/r/6jptux/1 Ciao. Giuseppe
I have an event log that looks like this search_name=x, search_now=3.000, info_min_time=1692741600.000, info_max_time=1692828000.000, info_search_time=1692847620.636, app=Digital, text="<a href=\"https://support.vodafone.co.uk/1627646512 \" target=\"_blank\"> ...etc ", info_log=l When I use the command ... | table text to extract the 'text' field, I get the expected result <a href=\"https://support.vodafone.co.uk/1627646512 \" target=\"_blank\"> ...etc However, when I attempt to extract the same 'text' field from the same event, but this time from a summary index, I get a different result <a href=\ and the whole value is presented in the event tab when I enable verbose mode, so the whole value is in the summary index but I can't show it. How do I prevent Splunk from truncating the result if it is in the summary index?
I have my table panel with the column field as Month-year, and this is a dynamic field populated from my panel query. One more column is a text field and it is a static field. (This does not need to be color coded.) I want to color code the cell values in all the dynamic fields, based on the below condition: if the cell value is less than 2, the cell should be coded in green; if the cell value is more than 2, the cell should be coded in red. Other cells with text values should not be color coded. I tried to use multiple conditions with a color palette expression but that does not work
<format type="color">
  <colorPalette type="expression">if(isnull(value), "#c1fa9b", if(value&lt;02, "#c1fa9b", "#ff9c9c"), if(value&gt;02, "#ff9c9c", "#c1fa9b"))</colorPalette>
</format>
I made the two conditions similar just to filter the fields with text values, so that all the numeric fields with values less than 2 will be displayed as green and those greater than 2 will be displayed as red. I am aware of writing JS scripts for this but would like to do this with SimpleXML. Could anyone please help me on this?
Hi @pagillar, Please see here for instructions on how to troubleshoot further: https://community.splunk.com/t5/Installation/Install-issue-on-Server-2016/m-p/540173/highlight/true#.... Cheers,     - Jo.
Hello @gcusello , regarding the subject: the sequence number differs in every transaction's logs, so how can we write this for values that are all dynamic (not the same numbers in every transaction)? Every transaction's logs have a different sequence number, 1 to n (last number); if any number between 1 and N is missed, can you help on this? Really, thanks in advance.
Hi @Kingsly007, please, next time, open a new question, even if on the same topic: you'll have a faster and probably better answer to your question! In addition, at the end of the analysis, you can accept the answer and give more information for the other people of the Community. Anyway, could you better describe what you mean by "Dynamic"? If you have comma-divided values, the number of them isn't relevant. Could you share a sample of your logs? Ciao. Giuseppe
Hello @gcusello Thanks for your approach, I appreciate it, and I have another question: if the numbers are dynamic, how can we split comma separated values and display them individually in a table?
Use CSS to set the font size to zero. (You will need to give your panel an id.) Try something like this
<panel depends="$stayhidden$">
  <html>
    <style>
      #hiddentext td { font-size: 0 !important; }
    </style>
  </html>
</panel>
<panel>
  <table id="hiddentext">
We've looked a bit more into this case. The error is coming from the script "identity_manager.py" in the app "SA-IdentityManagement". The error is generated in the following "for" loop.
for url, path, size, last_updated in update_times:
    if path and last_updated:
        lookup[url] = last_updated
    else:
        logger.error('status="Lookup file error, unknown path or update time" name=%s', url)
The "update_times" array comes from the method "get_lookup_table_file_update_times", which again comes ultimately from the Python package "importlib.util.spec_from_file_location". We were thinking that this error might be from this package, and not from Splunk per se, but when we look at the actual lookup file CSV in the Linux OS, it is there and has the last modified time value set, so that is not the cause either. So, still haven't figured this out.