Hi, I want to match partial values of field a with partial values of field b. I tried with match/like but no luck.

field a:
AA\ABC$
BB\DCE$

field b:
A=ABC,B=Domain,C=AB,D=XXX,E=NET
A=DCE,B=Domain,C=AB,D=XXX,E=NET

Now my results should return:

field a = field b
ABC     = ABC
DCE     = DCE

Could someone please help me on this?
Hi Everyone, is it possible to create a button similar to the edit button and place it near the edit button using HTML and CSS? I was able to create a button, but it is big and I was also not able to place it near the edit button. Can anyone help me?
Assuming you have this data in Splunk and the field names are A_ X Y Z W, this example shows how, using your data, which you can copy/paste into a search:

| makeresults
| eval _raw="A   X Y Z W
A8  2
B12   7   5
C14 5
D24   2 3"
| multikv forceheader=1
| table A_ X Y Z W
``` Above reproduces your table ```
``` Get the multiplier from the first field ```
| rex field=A_ "[A-Z](?<mul>\d+)"
``` Now multiply the field value by the multiplier ```
| foreach X Y Z W [ eval <<FIELD>>=<<FIELD>>*mul ]
| fields - mul
``` and create the column totals ```
| addcoltotals

I am assuming your final column total for col W is not correct, but should read 5 * 12?
Will give it a go. thanks for the feedback!  
This statement

| eval down=$down$

is not a search statement - it is just creating a field called down with the value held by the token $down$.

Maybe you mean you want to search for an existing field called down that has the value of the token, i.e.

| search down=$down$

or one of these two statements, depending on whether your token value is numeric (first option) or a string (second):

| where down=$down$

OR

| where down=$down|s$
Hey guys, new to Splunk and trying to figure some things out and hit a wall. I created a dropdown called 'down'. I used this field in the search criteria and it's not filtering based on the value I set in the dropdown. Data is being pulled/returned but does not seem to be using the eval correctly. Any help would be greatly appreciated. Thanks!

Code is search:

source="plays.csv" host="DESKTOP-CU54MC0" sourcetype="csv"
| apply "_exp_draft_275e108c50cd4522ac0479ad79873849"
| `confusionmatrix("playType","predicted(playType)")`
| eval down=$down$

I also cannot get it to restrict based on down in a search:

source="plays.csv" host="DESKTOP-CU54MC0" sourcetype="csv"
| apply "_exp_draft_275e108c50cd4522ac0479ad79873849"
| `confusionmatrix("playType","predicted(playType)")`
| eval down=1
Hi Ryan, and what about setting up a .NET app that accesses an AS400 DB? Is there an AppD agent for AS400?
Here is an example of the table.

       X          Y          Z     W
A8     2
B12               7                5
C14    5
D24               2          3
Total  2*8+5*14   7*12+2*24  3*24  5*24

What is the SPL (formula or command) for calculating the total number as listed in the table?

Thanks,
What do you mean 'download a csv for each row'? Where is this CSV coming from? Is this data in Splunk already?
The stats command will not return results for a groupBy field that is empty or null.  Use the fillnull command or enhance the eval statement to ensure the joiner field always has a value.
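As an added example (not part of the original answer), the following SPL shows the behaviour described above on constructed sample rows: the grouping field, here called joiner (a hypothetical name), is left null on the third row, and stats drops that row unless the field is given a value first.

```spl
| makeresults count=4
| streamstats count as n
| eval joiner=case(n=1, "alpha", n=2, "beta", n=4, "alpha"), bytes=n*100
| fillnull value="unknown" joiner
| stats count, sum(bytes) as bytes by joiner
```

The case() call has no default branch, so row n=3 gets no joiner value. Run the search once without the fillnull line and only alpha (count 2, bytes 500) and beta (count 1, bytes 200) come back; the 300 bytes of the third row vanish without any warning. With fillnull in place a third group, unknown, appears with count 1 and bytes 300. The same effect can be had inside the eval itself by wrapping the expression in coalesce(..., "unknown"), which is the "enhance the eval statement" option mentioned above.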
I assume you're referring to your splunk.com account. I went through the same thing a few years ago. You have to create a new account and ask the certification (certification@splunk.com) and education (education_amer@splunk.com) teams to transfer your records to the new account.
I would enable KVStore on search heads and disable it everywhere else.  HFs are not search heads and don't need KVStore unless you have an app that specifically calls for it.
This was me with a typo - see that dash? It should be an underscore (and the lookup was kvstore, not csv)!
Hi Everyone, when I am trying to update "Splunk App for Windows Infrastructure", the login screen where it asks to provide splunk.com credentials does not proceed further. I checked my credentials and they seem to be correct. Any idea why I am unable to update the app? I am able to update other apps fine.
It's just an example. I have about 60 rows of a different data set and I need to download a CSV for each row, just like here, one for each country. I need a way to do all of these in one go.

USA    DC, NY    4.8
There are lots of errors in that query if cut/pasted into a Splunk search, but if you are not getting FailurePercentage, that's because the statement

| eval (FailurePercentage = Failure/Sucess)*100

is not a valid Splunk eval statement, and Sucess is also spelt incorrectly compared to the calculation in your stats command.

Note that your approach using appendcols is not a good way to approach this problem; it can be done more efficiently like this:

index=dl* ("Error_MongoDB") OR ("inserted Record")
| eval Status=if(match(_raw, "Error_MongoDB"), "Failure", "Success")
| timechart span=1d count as Total by Status
| eval FailurePercentage = (Failure/Success)*100
| fillnull FailurePercentage

so you don't need a subsearch and can do it in one timechart, and the fillnull will take care of the case where the value of Success is 0.

Note that the eval Status line may be improved if you have a field that can indicate success/failure better than matching _raw.
Of those figures, what do you want to end up with? Generally you would do

| stats _calc_something_here by Country

to get what you want for each country.
If data is not in an index, Splunk cannot create what is not there, so to solve this type of problem you have to
a) get the data of events for hosts that DO write to the index
b) append a list of hosts you want to know about from a lookup file
i.e. your search will look something like this:

index="index" source="C:\\Windows\\System32\\LogFiles\\Log.log" "Detection!" earliest=-45m latest=now
| stats count by host
``` This bit gets all the hosts you want to know about and just contains a field called host ```
| append [ | inputlookup list_of_wanted_hosts.csv | eval count=0 ]
``` now this joins all together, so you have a list with the counts found and 0 where no data is present ```
| stats max(count) as count by host
The transaction command is not a good command to use for long transactions if you have a reasonable volume of data, as it will silently run out of memory and your results will be incomplete/wrong. It is often better to use stats, e.g.

| stats min(_time) as Start max(_time) as Finish by CARS_ID
| eval duration=Finish-Start

or, if you have lots of events for the same ID that come before and after, you could do

| stats min(eval(if(match(_raw, "Reading Control-File"), _time, null()))) as Start
        max(eval(if(match(_raw, "Completed Settlement file processing"), _time, null()))) as Finish by CARS_ID

It will depend on your events, but this will be reliable.
Your Thread value is not extracted in the first data line and, even if it was, it has a different value to the ending line. The first has 'thread-1' and the second Thread-34, although the first is actually pool-3-thread-1.

Can you not use the D082823 ID in the CARS file description, e.g.

| rex "CARS\.HIER(CTR)?\.(?<CARS_ID>\w+)"
| transaction CARS_ID startswith="Reading Control-File /absin/CARS.HIERCTR." endswith="Completed Settlement file processing, CARS.HIER."
| table duration