All Posts

Hi there, Kara here, Splunk Community Manager. Thanks for your reply, but if you have an additional question, I recommend posting a new question for more visibility.  Cheers!
Hi @aditsss, is "Thread-83" a common key to correlate events? If yes, you could try something like this:

index="abc" sourcetype=600000304_gg_abs_ipc1 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "Unbalanced"
| rex "^[^\[]*\[[^\]]*\]\s+\[(?<key>[^\]]*)"
| rex "ReadFileImpl\s+-\s+(?<PHRASE>.*)\s+for\s+filename\s+(?<FILENAME>.*)"
| rex "GfpEbncImpl - statusList detail with status (?<PHRASE>.*)"
| stats values(PHRASE) AS PHRASE values(FILENAME) AS FILENAME BY key

Ciao. Giuseppe
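As an added illustration, not part of Giuseppe's answer or the original thread, here are the same three extractions and the stats-by-key correlation written in Python over the three log lines quoted in this thread, embedded below as constructed sample input. The row field names (phrase, filename, status, description) and the function name are my own labels. The caveat the answer hints at applies here as well: a thread id is only a safe join key if one thread handles one file at a time; otherwise events from different files are merged into one row.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample: the three log lines quoted in the thread, all sharing
# the thread id "Thread-83" in the second bracketed field.
SAMPLE_LOG = """\
2023-08-27 07:11:46.885 [INFO ] [Thread-83] ReadFileImpl - ebnc event unbalanced event occurred for filename TRIM.DEMO.D082623.T070035
2023-08-27 07:11:46.885 [INFO ] [Thread-83] GfpEbncImpl - statusList detail with status UNBALANCED with description No Source Event found but Destination Event is present.
2023-08-27 07:11:46.885 [INFO ] [Thread-83] GfpEbncImpl - balancerResponse received - response EventBalancerResponse [aggregateStatus=UNBALANCED, correlationId=null, statusList=[com.amex.fundingplatform.ebnc.response.StatusList@2f6e3e4b]]
"""

# Same idea as the three rex commands in the answer: the correlation key is
# the second [...] group; the file event and the status event each get
# their own extraction so the fields do not overwrite each other.
KEY_RE = re.compile(r"^[^\[]*\[[^\]]*\]\s+\[(?P<key>[^\]]*)\]")
FILE_RE = re.compile(
    r"ReadFileImpl\s+-\s+(?P<phrase>.*?)\s+for\s+filename\s+(?P<filename>\S+)"
)
STATUS_RE = re.compile(
    r"GfpEbncImpl - statusList detail with status (?P<status>\S+) "
    r"with description (?P<description>.*)"
)


def correlate(log_text: str) -> dict[str, dict[str, str]]:
    """Group events by thread key and merge the fields extracted from each.

    Equivalent to `| stats values(...) BY key` in SPL: one row per key,
    holding the values contributed by every event that carried that key.
    Lines without a bracketed key are skipped (nothing to join on).
    """
    rows: dict[str, dict[str, str]] = defaultdict(dict)
    for line in log_text.splitlines():
        key_match = KEY_RE.match(line)
        if not key_match:
            continue
        key = key_match.group("key")
        if m := FILE_RE.search(line):
            rows[key]["phrase"] = m.group("phrase")
            rows[key]["filename"] = m.group("filename")
        elif m := STATUS_RE.search(line):
            rows[key]["status"] = m.group("status")
            rows[key]["description"] = m.group("description")
        # the balancerResponse line matches neither pattern and adds no fields
    return dict(rows)


if __name__ == "__main__":
    for key, row in correlate(SAMPLE_LOG).items():
        print(key, row)
```

Running it prints one row for Thread-83 with the phrase, filename, status and description side by side, which is the table asked for further down the thread.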
Hello, Thank you for the help, I am just using a Count for the column the Threshold is changing colors on for me. But, I can't find a way to change the text color through the GUI or anywhere else, sad to say. I would love to remove the number from being displayed. Here's the Query I am using:

integrationName="Opsgenie Edge Connector - Splunk" "[ThousandEyes] Alert for https://httpURL.com" action!="AddNote" action!="Acknowledge"
| transaction "alert.id", alert.message startswith=Create endswith=Close keepevicted=true
| table _time, alert.updatedAt, alert.message, "alertDetails.Alert Details URL", alert.alias, alert.id, action, _raw, closed_txn, _time, source, Component
| where closed_txn=0
| stats values("alertDetails.Alert Details URL") as "Source Link", count("closed_txn") as Count
| eval Application = "ApplicationName"
| eval "Monitor Details" = "Performs an HTTP call to Boomi Gateways, Load Balancer, and Molecule servers to verify they are functioning"
| eval Contact = "ContactName"
| eval Component = Count."|".Application
| fields Count, Application, "Monitor Details", "Contact", "Source Link", Component

Thanks again, Tom
Hi! Kara here, Splunk Community Manager. Thanks for your question, but I see this post is from 2016. I recommend you post a new question to gain more visibility and current answers.   Cheers!
@gcusello when I run the below query:

index="abc" sourcetype=600000304_gg_abs_ipc1 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "Unbalanced"

I see these three results:

2023-08-27 07:11:46.885 [INFO ] [Thread-83] ReadFileImpl - ebnc event unbalanced event occurred for filename TRIM.DEMO.D082623.T070035
2023-08-27 07:11:46.885 [INFO ] [Thread-83] GfpEbncImpl - statusList detail with status UNBALANCED with description No Source Event found but Destination Event is present.
2023-08-27 07:11:46.885 [INFO ] [Thread-83] GfpEbncImpl - balancerResponse received - response EventBalancerResponse [aggregateStatus=UNBALANCED, correlationId=null, statusList=[com.amex.fundingplatform.ebnc.response.StatusList@2f6e3e4b]]
Hi @aditsss, the problem is that I don't see any field that can be used to correlate the two events: is there any other part of the logs, e.g. timestamp, ip address, or something else? Because with these logs there isn't any common information to use for the correlation. When you run your search, are there as results only these two events or also other events? Ciao. Giuseppe
HI @gcusello these are the only complete logs:

ReadFileImpl - ebnc event unbalanced event occurred for filename TRIM.DEMO.D082623.T070035
GfpEbncImpl - statusList detail with status UNBALANCED with description No Source Event found but Destination Event is present.

From the first log I want to fetch like this:

PHRASE                               | FILENAME
ebnc event unbalanced event occurred | TRIM.DEMO.D082623.T070035

For the second log I want to fetch the description of the UNBALANCED event:

UNBALANCED with description No Source Event found but Destination Event is present.

@gcusello could you please guide
Hi @aditsss, this seems to be a json format, did you try to use "INDEXED_EXTRACTIONS = json" in the props.conf or the spath command in your search? Check if after this command you have all the fields you need:

index="abc" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "CarsDeltaHierarchyProcessor - CARS_HIERARCHY event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]"
| spath
| table something.phrase something.status something.description

Surely the fields to use in the following table command will have some prefixes that I cannot know, but that you can find in the interesting fields. Ciao. Giuseppe
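As an added example (mine, not from the answer or the thread), the rex-then-spath idea in Python: the whole event is not JSON, only the array after the colon is, so the code isolates that payload, decodes just that part, and emits one row per status object, which also covers a payload carrying several status entries. The sample line is the one quoted in the question, embedded here as constructed input; the row field names and the function name are my own, and the regex assumes the phrase before the colon contains no colon itself.

```python
from __future__ import annotations

import json
import re

# Constructed sample line, as quoted in the question: a plain log line with
# a JSON array embedded after "ebnc:".
SAMPLE_LINE = (
    "CarsDeltaHierarchyProcessor - CARS_HIERARCHY event published to ebnc: "
    '[{"status":"SUCCESS","description":"Event saved to database successfully."}]'
)

# <class> - <phrase>: <json array>
# The phrase is everything between the " - " separator and the colon that
# introduces the payload; the payload is the bracketed remainder.
LINE_RE = re.compile(r"^\S+\s+-\s+(?P<phrase>[^:]+):\s*(?P<payload>\[.*\])\s*$")


def parse_event_line(line: str) -> list[dict[str, str]]:
    """Return one row per status object in the embedded JSON array.

    Mirrors `rex` (to split phrase and payload) followed by `spath` (to
    read the JSON). Calling json.loads on the raw event would fail because
    the class name and phrase are not JSON, so only the payload is decoded.
    A truncated or non-JSON payload yields no rows rather than a guess.
    """
    m = LINE_RE.match(line)
    if not m:
        return []
    try:
        items = json.loads(m.group("payload"))
    except json.JSONDecodeError:
        return []
    phrase = m.group("phrase").strip()
    return [
        {
            "phrase": phrase,
            "status": item.get("status", ""),
            "description": item.get("description", ""),
        }
        for item in items
        if isinstance(item, dict)
    ]


if __name__ == "__main__":
    for row in parse_event_line(SAMPLE_LINE):
        print(row)
```

For the sample line this yields a single row with phrase "CARS_HIERARCHY event published to ebnc", status "SUCCESS" and the description text, the table asked for in the question.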
Hi @aditsss, could you share the full logs? Because with only these two partial logs, there isn't any key to use to correlate them. Ciao. Giuseppe
Hello, there is a requirement to add a mail hyperlink to the dashboard studio. I tried to give "mailto:abc.com" in the link to URL, but it is saying to provide the link as a relative/absolute path only. Can someone help here. Thanks Sudha A
Hi Team, I have two logs:

ReadFileImpl - ebnc event unbalanced event occurred for filename TRIM.DEMO.D082623.T070035
GfpEbncImpl - statusList detail with status UNBALANCED with description No Source Event found but Destination Event is present.

I want to show data like this:

phrase                               | filename                  | description
ebnc event unbalanced event occurred | TRIM.DEMO.D082623.T070035 | No Source Event found but Destination Event is present.

current query:

index="abc" sourcetype=600000304_gg_abs_ipc1 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "Unbalanced"

please guide
Hi Team, I have the below raw logs:

CarsDeltaHierarchyProcessor - CARS_HIERARCHY event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]

I want to create one table like this:

phrase                                 | status  | description
CARS_HIERARCHY event published to ebnc | SUCCESS | Event saved to database successfully.

can someone help me with the query. My current query:

index="abc" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "CarsDeltaHierarchyProcessor - CARS_HIERARCHY event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]"
I understand @VatsalJagani , but my question is, I have to set web.conf manually, right? Is there any way that my app do that automatically?
I am using the below query to get the search result and calculate the failure percentage but am not getting the expected result.

index=dl* ("Error_MongoDB")
| timechart span 1d count as Failure
| appendcols [search index=dl* ("inserted Record") | timechart span=1d count as Success
| eval (FailurePercentage = Failure/Sucess)*100
| field _time,Failure,Sucess,FailurePercentage

I am getting all the values except FailurePercentage. What could be the reason?
Hi @mninansplunk, sorry but there's something that I don't understand: the "#" char is present only in the code and it's used in some options to identify the color, it isn't usually displayed in the dashboard. Could you share a screenshot and the code you're using to have it? Anyway, you can configure colours based on threshold by GUI: open the dashboard in Edit Mode and click on the pencil in the top right corner of the column you want in your panel (not of the dashboard), then choose the way to use colours in the column. Ciao. Giuseppe
Hello, I'm not sure how to achieve this, or if it's possible. I have a Column that I am using as a Status indicator in a table. This is working, but, I would love to remove the # being displayed. Is there a way to either change the text color based on the same Threshold I am using to change the Cell color, or maybe a way to just hide the values being displayed? Here's what I currently have in the Dashboard Source:

<format type="color" field="Monitor">
  <colorPalette type="list">[#53A051,#DC4E41]</colorPalette>
  <scale type="threshold">1</scale>
</format>
<format type="color" field="Count">
  <colorPalette type="list">[#53A051,#DC4E41]</colorPalette>
  <scale type="threshold">1</scale>
</format>
<drilldown>

Here's the column I am referring to.

Thank you for any help on this one, much appreciated Tom
Hi @cedSplunk2023, your question is just a little vague! Failed password on which operating system (Windows, Linux, etc...) or application or appliance? Anyway, to answer this question you don't need a Splunk expert but someone that knows the target environment. E.g. to find the failed password on Windows, you have to search for EventCode=4625; for Splunk, you have to search "ERROR AuthenticationManagerSplunk - Login failed". In addition you need to know in which index the data are stored, e.g. Splunk logs are in "_internal", wineventlogs are usually in "wineventlog". In conclusion, to find the failed logins in Windows, you have to search:

index=wineventlog EventCode=4625

To find the failed logins in Splunk, you have to search:

index=_internal "ERROR AuthenticationManagerSplunk - Login failed"

Remember that finding something in Splunk depends 70% on your knowledge of the target and 30% on your Splunk knowledge. Ciao. Giuseppe
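As an added example, not from Giuseppe's answer, the two searches above turned into detection logic in Python over constructed sample events. The Windows events are rendered in a simplified single-line form with the Account_Name and Source_Network_Address field names; the splunkd line is a simplified rendering of the "AuthenticationManagerSplunk - Login failed" message with assumed user= and src= fields. The event layout, those two fields, the 5-failures-in-5-minutes threshold and the function names are all assumptions of this example. It goes one step beyond the two searches: 4624 (a successful logon) is excluded, and failures are grouped by source address so a burst against several accounts from one host stands out as a spraying pattern rather than a single user mistyping a password.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real captures). Layout is simplified:
# ISO timestamp, index name, then the fields a logon event carries.
SAMPLE_EVENTS = """\
2023-08-27T07:11:01 wineventlog EventCode=4625 Account_Name=jdoe Source_Network_Address=10.0.0.5
2023-08-27T07:11:03 wineventlog EventCode=4625 Account_Name=jdoe Source_Network_Address=10.0.0.5
2023-08-27T07:11:04 wineventlog EventCode=4625 Account_Name=admin Source_Network_Address=10.0.0.5
2023-08-27T07:11:05 wineventlog EventCode=4624 Account_Name=jdoe Source_Network_Address=10.0.0.5
2023-08-27T07:11:06 wineventlog EventCode=4625 Account_Name=svc_backup Source_Network_Address=10.0.0.5
2023-08-27T07:11:07 wineventlog EventCode=4625 Account_Name=svc_backup Source_Network_Address=10.0.0.5
2023-08-27T07:15:00 _internal ERROR AuthenticationManagerSplunk - Login failed user=admin src=192.168.1.20
2023-08-27T07:20:00 wineventlog EventCode=4625 Account_Name=bob Source_Network_Address=10.0.0.9
"""

# Windows Security events: only EventCode 4625 is a failed logon.
WIN_RE = re.compile(
    r"^(?P<ts>\S+) wineventlog EventCode=(?P<code>\d+) "
    r"Account_Name=(?P<user>\S+) Source_Network_Address=(?P<src>\S+)"
)
# splunkd authentication failures (assumed user=/src= fields for this example).
SPLUNKD_RE = re.compile(
    r"^(?P<ts>\S+) _internal ERROR AuthenticationManagerSplunk - Login failed "
    r"user=(?P<user>\S+) src=(?P<src>\S+)"
)


def failed_logins(text: str) -> list[tuple[datetime, str, str, str]]:
    """Return (timestamp, system, user, src) for every failed login.

    Equivalent to the two searches combined: index=wineventlog EventCode=4625
    plus index=_internal "ERROR AuthenticationManagerSplunk - Login failed".
    """
    out = []
    for line in text.splitlines():
        if m := WIN_RE.match(line):
            if m.group("code") != "4625":
                continue  # 4624 is a successful logon, not a failure
            out.append((datetime.fromisoformat(m.group("ts")), "windows",
                        m.group("user"), m.group("src")))
        elif m := SPLUNKD_RE.match(line):
            out.append((datetime.fromisoformat(m.group("ts")), "splunk",
                        m.group("user"), m.group("src")))
    return out


def flag_sources(events, threshold: int = 5,
                 window: timedelta = timedelta(minutes=5)) -> dict[str, dict]:
    """Flag source addresses with >= threshold failures inside any window.

    A sliding window over the sorted timestamps per source finds the densest
    burst; the distinct account list shows whether one user or many were
    targeted from that host.
    """
    by_src: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ts, _, user, src in events:
        by_src[src].append((ts, user))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        start, best = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = {"failures": best,
                            "accounts": sorted({u for _, u in hits})}
    return flagged


if __name__ == "__main__":
    for src, info in flag_sources(failed_logins(SAMPLE_EVENTS)).items():
        print(src, info)
```

With the sample data only 10.0.0.5 is flagged: five failures in six seconds spread over three accounts, while the single failures from the other two sources stay below the threshold. The same grouping in SPL would be a `stats count dc(user) by src` over a `bin _time span=5m`.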
Hello everyone, I'm having a hard time figuring this out. I have a Search where I have created a Transaction in order to only display the "Create" events in a table. This worked, but, I had to add a joiner in order to display a field from another search. Since I did this, only the events that have values in the joiner field I used are displayed. I need help with how I can still show all of the events from the Transaction even though they don't have values from the joiner I used. Here's the Search I have created. (I'm still learning all of the Search possibilities, so it might be ugly.)

(integrationName="Opsgenie Edge Connector - Splunk" alert.message = "STORE*" alert.message = "STORE*", alert.message != "*Latency" alert.message != "*Loss" action != "AddNote") OR (sourcetype="snow:incident" dv_opened_by=OPSGenieIntegration)
| transaction "alert.id", alert.message startswith=Create endswith=Close keepevicted=true
| where closed_txn=0
| eval joiner=if(integrationName="Opsgenie Edge Connector - Splunk", alertAlias, x_86994_opsgenie_alert_alias)
| stats values(*) as * by joiner
| where alertAlias==x_86994_opsgenie_alert_alias
| fields _time, alert.updatedAt, alert.message, alertAlias, alert.id, action, "alertDetails.Alert Details URL", _raw, closed_txn, _time, dv_number
| eval Created=strftime(_time,"%m-%d-%Y %H:%M:%S")
| rename alert.message AS "Branch"
| rename "alertDetails.Alert Details URL" as "Source Link"
| rename dv_number as Incident
| table Created, Branch, "Source Link", Incident
| sort by Created DESC

Thanks for any help on this one, Tom
Hi @Pikta, you need an eval - case command, something like this:

<your_search>
| eval OS=case(
    like('operating-system',"Microsoft Windows Server%"), "Windows Server",
    like('operating-system',"Microsoft Windows%"), "Windows OS",
    'operating-system'="Linux", "Linux",
    'operating-system'="CentOS", "Linux",
    'operating-system'="Ubuntu", "Linux")

Obviously, you can enlarge the command also with other options. Next time, if possible, don't use "-" (or spaces) in field names, use underscore (_) because Splunk uses "-" as an operator, so you have to use quotes in the field name. Ciao. Giuseppe
Hello, I have a table view. In this table view is a column named operating-system. I want to create a new column OS where I want to rename the OS, for example all Microsoft Windows Server versions just renamed to Windows Server, all Linux versions and distributions to Linux and so on, for example:

operating-system              | OS
Microsoft Windows 10          | Windows OS
Microsoft Windows 8           | Windows OS
Linux                         | Linux
Microsoft Windows Server 2019 | Windows Server
Microsoft Windows Server 2012 | Windows Server
CentOS                        | Linux
Ubuntu                        | Linux
Microsoft Windows Server 2016 | Windows Server