All Posts

I need to calculate the time difference between start and end times, but I get the difference value as null. Not sure what I am missing. Below is the sample query:

| makeresults
| eval a="27 Mar 2025,02:14:11"
| eval b="27 Mar 2025,03:14:12"
| eval stime=strptime(a,"%d %b %Y,%H:%M:%S")
| eval etime=strptime(b,"%d %b %Y,%H:%M:%S")
| eval diff = eTime - sTime
| table a b stime etime diff

I get the below result with the diff value empty:

a                      b                      stime               etime               diff
27 Mar 2025,02:14:11   27 Mar 2025,03:14:12   1743041651.000000   1743045252.000000

Please help in identifying where I am going wrong.
Looks like I was not completely right. It's more complicated, but there is a way. From the transforms.conf.spec file:

NOTE: For KV Store lookups, a setting of 'case_sensitive_match=false' is honored only when the data in the KV Store lookup table is entirely in lower case. The input data can be in any case.

Context:

case_sensitive_match = <boolean>
* If set to true, Splunk software performs case sensitive matching for all fields in a lookup table.
* If set to false, Splunk software performs case insensitive matching for all fields in a lookup table.
* NOTE: For KV Store lookups, a setting of 'case_sensitive_match=false' is honored only when the data in the KV Store lookup table is entirely in lower case. The input data can be in any case.
* For case sensitive field matching in reverse lookups see reverse_lookup_honor_case_sensitive_match.
* Default: true
KV Store supports only case sensitive content: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/DefineaKVStorelookupinSplunkWeb

Tomas
We saw this problem with a customer deployment as well. It turned out that a different admin, not the main admin who was usually on the box, had set Splunkd some time ago to only be run as a certain domain user rather than as SYSTEM. The MSI's upgrade restarts Splunk at the end, but I guess it ends up restarting as the user who ran the MSI, so it fails. Another clue was that restarting splunkd on the command line, as the administrator user, failed with "splunk stopped" as the only output. Tacking launchsplunk=0 onto the MSI invocation was the answer ultimately, and then the admins set Splunk back to just run as SYSTEM so it wouldn't cause any unexpected problems going forward.
Two small points:

1. I would avoid the usage of the /lib directory in app code. It was intended to work around an issue that no longer exists (outside of persistent custom REST endpoints) and causes additional issues for extension points that distribute resources to search peers (i.e. certain types of custom search commands and external lookups): you will need to update .conf files to make sure that the /lib directory is distributed correctly. There are no advantages to using /lib over /bin, and /bin is automatically distributed to search peers as required.

2. Similarly, the guidance to do import manipulation using sys.path.insert is also outdated, as it does not prevent import collisions within the context of persistent custom REST endpoints.

e: In the context of a scripted input it shouldn't matter either way. I just want to make sure it's understood where the /lib guidance came from and why it is out of date today. I'm working to get the old guidance removed from dev.splunk.com and the examples on GitHub; appreciate your patience in the meantime.
Hi @livehybrid

The windbag command worked just fine, but the collect command did not work. How do I use the collect command in a Splunk report that appends "| summaryindex" automatically? Perhaps the screenshot below will explain better. Thank you for your help.

I have a Splunk report that generates a summary index daily. The search query will be:

index=summary report=json_test

When the report runs daily, the search will be appended with the "| summaryindex" command below:

| windbag
| head 1
| eval _raw="{\"name\":\"John Doe\",\"age\":30,\"address\":{\"street\":\"123 Main St\",\"city\":\"Anytown\",\"state\":\"CA\",\"zip\":\"12345\"},\"interests\":[\"reading\",\"hiking\",\"coding\"]}"
| summaryindex spool=t uselb=t addtime=t index="summary" file="RMD[random characters].stash_new" name="json_test" marker="hostname=\"https://aa.test.com/\",report=\"json_test\""
Hi @LearningGuy

Yes, you can use output_mode=hec; see below:

| windbag
| head 1
| eval _raw="{\"name\":\"John Doe\",\"age\":30,\"address\":{\"street\":\"123 Main St\",\"city\":\"Anytown\",\"state\":\"CA\",\"zip\":\"12345\"},\"interests\":[\"reading\",\"hiking\",\"coding\"]}"
| eval source="answersDemo"
| collect index=main output_format=hec

Then when I search index=main source=answersDemo:

Note: you need to ensure you have the run_collect capability for your role and also access to the index you are collecting into.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing.
Hi @LearningGuy

Ah yes, you do need access to the index you search, but it can be any index. You might actually be able to use the "windbag" command instead, like this:

| windbag
| head 1
| eval _raw="{\"name\":\"John Doe\",\"age\":30,\"address\":{\"street\":\"123 Main St\",\"city\":\"Anytown\",\"state\":\"CA\",\"zip\":\"12345\"},\"interests\":[\"reading\",\"hiking\",\"coding\"]}"
Hi @ITWhisperer

Will a JSON format with a tree structure be supported if I create a summary index using a Splunk report? The Splunk report automatically generates the summary index using the "summaryindex" command, rather than the "collect" command. According to the documentation you sent, output_format=hec is used to get JSON-formatted output. Thank you
Not being admin, you might not have access to _internal, which is why you get no events in which you can override the _raw field. So, yes, try using one of the indexes you do have access to (with a corresponding timeframe so that you find at least 1 event). Assuming you have access/permissions, you can add to a summary index with the collect command. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Collect
I've done this little app in order to address this specific use case: https://github.com/kilanmundera/Custom-Annotations-Framework-for-Splunk-Enterprise-Security
Hello @livehybrid

If I literally used your query, I got no result, but if I changed the index name to one of my existing indexes, I got the same output.

1. Should I use one of my existing indexes for testing? (As I am not an admin, I don't have the ability to import JSON and create an index.)
2. How do I create a summary index in JSON format with a tree structure?

Thank you so much for your help.
Hi all, I'm planning to deploy the Splunk Attack Range in a cloud-based lab environment, likely in AWS or Azure. I need to provide my team with clear guidance on the resource requirements for provisioning multiple virtual machines or instances as part of the full deployment. From the documentation I see the Attack Range includes: Splunk Enterprise Server, Splunk SOAR, Windows Domain Controller, Windows Server, Windows Workstation, Kali Linux, Nginx server, a general-purpose Linux server, Zeek server, and Snort server (IDS).

I'm looking for recommendations on the following:

Compute: vCPU and RAM requirements for each component when deployed on separate VMs. What instance types have worked well in AWS or Azure?

Storage: Minimum and recommended disk space per instance. Are SSD-backed volumes necessary for performance? What IOPS or throughput is required for log-heavy components like Splunk or Zeek?

Deployment tips: Has anyone successfully deployed this in AWS or Azure? Any suggestions on instance sizing, storage configuration, or common bottlenecks when running all components concurrently?

Appreciate any best practices or real-world guidance you can share to help with efficient provisioning. Thanks in advance!
Does Splunk integrate with WebEx Calling (not WebEx Meetings or WebEx Contact Center) for CDR reporting, similar to how it integrates with CUCM?
Hi all, I'm trying to dynamically replace single backslashes with double backslashes in a search string and use the result to search across a field (e.g., FileSource). Here's what I've tried:

| eval text_search="*\\Test\abc\test\abc\xxx\OUT\*"
| eval text_search_escaped=replace(text_search, "\\\\", "\\\\\\\\")
| search FileSource=text_search_escaped

The output of text_search_escaped looks correct (with double backslashes), and if I run a manual search like the one below, I do get results:

index=... FileSource="*\\Test\\abc\\test\\abc\\xxx\\OUT\\*"

However, when I try to use the text_search_escaped variable inside search, I get no results. Am I missing something in how Splunk treats dynamic fields inside search? Is there a better way to pass an escaped Windows-style path to a search clause?
@jkat54 Hello, I found out that I get the lastTime tstats metadata from the export API endpoint run from the CLI, but I am not getting this lastTime field in a web search with the same query, even if the lastTime info is from last year from an offline UF. I guess there is maybe web filtering. This only applies to a single result though. Results can be different, I guess, due to different user/role, app context, or API endpoint, which may be my case. Thanks.
In Splunk, _raw is only one line, but it can contain e.g. a \n character. You can see it with, e.g., "table _raw".
Hi @LearningGuy

When using makeresults, which is a report-generating command, you get a table output. When I want to get a JSON tree view, you need it to be an event-based output. I use this little trick to get an event and then override it with eval _raw, like this:

index=_internal
| head 1
| eval _raw="{\"name\":\"John Doe\",\"age\":30,\"address\":{\"street\":\"123 Main St\",\"city\":\"Anytown\",\"state\":\"CA\",\"zip\":\"12345\"},\"interests\":[\"reading\",\"hiking\",\"coding\"]}"
Hello, how do I create sample JSON data and display it in a tree structure? I used makeresults to create the sample JSON data below:

| makeresults
| eval data = "{\"name\":\"John Doe\",\"age\":30,\"address\":{\"street\":\"123 Main St\",\"city\":\"Anytown\",\"state\":\"CA\",\"zip\":\"12345\"},\"interests\":[\"reading\",\"hiking\",\"coding\"]}"

The search result is below. My expected output is below. I have the option to select "list" from the drop down, but this option is only available if I import the data to an index. Please help. Thanks

JSON data:

{
  "name": "John Doe",
  "age": 30,
  "address": {
    "street": "123 Main St",
    "city": "Anytown",
    "state": "CA",
    "zip": "12345"
  },
  "interests": [
    "reading",
    "hiking",
    "coding"
  ]
}
Thank you, @livehybrid, @richgalloway. I'll get screenshots, but a related question: how do I access the second line of _raw?