All Posts

The below also gives the same results; please let me know if it's right too: "(?<severity>Severity:\w+;)"
The below can extract: "(?<time>Time:\d+\-\d+\@\d+:\d+:\d+\.\d{1,3})"
You can query all alerts using this REST command. Filter the results to find the information you seek.
| rest splunk_server=local /servicesNS/-/-/saved/searches | search alert_type!="always"
Please try my updated query.
My workaround would be "talk to the people who do have access".
Hi, how do I query scheduled searches and alerts that are not scheduled?
Hi, how can I query alerts without alert actions? I also want to see the status.
But how will our indexers accommodate this? That is my question here. We have 6 indexers with 6.9 TB of disk space. What happens if we exceed this space in a single day?
Thank you, that's a neat solution. However in my simplified query I have removed some eval conditions and filters. One of them being the caller and caller_party formats are different in the sourcetypes. So below the rename I have `| eval caller_party=substr(caller_party, 2)`. Could you please advise how your solution would change to account for this? Thank you!
Not working, please help: | rex field=_raw "^\S+"
Not working. But if I use single and try for a single country, it's working. Please help. Also, what is the use of | rex field=_raw "^\S+" ?
Hi @ITWhisperer, thank you for sharing the details. I configured the same in my source XML and I can modify the colors accordingly. Can you also help me to change the legend color 'forecast', as it is not showing in green?
Hi @Karthikeya, you can exceed the license limit without any violation (only a message) 45 times in 60 solar days. So it shouldn't be a problem in your situation. For more information see https://www.splunk.com/en_us/resources/splunk-enterprise-license-enforcement-faq.html?locale=en_us Ciao. Giuseppe
Hi @osh55, let me understand: is the issue the number of results of the subsearch, which is more than 50,000? Did you try to put both searches in the main search?
index=sample1 ((sourcetype=x host=host1) OR sourcetype=y) | eval caller=coalesce(caller, caller_party) | stats count(eval(sourcetype=x)) AS all_calls count(eval(sourcetype=y)) AS messagebank_calls BY caller | search all_calls=*
Ciao. Giuseppe
You could try this https://github.com/paychex/Splunk.Conf19 if it helps you to get all KOs on files and then create app on your local environment?
Perhaps this will help.
index=*1644* container_name="ls2-sdp-java" $selected_countries$
| rex field=_raw "for \[(?P<country>\w+),\s*(?P<cobDate>\w+),\s*(?P<sdpType>\w+)"
| rex field=_raw "records: (?P<Recordcount>\w+)"
| rex field=_raw "^(?<dateTime>\S+)"
| eval DateTime=strptime(dateTime, "%Y-%m-%dT%H:%M:%S.%3N%Z")
| eval CreatedTime=strftime(DateTime, "%H:%M")
| eval CreatedDate=strftime(DateTime, "%Y-%m-%d")
Hello Team, we have been using the Corelight App for Splunk to ingest Corelight IDS events into our distributed Splunk environment. This app is working absolutely fine on the indexer. We are unable to launch this app on the search head. Can you please assist us with the details to get the app working on the search head? Regards, Prathamesh
I have the following simplified version of the query where, for each caller, I need all_calls (from sourcetype=x) and messagebank_calls (from sourcetype=y).
index=sample1 sourcetype=x host=host1
| stats values(caller) as caller by callid
| stats count as all_calls by caller
| rename caller as caller_party
| appendcols [ search index=sample1 AND sourcetype=y | stats count as messagebank_calls by caller_party]
| search all_calls=*
The messagebank_calls value is incorrect and I'm guessing it is because of the subsearch/appendcols? How do I increase the limit or re-write the query so I can get the same results: caller, all_calls, messagebank_calls?
Please find the below attached screenshot and data sample. I need to create 5 fields.
Problem statement: the old Splunk query is not working as the logging pattern got changed.
3/28/25 10:04:25.685 PM
2025-03-28T22:04:25.685Z INFO 1 --- [ool-1-thread-11] c.d.t.l.s.s.e.e.NoopLoggingEtlEndpoint : Completed generation for [DE, 2025-03-28, LOAN_EVENT_SDP, 1]. Number of records: 186
host = lonhybridapp03.uk.db.com
source = /var/log/pods/ls2_ls2-intraday-sdp-86854ff574-48dgp_830e2ef9-56be-4996-ae21-127366a78515/ls2-intraday-sdp/0.log
sourcetype = kube:container:ls2-intraday-sdp
Need the below (expected value for the sample event in parentheses):
index=*1644* container_name="ls2-sdp-java" $selected_countries$
| rex field=_raw "country=(?P<country>\w+)" (DE)
| rex field=_raw "sdpType=(?P<sdpType>\w+)" (LOAN_EVENT_SDP)
| rex field=_raw "cobDate=(?P<cobDate>\w+)" (2025-03-28)
| rex field=_raw "record-count: (?P<Recordcount>\w+)" (186)
| rex field=_raw "\[(?<dateTime>.*)\] \{Thread" (2025-03-28T22:04)
| eval DateTime=strptime(dateTime, "%Y-%m-%dT%H:%M:%S,%N")
| eval CreatedTime=strftime(DateTime, "%H:%M")
| eval CreatedDate=strftime(DateTime, "%Y-%m-%d")
The above SPL is the old query. Can you please help me with new rex patterns to extract these fields? For clear understanding I have attached the required fields in the screenshot.
@bowesmana Thanks for the response. We are using the SVC model. We have Splunk ES and other resource-intensive apps. I am looking for a way to optimize searches, as the current indexer memory utilization has been at 99% for the last 2 months. I used the CMC dashboard and it showed me that the DM acceleration searches are the most expensive ones.