mvfilter can only reference one field at a time.

Description
This function filters a multivalue field based on an arbitrary Boolean expression. The Boolean expression can reference ONLY ONE field at a time.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/MultivalueEvalFunctions#mvfilter.28.26lt.3Bpredicate.26gt.3B.29

Try like this:

| makeresults count=1
| eval timestamps = mvappend("1700000000", "1800000020")
| foreach mode=multivalue timestamps
    [| eval older=if(<<ITEM>> < _time, mvappend(older,<<ITEM>>),older)]
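Added example, not from the original answer: the same foreach mode=multivalue workaround, extended to split the list into older and newer buckets relative to _time and to count each bucket (the _time and timestamp values are constructed sample values):

```spl
| makeresults count=1
| eval _time = 1570000010
| eval timestamps = mvappend("1570000000", "1570000005", "1570000020")
| foreach mode=multivalue timestamps
    [| eval older = if(<<ITEM>> < _time, mvappend(older, <<ITEM>>), older),
            newer = if(<<ITEM>> >= _time, mvappend(newer, <<ITEM>>), newer)]
| eval older_count = coalesce(mvcount(older), 0),
       newer_count = coalesce(mvcount(newer), 0)
| table _time timestamps older older_count newer newer_count
```

With the sample values above, older holds 1570000000 and 1570000005 (older_count=2) and newer holds 1570000020 (newer_count=1); coalesce keeps the counts at 0 when a bucket ends up empty instead of null.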
I onboarded one production log source to Splunk, but after restarting the UF I am not able to see the recent logs, and I am also not able to see the recent internal logs. How do I fix this issue? Please help.
I need to filter a list of timestamps which are less than _time. This works:

| makeresults count=1
| eval timestamps = mvappend("1570000000", "1570000020")
| eval older = mvfilter(timestamps < 1570000010)

but the compared value is whatever is in _time. This does not work:

| makeresults count=1
| eval timestamps = mvappend("1570000000", "1570000020")
| eval _time = 1570000010
| eval older = mvfilter(timestamps < _time)

I know timestamps work, because this does work:

| makeresults count=1
| eval timestamps = mvappend("1570000000", "1570000020")
| eval older = mvfilter(timestamps < now())

Why do now() and static values work, but this does not:

| makeresults count=1
| eval timestamps = mvappend("1570000000", "1570000020")
| eval now_time = now()
| eval older = mvfilter(timestamps < now_time)

How can I get a variable in there to compare, since I need to compare the list to _time?
On some of our Windows UF hosts, we were getting System events but no Security events. Our Windows admin noticed that the Splunk service account was running as an NT service. After changing the service account to LocalSystem, the Windows UF hosts started sending their Security events.
Hi Community, I'm exploring ways to ingest data into Splunk Cloud from an Amazon S3 bucket which has multiple directories and multiple files to be ingested into Splunk. Now, I have assessed the Generic S3, SQS-S3 and the Data Manager inputs for AWS available on Splunk, but am not getting the required outcome. My use case is given below: there's an S3 bucket named exampledatastore; in that there's a directory named statichexcodedefinition; in that there are multiple message IDs and dates. The S3 example structure is given below:

s3://exampledatastore/statichexcodedefinition/{messageId}/functionname/{date}/* - functionnameattribute

where the {messageId} and the {date} values are dynamic. I have a start date to begin with, but the messageId varies. Please can you assist me on how to get the data into Splunk. Many thanks!
Hello Splunkers, the hardcoded time parameters inside a simple search don't work with v9.4.3. It only takes the input from the time presets. Do you also experience a similar issue?

index=index earliest="-7d@d" latest="-1m@m"

With my preset set to last 15 minutes, I get this output:

earliestTime               latestTime
07/25/2025 10:40:01.636    07/25/2025 10:52:59.564

Very strange. Nothing is mentioned on this in the release notes.
Can anyone please confirm whether the AppDynamics machine agent supports TLS 1.3 or not? We are using Java agent 25.4.0.37061 on the Linux x64 platform. Can anyone suggest an answer or point me towards relevant documentation? Thanks
But the service field is not an indexed field. I am writing a rex to extract that field from the original index and then using the collect command to feed it into the summary index. Does srchFilter still fail in this case? Should it be an indexed field in the original index as well? Please confirm.
Yes, it should allow full access to waf_123456_prod and restrict access to opco_yes_summary only where service=JUNIPER-HBEU-ACCESS. Yes, you can add more services. Make sure service is an indexed field in opco_yes_summary. If it's extracted at search time, srchFilter may not work.

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving Karma. Thanks!
Extracted the service field from the raw data and ingested it into the summary index so that it will pick up the service field values. Then I will use this field in srchFilter to restrict users. Below is the authorize.conf I have given.

[role_opco_yes_123456_prod]
importRoles = user
srchIndexesAllowed = waf_123456_prod, opco_yes_summary
srchIndexesDefault = waf_123456_prod
srchFilter = (index::waf_123456_prod) OR (index::opco_yes_summary service::JUNIPER-HBEU-ACCESS)

Will this help me, or are there any issues or changes I need to make? Sometimes I need to add 1 or 2 services. Is that possible?
Note - I tried to give = in srchFilter while testing in the UI, but it threw an error saying we can't give =, only ::. Can I still give = in the backend? Ultimately I need to write and push it from the backend, not from the UI.
[role_appA]
srchFilter = index=opco_yes_summary app_name="AppA"

Just confirming: the user already had access to this app (index=A) assigned. If I give this in srchFilter, can he still access the normal index=A data as usual, right?
Hi Frank, I just found a quick fix with inline-code enhancements in the file, but I appreciate using a config file as mentioned.

/opt/splunk/etc/apps/TA_oui-lookup/bin/get-oui-table.py

import urllib.request  # required for urllib.request.Request and set_proxy

proxy_host = 'localhost:1234'  # host and port of your proxy
OUI_URL = "https://standards-oui.ieee.org"
req = urllib.request.Request(OUI_URL)
req.set_proxy(proxy_host, 'http')  # send the request through the proxy
req.add_header("User-agent", USER_AGENT)  # USER_AGENT is defined elsewhere in the script

Enjoy your vacation! Lothar from Germany