All Posts

The general way to "join" is to use stats by X, and in your case you are searching two data sets, so you could do something like this:

index=provisioning_index sourcetype=PCF:log source_type=APP/PROC/WEB message_type=OUT cf_org_name=org1 cf_app_name=APP1 ((LOG_LEVEL="ERROR" service=service1 errorCd="DOC-MGMT*") OR (NOT letterId=null operation=generateInstantDocument))
| rex field=_raw "errorDetails=(?<errorDetails>.*?)\s*:"
| fields _time errorCd errorDetails stateCode letterId documentId
| stats values(*) as * by documentId

Depending on what output you are trying to achieve, you can add in BY fields to split by. Not sure which data is coming from which data source, as your fields statements are the same for both cases. Not sure why you originally had the errorDetails field in the fields statement BEFORE the rex statement if you are extracting that field in the rex.
If something "should work" but gives permission denied, the first culprit to check is SELinux
Thanks @livehybrid. I've written some new props/transforms to try to get the same result, however now I'm running into trouble again. So my real issue is that there are a lot of logs coming in to ID: 32605 that do not have 'successfully' in them that I need to send to the null queue/get rid of. But I don't seem to be able to both get the logs I want to the new sourcetype and get rid of these unwanted ones. Seems no matter the order I put the transforms in below, it does not work. I also tried creating a transform where I specifically target id = 32605 and the log not having the word 'successfully'. That doesn't seem to work either.

Transforms:

[ORIGIN1]
REGEX = (?:\"id\":\"32605\".*successfully)
FORMAT = sourcetype::test-2
DEST_KEY = MetaData:Sourcetype

[ORIGIN2]
REGEX = (?:successfully.*\"id\":\"32605\")
FORMAT = sourcetype::test-2
DEST_KEY = MetaData:Sourcetype

[SAVE_OTHERS2]
REGEX = (?:"id":"(?!32605\b)\d+")
DEST_KEY = queue
FORMAT = indexQueue

[JUNK]
REGEX = (?:"id":"32605")
DEST_KEY = queue
FORMAT = nullQueue

Props:

[test]
TRANSFORMS-rename_sourcetype = ORIGIN1, ORIGIN2, JUNK, SAVE_OTHERS2
SHOULD_LINEMERGE = false
All, is there an API to export JMX config? I see APIs for exporting dashboards, transaction detection rules, alerts, etc., but nothing for JMX. This is where I'm looking: https://docs.appdynamics.com/appd/24.x/latest/en/extend-splunk-appdynamics/splunk-appdynamics-apis/configuration-import-and-export-api

Thanks
Hello, I'm trying to join based on a common field using a query similar to the one below; however, in the result I only get partial results from the right side, probably because of the search volume (I guess), or maybe my query is not right. Can we do this without join, or properly use join? TIA

index=provisioning_index sourcetype=PCF:log source_type=APP/PROC/WEB message_type=OUT cf_org_name=org1 cf_app_name=APP1 LOG_LEVEL="ERROR" service=service1 errorCd="DOC-MGMT*"
| fields _time errorCd errorDetails stateCode letterId documentId
| rex field=_raw "errorDetails=(?<errorDetails>.*?)\s*:"
| join left=lerr right=rlkp type=left where lerr.documentId = rlkp.documentId max=0 [search index=provisioning_index sourcetype=PCF:log source_type=APP/PROC/WEB message_type=OUT cf_org_name=org1 cf_app_name=APP1 NOT letterId=null operation=generateInstantDocument | fields _time errorCd errorDetails stateCode letterId documentId]
| table _time lerr.errorCd lerr.errorDetails rlkp.stateCode rlkp.letterId lerr.documentId
Getting a new error after trying your idea. New error:

Expecting value: line 1 column 1 (char 0)

My search string:

index=network | ipextrainfo ip=src_ip | table src_ip country
I am trying to change the color of a result based on its deviation from zero. The numbers can be both positive and negative. The range I am trying to implement is as follows:

(-10) <- 0 -> 10 should be #ff0000
(-15) <- (-10) and 10 -> 15 should be #ff8c00
<- (-15) and 15 -> should be #ff0000

Basically, any result from 0 to plus/minus 10 should be green, anything between plus/minus 10 and plus/minus 15 should be orange, and anything past plus/minus 15 should be red. Is this possible?
Hi @mikefg

Despite this being usable without an API Key, it seems that the code is expecting an empty value for the API Key if you are using the free tier. I found the same issue as you when installing the app. To fix the issue I set the API key to a random value (e.g. abc), then hit Save API Key. Then, once saved, click the Reset API Key button. After this the command works.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.

Regards
Will
After consulting with the team, we are currently unable to upgrade the version and need to stay on version 9.3.2. Is there any workaround for the German Umlauts to display on the older version 9.3.2? Maybe some option we can add in the source code?
I am not using an API key, just the free tier. I get this error when used in search:

External search command 'ipextrainfo' returned error code 1. Script output = "error_message=TypeError at "/opt/splunk/etc/apps/ip_extrainfo/bin/ipextrainfo.py", line 47 : 'Message' object is not subscriptable ".
Hi @livehybrid. For "set sslVerifyServerCert and sslVerifyServerName," there are 5 stanzas in server.conf that have these keys available. Do I need to set these to true for all 5?
Thanks much. I got it working using the modifier URL format below: $token_name|u$
@hummingbird81

Why the if(): To handle cases where _time might be missing in the CSV, using end_Date as a fallback.
Why strptime: To convert end_Date from a string to a numeric epoch timestamp for proper sorting.
Why in append: Because the CSV's timestamp situation is less certain than Okta's.
I am facing the same issue. Got any fix for this one?
Can you please confirm why you are doing a " mod_time=if(isnull(_time), strptime(end_Date, "%Y-%m-%dT%H:%M:%S.%2Q%z"), _time)" in the append portion? What is the need to do a strptime here?
Hello,

I am creating a dashboard with the searches below to customize the number of data points and the time span displayed (using timechart) when a different timerange is selected.

Search 1 - Chart Span: based on the custom timerange token, this returns the span period and top values to be used in Search 3, given below.

| makeresults
| eval spantime=case($timerange|s$="| where calldate>=relative_time(now(),\"@mon\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"@d\") AND calldate<relative_time(now(),\"@m\")","1h",$timerange|s$="| where calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"-7d@d\") AND calldate<relative_time(now(),\"@d\")","1d",$timerange|s$="| where calldate>=relative_time(now(),\"-24h@h\") AND calldate<relative_time(now(),\"@h\")","1h",true(),"1d")
| eval startOfMonth=relative_time(now(),"@mon")
| eval noOfDays=round((now()-startOfMonth)/86400)
| eval startOfDay=relative_time(now(),"@d")
| eval noOfHours=round((now()-startOfDay)/3600-1)
| eval topvalues=case($timerange|s$="| where calldate>=relative_time(now(),\"@mon\") AND calldate<relative_time(now(),\"@d\")",$noOfDays$,$timerange|s$="| where calldate>=relative_time(now(),\"@d\") AND calldate<relative_time(now(),\"@m\")","$noOfHours$",$timerange|s$="| where calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\")","30",$timerange|s$="| where calldate>=relative_time(now(),\"-7d@d\") AND calldate<relative_time(now(),\"@d\")","7",$timerange|s$="| where calldate>=relative_time(now(),\"-24h@h\") AND calldate<relative_time(now(),\"@h\")","24",true(),"1d")

Search 2 - Saved Search: this is a report returning the fields below:

| table Date Duration "Handled by" Queue _time

Search 3 - Chart: using Search 2 as the base search and search result token values from Search 1:

| timechart span=$Chart Span:result.spantime$ count as HourlyCalls | sort $Chart Span:result.topvalues$ -_time

Now, when I load the dashboard, the default timerange is calldate>=relative_time(now(),\"-30d@d\") AND calldate<relative_time(now(),\"@d\"), and based on this I would expect Search 3 to be:

| timechart span=1d count as HourlyCalls | sort 30 -_time

but it shows the error message below:

Set token value to render visualization $noOfDays$ $noOfHours$ $spantime$ $topvalues$

Can someone please suggest what is wrong here and how I can fix it? Thank you.
@hummingbird81 Sounds good! Please test it and let me know. If everything works fine, kindly accept the solution.
Hi @a1bg503461

I will see if I can try a lower version to test on. In the meantime, what happens if you use something like https://www.svgviewer.dev/svg-to-data-uri to capture the base64 URL string for the image, then paste that into the Dashboard Image link?

This is what I see

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.

Regards
Will
Thank you so much. Let me test it out in detail but it looks promising.