All Posts

@mvasquez21 Yes, you can definitely display the months chronologically instead of alphabetically. To achieve this, you need to convert the month representation (e.g., "Jan 2024") into a sortable format, like a timestamp or a year-month string (e.g., "2024-01"). index=_audit user="*" action="login attempt" info=succeeded | eval month=strftime(_time, "%Y-%m") | chart count over user by month
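The per-user, per-month login table written out as one search against the real _audit events, as an added example for this thread (not code posted by anyone above). It assumes only the built-in _audit index and the login-attempt audit fields shown in the question (action, info, user, _time):

```spl
index=_audit action="login attempt" info=succeeded
| eval month=strftime(_time, "%Y-%m")
| chart count over user by month
| fillnull value=0
```

A "%Y-%m" key sorts lexicographically in date order, so chart emits the month columns chronologically with no extra sort field; "%b %Y" labels sort alphabetically (Apr 2025 before Feb 2025), which is the behaviour complained about in this thread. If the headers must read "Mar 2025", build the table with timechart, which is already time-ordered, and transpose it: index=_audit action="login attempt" info=succeeded | timechart span=1mon limit=0 count by user | eval _time=strftime(_time, "%b %Y") | transpose 0 header_field=_time column_name=user. The eval _time=relative_time(now(), ...random()...) line from the makeresults demo only scatters synthetic timestamps; it must not be carried into the real search, because it overwrites each event's actual _time. Swapping info=succeeded for info=failed gives the failed-attempt table, which is the one usually worth alerting on, and note that reading _audit requires access to that index (admin by default).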
Thanks for your inputs here Kiran; however, it does look like that integration guide is for the BeyondTrust Remote Support integration. Regards, Mohammed.
The query is not getting the expected result. I need to get the list of indexes which are not used by anyone.
One last thing: this is listing the months alphabetically. Any way to do it chronologically?
Perfect! You are a genius.
@mvasquez21 Don't append makeresults in your query. Use this: index=_audit user="*" action="login attempt" info=succeeded | eval month=strftime(_time, "%b %Y") | chart count over user by month
OK. So the TA you're trying to remove is disabled or enabled?
When I try to append my search with it I get this error: Error in 'makeresults' command: This command must be the first command of a search. index = _audit user="*" action="login attempt" info=succeeded | makeresults count=20 | eval _time=relative_time(now(), "-".(random()%180)."d") | eval user="user".tostring(1+random()%5) | eval action="login attempt", info="succeeded" | eval month=strftime(_time, "%b %Y") | chart count over user by month
@mvasquez21 You have to use this query: index=_audit user="*" action="login attempt" info=succeeded | eval month=strftime(_time, "%b %Y") | chart count over user by month
@mvasquez21  makeresults is a command in Splunk that generates synthetic (fake) data for testing, debugging, and query development without using an actual index. You have to pass your original query.   
When using this one: | makeresults count=20 | eval _time=relative_time(now(), "-".(random()%180)."d") | eval user="user".tostring(1+random()%5) | eval action="login attempt", info="succeeded" | eval month=strftime(_time, "%b %Y") | chart count over user by month my results don't show the username:
I have tried this option, no luck. Can we have a call to discuss this?
@mvasquez21 Try this: index=_audit user="*" action="login attempt" info=succeeded | eval month=strftime(_time, "%b %Y") | chart count over user by month
@mvasquez21  | makeresults count=20 | eval _time=relative_time(now(), "-".(random()%180)."d") | eval user="user".tostring(1+random()%5) | eval action="login attempt", info="succeeded" | eval month=strftime(_time, "%b %Y") | chart count over user by month
Could I ask you to paste that so my bad typing doesn't mess it up? Thanks so much!
@mvasquez21   
Hi, quick sanity check: are you certain there's nothing being instrumented that uses an older version of .NET? The reason I ask is because the service name might be indicating .NET 6? The 1.9 instrumentation won't work with .NET 6 or .NET 7; you'd have to try downgrading to 1.8. "OTEL_SERVICE_NAME": "MyDotNet6WebApi"
I have this search to see logins to our Splunk environment:

index = _audit user="*" action="login attempt" info=succeeded | stats count by user

Mgmt is asking to see the same data but instead of a "count" column, they want a column for each month. I assume it will be a table of some sort but can't figure out the date summarizing. Here is an example of the individual entry:

Audit:[timestamp=03-03-2025 09:10:52.577, user=xxxxxx, action=login attempt, info=succeeded reason=user-initiated useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36" clientip=xxx.xxx.xxx.x" method=LDAP" session=17a169464fada764a1bac7310cac4c47]

Columns should be: user, monthA, monthB, monthC, with the counts under each month. Thanks!
In my case I disabled PYTHONHTTPSVERIFY on splunk-launch.conf and this fixed my issue. In case it helps, a positive Karma is appreciated.
Thanks for trying to help @PickleRick; this is of course the normal process that I have undertaken and iterated over to analyse. Understood on disabled; that is not the case for the TAs I am working to remove.