Try this:
| spath | search message="*Unit state update from cook client target*"
Hi @alucarddjin  I have the same issue as you. Did you solve this problem? If so, could you share how you fixed it? I’d really appreciate your help. Thanks! #universal configuration console (UCC) #UCC framework
No data extracted at all, and the data is JSON formatted. I normally start my rex expressions with field=message "(rex expression)"
I would like to get a count of events of all data ingested for 2024. I have hundreds of indexes and all data over 90 days goes to DDAA. I can use "eventcount" for the searchable data and just multiply by 4 for an estimate. Using:
| eventcount summarize=false index=* | stats sum(count) as total_events by index | fieldformat total_events=tostring(total_events,"commas") | addcoltotals
Is there a way to get event counts for archived data?
Hi @nkavouris, what's the behavior of this regex: does it extract too much data or nothing? It seems to be correct using the sample you shared. Anyway, this seems to be a log in JSON format; did you try to use INDEXED_EXTRACTIONS=JSON or spath? Ciao. Giuseppe
Thanks Giuseppe, but this does not work in Splunk unfortunately.
Hi @nkavouris, please try this:
| rex "hw_state:\sElements\(temp:\s(?<temp>\d+)"
You can test it at https://regex101.com/r/FhThZf/1
Ciao. Giuseppe
I need help building a proper rex expression to extract the bold text from the following raw data:
{"bootcount":8,"device_id":"XXXX","environment":"prod_walker","event_source":"appliance","event_type":"GENERIC","local_time":"2025-02-20T00:34:58.406-06:00", "location":{"city":"XXXX","country":"XXXX","latitude":XXXX,"longitude":XXXX,"state":"XXXX"},"log_level":"info", "message":"martini::hardware_controller: Unit state update from cook client target: Elements(temp: 500°F, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: 500°F, [D, D, D, D, D, F: 115])\u0000", "model_number":"XXXX","sequence":372246,"serial":"XXXX","software_version":"2.3.0.276","ticks":0,"timestamp":1740033298,"timestamp_ms":1740033298406}
I have tried:
rex field=message "(?=[^h]*(?:hw_state:|h.*hw_state:))^(?:[^\(\n]*\(){2}\w+:\s+(?P<set_temp>\d+)"
rex field=message ".*hw_state: Elements\(temp:(?<set_temp>\d+),.*"
with no results yielded. What is the proper rex expression to extract 500 from the message field?
Hello, Does anyone know when this app will become cloud compliant?
Here is the raw event:
{"bootcount":8,"device_id":"XXXX","environment":"prod_walker","event_source":"appliance","event_type":"GENERIC","local_time":"2025-02-20T00:34:58.406-06:00", "location":{"city":"XXXX","country":"XXXX","latitude":XXXX,"longitude":XXXX,"state":"XXXX"},"log_level":"info", "message":"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\u0000", "model_number":"XXXX","sequence":372246,"serial":"XXXX","software_version":"2.3.0.276","ticks":0,"timestamp":1740033298,"timestamp_ms":1740033298406}
Hi @Raja_Selvaraj, use the delta command ( https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Delta ):
<your_search> | timechart span=1d count BY column | delta columnA AS new_columnA | delta columnB AS new_columnB | delta columnC AS new_columnC | eval deltaA=new_columnA-columnA, deltaB=new_columnB-columnB, deltaC=new_columnC-columnC
Ciao. Giuseppe
Hi Wil,
For the confirmation:
On UF - inputs.conf
[monitor://C:\beheer\SCCM\abc*.txt]
index=main
sourcetype=Windows:SCCM:KBNummers
On Index-cluster - props.conf
[Windows:SCCM:KBNummers]
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
INDEXED_EXTRACTIONS=json
KV_MODE=none
AUTO_KV_JSON = false
category=Structured
Input file:
[{"Type":"SUGUpdates","SiteCode":"DS","SUGName":"Microsoft-W2K5 4020-30-30 31:05:36","ArticleID":"5049994"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050008"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5002674"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"}]
Regards,
Harry
Hi Everyone, can someone please help me with a Splunk query to show the difference of two values in a timechart over a period of time? The sample result which I get from the query has Column A with the time range and the other columns with the respective host values.
Column A     Column B   Column C   Column D
02/22/2025   10         12         14
02/23/2025   11         13         15
02/24/2025   12         15         17
02/25/2025   16         20         21
I need the difference of the values of Columns B, C and D from the previous time period, shown in one timechart. Let me know if any other details are required.
@omcollia - On Splunk Cloud you are not allowed to update JS from some other JS file in any way (neither programmatically nor manually). So the only option you have is: if the App is built by you, you can update the JS and publish the new version of the App. If the App is built by someone else, ask the developer whether they can make the change. I hope this helps!!!
Hi @Gil, as @livehybrid also said, the sharing level of your dashboards isn't relevant; what matters is only whether a role has the grant to write the dashboard. If you want some users to be able to modify some dashboards, you have to create a role, assign those users to this role and enable writing on dashboards for this new role. Ciao. Giuseppe
Hi @KJ10, could you share your inputs.conf file? Anyway, in general, the option index=<your_index> in inputs.conf, if the index really exists, shouldn't have any issue. Did you check that the index really exists and that you gave the correct grants to it? Anyway, if you restore the original index name in inputs.conf and restart Splunk on the Forwarder, logs should arrive in the original index; did you restart the UF after restoring the original index? Are you using a Deployment Server to deploy configurations to the UF, or did you modify them manually? Ciao. Giuseppe
How can I repair a Data input index to its normal state? I created a Data input as per my Technical Add-on; for some reason I changed my index in inputs.conf to a new index, which apparently doesn't work in Splunk 9.3 even though I created the new index from the UI. Later I changed my index back to the original, but somehow that Data input is stuck and never executes at all. I tried reinstalling my TA app and restarting Splunk multiple times, but no luck and no error in splunkd.log. The same scenario happened at the client end. Can anybody please guide me on this repair, or what the RCA could be, given that we reverted all inputs to normal?
Thank you for your suggestions. We do not have a test server to restore to before restoring onto the prod server. On a separate note, is it possible to schedule a report or a script to back up the kvstore on a daily basis, to avoid restoring from the backup in the /opt/splunk/var/lib/splunk/backup directory?
It depends on your complete raw event - spath is likely to be part of the solution. Please share your raw event (anonymised appropriately) in a code block using the </> button.
No, how would I do that? spath?