All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.


Hi @livehybrid, it worked perfectly! Thank you so much.
Hi, I have a KV store lookup which is populated automatically and contains arrays. How can I make it like a normal lookup that is searchable, or how do I make it into a proper file? Current CSV: I want the above KV store as a searchable lookup with proper separation between rows.
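Added example, not code from the question above or from Splunk: the array-to-rows step done outside SPL, on records in the shape the KV store REST endpoint (/servicesNS/nobody/<app>/storage/collections/data/<collection>) returns. The field names and the sample records are constructed for illustration; the collection name and REST call are assumed. In SPL the equivalent is | inputlookup <lookup> | mvexpand <arrayfield> | outputlookup <name>.csv, so this shows what that pipeline does to each record.

```python
"""
Flatten KV store records (which may contain JSON arrays) into CSV rows.

Added example; the collection, field names and the sample records below
are constructed, not taken from the original post.  KV store records are
exported from the REST endpoint
  /servicesNS/nobody/<app>/storage/collections/data/<collection>
as a JSON array of objects, which is the shape read here.
"""
import csv
import io
import itertools
import json

# Constructed sample: record 1 has two array-valued fields, record 2 has an
# empty array, record 3 has scalars only.  _key and _user are the
# bookkeeping fields Splunk adds to every KV store record.
SAMPLE_RECORDS_JSON = json.dumps([
    {"_key": "1", "_user": "nobody", "asset": "web-01",
     "ips": ["10.0.0.5", "10.0.0.6"], "tags": ["dmz", "pci"]},
    {"_key": "2", "_user": "nobody", "asset": "db-01",
     "ips": ["10.0.1.9"], "tags": []},
    {"_key": "3", "_user": "nobody", "asset": "jump-01",
     "ips": "10.0.2.2", "tags": "admin"},
])


def _cells(value):
    """Scalar -> one cell; array -> one cell per element; empty array -> a
    single empty cell so the record is not silently dropped.  Nested objects
    or arrays are serialised to JSON so they stay searchable as a string."""
    items = (value if value else [""]) if isinstance(value, list) else [value]
    return [json.dumps(x, sort_keys=True) if isinstance(x, (dict, list)) else x
            for x in items]


def flatten_records(records, drop_fields=("_user",)):
    """Return one dict per combination of array elements in a record.

    Arrays in different fields of the same record expand to their cross
    product, which is what mvexpand-ing each field in turn produces in SPL.
    """
    rows = []
    for rec in records:
        per_field = [[(k, cell) for cell in _cells(v)]
                     for k, v in rec.items() if k not in drop_fields]
        for combo in itertools.product(*per_field):
            rows.append(dict(combo))
    return rows


def records_to_csv(records):
    """Render flattened rows as CSV text with a stable header order."""
    rows = flatten_records(records)
    header = []
    for r in rows:
        for k in r:
            if k not in header:
                header.append(k)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=header, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # In the app the records would come from the REST endpoint above (with a
    # session key); here they are the constructed sample.
    print(records_to_csv(json.loads(SAMPLE_RECORDS_JSON)))
```

Each array element becomes its own row with the scalar fields repeated, so the output works with lookup and inputlookup like any CSV. Two arrays in one record expand to their cross product, which is also what running mvexpand on each field in turn does; if the arrays are parallel (element i of one belongs with element i of the other), zip them first (mvzip plus split in SPL) so you do not manufacture pairings that never existed. The CSV inherits whatever sharing and permissions its lookup definition gets, so keep it in the same app and under the same role restrictions as the collection it came from.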
Does anyone happen to know the following message? When I trigger a customized application, I get the following message: ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)
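The message above is Python's ssl module saying the server's chain could not be linked to any CA the app's Python trusts (typically an internal CA, or an intermediate the server does not send). The common shortcut, verify=False or CERT_NONE, removes the protection entirely; the fix is to keep verification on and point the client at the right CA bundle. Added example, not code from the post or from Splunk: it builds a client context that only ever changes the trust anchors, resolves the bundle from an explicit path or the environment variables OpenSSL (SSL_CERT_FILE) and requests (REQUESTS_CA_BUNDLE) already honour, and turns the verify_code OpenSSL reports into a concrete remediation. The host and bundle path in the usage block are assumptions.

```python
"""
Keep TLS verification on and fix the trust store instead of bypassing it.

Added example, not code from the original post.  The environment variable
names are the ones OpenSSL (SSL_CERT_FILE) and requests (REQUESTS_CA_BUNDLE)
already honour; the host and bundle path under __main__ are assumptions.
"""
import os
import socket
import ssl

# OpenSSL X509_V_ERR_* codes that ssl.SSLCertVerificationError exposes as
# .verify_code, mapped to a fix that leaves verification enabled.
REMEDIATION = {
    10: "certificate has expired: renew it on the server, or fix the client clock",
    18: "self-signed leaf certificate: pin that exact certificate in the trusted bundle",
    19: "self-signed certificate in chain: add the internal root CA to the trusted bundle",
    20: "unable to get local issuer certificate: the issuing CA (usually an intermediate) "
        "is not in the bundle; add the CA chain via cafile, or have the server send it",
    62: "hostname mismatch: connect using a name on the certificate, not by disabling check_hostname",
}


def remediation_for(code, message=""):
    """Return the fix for an OpenSSL verify code; unknown codes get a triage hint."""
    if code in REMEDIATION:
        return REMEDIATION[code]
    return (f"verify_code={code}: {message}; inspect the presented chain with "
            "'openssl s_client -connect host:port -showcerts'")


def explain(err):
    """Map an ssl.SSLCertVerificationError instance to remediation text."""
    return remediation_for(getattr(err, "verify_code", None),
                           getattr(err, "verify_message", str(err)))


def resolve_cafile(explicit=None, env=None):
    """Precedence: explicit path, then REQUESTS_CA_BUNDLE, then SSL_CERT_FILE,
    else None (OpenSSL's default store)."""
    env = os.environ if env is None else env
    for candidate in (explicit, env.get("REQUESTS_CA_BUNDLE"), env.get("SSL_CERT_FILE")):
        if candidate:
            return candidate
    return None


def make_context(cafile=None):
    """Client context with chain verification and hostname checking enforced.
    Only the trust anchors are configurable; CERT_NONE is never an option here.
    Passing cafile replaces the default store, so that file must hold every
    root the app needs (public and internal), not just the internal CA."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH,
                                     cafile=resolve_cafile(cafile))
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx):
    """True when the context will refuse an unverifiable or mis-named peer."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def probe(host, port=443, cafile=None, timeout=5.0):
    """Connect once and report ("ok", subject), ("fail", advice) or ("error", text)."""
    try:
        ctx = make_context(cafile)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", tls.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as e:
        return "fail", explain(e)
    except OSError as e:  # missing bundle file, DNS/connect failure, other TLS errors
        return "error", str(e)


if __name__ == "__main__":
    # Assumed host and bundle path: replace with the app's real endpoint and CA file.
    print(probe("internal-api.example.com",
                cafile="/opt/splunk/etc/apps/myapp/local/internal-ca.pem"))
```

Run probe against the endpoint the app calls; a "fail" result names the trust-store change to make, and the app's HTTP client then gets the same bundle (requests: verify=<cafile>, or REQUESTS_CA_BUNDLE in the environment the modular input runs under). Remember that Splunk ships its own Python and CA bundle, so a CA installed in the OS store is not automatically trusted by the app.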
I understood that, but once it is added to a dashboard and drilldown is enabled for the respective field values, if users click on any of the values the search should be there. But here, when I give the above search, it is empty, with events just showing time. I removed _raw from fields -. But I want to understand why we gave the spath command here?
Try using the Save As button and save it to a dashboard. There is a tutorial on how to do this: https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial
After giving this in search, how do I create a dashboard with a single panel including all request headers?
Hi @sureshkumaar, the value within the match command is actually a regular expression (I used a pipe-delimited list), so you could update this with a regex to match the filter you are looking for (e.g. hostname, space, keyword). You will only need the single INGEST_EVAL because it uses an IF statement and sets the queue to nullQueue if the match is not met. Please let me know how you get on, and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
Hi @Jtru88, congrats on passing your cert! I don't think you will get much from here in terms of job availability, but I would recommend checking LinkedIn, if you are on there, and other local job resources, as there is no job functionality within the forum. Be sure to also update Credly with your achievement so you can share a verified link on LinkedIn etc. and with potential customers. Best of luck! Please let me know how you get on, and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
The only solution is to take logs using rsyslog and write the logs to files, then pre-parse the logs using a script, but it's very heavy for the system. --> Can you please describe this in more detail, and the script I need to use?
Hi @livehybrid, thanks for the reply. I have 2 questions.
1. The IF condition which is given will pick the events wherever the keyword matches, right, whether the keyword is at the start, middle or end of the event ("systemd", "rsyslogd" and "auditd")? In my case I am looking for the events to be picked to a sourcetype when those keywords are there after the server name:
server-server-server-server systemd
server-server-server-server rsyslogd
2. We need to have the below also in props.conf to ignore other events getting forwarded to the sourcetype, right?
[sourcetype]
TRANSFORMS-set = setnull
Just passed my first cert. Located in the DC suburbs; any market for a cleared individual in the area?
A couple of things:
- Can you confirm there's no event suppression rule?
- Can you confirm the time ranges are exactly the same and not being rounded off (for example, if it's 24 hours, it's the same in both and not rounded off)?
- Can you confirm the result count difference between index=notable vs `notable` (the notable macro), and what the count difference is?
If your problem is resolved, then please click the "Accept as Solution" button to help future readers.
I think this is because when no data is returned, you're trying to take a sum of no fields, which is null, however the count value is 0, if that makes sense? You could probably fix this with:
| eval test = COALESCE(Sum,0)
instead of
| eval test = Sum
which will mean that if Sum is null it will use the value 0. Would this work for you? Will
So sorry, I tested in a time frame with a Create event. I thought it was working. If I choose a time frame with no events, I still get an empty "Sum" field. I've removed the double quotes: (| eval comparison=IF(isCreate>isClose,1, 0)). Also, I changed the stats count(Create) and count(Close) back to "sum". I did this during testing, thanks for catching it. Thanks again for the help. Tom
You came through again, twice in one day!! Simply awesome, thank you for your help on all of this. It's working like a charm now. Have a good week. Thanks, Tom
Hi @pedropiin, I'm not 100% sure if I'm on the right page, but nevertheless have a look to see if this helps you. I've used some sample data inline to help build out a working query for you to work with.
| makeresults
| eval _raw = "[{\"name\":\"SampleMetric\",\"metric\":\"42\",\"xfield\":\"Mickey Mouse\"},{\"name\":\"SampleMetric\",\"metric\":\"17\",\"xfield\":\"Donald Duck\"},{\"name\":\"SampleMetric\",\"metric\":\"36\",\"xfield\":\"Goofy\"},{\"name\":\"SampleMetric\",\"metric\":\"29\",\"xfield\":\"Minnie Mouse\"},{\"name\":\"SampleMetric\",\"metric\":\"48\",\"xfield\":\"Pluto\"}]"
| eval events=json_array_to_mv(_raw)
| mvexpand events
| eval _raw=events
| fields _raw
| spath
| table name metric xfield ``` Sample data prep work complete ```
| sort metric
| streamstats count as row_num
| eval xfield=IF(row_num==1,xfield,NULL())
| filldown xfield
| where row_num > 1
| stats values(xfield) as xfield, avg(metric) as metric1, max(metric) as metric2, count(metric) as metric3
| fields xfield metric1, metric2, metric3
Please let me know how you get on, and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
I also noticed another issue: you're using "count" instead of "sum" for
| stats count(Create) as isCreate, count(Close) as isClose by alert.id
which should be
| stats sum(Create) as isCreate, sum(Close) as isClose by alert.id
(I might have given you this SPL previously? If so, apologies!) Good luck! Will
Hi Tom, the reason you're having an issue here is that you're using "comparison", which is a string value; get rid of the double quotes and it will reference the field. I've had a play using the below SPL to create some sample data, and I think it now gives the result expected?
| makeresults
| eval _raw = "[{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"abc123xyz\"},\"action\":\"Create\"},{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"abc123xyz\"},\"action\":\"Close\"},{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"def456uvw\"},\"action\":\"Create\"},{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"def456uvw\"},\"action\":\"Close\"},{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"ghi789rst\"},\"action\":\"Create\"}]"
| eval events=json_array_to_mv(_raw)
| mvexpand events
| eval _raw=events
| fields _raw
| spath ``` Prep work complete ```
| eval Create=IF(action=="Create",1,0)
| eval Close=IF(action=="Close",1,0)
| stats sum(Create) as isCreate, sum(Close) as isClose by alert.id
| eval comparison=IF(isCreate>isClose,"1", "0")
| stats sum(comparison) as Sum count(comparison) as Count
| eval Application = "TMS_API"
| eval test = Sum
| eval test1 = Count
| eval test2 = Application
| eval "Monitor Details" = "Performs a Health Check "
| table test, test1, test2 , "Monitor Details"
Please let me know how you get on, and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
Hello, thanks in advance for any help, and karma will be on the way :). So I'm trying to create a table that uses a "Sum" field that would show how many "Create" events exist that don't have a "Close" event. I'm doing this by using an eval IF statement. The issue I am having is that when using "Sum", I get no results for Sum when there are not any events. But if I use "Count", I always get "1" returned. Here's the search I am using:
index="healthcheck" integrationName="Opsgenie Edge Connector - Splunk", "alert.message"="[ThousandEyes] Alert for TMS Core Healthcheck", action IN ("Create","Close")
| eval Create=IF(action=="Create",1,0)
| eval Close=IF(action=="Close",1,0)
| stats count(Create) as isCreate, count(Close) as isClose by alert.id
| eval comparison=IF(isCreate>isClose,"1", "0")
| stats sum("comparison") as Sum count("comparison") as Count
| eval Application = "TMS_API"
| eval test = Sum
| eval test1 = Count
| eval test2 = Application
| eval "Monitor Details" = "Performs a Health Check "
| table test, test1, test2 , "Monitor Details"
In the returned results, I get an empty "test" field and a "1" in the test1 field. Thanks again for your help, and please let me know if more details are needed; this has been a huge headache for me. Thanks, Tom