All Posts
Hi @livehybrid, thanks for the reply. I have 2 questions.

1. The IF condition which is given will pick the events wherever the keyword matches, right, whether the keyword is at the start, middle or end of the event ("systemd", "rsyslogd" and "auditd")? In my case I am looking for the events to be picked to a sourcetype when those keywords are there after the server name:

server-server-server-server systemd
server-server-server-server rsyslogd

2. We need to have the below one also, right, in props.conf to ignore other events getting forwarded to the sourcetype?

[sourcetype]
TRANSFORMS-set = setnull
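A worked props.conf/transforms.conf pair for the routing this question describes (keep only events whose server name is followed by one of the three daemon names, give them a sourcetype, drop the rest), added here as an illustration; it is not from the thread or from @livehybrid's reply. The incoming sourcetype "linux_syslog", the target sourcetype "linux_daemon", the transform names and the regex are assumptions.

```ini
# props.conf on the indexer or heavy forwarder that parses the data.
# The stanza name is the incoming sourcetype (assumed: "linux_syslog").
# Transforms listed in one TRANSFORMS- key run in the order given, so the
# "drop everything" rule goes first and the "keep these" rule overrides it.
[linux_syslog]
TRANSFORMS-route = setnull, keep_daemons, set_daemon_sourcetype

# transforms.conf
# 1. Send every event to the null queue (discarded, never indexed).
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# 2. Put an event back on the index queue only when the first token
#    (the server name, e.g. "server-server-server-server") is followed by
#    one of the three daemon names. The ^ anchor means a daemon name that
#    appears later in the message does not match; \b stops "auditd" from
#    also matching "auditdaemon".
[keep_daemons]
REGEX = ^\S+\s+(systemd|rsyslogd|auditd)\b
DEST_KEY = queue
FORMAT = indexQueue

# 3. Give those same events the target sourcetype (assumed: "linux_daemon").
[set_daemon_sourcetype]
REGEX = ^\S+\s+(systemd|rsyslogd|auditd)\b
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::linux_daemon
```

The regex assumes the raw event begins with the server name as in the two sample lines; if a timestamp or priority precedes it, the pattern needs a prefix for that. Test on a small sample first, because once events land in nullQueue they cannot be recovered.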
Just passed my first cert. Located in the DC suburbs; any market for a cleared individual in the area?
A couple of things:
- Can you confirm there's no event suppression rule?
- Can you confirm the time ranges are exactly the same and not being rounded off (for example, if it's 24 hours, it's the same in both and not rounded off)?
- Can you confirm the result count difference between index=notable vs `notable` (the notable macro), and what's the count difference?
If your problem is resolved, then please click the "Accept as Solution" button to help future readers.
I think this is because when no data is returned, you're trying to take a sum of no fields, which is Null; however the count value is 0, if that makes sense? You could probably fix this with:

| eval test = COALESCE(Sum,0)

instead of

| eval test = Sum

which will mean that if Sum is Null it will use the value 0. Would this work for you?

Will
So sorry, I tested in a time frame with a Create event. I thought it was working. If I choose a time frame with no events, I still get an empty "Sum" field. I've removed the double quotes: (| eval comparison=IF(isCreate>isClose,1, 0)). Also, I changed the stats count(Create) and count(Close) back to "sum". I did this during testing, thanks for catching it. Thanks again for the help.

Tom
You came through again, twice in one day! Simply awesome, thank you for your help on all of this. It's working like a charm now. Have a good week.

Thanks, Tom
Hi @pedropiin, I'm not 100% sure if I'm on the right page, but nevertheless have a look to see if this helps you. I've used some sample data inline to help build out a working query for you to work with.

| makeresults
| eval _raw = "[{\"name\":\"SampleMetric\",\"metric\":\"42\",\"xfield\":\"Mickey Mouse\"},{\"name\":\"SampleMetric\",\"metric\":\"17\",\"xfield\":\"Donald Duck\"},{\"name\":\"SampleMetric\",\"metric\":\"36\",\"xfield\":\"Goofy\"},{\"name\":\"SampleMetric\",\"metric\":\"29\",\"xfield\":\"Minnie Mouse\"},{\"name\":\"SampleMetric\",\"metric\":\"48\",\"xfield\":\"Pluto\"}]"
| eval events=json_array_to_mv(_raw)
| mvexpand events
| eval _raw=events
| fields _raw
| spath
| table name metric xfield
``` Sample data prep work complete ```
| sort metric
| streamstats count as row_num
| eval xfield=IF(row_num==1,xfield,NULL())
| filldown xfield
| where row_num > 1
| stats values(xfield) as xfield, avg(metric) as metric1, max(metric) as metric2, count(metric) as metric3
| fields xfield metric1, metric2, metric3

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.

Regards
Will
I also noticed another issue: you're using "count" instead of "sum" for:

| stats count(Create) as isCreate, count(Close) as isClose by alert.id

Should be:

| stats sum(Create) as isCreate, sum(Close) as isClose by alert.id

(I might have given you this SPL previously?? If so, apologies!) Good luck!

Will
Hi Tom, the reason you're having an issue here is that you're using "comparison", which is a string value; get rid of the double quotes and it will reference the field. I've had a play using the below SPL to create some sample data and I think it now gives the result expected?

| makeresults
| eval _raw = "[{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"abc123xyz\"},\"action\":\"Create\"},{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"abc123xyz\"},\"action\":\"Close\"},{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"def456uvw\"},\"action\":\"Create\"},{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"def456uvw\"},\"action\":\"Close\"},{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"ghi789rst\"},\"action\":\"Create\"}]"
| eval events=json_array_to_mv(_raw)
| mvexpand events
| eval _raw=events
| fields _raw
| spath
``` Prep work complete ```
| eval Create=IF(action=="Create",1,0)
| eval Close=IF(action=="Close",1,0)
| stats sum(Create) as isCreate, sum(Close) as isClose by alert.id
| eval comparison=IF(isCreate>isClose,"1", "0")
| stats sum(comparison) as Sum count(comparison) as Count
| eval Application = "TMS_API"
| eval test = Sum
| eval test1 = Count
| eval test2 = Application
| eval "Monitor Details" = "Performs a Health Check "
| table test, test1, test2 , "Monitor Details"

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.

Regards
Will
Hello, thanks in advance for any help, and karma will be on the way :). So I'm trying to create a table that uses a "Sum" field that would show how many "Create" events exist that don't have a "Close" event. I'm doing this by using an eval IF statement. The issue I am having is that when using "Sum", I get no results for Sum when there are not any events. But if I use "Count", I always get "1" returned. Here's the search I am using:

index="healthcheck" integrationName="Opsgenie Edge Connector - Splunk", "alert.message"="[ThousandEyes] Alert for TMS Core Healthcheck", action IN ("Create","Close")
| eval Create=IF(action=="Create",1,0)
| eval Close=IF(action=="Close",1,0)
| stats count(Create) as isCreate, count(Close) as isClose by alert.id
| eval comparison=IF(isCreate>isClose,"1", "0")
| stats sum("comparison") as Sum count("comparison") as Count
| eval Application = "TMS_API"
| eval test = Sum
| eval test1 = Count
| eval test2 = Application
| eval "Monitor Details" = "Performs a Health Check "
| table test, test1, test2 , "Monitor Details"

In the returned results, I get an empty "test" field and a "1" in the test1 field. Thanks again for your help, and please let me know if more details are needed; this has been a huge headache for me.

Thanks, Tom
Hi everyone. I'm really new to Splunk, so I'm confused by what seems to be a simple problem. I'm using "where row_num > 1" to remove the first row of my search, as I need to calculate lots of metrics based on the whole data without this specific first row. But I'm also supposed to show the value of this first row in a specific field. My query is of the following structure:

my_search...
| eval val1=...
| sort val1
| streamstats count as row_num
| where row_num > 1
| stats avg(...) as metric1, max(...) as metric2, count(...) as metric3 ...
| fields metric1, metric2, metric3

But I also need to output the value 'x' that is specifically in field 'y' on row 1. How would I do this? Thanks in advance.
Hi @chen.zengming, Thanks for asking your question on the Community. I was digging around for some information on this topic but could not find much.  I see you're also showing up as a self-service trial customer and not part of your main org. Did you create a trial for some specific testing?
It's been a long time, but did anyone get any answers? I am stuck with the same issue on an AIX machine, trying to upgrade my forwarder from version 8.2.3 to 9.2.3.
Thanks, I figured it out with your help.  Very much appreciated, and I hope you have a great day.
Thank you @isoutamo. When trying to put the HF as a search peer in the SH, it gives this error:

Encountered the following error while trying to save: Status 401 while sending public key to search peer https://<ip>:8089: Unauthorized
Hello, that is awesome. By removing "table alert.message" and adding the "by alert.id", only the events that are created with no close appear, as expected. Thank you for that. The last piece of the puzzle is: how can I create a table that contains other fields that aren't in the "stats" command? If I add a field from the source, nothing is returned. Here's the full working search you helped me with; it includes the field entity.source, where nothing is returned.

index=healthcheck integrationName="Opsgenie Edge Connector - Splunk" alert.message = "STORE*" "entity.source"=Meraki, action IN ("Create","Close")
| eval Create=IF(action=="Create",1,0)
| eval Close=IF(action=="Close",1,0)
| stats earliest(_time) as start_time, latest(_time) as end_time, sum(Create) as isCreate, sum(Close) as isClose by alert.id, alert.message
| where isClose=0
| table entity.source, alert.id, alert.message

I wish I could give you 20 kudos. Thanks again, Tom
Hi @anissabnk, Can you describe what's limited? @PickleRick showed a value length example. The spath command is limited to the first 5,000 bytes of the event by default. What is your maximum event length from | stats max(eval(len(_raw))) as max_len? If you meant the number of results, and the xyseries command returns no more than 50,000 results, you may be hitting a limit in an early search command, although I don't see a limited command in your original example.
Thanks @dural_yyz, you were right. I tried to copy the files from the Splunk manifest under $SPLUNK_HOME and use the same in the latest version's manifest file in Splunk 9.x; after that I restarted the services and I don't see the error again. It looks like when Splunk starts it reads the manifest file and triggers the error for the files that are not in the manifest file.

Cheers!
Simple answer: yes, it is possible. Here is one way to do it:

<dashboard version="1.1" theme="light">
  <label>URL Drilldown</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| fields - _time
| eval url=split("DESC1,https://community.splunk.com/t5/Dashboards-Visualizations|DESC2,https://www.google.com/|DESC3,https://slack.com/intl/en-gb/blog/collaboration/new-splunk-app-for-slack","|")
| mvexpand url
| eval Description=mvindex(split(url,","),0)
| eval url=mvindex(split(url,","),1)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <condition field="Description">
            <link target="_blank">$row.url|n$</link>
          </condition>
          <condition></condition>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>