All Posts

Hi Tom, The reason you're having an issue here is you're using "comparison" which is a string value - get rid of the double quotes and it will reference the field. I've had a play using the below SPL to create some sample data and I think it now gives the result expected?

| makeresults
| eval _raw = "[{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"abc123xyz\"},\"action\":\"Create\"},{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"abc123xyz\"},\"action\":\"Close\"},{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"def456uvw\"},\"action\":\"Create\"},{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"def456uvw\"},\"action\":\"Close\"},{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"ghi789rst\"},\"action\":\"Create\"}]"
| eval events=json_array_to_mv(_raw)
| mvexpand events
| eval _raw=events
| fields _raw
| spath
``` Prep work complete ```
| eval Create=IF(action=="Create",1,0)
| eval Close=IF(action=="Close",1,0)
| stats sum(Create) as isCreate, sum(Close) as isClose by alert.id
| eval comparison=IF(isCreate>isClose,"1", "0")
| stats sum(comparison) as Sum count(comparison) as Count
| eval Application = "TMS_API"
| eval test = Sum
| eval test1 = Count
| eval test2 = Application
| eval "Monitor Details" = "Performs a Health Check "
| table test, test1, test2 , "Monitor Details"

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards Will
Hello, Thanks in advance for any help and Karma will be on the way :). So I'm trying to create a Table that uses a "Sum" field that would show how many "Create" events exist that don't have a "Close" event. I'm doing this by using an eval IF statement. The issue I am having is when using "Sum", I get no results for Sum when there are not any events. But, if I use "Count", I always get "1" returned. Here's the Search I am using:

index="healthcheck" integrationName="Opsgenie Edge Connector - Splunk", "alert.message"="[ThousandEyes] Alert for TMS Core Healthcheck", action IN ("Create","Close")
| eval Create=IF(action=="Create",1,0)
| eval Close=IF(action=="Close",1,0)
| stats count(Create) as isCreate, count(Close) as isClose by alert.id
| eval comparison=IF(isCreate>isClose,"1", "0")
| stats sum("comparison") as Sum count("comparison") as Count
| eval Application = "TMS_API"
| eval test = Sum
| eval test1 = Count
| eval test2 = Application
| eval "Monitor Details" = "Performs a Health Check "
| table test, test1, test2 , "Monitor Details"

In the returned results, I get an empty "test" field and a "1" in the test1 field. Thanks again for your help, and please let me know if more details are needed; this has been a huge headache for me. Thanks, Tom
Hi everyone. I'm really new to Splunk, so I'm confused with what seems to be a simple problem. I'm using "where row_num > 1" to remove the first row of my search, as I need to calculate lots of metrics based on the whole data without this specific first row. But I'm also supposed to show the value of this first row in a specific field. My query is of the following structure:

my_search...
| eval val1=...
| sort val1
| streamstats count as row_num
| where row_num > 1
| stats avg(...) as metric1, max(...) as metric2, count(...) as metric3 ...
| fields metric1, metric2, metric3

But I also need to output the value 'x' that is specifically on field 'y' on row 1. How would I do this? Thanks in advance
Hi @chen.zengming, Thanks for asking your question on the Community. I was digging around for some information on this topic but could not find much.  I see you're also showing up as a self-service trial customer and not part of your main org. Did you create a trial for some specific testing?
It's been a long time. But did anyone get any answers? I am stuck with the same issue on an AIX machine, trying to upgrade my forwarder from version 8.2.3 to 9.2.3.
Thanks, I figured it out with your help.  Very much appreciated, and I hope you have a great day.
Thank you @isoutamo. When trying to put the HF as a search peer in the SH, it gives this error:

Encountered the following error while trying to save: Status 401 while sending public key to search peer https://<ip>:8089: Unauthorized
Hello, That is awesome. By removing "table alert.message" and adding the "by alert.id", only the events that are created with no close appear as expected. Thank you for that. The last piece of the puzzle is: how can I create a table that contains other fields that aren't in the "stats" command? If I add a field from the source, nothing is returned. Here's the full working "Search" you helped me with; it includes the field entity.source, where nothing is returned.

index=healthcheck integrationName="Opsgenie Edge Connector - Splunk" alert.message = "STORE*" "entity.source"=Meraki, action IN ("Create","Close")
| eval Create=IF(action=="Create",1,0)
| eval Close=IF(action=="Close",1,0)
| stats earliest(_time) as start_time, latest(_time) as end_time, sum(Create) as isCreate, sum(Close) as isClose by alert.id, alert.message
| where isClose=0
| table entity.source, alert.id, alert.message

I wish I could give you 20 kudos. Thanks again, Tom
Hi @anissabnk, Can you describe what's limited? @PickleRick showed a value length example. The spath command is limited to the first 5,000 bytes of the event by default. What is your maximum event length from | stats max(eval(len(_raw))) as max_len? If you meant the number of results, and the xyseries command returns no more than 50,000 results, you may be hitting a limit in an early search command, although I don't see a limited command in your original example.
Thanks @dural_yyz, you were right. I tried to copy the files from the Splunk manifest under $SPLUNK_HOME and use the same in the latest version manifest file in Splunk 9.x, and after that I restarted the services and I don't see the error again. Looks like when Splunk starts it reads the manifest file and triggers the error for files that are not in the manifest file. Cheers!!!!
Simple answer, yes, it is possible. Here is one way to do it:

<dashboard version="1.1" theme="light">
  <label>URL Drilldown</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults | fields - _time | eval url=split("DESC1,https://community.splunk.com/t5/Dashboards-Visualizations|DESC2,https://www.google.com/|DESC3,https://slack.com/intl/en-gb/blog/collaboration/new-splunk-app-for-slack","|") | mvexpand url | eval Description=mvindex(split(url,","),0) | eval url=mvindex(split(url,","),1)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <condition field="Description">
            <link target="_blank">$row.url|n$</link>
          </condition>
          <condition></condition>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
What happens if you remove the SPL after and including the "where"? I also realised I'm missing the BY statement on the end of the stats command (BY alert.id) - presumably? Hope this helps
Hi @robertlynch2020. I have been able to get these installed previously by opening a support case and requesting installation, rather than through the App Manager/Browser within the Splunk Cloud UI. Please raise a support case and let them know that you want these installed and they should be able to help you out. Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards Will
You want to check out the workaround at https://community.splunk.com/t5/Knowledge-Management/Solutions-quot-Splunk-could-not-get-the-description-for-this/td-p/694752
Also, another workaround: https://community.splunk.com/t5/Knowledge-Management/Solutions-quot-Splunk-could-not-get-the-description-for-this/td-p/694752
You should try this https://community.splunk.com/t5/Knowledge-Management/Solutions-quot-Splunk-could-not-get-the-description-for-this/td-p/694752
Try  https://community.splunk.com/t5/Knowledge-Management/Solutions-quot-Splunk-could-not-get-the-description-for-this/td-p/694752
Hello, Sorry, I found out the "Create" and "Close" is in the "action" field. I ran the following Search and for some reason I get 0 results in the table, and all Create and Close events are returned.

index=healthcheck integrationName="Opsgenie Edge Connector - Splunk" alert.message = "STORE*" "entity.source"=Meraki, action IN ("Create","Close")
| eval Create=IF(action=="Create",1,0)
| eval Close=IF(action=="Close",1,0)
| stats earliest(_time) as start_time, latest(_time) as end_time, sum(Create) as isCreate, sum(Close) as isClose
| where isClose=0
| table alert.message

Sorry for the confusion, and thank you very much for the help. Thanks, Tom
Hi, Can someone please let me know how to open different web URLs by clicking on different rows of a dashboard using the drilldown option?

Example: Dashboard is using vlookup file File.csv with the below 2 columns:

DESC1 , LINK1
DESC2 , LINK2
DESC3 , LINK3

I've used the below code, but it is always taking me to the same link even when I click on DESC1 or DESC2 or DESC3.

<row>
  <panel>
    <table>
      <search>
        <query>| inputlookup File.csv | fields * </query>
        <earliest>1722776400.000</earliest>
        <latest>1722865326.000</latest>
        <sampleRatio>1</sampleRatio>
        <done>
          <set token="schedule">$result.Schedule$</set>
        </done>
      </search>
      <drilldown>
        <link target="_blank">https://community.splunk.com/</link>
      </drilldown>
    </table>
  </panel>
</row>

Is it possible, then, that if I click:
DESC1, it will take me to the link "https://community.splunk.com/t5/Dashboards-Visualizations"
DESC2, it will take me to the link "https://www.google.com/"
DESC3, it will take me to the link "https://blog.avotrix.com/embed-splunk-dashboard-into-external-website/?force_isolation=true"
First of all, thanks @livehybrid for your suggestion. It worked perfectly. Now, regarding what @richgalloway and @ITWhisperer proposed, you are both right as well. I'm not sure if I was able to understand everything on the job inspector, but I ran multiple test queries, and using my previous approach and the "new" approach doesn't make any difference. Both take the same amount of time while not having a big difference in the number of invocations of each "function"/"method". So thanks for the heads up!