All Posts


Hi everyone. I'm really new to Splunk, so I'm confused with what seems to be a simple problem.  I'm using "where row_num > 1" to remove the first row of my search, as I need to calculate lots of ... See more...
Hi everyone. I'm really new to Splunk, so I'm confused by what seems to be a simple problem. I'm using "where row_num > 1" to remove the first row of my search, as I need to calculate lots of metrics based on the whole data without this specific first row. But I'm also supposed to show the value of this first row in a specific field. My query has the following structure:

my_search...
| eval val1=...
| sort val1
| streamstats count as row_num
| where row_num > 1
| stats avg(...) as metric1, max(...) as metric2, count(...) as metric3 ...
| fields metric1, metric2, metric3

But I also need to output the value 'x' that is specifically in field 'y' on row 1. How would I do this? Thanks in advance.
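One way to do what the question asks, as an added example that is not part of the original post: capture the first row's value with eventstats before the where clause drops it, then carry it through stats alongside the aggregates. The sample rows built with makeresults and the field names n, val1, y, a and b are constructed for illustration and stand in for the elided my_search, val1 and metric fields.

```spl
| makeresults count=6
| streamstats count as n
| eval val1=n*10, y="host".tostring(n), a=n*2, b=n*n
| fields - _time
| sort val1
| streamstats count as row_num
| eventstats first(y) as y_row1
| where row_num > 1
| stats avg(a) as metric1, max(b) as metric2, count as metric3, values(y_row1) as y_row1
| fields metric1, metric2, metric3, y_row1
```

eventstats first(y) runs over the already-sorted results, so every row receives the y value from row 1; after the where clause removes that row, values(y_row1) still carries it into the single summary row next to aggregates computed only over the remaining rows (with the constructed data, y_row1 is host1 and metric3 is 5). An equivalent approach without eventstats is to drop the where clause and use conditional aggregates such as avg(eval(if(row_num>1, a, null()))) so that row 1 is excluded per metric.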
Hi @chen.zengming, Thanks for asking your question on the Community. I was digging around for some information on this topic but could not find much.  I see you're also showing up as a self-service trial customer and not part of your main org. Did you create a trial for some specific testing?
It's been a long time, but did anyone get any answers? I am stuck with the same issue on an AIX machine, trying to upgrade my forwarder from version 8.2.3 to 9.2.3.
Thanks, I figured it out with your help.  Very much appreciated, and I hope you have a great day.
Thank you @isoutamo. When trying to put the HF as a search peer in the SH, it gives this error:

Encountered the following error while trying to save: Status 401 while sending public key to search peer https://<ip>:8089: Unauthorized
Hello, That is awesome, by removing: table alert.message,  And adding the "by alert.id". only the events that are created with no close appear as expected.  Thank you for that.  The last piece of ... See more...
Hello, That is awesome, by removing: table alert.message,  And adding the "by alert.id". only the events that are created with no close appear as expected.  Thank you for that.  The last piece of the puzzle is how can I create a table that contains other fields that aren't in the "stats" command? If I add a field from the source, nothing is returned.  Here's the full working "Search" you helped me with, it includes the field entity.source, where nothing is returned. index=healthcheck integrationName="Opsgenie Edge Connector - Splunk" alert.message = "STORE*" "entity.source"=Meraki, action IN ("Create","Close") | eval Create=IF(action=="Create",1,0) | eval Close=IF(action=="Close",1,0) | stats earliest(_time) as start_time, latest(_time) as end_time, sum(Create) as isCreate, sum(Close) as isClose by alert.id, alert.message | where isClose=0 | table entity.source, alert.id, alert.message   I wish I could give you 20 kudos. Thanks again, Tom  
Hi @anissabnk, Can you describe what's limited? @PickleRick showed a value length example. The spath command is limited to the first 5,000 bytes of the event by default. What is your maximum event length from | stats max(eval(len(_raw))) as max_len? If you meant the number of results, and the xyseries command returns no more than 50,000 results, you may be hitting a limit in an early search command, although I don't see a limited command in your original example.
Thanks @dural_yyz, you were right. I tried to copy the files from the Splunk manifest under $SPLUNK_HOME and use the same in the latest version's manifest file in Splunk 9.x, and after I restarted the services I don't see the error again. Looks like when Splunk starts it reads the manifest file and triggers the error for anything that is not in the manifest file. Cheers!!!!
Simple answer, yes, it is possible Here is one way to do it <dashboard version="1.1" theme="light"> <label>URL Drilldown</label> <row> <panel> <table> <search> <quer... See more...
Simple answer, yes, it is possible Here is one way to do it <dashboard version="1.1" theme="light"> <label>URL Drilldown</label> <row> <panel> <table> <search> <query>| makeresults | fields - _time | eval url=split("DESC1,https://community.splunk.com/t5/Dashboards-Visualizations|DESC2,https://www.google.com/|DESC3,https://slack.com/intl/en-gb/blog/collaboration/new-splunk-app-for-slack","|") | mvexpand url | eval Description=mvindex(split(url,","),0) | eval url=mvindex(split(url,","),1)</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <drilldown> <condition field="Description"> <link target="_blank">$row.url|n$</link> </condition> <condition></condition> </drilldown> </table> </panel> </row> </dashboard>
What happens if you remove the SPL after and including the "where"? I also realised I'm missing the BY statement on the end of the stats command (BY alert.id) - presumably? Hope this helps
Hi @robertlynch2020 I have been able to get these installed previously by opening a support case and requesting installation, rather than through the App Manager/Browser within the Splunk Cloud UI. Please raise a support case and let them know that you want these installed, and they should be able to help you out. Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards Will
You want to check out the workaround https://community.splunk.com/t5/Knowledge-Management/Solutions-quot-Splunk-could-not-get-the-description-for-this/td-p/694752
Also another workaround https://community.splunk.com/t5/Knowledge-Management/Solutions-quot-Splunk-could-not-get-the-description-for-this/td-p/694752
You should try this https://community.splunk.com/t5/Knowledge-Management/Solutions-quot-Splunk-could-not-get-the-description-for-this/td-p/694752
Try  https://community.splunk.com/t5/Knowledge-Management/Solutions-quot-Splunk-could-not-get-the-description-for-this/td-p/694752
Hello, Sorry, I found out the "Create" and "Close" is in the "action" field.  I ran the following Search and it for some reason I get 0 results in the table, and all Create and Close events are retu... See more...
Hello, Sorry, I found out the "Create" and "Close" is in the "action" field.  I ran the following Search and it for some reason I get 0 results in the table, and all Create and Close events are returned. index=healthcheck integrationName="Opsgenie Edge Connector - Splunk" alert.message = "STORE*" "entity.source"=Meraki, action IN ("Create","Close") | eval Create=IF(action=="Create",1,0) | eval Close=IF(action=="Close",1,0) | stats earliest(_time) as start_time, latest(_time) as end_time, sum(Create) as isCreate, sum(Close) as isClose | where isClose=0 | table alert.message   Sorry for the confusion, and thank you very much for the help.  Thanks, Tom
Hi Can someone please let me know how to open different web URLs by clicking on different rows of a dashboard using the drilldown option?

Example: the dashboard is using a vlookup file File.csv with the below 2 columns:

DESC1 , LINK1
DESC2 , LINK2
DESC3 , LINK3

I've used the below code, but it always takes me to the same link even when I click on DESC1 or DESC2 or DESC3.

<row>
  <panel>
    <table>
      <search>
        <query>| inputlookup File.csv | fields * </query>
        <earliest>1722776400.000</earliest>
        <latest>1722865326.000</latest>
        <sampleRatio>1</sampleRatio>
        <done>
          <set token="schedule">$result.Schedule$</set>
        </done>
      </search>
      <drilldown>
        <link target="_blank">https://community.splunk.com/</link>
      </drilldown>
    </table>
  </panel>
</row>

Is it possible, then, that if I click:
DESC1, it will take me to the link "https://community.splunk.com/t5/Dashboards-Visualizations"
DESC2, it will take me to the link "https://www.google.com/"
DESC3, it will take me to the link "https://blog.avotrix.com/embed-splunk-dashboard-into-external-website/?force_isolation=true"
First of all, thanks @livehybrid for your suggestion. It worked perfectly. Now, regarding what @richgalloway and @ITWhisperer proposed, you are both right as well. I'm not sure if I was able to understand everything on the job inspector, but I ran multiple test queries, and using my previous approach and the "new" approach doesn't make any difference. Both take the same amount of time while not having a big difference in the number of invocations of each "function"/"method". So thanks for the heads up! 
Thanks again Rich, Changing it to "search" got me past the error.   Sorry, I didn't give all the details, I found out the "Create" "Close" is in the "action" field.  So an example event is: {"act... See more...
Thanks again Rich, Changing it to "search" got me past the error.   Sorry, I didn't give all the details, I found out the "Create" "Close" is in the "action" field.  So an example event is: {"actionType": "custom", "customerId": "3a1f4387-b87b-4a3a-a568-cc372a86d8e4", "ownerDomain": "integration", "ownerId": "2196f43b-7e43-49dd-b8b7-8243aa391ad9", "discardScriptResponse": true, "sendCallbackToStreamHub": false, "requestId": "dc4c0970-e1fa-492a-999b-10979478d980", "action": "Create", "productSource": "Opsgenie", "customerDomain": "siteone", "integrationName": "Opsgenie Edge Connector - Splunk", "integrationId": "2196f43b-7e43-49dd-b8b7-8243aa391ad9", "customerTransitioningOrConsolidated": false, "source": {"name": "Meraki", "type": "Zapier"}, "type": "oec", "receivedAt": 1739802456801, "params": {"type": "oec", "alertId": "af912c6d-fabd-4df5-ab5b-1669d0908518-1739802456706", "customerId": "3a1f4387-b87b-4a3a-a568-cc372a86d8e4", "action": "Create", "integrationId": "2196f43b-7e43-49dd-b8b7-8243aa391ad9", "integrationName": "Opsgenie Edge Connector - Splunk", "integrationType": "OEC", "customerDomain": "siteone", "alertDetails": {}, "alertAlias": "STORE_674_BOXONE_MX_674", "receivedAt": 1739802456801, "customerConsolidated": false, "customerTransitioningOrConsolidated": false, "productSource": "Opsgenie", "source": {"name": "Meraki", "type": "Zapier"}, "alert": {"alertId": "af912c6d-fabd-4df5-ab5b-1669d0908518-1739802456706", "id": "af912c6d-fabd-4df5-ab5b-1669d0908518-1739802456706", "type": "alert", "message": "STORE_674_BOXONE - MX_674 - WAN Packet Loss", "tags": [], "tinyId": "52615", "entity": 
"{\"alertConfigId\":636696397319904332,\"configType\":\"AlertConfigs::MiWanPacketLossConfig\",\"condition\":{\"type\":\"wanPacketLoss\",\"window\":600,\"duration\":300,\"interface\":\"wan1\",\"lossRatio\":0.3},\"networkId\":636696397319556753,\"nodeId\":48649290476856,\"status\":\"on\",\"recipients\":{\"emails\":[],\"httpServerIds\":[\"aHR0cHM6Ly9wcm9kLTkxLndlc3R1cy5sb2dpYy5henVyZS5jb206NDQzL3dvcmtmbG93cy9iOTM1ZjU5ODZkMmQ0Njg0YTVjYzUxNGQ2NmNmYmU0OS90cmlnZ2Vycy9tYW51YWwvcGF0aHMvaW52b2tlP2FwaS12ZXJzaW9uPTIwMTYtMDYtMDEmc3A9L3RyaWdnZXJzL21hbnVhbC9y", "alias": "STORE_674_BOXONE_MX_674", "createdAt": 1739802456706, "updatedAt": 1739802457456000000, "username": "Alert API", "team": "Network Support", "responders": [{"id": "830235c6-2402-4c11-9e10-eca616e83acf", "type": "team", "name": "Network Support"}], "teams": ["830235c6-2402-4c11-9e10-eca616e83acf"], "actions": [], "priority": "P2", "source": "Meraki"}, "entity": {"alertId": "af912c6d-fabd-4df5-ab5b-1669d0908518-1739802456706", "id": "af912c6d-fabd-4df5-ab5b-1669d0908518-1739802456706", "type": "alert", "message": "STORE_674_BOXONE - MX_674 - WAN Packet Loss", "tags": [], "tinyId": "52615", "entity": "{\"alertConfigId\":636696397319904332,\"configType\":\"AlertConfigs::MiWanPacketLossConfig\",\"condition\":{\"type\":\"wanPacketLoss\",\"window\":600,\"duration\":300,\"interface\":\"wan1\",\"lossRatio\":0.3},\"networkId\":636696397319556753,\"nodeId\":48649290476856,\"status\":\"on\",\"recipients\":{\"emails\":[],\"httpServerIds\":[\"aHR0cHM6Ly9wcm9kLTkxLndlc3R1cy5sb2dpYy5henVyZS5jb206NDQzL3dvcmtmbG93cy9iOTM1ZjU5ODZkMmQ0Njg0YTVjYzUxNGQ2NmNmYmU0OS90cmlnZ2Vycy9tYW51YWwvcGF0aHMvaW52b2tlP2FwaS12ZXJzaW9uPTIwMTYtMDYtMDEmc3A9L3RyaWdnZXJzL21hbnVhbC9y", "alias": "STORE_674_BOXONE_MX_674", "createdAt": 1739802456706, "updatedAt": 1739802457456000000, "username": "Alert API", "team": "Network Support", "responders": [{"id": "830235c6-2402-4c11-9e10-eca616e83acf", "type": "team", "name": "Network Support"}], "teams": 
["830235c6-2402-4c11-9e10-eca616e83acf"], "actions": [], "priority": "P2", "source": "Meraki"}, "mappedActionDto": {"mappedAction": "postActionToOEC", "extraField": ""}, "ownerId": "2196f43b-7e43-49dd-b8b7-8243aa391ad9"}, "integrationType": "OEC", "alert": {"alertId": "af912c6d-fabd-4df5-ab5b-1669d0908518-1739802456706", "id": "af912c6d-fabd-4df5-ab5b-1669d0908518-1739802456706", "type": "alert", "message": "STORE_674_BOXONE - MX_674 - WAN Packet Loss", "tags": [], "tinyId": "52615", "entity": "{\"alertConfigId\":636696397319904332,\"configType\":\"AlertConfigs::MiWanPacketLossConfig\",\"condition\":{\"type\":\"wanPacketLoss\",\"window\":600,\"duration\":300,\"interface\":\"wan1\",\"lossRatio\":0.3},\"networkId\":636696397319556753,\"nodeId\":48649290476856,\"status\":\"on\",\"recipients\":{\"emails\":[],\"httpServerIds\":[\"aHR0cHM6Ly9wcm9kLTkxLndlc3R1cy5sb2dpYy5henVyZS5jb206NDQzL3dvcmtmbG93cy9iOTM1ZjU5ODZkMmQ0Njg0YTVjYzUxNGQ2NmNmYmU0OS90cmlnZ2Vycy9tYW51YWwvcGF0aHMvaW52b2tlP2FwaS12ZXJzaW9uPTIwMTYtMDYtMDEmc3A9L3RyaWdnZXJzL21hbnVhbC9y", "alias": "STORE_674_BOXONE_MX_674", "createdAt": 1739802456706, "updatedAt": 1739802457456000000, "username": "Alert API", "team": "Network Support", "responders": [{"id": "830235c6-2402-4c11-9e10-eca616e83acf", "type": "team", "name": "Network Support"}], "teams": ["830235c6-2402-4c11-9e10-eca616e83acf"], "actions": [], "priority": "P2", "source": "Meraki"}, "customerConsolidated": false, "mappedActionDto": {"mappedAction": "postActionToOEC", "extraField": ""}, "alertId": "af912c6d-fabd-4df5-ab5b-1669d0908518-1739802456706", "alertAlias": "STORE_674_BOXONE_MX_674", "alertDetails": {}, "entity": {"alertId": "af912c6d-fabd-4df5-ab5b-1669d0908518-1739802456706", "id": "af912c6d-fabd-4df5-ab5b-1669d0908518-1739802456706", "type": "alert", "message": "STORE_674_BOXONE - MX_674 - WAN Packet Loss", "tags": [], "tinyId": "52615", "entity": 
"{\"alertConfigId\":636696397319904332,\"configType\":\"AlertConfigs::MiWanPacketLossConfig\",\"condition\":{\"type\":\"wanPacketLoss\",\"window\":600,\"duration\":300,\"interface\":\"wan1\",\"lossRatio\":0.3},\"networkId\":636696397319556753,\"nodeId\":48649290476856,\"status\":\"on\",\"recipients\":{\"emails\":[],\"httpServerIds\":[\"aHR0cHM6Ly9wcm9kLTkxLndlc3R1cy5sb2dpYy5henVyZS5jb206NDQzL3dvcmtmbG93cy9iOTM1ZjU5ODZkMmQ0Njg0YTVjYzUxNGQ2NmNmYmU0OS90cmlnZ2Vycy9tYW51YWwvcGF0aHMvaW52b2tlP2FwaS12ZXJzaW9uPTIwMTYtMDYtMDEmc3A9L3RyaWdnZXJzL21hbnVhbC9y", "alias": "STORE_674_BOXONE_MX_674", "createdAt": 1739802456706, "updatedAt": 1739802457456000000, "username": "Alert API", "team": "Network Support", "responders": [{"id": "830235c6-2402-4c11-9e10-eca616e83acf", "type": "team", "name": "Network Support"}], "teams": ["830235c6-2402-4c11-9e10-eca616e83acf"], "actions": [], "priority": "P2", "source": "Meraki"}}   When I run the following Search, it gives me every event that has an action of "Create", but I need it to return only the "Create" that doesn't have a corresponding "Close".   The alert.id would be unique with each Create and Close event. index=healthcheck ("Create","Close") integrationName="Opsgenie Edge Connector - Splunk" alert.message = "STORE*" | dedup alert.id, action | search NOT "Close" | table alert.message Really appreciate the help, going crazy trying to figure this one out Thanks, Tom
Hi Can archived apps be installed onto Splunk Cloud? For example, below there are 2 apps marked "This app is archived":

https://splunkbase.splunk.com/app/3120 (60K downloads)
https://splunkbase.splunk.com/app/3119 (30K downloads)

Archived, but not supported. The apps have been moved to classic Splunkbase:

https://classic.splunkbase.splunk.com/app/3119/
https://classic.splunkbase.splunk.com/app/3120/

I don't have a cloud license, so I can't test this out. Does this mean I can't install them into Splunk Cloud? Cheers Robert