Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

I need help building a proper rex expression to extract the bold text from the following raw data:

{"bootcount":8,"device_id":"XXXX","environment":"prod_walker","event_source":"appliance","event_type":"GENERIC","local_time":"2025-02-20T00:34:58.406-06:00", "location":{"city":"XXXX","country":"XXXX","latitude":XXXX,"longitude":XXXX,"state":"XXXX"},"log_level":"info", "message":"martini::hardware_controller: Unit state update from cook client target: Elements(temp: 500°F, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: 500°F, [D, D, D, D, D, F: 115])\u0000", "model_number":"XXXX","sequence":372246,"serial":"XXXX","software_version":"2.3.0.276","ticks":0,"timestamp":1740033298,"timestamp_ms":1740033298406}

I have tried:

rex field=message "(?=[^h]*(?:hw_state:|h.*hw_state:))^(?:[^\(\n]*\(){2}\w+:\s+(?P<set_temp>\d+)

rex field=message ".*hw_state: Elements\(temp:(?<set_temp>\d+),.*"|

with no results yielded. What is the proper rex expression to extract 500 from the message field?
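The following is an added example, not code from the thread: it shows, in Python's re module, why the second posted rex yields nothing and what a PCRE-compatible pattern that works looks like. The two patterns can be dropped unchanged into `| rex field=message "..."` in Splunk (Splunk's regex engine also accepts the `(?P<name>...)` group syntax used here). The sample events, the function names and the `target_temp` field name are constructed for this example; the JSON parsing stands in for Splunk's automatic extraction of the top-level message field.

```python
import json
import re

# Constructed sample events modelled on the two raw events posted in the thread
# (device identifiers replaced with XXXX, as in the originals). The second one
# shows the appliance reporting "-" when no temperature is set.
EVENT_WITH_TEMP = (
    '{"bootcount":8,"device_id":"XXXX","environment":"prod_walker",'
    '"event_source":"appliance","event_type":"GENERIC",'
    '"local_time":"2025-02-20T00:34:58.406-06:00","log_level":"info",'
    '"message":"martini::hardware_controller: Unit state update from cook client '
    'target: Elements(temp: 500°F, [D, D, D, D, D, F: 0]), '
    'hw_state: Elements(temp: 500°F, [D, D, D, D, D, F: 115])\\u0000",'
    '"sequence":372246,"timestamp":1740033298}'
)
EVENT_NO_TEMP = EVENT_WITH_TEMP.replace("temp: 500°F", "temp: -")

# Working patterns: anchor on the label before the value, allow the optional
# whitespace after "temp:", and stop at the digits, so the trailing unit ("°F")
# and the comma that follows it do not matter.
HW_STATE_TEMP = re.compile(r"hw_state: Elements\(temp:\s*(?P<set_temp>\d+)")
TARGET_TEMP = re.compile(r"target: Elements\(temp:\s*(?P<target_temp>\d+)")

# The poster's second attempt, kept to show why it matches nothing: it requires
# the digits to follow "temp:" with no space and to be followed immediately by
# a comma, but the message reads "temp: 500°F,".
POSTED_ATTEMPT = re.compile(r".*hw_state: Elements\(temp:(?P<set_temp>\d+),.*")


def message_field(raw_event: str) -> str:
    """Mimic Splunk's JSON auto-extraction of the top-level "message" field."""
    return json.loads(raw_event)["message"]


def extract_temps(raw_event: str) -> dict:
    """Return {"target_temp": int|None, "set_temp": int|None} for one event.

    None means the value is not numeric (for example "-"), so a downstream
    search can filter or default it instead of silently getting no field.
    """
    msg = message_field(raw_event)
    result = {}
    for name, pattern in (("target_temp", TARGET_TEMP), ("set_temp", HW_STATE_TEMP)):
        match = pattern.search(msg)
        result[name] = int(match.group(name)) if match else None
    return result


def posted_attempt_matches(raw_event: str) -> bool:
    """True if the poster's second rex would have produced a field."""
    return POSTED_ATTEMPT.search(message_field(raw_event)) is not None


if __name__ == "__main__":
    print(extract_temps(EVENT_WITH_TEMP))      # {'target_temp': 500, 'set_temp': 500}
    print(extract_temps(EVENT_NO_TEMP))        # {'target_temp': None, 'set_temp': None}
    print(posted_attempt_matches(EVENT_WITH_TEMP))  # False
```

In Splunk terms this corresponds to `| rex field=message "hw_state: Elements\(temp:\s*(?<set_temp>\d+)"`; if the message field is not auto-extracted (for example because KV_MODE is set to none for the sourcetype), apply the same pattern to _raw instead, since the JSON escaping of the message string does not touch the characters the pattern relies on.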
Hello, Does anyone know when this app will become cloud compliant?
Here is the raw event:

{"bootcount":8,"device_id":"XXXX","environment":"prod_walker","event_source":"appliance","event_type":"GENERIC","local_time":"2025-02-20T00:34:58.406-06:00", "location":{"city":"XXXX","country":"XXXX","latitude":XXXX,"longitude":XXXX,"state":"XXXX"},"log_level":"info", "message":"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\u0000", "model_number":"XXXX","sequence":372246,"serial":"XXXX","software_version":"2.3.0.276","ticks":0,"timestamp":1740033298,"timestamp_ms":1740033298406}
Hi @Raja_Selvaraj, use the delta command ( https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Delta ).

<your_search>
| timechart span=1d count BY column
| delta columnA AS new_columnA
| delta columnB AS new_columnB
| delta columnC AS new_columnC
| eval deltaA=new_columnA-columnA, deltaB=new_columnB-columnB, deltaC=new_columnC-columnC

Ciao. Giuseppe
Hi Will, for the confirmation:

On UF - inputs.conf
[monitor://C:\beheer\SCCM\abc*.txt]
index=main
sourcetype=Windows:SCCM:KBNummers

On Index-cluster - props.conf
[Windows:SCCM:KBNummers]
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
INDEXED_EXTRACTIONS=json
KV_MODE=none
AUTO_KV_JSON = false
category=Structured

Input file
[{"Type":"SUGUpdates","SiteCode":"DS","SUGName":"Microsoft-W2K5 4020-30-30 31:05:36","ArticleID":"5049994"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050008"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5002674"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"}]

Regards, Harry
Hi Everyone, can someone please help me with a Splunk query to show the difference of two values in a timechart for a period of time? The sample result which I get from the query has Column A with the time range and the other columns with the respective host values.

Column A     Column B   Column C   Column D
02/22/2025   10         12         14
02/23/2025   11         13         15
02/24/2025   12         15         17
02/25/2025   16         20         21

I need the difference of the values of Columns B, C and D from the previous time period, shown in one timechart. Let me know if any other details are required.
@omcollia - On Splunk Cloud you are not allowed to update JS from some other JS file in any way (neither programmatically nor manually). So the only options you have are: if the App is built by you, you can update the JS and publish the new version of the App. If the App is built by someone else, ask the developer for the change, if they can do that. I hope this helps!!!
Hi @Gil, as @livehybrid also said, the sharing level of your dashboards isn't relevant; what matters is only whether a role has the grant to write the dashboard or not. If you want some users to be able to modify some dashboards, you have to create a role, assign those users to this role and enable writing to dashboards for this new role. Ciao. Giuseppe
Hi @KJ10, could you share your inputs.conf file? In general, the option index=<your_index> in inputs.conf shouldn't have any issue if the index really exists. Did you check that the index really exists and that you gave the correct grants to it? Anyway, if you restore the original index name in inputs.conf and restart Splunk on the Forwarder, logs should arrive in the original index; did you restart the UF after restoring the original index? Are you using a Deployment Server to deploy configurations to the UF, or did you modify them manually? Ciao. Giuseppe
How can I repair a Data input index to its normal state? I created a Data input as per my Technical Add-on; for some reason I changed my index in inputs.conf to a new index, which apparently doesn't work in Splunk 9.3 even though I created the new index from the UI. Later I changed my index back to the original, but somehow that Data input is stuck and never executes at all. I tried reinstalling my TA app and restarting Splunk multiple times, but no luck and no error in splunkd.log. The same scenario happened at the client end. Can anybody please guide me on this repair, or on what the RCA could be, even though we reverted all inputs to normal?
Thank you for your suggestions. We do not have a test server to restore to before restoring onto the prod server. On a separate note, is it possible to schedule a report or a script to back up the kvstore on a daily basis, to avoid restoring from a backup of the /opt/splunk/var/lib/splunk/backup directory?
It depends on your complete raw event - spath is likely to be part of the solution. Please share your raw event (anonymised appropriately) in a code block using the </> button.
No, how would I do that? spath?
Hi @harryvdtol, I've just tried that sample data and props config locally and it seems to work. Please can you confirm the stanza name (the text between the [ and ]) in the props.conf and the sourcetype that this is indexed into Splunk as? These should match, but I want to double check, as it looks like it hasn't applied the props.conf. Please let me know how you get on, and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
I tried to avoid giving them write permission to that app, so it will probably work but won't answer all my desires.
Hi @Gil, when you say public, do you mean shared within the app for other app users? If so, the user will need to be in a role which has write permissions to that app (and dashboard) so they can share it within the app. Please let me know how you get on, and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
| sort 0 _time host
I see what you say, but it does not help me with the fact that those users cannot change their dashboards to public.
Hi @Anit_Mathew, did you get to the bottom of this? This looks like the "Traffic Over Time By Protocol" panel which is broken? Which version of ES are you on? In ES 7.3.2 the search it runs is something like this:

| `tstats` count from datamodel=Network_Traffic.All_Traffic where * by _time,All_Traffic.transport span=10m
| timechart minspan=10m useother=`useother` count by All_Traffic.transport
| `drop_dm_object_name("All_Traffic")`

which doesn't look like it has a map command anywhere, unless you have altered any macros? Please can you confirm the ES and CIM app versions you are using and whether any changes have been made to the macros? Please let me know how you get on, and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
Thanks @ITWhisperer, this seems to work. How can I display results where all the names, locations, and descriptions from the same event are displayed together? For example:

host    _time   Name    Location    Description
host1   9:06    Name1   Location1   Description1
host1   9:06    Name2   Location2   Description2
host2   8:02    Name1   Location1   Description1
host2   8:02    Name2   Location2   Description2

If the event is sent at 9:02, let's say, for a specific host, I want to make sure all names, locations, and descriptions are displayed below each other. I hope that makes sense. I would really appreciate your help.