Firstly, join is almost never a solution to a Splunk problem. Secondly, you do not have Column1 as an output of your tstats search, so how can it match up Col1+Col2 with the start/end times? Generally, if you want to enrich the start/end times with info from a lookup, you would run the tstats, then lookup the common fields (Column1) from the lookup and output the other fields (Column2). If you want to end up with all the rows from the lookup in the output, even where there is no data for some of the rows, you would then do a final couple of commands, i.e.

| inputlookup File.csv append=t
| stats values(*) as * by Column1

which would then give you all the rows from the lookup and start/end times from data for Column1 found in the tstats search.
Technically you could use both base searches, but it's a bit fiddly and isn't really going to save you anything as the searches have to run anyway. You would get the job ids of each base search and then in your panel search you would use loadjob to load each of the jobs. However, you're still going to have to load the second job in some kind of subsearch (join?) so not sure where you're trying to go with this. If you are simply trying to speed up a join search, you can't achieve this with two base searches, as you are simply not changing anything and it will take the time it takes. The solution for a poor performing search using join is to remove the use of join and rewrite the search in another way. Looking at your existing searches I'm not sure why you are trying to combine these in the first place, because you have appcode in your first search and you simply want appcode to get the list of details from the lookup. You are doing a lookup in the primary search but doing nothing with the retrieved data. Why don't you just do the lookup in your primary search after the chart, i.e.

index=serverdata
| rex "host_name=\"(?<server_host_name>[^\"]*)"
| chart dc(host_name) over appcode by host_environment
| eval TOTAL_servers=DEV+PAT+PROD
| table appcode DEV PAT PROD TOTAL_servers
| lookup servers_businessgroup_appcode.csv appcode output Business_Group as New_Business_Group
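As an added illustration of the tstats-then-lookup-then-append pattern described in the earlier answer about replacing join (this is not code from either answer's author), here is one complete search. It assumes an index named web_logs in which Column1 is an indexed field that tstats can split by, and a lookup File.csv with the columns Column1 and Column2; all of those names are placeholders. Rows that exist only in the lookup come through with empty start/end times and are flagged, so nothing from the lookup is silently dropped.

```spl
| tstats min(_time) as start_time max(_time) as end_time where index=web_logs by Column1
`comment("Added example, not from the thread: index web_logs, indexed field Column1 and lookup File.csv (Column1, Column2) are assumed placeholders")`
| lookup File.csv Column1 OUTPUT Column2
| inputlookup File.csv append=t
| stats values(*) as * by Column1
| eval status=if(isnull(start_time), "no events in time range", "seen")
| eval start_time=strftime(start_time, "%Y-%m-%d %H:%M:%S"), end_time=strftime(end_time, "%Y-%m-%d %H:%M:%S")
| table Column1 Column2 status start_time end_time
```

The inputlookup with append=t adds every lookup row to the result set, and the stats values(*) as * by Column1 collapses each pair (enriched tstats row plus raw lookup row) back into one row per Column1. If Column1 is not an indexed field, tstats cannot split by it and a regular search with stats min(_time)/max(_time) has to be used instead; the rest of the pipeline is unchanged.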
@alanzchan Were you able to find a solution to your problem?
Hi @gcusello, Unfortunately, I am not in control of the application layer. Web logs could be in any directory on any drive. With a script to check and overwrite the inputs.conf, that will only require a local splunk restart if the location changes. That usually happens rarely, but we need to capture it.
1. check log location
2. compare with current setting in inputs.conf
3. if different only - update & restart
Kind Regards
Andre
Yeh for reference I've got that kinda thing, it's super simple. What I'm wondering is, if there's an easy way or even any way, to replicate the popup bubble, so that it'd look like this: Cause that would be a million times better. It's clear enough I could forget the 5x1m rows... and it's like being handed out for free instantly when clicking on any field in a search...
I don't know CloudWatch but from what I'm reading it uses either its own agent or you're pushing data to its API endpoint. Splunk's UF is obviously not a CloudWatch agent and it can only send out a simple syslog (or syslog-like) output. So your best bet would be probably using two separate agents. Watching the same file should not be that much of a problem (except for rare situations when monitoring a file with just one agent would be problematic).
I'm trying to install the Qualys Technology Add-on (TA) (https://splunkbase.splunk.com/app/2964) into Splunk Cloud. I tried downloading from splunkbase and uploading to splunkcloud but received an error stating "This app is available for installation directly from Splunkbase. To install this app, use the App Browser page in Splunk Web." When I try the "Browse More Apps" method, I cannot locate the Qualys TA. I DO see other Qualys apps such as Qualys FIM, Qualys VM, Qualys CSAM, etc., but I don't see the TA. What am I missing?
1. Be careful with the append command. It spawns a subsearch and therefore is limited by subsearch constraints (and can get finalized silently without producing full results). In your case you could either use multisearch, since you have only streaming commands, or a single search with conditional assignment or evaluation to get EventId properly assigned.

index=index1 OR (index=index2 sourcetype=something)
| eval EventId=coalesce(EventId,Number__c)

(That's assuming that when you have Number__c in your event, you don't have EventId; if that's not the case, you have to use if() or case() with your eval.)

2. To not only find if there are two matching events but which of them is missing if there is only one, you have to do it slightly differently. Firstly, classify your events:

| eval classifier=if(index="index1",1,2)

Now you can do

| stats sum(classifier) by EventId

This way you'll get a value of 3 when there are both events, 1 if there is only an event from index1 or 2 if there is only an event from index2.
Tenable is a company. The right add-on depends on which Tenable products/services you are using.
It doesn't work like that. Parentheses group search conditions only. You can't spawn a separate post-processing command for part of your data this way. You would need to use multisearch or append. But in your case it's probably not needed. Just do your rex command after the initial search. Unrelated note - don't use wildcards at the beginning of your search term unless you really can't avoid it.
Hi, I'm trying to use an OR function in the below query, trying to combine two indexes and then use the stats function as an alternative to the join command:

(index=serverdata sourcetype="server:stats" | rex "app_code=\"(?<application_code>[|w.\"]*)" ) OR (index="hostapp" source=hostDB_Table dataasset="*host_Data*")

I have tried to use escape characters but it's still not working. Thanks
I would recommend the Tenable TA at https://splunkbase.splunk.com/app/4060 for getting the data in to Splunk, which uses Splunk Modular Inputs to connect to your Tenable service and pull the data. You can also download the Tenable App (https://splunkbase.splunk.com/app/4061) which is different to the TA in that it is more focussed on visualising the Tenable data. This utilises the data in the TA and the data you have ingested. Both of these Splunk apps are built and supported by Tenable themselves but assume you're using Tenable's feature products - there are separate Splunkbase apps made by Tenable for WAS / EASM if you are using these products. Please let me know how you get on and consider upvoting/karma this answer if it has helped.
Regards
Will
Hi @tkwaller1, You should be able to do your search as follows:

(index=index1) OR (index=index2 sourcetype="api")
| eval EventId=coalesce(Number__c, EventId)
| stats dc(index) as indexCount by EventId
| where indexCount>1

Please let me know how you get on and consider upvoting/karma this answer if it has helped.
Regards
Will
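An added example (not code from either answer's author) that combines the two answers to this question: it normalises the id with coalesce as in the answer just above, then reports, for each EventId that was seen in only one index, which index it came from and which one it is missing from, as the earlier classifier answer asks. It uses dc(index) and values(index) rather than a summed classifier so that two events from the same index cannot add up to the "both present" value. The index names index1 and index2, the sourcetype api and the field Number__c come from the question; the output field names are assumed.

```spl
index=index1 OR (index=index2 sourcetype="api")
| eval EventId=coalesce(EventId, Number__c)
`comment("Added example, not from the thread: index names, sourcetype and Number__c come from the question; seen_in, missing_from and events are assumed output names")`
| where isnotnull(EventId)
| stats dc(index) as indexCount values(index) as seen_in count as events by EventId
| where indexCount < 2
| eval missing_from=if(seen_in="index1", "index2", "index1")
| table EventId seen_in missing_from events
```

Because the where clause keeps only ids with indexCount below 2, seen_in is always single-valued when the if() runs, so the comparison is safe. The events column shows how many records carried that id, which makes duplicates within one index visible instead of being mistaken for a match; drop the where line to see matched ids as well.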
Hello, I have 2 questions about Splunk AI Assistant (Cloud Version). If customers sign the EULA and receive notification that the app can be installed on their Stack, is the app possible to install on all the customer stacks? In case a Stack has premium products like ITSI and ES, can the app be used from Premium Search heads or does it need to be installed only on the Adhoc SH and used only from there for its purposes? Thanks!
Regards
Darina Stoyanova-Mateva
Hi @secure as @gcusello stated you can have only one base search. What would it mean to have 2 in a panel? The base search just returns the results so how could you use 2 together? I am not sure if this helps but you can have a base search use another base search.
Hello, I have a search like

index=index1
| rename Number__c as EventId
| append [search index=index2 sourcetype="api" ]
| stats count by EventId
| search count < 2

What it does is search 2 indexes for ids and counts them, expecting 2 (1 from each index). What I would like to ensure is that when the count is less than the expected 2, its only source is the first search. Meaning that if there is only 1 record, it is from the first portion of the search and not found in the second. In the table, however, I only want to show the EventId. Thanks for the assistance!
@shaunm001 You can check the sourcetype along with the index you are searching; it should have the presence of MessageTrace. I can't see much on your environment, but if you still have confusion you can put down a support case to get more help.
Yes new builds old cluster. Appreciate the info that was helpful.
Hi @danielbb I used the TA below for a long time and it worked well. https://splunkbase.splunk.com/app/4060