If you want / need help, all discussions will be public here in Answers. Here is @yuanliu's excellent description of what and how you need to describe your issue, so we can help you after that. Without basic information it's really hard and frustrating to make guesses to solve your problem.

——8<______

Let me repeat the four commandments of asking answerable questions in this forum:
1. Illustrate data input (in raw text, anonymize as needed), whether they are raw events or output from a search (SPL that volunteers here do not have to look at).
2. Illustrate the desired output from the illustrated data.
3. Explain the logic between the illustrated data and the desired output without SPL.
4. If you also illustrate attempted SPL, illustrate the actual output and compare it with the desired output, and explain why they look different to you if that is not painfully obvious.
Hi, thanks for your response, sadly I am still not able to achieve this. Can we connect over Gmail or any other platform where I describe the scenario to you and get it done? I don't understand what I need to replace the values below with: <search filters for website status=ok> and <search for website status = NOT OK>. My index name is main and sourcetype is "web_ping".
Is there a way to hide the tooltip when I hover on a pie chart in Splunk Dashboard Studio and customize what it shows? For example, when I hover on this chart I see weighted_sum: 9,946, but I would like to only show the weighted_sum% and not the value.
Where is that installed? By the sounds of it, you've probably put it in the cloud if you are creating rules. Do you know if Splunk is running? If it's installed in some cloud instance, have you tried SSHing to the host to see if Splunk is running? Can you ping or traceroute to the host? That won't necessarily mean anything if you can't, if there are firewall rules in place. Anyway, if you could originally log in to Splunk and now you can't, then it seems likely that a) Splunk is not running or b) someone (if not you) has put some kind of firewall restrictions in place between you and it.
I have a Splunk Dashboard table with data. This is the JSON below:

{
  "type": "splunk.table",
  "dataSources": { "primary": "ds_zn4Nlcdc" },
  "title": "Some title",
  "options": {
    "columnFormat": {
      "name": { "width": 109 },
      "team": { "width": 60 }
    },
    "headerVisibility": "fixed"
  },
  "description": "Some description.",
  "eventHandlers": [
    {
      "type": "drilldown.customUrl",
      "options": { "url": "$row.url.value$", "newTab": true }
    }
  ],
  "context": {},
  "containerOptions": {},
  "showProgressBar": false,
  "showLastUpdated": false
}

I have event handlers to reroute to the correct URL when drilling down, BUT the hyperlink is applied to the whole row. I want the hyperlink to be applied to only a specific column so I can have multiple hyperlinks for one row. At the moment, I can click any value on the row and I will be routed to $row.url.value$, but I want to click on a specific column and then be routed to the hyperlink specific to that column.
Thanks, I usually rename those fields to remove the spaces. That way it's much easier to use them.
So, you do

| stats count by user group "connection method"

if those are the names of your fields.
Hello and help. I've downloaded Splunk Enterprise and initially was able to connect to the dashboard, then all of a sudden I started to receive the message "This site can't be reached". I've deleted cache and cookies per support and then was nicely led to community support. Also, I deleted and added inbound rules for Splunk 9997 and Splunk Web. Thanks
@isoutamo actually no, in stats that type of field name requires double quotes. It's eval that requires single quotes on the RHS of an expression.
If all you want is a single integer that is the total of all file_count values, then stats is the way to go.

| rex "..."
``` more query stuff ```
| stats sum(file_count) as Total_Count
I just want to check an index for the following information and have it displayed in a chart. I'm looking for help with the structure of the search: the username, the group and the connection method.
If you have a field called "connection method" you must surround it with ' (use a single ' on both sides of the field name). This tells Splunk that it is one field name, not two separate fields.

|stats count by username, group, 'connection method'
What does that mean and what have you tried that you need help with and what is not doing what you expect?
I need help with the structure of this search. I would like to display the username, the group and the connection method.

index=indexname
|stats count by username, group, connection method
|sort -count
There are 3 apps I have used for network graphs - all good:

https://splunkbase.splunk.com/app/3767
https://splunkbase.splunk.com/app/4611
https://splunkbase.splunk.com/app/4438

The first two are good network graphs, one does 3D, and the last allows custom icons. I use all 3 for slightly different purposes. All for classic dashboards.
Have you checked that this REGEX and also your TIME_PREFIX are working? Try them e.g. on regex101.com. I'm not sure what all you could have in TIME_PREFIX. This seems to be working at least on regex101.com, but check that it also works with the Splunk rex command. Btw, which HEC endpoint are you using? Some of those don't extract the timestamp!
Hey Rich, that works and I get the total at the bottom, but it shows every single column also. Example: I had 98 events and the total was 157,000, but it shows every single event and the columns.
One way is with addcoltotals

| rex "..."
``` more query stuff ```
| addcoltotals file_count
Thanks, this helps with extracting the number. How do I do the sum at the end? In 24 hours I could have 96 * 2000 file uploads.
It would help to know what you've tried so far, but getting the other field is just a matter of extending the regex:

"Stopping\siteration[\s\-]+(?<stop_reg_id>[^:\s]+):\s*(?<file_count>\d+)"