All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

Just reads what HLLs are, so I’m not familiar with those and don’t really understand the whole math behind those, but I believe that I understand enough? I think that you must replace the whole stat... See more...
Just reads what HLLs are, so I’m not familiar with those and don’t really understand the whole math behind those, but I believe that I understand enough? I think that you must replace the whole stats command with your custom command and do those calculations on python and just return answer with approximate boundaries. Maybe there is already some libraries or examples, how you could create your own stats replacement for count and a mergeHLL part to it?  
What do I need to change in order to convert HEC on HTTP to HEC on HTTPS?
Hi @BrianLam, I recommend enabling the Add to Triggered Alerts action and then using the /services/alerts/fired_alerts/{name} endpoint to get the most recent alert:   https://splunk:8089/servicesN... See more...
Hi @BrianLam, I recommend enabling the Add to Triggered Alerts action and then using the /services/alerts/fired_alerts/{name} endpoint to get the most recent alert:   https://splunk:8089/servicesNS/-/-/alerts/fired_alerts/foo?output_mode=json&count=1&sort_dir=desc&sort_key=published   Then use the related job link at .entry[0].links.job to construct a results URI:   { /* ... */ "entry": [ /* ... */ "links": { /* ... */ "job": "/servicesNS/admin/search/search/jobs/scheduler__admin__search__xxx_at_xxx_xxx", /* ... */ } ], /* ... */ }   →   https://splunk:8089/servicesNS/admin/search/search/jobs/scheduler__admin__search__xxx_at_xxx_xxx/results?output_mode=json   In this example, the search named foo is owned by the admin user in the search app. You can find more information on using namespaces at https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing#Namespace.
Hi @welcomerrr, You can often get creative with alternative SPL without restoring to custom commands. See https://community.splunk.com/t5/Splunk-Search/Product-of-a-Column/m-p/707749 for a recent ex... See more...
Hi @welcomerrr, You can often get creative with alternative SPL without restoring to custom commands. See https://community.splunk.com/t5/Splunk-Search/Product-of-a-Column/m-p/707749 for a recent example of calculating a product over a list. Depending on the algorithm your hypothetical function implements, a solution may also be possible using a combination of an existing aggregation function and a nested eval.
Thank you folks !! it helps. Here is what I am trying to acheive, I want to use https://datasketches.apache.org/ Data Sketches to deserailize the skecth written into splunk. While I was able to de... See more...
Thank you folks !! it helps. Here is what I am trying to acheive, I want to use https://datasketches.apache.org/ Data Sketches to deserailize the skecth written into splunk. While I was able to deserailize the sketch itself but we need to merge sketches. For example I would like to merge the skecthes based on something like  Selected fields | stats sum(total_clicks), mergeHll(unique_visitor_sketch) as merged_unique_visitors group by country My core problem is how I could define mergeHll(unique_visitor_sketch) as in command.  import sys import base64 from splunklib.searchcommands import dispatch, StreamingCommand, Configuration, Option from datasketches import hll_sketch @Configuration() class CreateHLLCommand(StreamingCommand): field = Option(require=True) def stream(self, records): """Process the streaming records and get estimate from sketch.""" for record in records: # Deserialize the HLL sketch sketch_bytes = base64.b64decode(record[self.field]) hll = hll_sketch.deserialize(sketch_bytes) record['hll_estimate'] = hll.get_estimate() yield record # Dispatch the command dispatch(CreateHLLCommand, sys.argv, sys.stdin, sys.stdout) My custom command to deserialize the sketch. 
@uthornander_spl- Kindly please accept your own answer, so future Splunk Community users gets benefited from it.
I've facing this issue also, and currently it solved. First, need to see what actually is running, go to the console monitoring in the master. run bellow to find the search query/name. | rest ... See more...
I've facing this issue also, and currently it solved. First, need to see what actually is running, go to the console monitoring in the master. run bellow to find the search query/name. | rest /services/search/jobs | search isRealTimeSearch=1 | table sid, dispatchState, runDuration, search, eventCount, resultCount, title, provenance, label   And i found the what is search indicated high CPU Go to the job console in the top right side, and stop or delete the job.    Hopefully will be help.    
You can add a prefix and suffix to the token and use a change handler on your input to reset the token to be empty if the user has not put anything in the text field. <input type="text" token="a... See more...
You can add a prefix and suffix to the token and use a change handler on your input to reset the token to be empty if the user has not put anything in the text field. <input type="text" token="attachment"> <label>Attachment search $attachment$</label> <default></default> <change> <eval token="attachment">if($form.attachment$ == "","",$attachment$)</eval> </change> <prefix>attachments="</prefix> <suffix>"</suffix> </input> You then use the token in your search index=email source=/var/email_0.log $attachment$ sha256=$hash$
Right. Didn't notice the columns were not named the same in both sourcetypes.
Combining everyone's suggestions, here is a command that is ready to go if that string is all you need: | rex "Setting connector (<myfield>\S+)" How strictly or loosely you want to set anchors and ... See more...
Combining everyone's suggestions, here is a command that is ready to go if that string is all you need: | rex "Setting connector (<myfield>\S+)" How strictly or loosely you want to set anchors and matches heavily depends on actual data and use case.  This is just something to get you started.
As with any good languages, there are many ways to do this.  A simple and semantically expressive method is to use coalesce. sourcetype IN (tableA, tableB) | eval col2 = coalesce(col2, colA) | stats... See more...
As with any good languages, there are many ways to do this.  A simple and semantically expressive method is to use coalesce. sourcetype IN (tableA, tableB) | eval col2 = coalesce(col2, colA) | stats values(col1) as col1 values(colB) as colB by col2  
Splunk uses different colors for different numeric fields.  Your stats command results in only one, count.  There are many ways to make a field named Pass and another named Fail.  As your output only... See more...
Splunk uses different colors for different numeric fields.  Your stats command results in only one, count.  There are many ways to make a field named Pass and another named Fail.  As your output only contains a 2x2, the easiest is probably just transpose the output. index="sampleindex" source="samplesource" test_name="IR Test" serial_number="TC-7" | stats count by result | transpose header_field=result Additional tips: Do not use screenshot to share text data.  Share raw text. Do not cascade filters that can be performed in initial index search. Format Splunk searches with pipe sign at beginning of line, not end.  You can enable "Search auto-format" in preferences to help you create readable searches.
It's not really clear how you want your dashboard to behave.  If I have to guess, do you mean to say if a user specifies $file$ value as "thisfile", you want to return Emails with attachment named "t... See more...
It's not really clear how you want your dashboard to behave.  If I have to guess, do you mean to say if a user specifies $file$ value as "thisfile", you want to return Emails with attachment named "thisfile" as well as Emails with no attachment?  If so, you can tell the search command to do so using OR logic. index=email source=/var/email_0.log (attachments=$file$ OR NOT attachments=*) OR sha256=$hash$
@divyanshbinjola  Step 1: Stop Splunk Navigate to system “Services” >> Click on “Splunkd service” >> Click “Stop” the service Step 2 : Uninstall Splunk Navigate to “Control Panel” >> “Prog... See more...
@divyanshbinjola  Step 1: Stop Splunk Navigate to system “Services” >> Click on “Splunkd service” >> Click “Stop” the service Step 2 : Uninstall Splunk Navigate to “Control Panel” >> “Programs” >> “Programs and Features” >> Click on “Splunk Enterprise” >> Accept the check box “Yes”.
@divyanshbinjola  Stop the services first and uninstall the package. 
@divyanshbinjola  Hello Divya, The first thing to keep in mind is that Splunk Enterprise is not officially supported on Windows 11. System requirements for use of Splunk Enterprise on-premises - S... See more...
@divyanshbinjola  Hello Divya, The first thing to keep in mind is that Splunk Enterprise is not officially supported on Windows 11. System requirements for use of Splunk Enterprise on-premises - Splunk Documentation But check this documentation for uninstallation: https://docs.splunk.com/Documentation/Splunk/9.4.0/Installation/UninstallSplunk 
Hi, guys i am unable to install splunk enterprise on my win 11, when clicking on installer it say it prematurly ended pleas
I totally agree what @PickleRick said. This is technically doable, but there isn’t any sense to do it. I know that there are some sites who want that internal logs are seen also e.g. power user, but I... See more...
I totally agree what @PickleRick said. This is technically doable, but there isn’t any sense to do it. I know that there are some sites who want that internal logs are seen also e.g. power user, but I don’t say that this is the perfect solution as it also generates some other concerns!
Good day,   I'm having an issue with an email dashboard I'm attempting to create in Splunk. This dashboard filters on the various email headers fields such as sender, recipient, subject, etc. One o... See more...
Good day,   I'm having an issue with an email dashboard I'm attempting to create in Splunk. This dashboard filters on the various email headers fields such as sender, recipient, subject, etc. One of these fields is the attachments field. The issue is that there is *alwasy* a sender, recipient, and subject....but not all emails have attachments nor do I always want to filter by it. In the dashboard, I'm using a text field with a default value of '*' . The problem with this is shown in the extract below.     index=email source=/var/email_0.log attachments=$file$ OR sha256=$hash$       This search will find all emails with attachments, but filter emails without any. However, what if I want search an email just by its subject while ignoring attachments? I'd love to be able to change the dashboard so that filtering by these fields could be turned on and off, but I haven't found a way to do that. I thought I could use isnotnull(attachments) inside a case() or if() function to test if the field exists, but those expressions don't appear to work in the base search. Does anyone have any insight into how I could change the search(or dashboard) so that I'm not always filtering by attachments? Perhaps by changing the default values? Or perhaps the regex command?
While I do understand that compliance people (I suppose that's where the idea ultimately comes from) sometimes have their reasons, sometimes they are a bit overzealous. Remember that _internal is - ... See more...
While I do understand that compliance people (I suppose that's where the idea ultimately comes from) sometimes have their reasons, sometimes they are a bit overzealous. Remember that _internal is - as the name says - Splunk's internal index. There should be only things relevant to Splunk's inner workings there. This index is not meant for non-admins access. So there should not be data there which is not obtainable by the admins anyway. So while technically, you should be able to mask some data out of your events, it might make troubleshooting more difficult (also supportability point raised by @isoutamo is a very good one). You must also remember that parsing (and all associated activities like SEDCMD) are done on first heavy component in event's path so you'd need to place the props/transforms on the search-head(s) which is(are) generating those alerts. And this is a very unintuitive place to look for such settings in case someone inherits your environment in the future. So while it is technically possible, I'd be hard pressed to call this a good idea.