I can manually count and see that there are x # of sensors setup per hostname. You need to show volunteers here HOW do you count number of sensors from logs (without using SPL). Here are four commandments to help you ask answerable questions in this forum:
Illustrate data input (in raw text, anonymize as needed), whether they are raw events or output from a search (SPL that volunteers here do not have to look at).
Illustrate the desired output from illustrated data.
Explain the logic between illustrated data and desired output without SPL.
If you also illustrate attempted SPL, illustrate actual output and compare with desired output, explain why they look different to you if that is not painfully obvious.
You can't count non-existence of a field value if that value does not exist unless you know what values are expected - that is generally termed 'proving the negative' in these forums. You would typically have a lookup file of the expected values for field2, e.g. if you have a csv with field2 having 2 values 666 and 999 and in your search you get field2 for value 999 has N results but no 666 results, then this at the end will add a 0 for all missing expected values:
| inputlookup append=t field2.csv
| stats max(count) as count by field2
| fillnull field2
Let's say I have a dashboard set up with 5 hosts (serverA, serverB, serverC, serverD, serverE); for each host there are 5-10 queries set up to pull data using the same index=idx_sensors. I can manually count and see that there are x # of sensors set up per hostname. How would I create a query to check how many sensors are being monitored by hostname? (I've got 7 diff dashboards w/ multiple hosts monitoring X number of sensors. I need to get metrics for which host has how many sensors that are currently being monitored.)
You can use rex, but your example is not entirely clear - you are expecting - and | and / characters in your output? See the rex statement in this example with your data.
| makeresults format=csv data="raw
00012243asdsfgh - No recommendations from System A. Message - ERROR: System A | No Matching Recommendations
001b135c-5348-4arf-b3vbv344v - Validation Exception reason - Empty/Invalid Page_Placement Value ::: Input received - Channel1; ::: Other details - 001sss-445-4f45-b3ad-gsdfg34 - Incorrect page and placement found: Channel1;
00assew-34df-34de-d34k-sf34546d :: Invalid requestTimestamp : 2025-01-21T21:36:21.224Z
01hg34hgh44hghg4 - Exception while calling System A - null"
| rex field=raw max_match=0 " (?<words>[A-Za-z]+)"
| eval words = mvjoin(words, " ")
Calculating metrics. I need to count the number of sensors that are created and monitored for each host. I have the index and sourcetype. I created about 7 different dashboards with multiple hosts on each dashboard and I need to get a count of the number of sensors that are being monitored by each host.
index=idx_sensors sourcetype = sensorlog | stats count by host
The above query is giving me all the hostnames that are being monitored, but the count is giving me all the events... I just need the # of sensors per host.
@jkamdar Yes, please replace the user while using chown. If you still face issues, it might be necessary to check with the OS team to determine if there are any permission-related problems.
Hi everyone, I'm running a query in Splunk using the dbxquery command and received the following error: Error in 'script': Getinfo probe failed for external search command 'dbxquery'. When I check Apps -> Manage Apps -> Splunk DB Connect, I see the version is 2.4.0. Please help me identify the cause and how to fix this error. Thank you!
Not sure if I fully understand the requirement. But in general, you can assign a non-null string to those fields. For example,
| eval MX = coalesce(MX, "MX is null")
The issue, I suspect, is when you transpose, all those values representing null will collapse and skew format. Is this the problem? If so, you can force these values to be different, e.g.,
| eval MX = coalesce(MX, "MX is null for " . FQDN)
Hope this helps.
Try using the match function to test the field value.
index=XXX_XXX_XXX
| eval job_status=if(match('MSGTXT', "ABEND"),"ko","ok")
| where job_status="ko"
Hi, Can anyone please help in creating a regex to extract 12 words (words with characters/letters only) from the beginning of the field? Sharing a few samples with required output:
1) 00012243asdsfgh - No recommendations from System A. Message - ERROR: System A | No Matching Recommendations
Required Output - No recommendations from System A. Message - ERROR: System A | No Matching Recommendations
2) 001b135c-5348-4arf-b3vbv344v - Validation Exception reason - Empty/Invalid Page_Placement Value ::: Input received - Channel1; ::: Other details - 001sss-445-4f45-b3ad-gsdfg34 - Incorrect page and placement found: Channel1;
Required Output - Validation Exception reason - Empty/Invalid Page_Placement Value ::: Input received - Channel1;
3) 00assew-34df-34de-d34k-sf34546d :: Invalid requestTimestamp : 2025-01-21T21:36:21.224Z
Required Output: Invalid requestTimestamp
4) 01hg34hgh44hghg4 - Exception while calling System A - null
Required Output: Exception while calling System A - null
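As an added, runnable illustration (not code from either post above), the Python below applies the same letter-run pattern that the rex answer earlier on this page uses to the four sample events from this question, and checks two readings of the requirement against the required outputs. SAMPLES and REQUIRED are copied from the question; words_only, first_words_span and matches_required are hypothetical helper names.

```python
import re

# Copied from the question: the four sample events and the required outputs.
SAMPLES = [
    "00012243asdsfgh - No recommendations from System A. Message - ERROR: System A | No Matching Recommendations",
    "001b135c-5348-4arf-b3vbv344v - Validation Exception reason - Empty/Invalid Page_Placement Value ::: Input received - Channel1; ::: Other details - 001sss-445-4f45-b3ad-gsdfg34 - Incorrect page and placement found: Channel1;",
    "00assew-34df-34de-d34k-sf34546d :: Invalid requestTimestamp : 2025-01-21T21:36:21.224Z",
    "01hg34hgh44hghg4 - Exception while calling System A - null",
]
REQUIRED = [
    "No recommendations from System A. Message - ERROR: System A | No Matching Recommendations",
    "Validation Exception reason - Empty/Invalid Page_Placement Value ::: Input received - Channel1;",
    "Invalid requestTimestamp",
    "Exception while calling System A - null",
]

# Same pattern as the rex in the answer: a space followed by a run of letters.
# rex max_match=0 yields one multivalue entry per match; findall/finditer do the same.
WORDS_RE = re.compile(r" ([A-Za-z]+)")


def words_only(event: str, limit: int = 12) -> str:
    """Mirror of `rex max_match=0 " (?<words>[A-Za-z]+)" | eval words=mvjoin(words, " ")`,
    capped at the first `limit` words. Separators such as '-', '|' and ':::' are dropped,
    and 'Invalid' in 'Empty/Invalid' is skipped because no space precedes it."""
    return " ".join(WORDS_RE.findall(event)[:limit])


def first_words_span(event: str, limit: int = 12) -> str:
    """Hypothetical alternative: keep the original text, punctuation included,
    from the first letter-only word through the end of the `limit`-th one."""
    matches = list(WORDS_RE.finditer(event))[:limit]
    if not matches:
        return ""
    return event[matches[0].start(1):matches[-1].end(1)]


def matches_required(limit: int = 12) -> list:
    """Which samples does first_words_span reproduce exactly? Sample 2 does not:
    its required output stops at 'Channel1;', well before the 12th word, so the
    '12 words' rule cannot be what the required outputs actually follow."""
    return [first_words_span(s, limit) == r for s, r in zip(SAMPLES, REQUIRED)]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(words_only(sample))
        print(first_words_span(sample))
    print(matches_required())
```

Running it shows that the span-preserving reading reproduces samples 1, 3 and 4 exactly but not sample 2, which is the ambiguity the answer above points out.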
Hello,
I have a question about the SH deployer and search heads. We have three search heads within a cluster and for some reason at some point in time the deployer connection got disconnected and now I am trying to connect it. Let me know what needs to be done. Is it just that we need to match the password of all search heads with the deployer?
Configurations I currently see:
On Search head (1/2/3): /opt/splunk/etc/system/local/server.conf
[shclustering]
conf_deploy_fetch_url = https://XXXXXX:8089
disabled = 0
mgmt_uri = https://XXXXXXX:8089
replication_factor = 2
shcluster_label = shcluster1
id = 1F81D83B
manual_detention = off
Deployer: /opt/splunk/etc/system/local/server.conf
[shclustering]
shcluster_label = shcluster1
pass4SymmKey = XXXXXXX
Thanks in advance for your help!
We have a lookup that has all kinds of domain (DNS) information in it with about 60 fields like create date, ASN, name server IP, MX IP, many of which are usually populated. But there are several fields which have no data - 10 to 20 on any given search (assuming that they are 'null'). The empty fields are likely to vary on each search. In other words some domains will have an MX record, some will not, but if they are in this lookup, they will always have a create-date. I am presenting this data on a domain lookup dashboard, using "|transpose" so that you have a table with the field name and value on a dashboard. I would like to just show a field and a value where there is returned data, and filter out or not show a field which is null. Is there a way to do this?