I need to show time for all present events. 
Which time do you want - there are 4 events with different times!
I got the expected result using your solution; the rest of the conditions I will change according to my requirement.

index=ABC source=XYX
| extract
| fillnull value="Sending message to Common Booked topic" type
| stats values(type) as types by displayId
| where mvcount(types) = 4

Just one more thing I need help with: how do I add the time to the table as well? I tried adding this, but the time is not printed:

| table _time, displayId, types
No, it's a custom-configured syslog-ng instance that I set up. After looking at the logs arriving, I saw that the logs that previously had the metadata part included now have nothing instead, and the separators (~~~EM~~~ and ~~~SM~~~) are missing too.
What do you get if you add the fillnull and the first part of the where condition?
I have attached the raw data to the post. I am trying the following query to identify the resourceTypes and their count, but it is not giving me any results:

index=app_shared source=aws.config
| stats count by resourceType
| table resourceType

I think we can also narrow it down to only "detail-type": "Config Configuration Item Change".
If I use the query below, I get all IDs in the output which have all 3 types.

index=ABC source=XYX
| stats values(type) as types by displayId
| where mvcount(types) = 3

displayId    types
ABC0000001;  Posting Transfer Message
ABC0000001;  Posting Transfer Message
ABC0000003;  Posting Transfer Message

But if I add these 2 conditions, I am not getting any result:

| fillnull value="SENDING" type
| where mvcount(types) != 4 or types != "SENDING"
I am forwarding the logs from the Splunk HF to a syslog-ng instance that I configured myself, so it doesn't matter here.
Hi scelikok, thanks, that is a possible solution but not one that is feasible right now, partly because, as you say, it is expensive. I am working on testing the manual download, a conversion to CSV and then an upload to ES. I will update this post with my results.
Hi, more changes need to be made to fix the wrong installation. In the file $SPLUNK_HOME/etc/system/local/outputs.conf:

[indexAndForward]
index = true
selectiveIndexing = true

[tcpout]
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup|_configtracker)

The original, wrong setting is:

forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup|_configtracker|_dsclient|_dsphonehome|_dsappevent)
Thank you for confirming.
Assuming your events are as you showed, try using extract:

| makeresults
| fields - _time
| eval _raw="[13.01.2025 15:45.50] [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] [XXXXXXXXXXXXXXXXXXXXXX] [INFO ] [Application_name]- Updating DB record with displayId=ABC0000000; type=TRANSFER
[13.01.2025 15:45.50] [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] [XXXXXXXXXXXXXXXXXXXXXX] [INFO ] [Application_name]- Updating DB record with displayId=ABC0000000; type=MESSAGES
[13.01.2025 15:45.50] [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] [XXXXXXXXXXXXXXXXXXXXXX] [INFO ] [Application_name]- Updating DB record with displayId=ABC0000000; type=POSTING
[13.01.2025 15:45.50] [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] [XXXXXXXXXXXXXXXXXXXXXX] [INFO ] [Application_name]- Sending message to topic ver. 2.3 with displayId=ABC0000000"
| multikv noheader=t
| fields _raw
``` The lines above emulate the data you have shared and are unnecessary for your real data ```
| extract
| fillnull value="SENDING" type
| stats values(type) as types by displayId
| where mvcount(types) != 4 or types != "SENDING"
Does

index=WhatEverIndexTheseLogsAreIn type OR displayId

produce any of the logs you want?
Assuming type and displayId are already extracted, NO, I am not able to join all 3 conditions together for 1 ID. So I need the full query to get the IDs which are updated in all 3 DBs but not updated in the Kafka topic.
Assuming type and displayId are already extracted, you could try something like this:

| fillnull value="SENDING" type
| stats values(type) as types by displayId
| where mvcount(types) != 4 or types != "SENDING"
Have you set up any eventtypes or tagging?
If you're trying to do this in a dashboard, try setting a token to the variable part of the search and using that.
In my logs I am getting 4 events for 1 ID:

1) Updating DB record with displayId=ABC0000000; type=TRANSFER
2) Updating DB record with displayId=ABC0000000; type=MESSAGES
3) Updating DB record with displayId=ABC0000000; type=POSTING
4) Sending message to topic ver. 2.3 with displayId=ABC0000000

Sample log:

[13.01.2025 15:45.50] [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] [XXXXXXXXXXXXXXXXXXXXXX] [INFO ] [Application_name]- Updating DB record with displayId=ABC0000000; type=TRANSFER

I want to get the list of all those IDs which have all 3 events like "Updating DB........." but are missing "Sending message to topic .........".
We deleted Python 2.7.
No matter which version you upgrade to, you can always reference the manifest file. If the manifest does not list the file named in the warning, then it can be deleted.