There is no single best practice to writing SPL. Every use case is different and in order to write an effective SPL you must:
1) Know what you want to achieve
2) Know what you have
3) Know how to "splunkify" your problem
And in order to write a good and effective SPL it's good to know what each command does and how/where it works (especially considering the type of the command) and what limitations it has. Writing effective SPL is a bit of an art and it's not unusual that you go back to your search after a year or two and discover that you simply didn't know a command or two back when you originally wrote your code, and that it can be rewritten to be much prettier and more effective.
There are some general rules which are _usually_ true in typical cases, like "filter out as much as you can before doing anything serious with your data", "use as little data as you need", "don't overuse wildcards, especially at the beginning of a search term", and "use distributable streaming commands as early as you can", but as with everything, there can be exceptions to those rules simply because your particular use case might call for them. It's just good to know what the pros and cons of breaking those rules are.
I'm thinking the Hipster shop demo environment may be a lot of extra work to get running on MacOS/arm64. In the following docs, they mention the preferred option is to run in GKE. If you run locally, they did it with Ubuntu Linux. https://github.com/GoogleCloudPlatform/microservices-demo/blob/main/docs/development-guide.md
Update: We did get this resolved earlier today. The cause was a port conflict, as 8125 was already in use. With statsd, this can be tricky to catch because it's UDP, so normal testing methods for TCP ports don't work. We found that 8127 was available and used that to get it working. If anyone else encounters this, be sure to check logs (e.g., /var/log/messages or /var/log/syslog) for port conflict error messages.
I'm currently going over our alerts, cleaning them up and optimizing them. However, I recall there being a "best practice" when it comes to writing SPL. Obviously, there may be caveats to it, but what is the usual best practice when structuring your SPL commands? Is this correct or no?
search, index, source, sourcetype | where, filter, regex | rex, replace, eval | stats, chart, timechart | sort, sortby | table, fields, transpose | dedup, head | eventstats, streamstats | map, lookup
Hello, I have a .NET Transaction Rule named "/ws/rest/api". The matching rule is a regex: /ws/rest/api/V[0-9].[0-9]/pthru
A couple of examples of the URLs that would match this rule are:
/ws/rest/api/V3.0/pthru/workingorders
/ws/rest/api/V4.0/pthru/cart
/ws/rest/api/V4.0/pthru/cart/items
I am splitting the rule by URI segments 4, 5, 6, but the resulting name is: /ws/rest/api.V4.0pthruCart
Is there a way to add "/" between each segment, or is there a better way to do this that gives us a better-looking Transaction Name? Thanks for your help, Tom
Not sure if it helps as I have not tested it, but I found the error message under:
/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/error.py
There is a section for 404 in the script which contains:
kwargs['message']='Page not found!'
This is the typical "proving the negative" case. https://www.duanewaddle.com/proving-a-negative/ Append (from a lookup or a here-document), sum and you're set.
It seems there is an easier and more elegant solution. Simply transpose back and forth:
<your search> | transpose 0 include_empty=f | transpose 0 header_field=column | fields - column
marnall! Thank you for your support in resolving this issue!
Inherited Splunk deployment. Looks like authentication was set up with ProxySSO. I am unfamiliar with this and we are planning on migrating the ProxySSO authentication to SAML. In the past, I have used the web UI for authentication methods like LDAP. ProxySSO seems to be a backend conf file? Not sure how to proceed: will there be a conflict if I just add the SAML authentication method, and will it simply override the ProxySSO configuration? Or does the ProxySSO conf need to be removed first and then SAML configured? If that is the case, what methods to remove? Thank you
Thank you @kiran_panchavat. Your solution works great.
@dwangfeng Apply this props.conf:
[<sourcetype>]
SEDCMD-splunktestdata = s/(?i)(<password>)[^<]+(<\/password>)/\1xxxxxxxxxxxx\2/g
Hello, First, I am aware that there are multiple posts regarding my question, but I can't seem to use them in my scenario. Please see an example below. There are two fields, location and name. I need to filter out names that contain "2" and stats count name based on location. I came up with this search, but the problem is it did not include location A (because the count is zero). Please suggest. I appreciate your help. Thanks

| makeresults format=csv data="location, name
location A, name A2
location B, name B1
location B, name B2
location C, name C1
location C, name C2
location C, name C3"
| search name != "*2*"
| stats count by location

Data:
location    name
location A  name A2
location B  name B1
location B  name B2
location C  name C1
location C  name C2
location C  name C3

Expected output:
location    count(name)
location A  0
location B  1
location C  2
@navan1 You should include a space before AS. Please refer to this query as an example.
index=test earliest=-365d latest=now | eval Month=strftime(_time, "%Y-%m") | stats dc(eval (action="success")) AS Success_Users dc( eval(action="failure")) AS Failure_Users BY Month | sort Month
I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply, thanks. Please don't forget to accept this solution if it fits your needs.
Hello Kiran, I am getting the below error.
@dwangfeng
index="yourindex" sourcetype="yoursourcetype" | rex mode=sed "s/<password>[^<]+<\/password>/<password>xxxxxxxxxxxx<\/password>/g"
I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply, thanks. Please don't forget to accept this solution if it fits your needs.
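As an added illustration (not code from this thread), the Python script below emulates both redaction rules posted above, the case-insensitive SEDCMD from the props.conf reply and the case-sensitive rex mode=sed expression, on constructed sample events and audits whether any plaintext value survives. The sample events, the secret list and the audit helpers are constructed for this example; the two regexes are taken verbatim from the replies.

```python
import re

# Constructed sample events (not from the original thread). The mixed-case tags in
# the second event and the repeated element in the third are the cases worth checking.
SAMPLE_EVENTS = [
    '<login><user>alice</user><password>S3cr3t!</password></login>',
    '<Login><User>bob</User><Password>Hunter2</Password></Login>',
    '<creds><password>p&lt;ss</password><password>second</password></creds>',
]
# Constructed list of plaintext values that must never survive redaction.
SECRETS = ["S3cr3t!", "Hunter2", "p&lt;ss", "second"]

# Index-time rule from the props.conf reply: case-insensitive, tags kept via backreferences.
SEDCMD_PATTERN = re.compile(r"(?i)(<password>)[^<]+(<\/password>)")
SEDCMD_REPLACEMENT = r"\1xxxxxxxxxxxx\2"

# Search-time rule from the rex mode=sed reply: case-sensitive, tags rewritten literally.
REX_PATTERN = re.compile(r"<password>[^<]+<\/password>")
REX_REPLACEMENT = "<password>xxxxxxxxxxxx</password>"


def redact_index_time(event: str) -> str:
    """Emulate the SEDCMD transform; re.sub replaces every match, like sed's g flag."""
    return SEDCMD_PATTERN.sub(SEDCMD_REPLACEMENT, event)


def redact_search_time(event: str) -> str:
    """Emulate the rex mode=sed expression applied to each event at search time."""
    return REX_PATTERN.sub(REX_REPLACEMENT, event)


def leaked_secrets(event: str, secrets=SECRETS) -> list:
    """Return the plaintext secrets still present in a (supposedly) redacted event."""
    return [s for s in secrets if s in event]


def audit(redactor, events=SAMPLE_EVENTS) -> dict:
    """Map each original event to the secrets that survive the given redactor."""
    return {e: leaked_secrets(redactor(e)) for e in events}


if __name__ == "__main__":
    for name, fn in (("index-time", redact_index_time), ("search-time", redact_search_time)):
        for event, leaks in audit(fn).items():
            status = "LEAK " + ", ".join(leaks) if leaks else "ok"
            print(f"{name:11} {status:14} {fn(event)}")
```

Running it shows the search-time rule leaving the mixed-case `<Password>` element untouched, which is the reason to prefer the `(?i)` index-time variant when the producing application is not strict about tag casing.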
@dwangfeng Can you try this? I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply, thanks. Please don't forget to accept this solution if it fits your needs.
@navan1 If you want to check from the past year, you can try this. I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply, thanks. Please don't forget to accept this solution if it fits your needs.
Hello Kiran, Here the action has two fields, Success and Failure. I need to list success and failure users by month for the past year.
@navan1 Try like this. I don't have action=success and action=failure events, so I just gave random ones. Please modify your query as per your requirement. I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply, thanks.