All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

Could you please share the sample raw logs and how are those looking in Splunk once they are ingested? Issues with Line breaking, timestamp assignment, field extraction?
You can disable those integrity checks as well if your Splunk environment is working fine after upgrade. To disable the file integrity check, edit the installed_files_integrity setting in the limits.... See more...
You can disable those integrity checks as well if your Splunk environment is working fine after upgrade. To disable the file integrity check, edit the installed_files_integrity setting in the limits.conf file
Let me now if below query helps - | makeresults count=3 | streamstats count as field1 | eval field2=field1+0 | eval field2=if(field2=3, Null(), field2) | fields - _time | eval field3=if(field1==fiel... See more...
Let me now if below query helps - | makeresults count=3 | streamstats count as field1 | eval field2=field1+0 | eval field2=if(field2=3, Null(), field2) | fields - _time | eval field3=if(field1==field2, null(), field1)    
If you have wildcards in your lookup, just use the lookup command
| eval field_c=if(field_a == field_b, null(), field_a)
.
Good morning Marnall! Thank you very much for your support....with your help I managed to solve this problem!!!
could you please help with SPL syntax to match wild card entry.
@Alan_Chan I have upgraded Splunk from version 9.3.1 to 9.4.0 on a Linux platform and observed this warning. However, Splunk is functioning properly, and no issues have been noticed post-upgrade. I ... See more...
@Alan_Chan I have upgraded Splunk from version 9.3.1 to 9.4.0 on a Linux platform and observed this warning. However, Splunk is functioning properly, and no issues have been noticed post-upgrade. I believe the warning can be safely removed.  I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.
these are seperated events not a multivalue fields
The wildcard need to be defined in the lookup e.g. abc* will match abc and abc_123
Again, are these separate events or multi-value fields in the same event?
Not without combining them into a single event - this is usually done with some sort of stats command e.g. stats, eventstats, streamstats, etc Depending on what you are trying to do and how the data ... See more...
Not without combining them into a single event - this is usually done with some sort of stats command e.g. stats, eventstats, streamstats, etc Depending on what you are trying to do and how the data is represented in your events, there could be a number of ways to do this.
Hi @RSS_STT , in the same option of the same section try with WILDCARD instead CIDR. Ciao. Giuseppe
what if i want to match host_name= abc & host_name=abc_123 which is in lookup file.
Hi @RSS_STT , in [Settings > Lookups > Lookup Definitions ] open "Advanced Options" and configure CIDR as match_type, as described at https://docs.splunk.com/Documentation/Splunk/9.4.0/Knowledge/Add... See more...
Hi @RSS_STT , in [Settings > Lookups > Lookup Definitions ] open "Advanced Options" and configure CIDR as match_type, as described at https://docs.splunk.com/Documentation/Splunk/9.4.0/Knowledge/Addfieldmatchingrulestoyourlookupconfiguration Ciao. Giuseppe
Can i do the wildcard matching in lookup? |makeresults |eval ip=192.168.101.10 |lookup ip.csv ip output host In my lookup i have two entry ip=192.168.101.10 & ip=192.168.101.10/24. How can i add... See more...
Can i do the wildcard matching in lookup? |makeresults |eval ip=192.168.101.10 |lookup ip.csv ip output host In my lookup i have two entry ip=192.168.101.10 & ip=192.168.101.10/24. How can i add wildcard (*) for match and i should get two entry.  
That's it! I hadn't even considered that. Thank you so much!   But given Where only works one event at a time, does that mean it can't be used to compare fields in two different sourcetypes?
NO they are not quoted string seperated by comma..i think i dint put the example in the right way..let me try the below example field_a          field_b rohan               rohan rahul            ... See more...
NO they are not quoted string seperated by comma..i think i dint put the example in the right way..let me try the below example field_a          field_b rohan               rohan rahul                rahul raj now i need to have the difference of the above to field field_c raj
The where command (as with most commands) works on one event at a time - since your events are coming from different sourcetypes, they will be different events so the where command doesn't find any m... See more...
The where command (as with most commands) works on one event at a time - since your events are coming from different sourcetypes, they will be different events so the where command doesn't find any matches.