All Posts

Hi @ITWhisperer, thanks for taking the time to reply. When using init, it only initializes the first time but doesn't update accordingly when the fieldset is changed.
Use an init block
<form version="1.1" theme="light">
  <label>Hosts</label>
  <init>
    <set token="host">eks-prod-saas-ue1-*</set>
  </init>
  <fieldset submitButton="false">
    <input type="dropdown" token="connection">
      <label>Select Region</label>
      <default>dev-platform-postgres</default>
      <choice value="dev-platform-postgres">US</choice>
      <choice value="dev-platform-postgres-eu">EU</choice>
      <change>
        <condition label="dev-platform-postgres">
          <set token="host">eks-prod-saas-ue1-*</set>
        </condition>
        <condition label="dev-platform-postgres-eu">
          <set token="host">prd-shared-services-eu-eks*</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <p>$host$ $connection$</p>
      </html>
    </panel>
  </row>
</form>
I am working on creating a dashboard to display data from my app. I have a dropdown where you select which environment you want to see data for. I need to set 2 values based on this dropdown:
1. connection for db queries
2. host for logs based queries
I searched many options but couldn't get any to work. I am trying to do
<fieldset submitButton="false">
  <input type="dropdown" token="connection">
    <label>Select Region</label>
    <default>dev-platform-postgres</default>
    <choice value="dev-platform-postgres">US</choice>
    <choice value="dev-platform-postgres-eu">EU</choice>
    <change>
      <condition label = 'dev-platform-postgres'>
        <set token="host">eks-prod-saas-ue1-*</set>
      </condition>
      <condition label = 'dev-platform-postgres-eu'>
        <set token="host">prd-shared-services-eu-eks*</set>
      </condition>
    </change>
  </input>
</fieldset>
and then be able to use both $host$ and $connection$ tokens in the dashboard, but I can't get $host$ initialized correctly. Any help would be appreciated.
Also, side note: I am getting a warning "Expected at most 1 children of fieldset in dashboard, instead saw 2". How am I supposed to handle a case where I want 2 selections, one of date and one of connection?
Could you please share the sample raw logs and how are those looking in Splunk once they are ingested? Issues with Line breaking, timestamp assignment, field extraction?
You can disable those integrity checks as well if your Splunk environment is working fine after upgrade. To disable the file integrity check, edit the installed_files_integrity setting in the limits.conf file
Let me know if the below query helps -
| makeresults count=3
| streamstats count as field1
| eval field2=field1+0
| eval field2=if(field2=3, Null(), field2)
| fields - _time
| eval field3=if(field1==field2, null(), field1)
If you have wildcards in your lookup, just use the lookup command
| eval field_c=if(field_a == field_b, null(), field_a)
.
Good morning Marnall! Thank you very much for your support....with your help I managed to solve this problem!!!
could you please help with SPL syntax to match wild card entry.
@Alan_Chan I have upgraded Splunk from version 9.3.1 to 9.4.0 on a Linux platform and observed this warning. However, Splunk is functioning properly, and no issues have been noticed post-upgrade. I believe the warning can be safely removed.  I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.
These are separated events, not multivalue fields.
The wildcard needs to be defined in the lookup, e.g. abc* will match abc and abc_123
Again, are these separate events or multi-value fields in the same event?
Not without combining them into a single event - this is usually done with some sort of stats command e.g. stats, eventstats, streamstats, etc Depending on what you are trying to do and how the data is represented in your events, there could be a number of ways to do this.
Hi @RSS_STT, in the same option of the same section try with WILDCARD instead of CIDR. Ciao. Giuseppe
what if i want to match host_name= abc & host_name=abc_123 which is in lookup file.
Hi @RSS_STT , in [Settings > Lookups > Lookup Definitions ] open "Advanced Options" and configure CIDR as match_type, as described at https://docs.splunk.com/Documentation/Splunk/9.4.0/Knowledge/Addfieldmatchingrulestoyourlookupconfiguration Ciao. Giuseppe
Can I do the wildcard matching in lookup?
| makeresults
| eval ip="192.168.101.10"
| lookup ip.csv ip output host
In my lookup I have two entries, ip=192.168.101.10 & ip=192.168.101.10/24. How can I add a wildcard (*) for the match, and I should get two entries.