All Posts

Hi @Khalid.Rehan, Thank you for updating the thread and letting us know. 
@gcusello that worked great, thank you. Do you also happen to know the best way to add the totals for each carrier like on line 5 and 9 on my example chart? Like appendpipe?
I have the Microsoft Teams Add-on for Splunk installed and set up the inputs for the webhook. When I tried to curl the webhook using the internal IP and the port that I have it set to, I get a failed to connect error. Possibly, part of the issue could be that I don't have the webhook set to HTTPS. Unfortunately, I'm not sure how to make the webhook accessible over HTTPS. This isn't something I typically do. I've tried looking up how to make my webhook accessible, but I haven't had any luck, and nothing I found made clear sense to me.
Hi @belleke , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi @YuliyaVassilyev, first of all, Splunk isn't Excel! Anyway, you could try something like this:
<your_search> | eval col=Region."|".Director | bin span=1mon _time | chart count OVER col BY _time | rex field=col "^(?<Region>[^\|]+)\|(?<Director>.*)" | fields - col | table Region Director * | addcoltotals | addtotals
(the last two commands add the partial totals). Ciao. Giuseppe
Hi there! I want to create a scorecard by Manager and Region counting my Orders over Month. So the chart would look something like:
I have all the fields: Region, Director, Month and Order_Number to make a count. Please let me know if you have an efficient way to do this in SPL. Thank you very much!
I've solved the issue, thanks for your help! @richgalloway 
Hi @lukasmecir , good for you, see next time! let us know if we can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
Yep, good point, thank you.
Hi @lukasmecir, remember to copy indexes.conf to the new machines. Ciao. Giuseppe
Hi @belleke, install on the UF the Splunk_TA_Windows ( https://splunkbase.splunk.com/app/742 ), remembering that, by default, all the inputs are disabled, so you have to create a new folder called "local", copy the inputs.conf from the default folder and change disabled=1 to disabled=0 for all the inputs you need. Then install the above Add-On also on the Splunk Server. Ciao. Giuseppe
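A small script that does what the answer above describes, generating the local/inputs.conf overrides for the Windows event log inputs you actually want. This is an added example, not code from the thread or from the Splunk_TA_Windows add-on itself; the default/inputs.conf excerpt is constructed for the example, the index name "wineventlog" is an assumption (the index must exist on the indexer), and the stanza names follow the add-on's WinEventLog:// naming. It writes only the overrides rather than a full copy of the default file, so a later upgrade of the add-on is not masked by a stale local copy, and it rejects stanza names that do not exist in default/, which catches the kind of typo that otherwise just produces no data.

```python
"""Generate a minimal local/inputs.conf enabling chosen Splunk_TA_Windows inputs.

Added example, not part of the thread or the add-on. Splunk layers
local/inputs.conf over default/inputs.conf, so only the overrides need to
be written. The sample default text below is constructed for the example.
"""
import configparser
import os

# Constructed excerpt standing in for the add-on's default/inputs.conf.
SAMPLE_DEFAULT = """\
[WinEventLog://Application]
disabled = 1

[WinEventLog://Security]
disabled = 1
renderXml = true

[WinEventLog://System]
disabled = 1
"""


def _read_conf(text):
    cp = configparser.ConfigParser(
        interpolation=None, delimiters=("=",), strict=False, allow_no_value=True
    )
    cp.optionxform = str  # Splunk setting names are case-sensitive; keep them as written
    cp.read_string(text)
    return cp


def build_local_inputs(default_text, wanted, index="wineventlog"):
    """Return local/inputs.conf text that enables exactly the stanzas in `wanted`.

    Raises KeyError if a wanted stanza is not present in default/inputs.conf,
    so a typo such as WinEventLog://security fails loudly instead of silently
    collecting nothing. `index` is an assumed target index name.
    """
    defaults = _read_conf(default_text)
    missing = [s for s in wanted if not defaults.has_section(s)]
    if missing:
        raise KeyError(f"not in default/inputs.conf: {missing}")
    lines = []
    for stanza in wanted:
        lines.append(f"[{stanza}]")
        lines.append("disabled = 0")
        if index:
            lines.append(f"index = {index}")  # the index must already exist on the indexer
        lines.append("")
    return "\n".join(lines)


def write_local_inputs(app_dir, default_text, wanted, index="wineventlog"):
    """Write <app_dir>/local/inputs.conf and return its path."""
    local = os.path.join(app_dir, "local")
    os.makedirs(local, exist_ok=True)
    path = os.path.join(local, "inputs.conf")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(build_local_inputs(default_text, wanted, index))
    return path


if __name__ == "__main__":
    print(build_local_inputs(SAMPLE_DEFAULT, ["WinEventLog://Security", "WinEventLog://System"]))
```

After writing the file, restart the forwarder and confirm arrival with the per_sourcetype_thruput search mentioned later in this thread before changing anything else.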
Hi, I tried my process:
1. Clean install of new IDX
2. Run new IDX for the first time
3. Create index on new IDX
4. Stop the new IDX
5. Stop the old all-in-one instance
6. Copy (by rsync -a command) desired WARM buckets (db_... dirs) from the old instance to new IDX
7. Delete copied buckets from old all-in-one instance
8. Start both instances
9. Add new IDX as search peer on the old instance
10. Reconfigure outputs.conf on forwarders to add new IDX
Everything seems OK now; I'll let it run for some time and check again.
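Step 6 above hinges on choosing the right db_ directories. The following is an added example, not code from the post, that picks the warm buckets to move by event time range using nothing but Splunk's bucket directory naming (db_<newest_epoch>_<oldest_epoch>_<localid>, with an optional trailing GUID on clustered indexers; hot buckets are hot_v1_<id>). The directory listing and the time window are constructed for the example. It deliberately never selects hot buckets, since those are still open for writing and must be rolled by the indexer itself, and it flags local bucket ids that already exist in the destination index, because ids must be unique within an index (a freshly created index on the new IDX, as in step 3, avoids this).

```python
"""Pick the warm buckets to move to the new indexer by event time range.

Added example, not code from the post above. Relies only on Splunk's bucket
directory naming: db_<newest>_<oldest>_<localid>[_<guid>] for warm/cold
buckets, hot_v1_<id> for hot buckets. Listing and window are constructed.
"""
import re

BUCKET_RE = re.compile(
    r"^db_(?P<newest>\d+)_(?P<oldest>\d+)_(?P<id>\d+)(?:_(?P<guid>[0-9A-Fa-f-]+))?$"
)

# Constructed listing standing in for $SPLUNK_DB/<index>/db/ on the old instance.
SAMPLE_LISTING = [
    "GlobalMetaData",                # not a bucket
    "hot_v1_7",                      # open hot bucket: never copied by hand
    "db_1704067199_1701388800_3",    # December 2023
    "db_1706745599_1704067200_4",    # January 2024
    "db_1709251199_1706745600_5",    # February 2024
]


def parse_bucket(name):
    """Return the time range and local id encoded in a warm/cold bucket name, else None."""
    m = BUCKET_RE.match(name)
    if m is None:
        return None
    return {
        "name": name,
        "newest": int(m["newest"]),
        "oldest": int(m["oldest"]),
        "id": int(m["id"]),
    }


def select_buckets(listing, start, end):
    """Names of warm/cold buckets whose events overlap [start, end] (epoch seconds).

    Hot buckets are skipped on purpose: they are still being written and
    must be rolled by the indexer itself, not moved with rsync.
    """
    chosen = []
    for name in listing:
        if name.startswith("hot_"):
            continue
        bucket = parse_bucket(name)
        if bucket is None:
            continue
        if bucket["oldest"] <= end and bucket["newest"] >= start:
            chosen.append(bucket)
    chosen.sort(key=lambda b: b["oldest"])
    return [b["name"] for b in chosen]


def conflicting_ids(src_names, dst_listing):
    """Local bucket ids in the selection that already exist in the destination index.

    Ids must be unique within one index, so anything returned here has to be
    resolved before copying; a freshly created index returns an empty list.
    """
    dst_ids = {b["id"] for b in map(parse_bucket, dst_listing) if b}
    return sorted(b["id"] for b in map(parse_bucket, src_names) if b and b["id"] in dst_ids)


def rsync_commands(names, src_db, dst_db):
    """One rsync -a per bucket; no trailing slash on the source so the directory itself is copied."""
    return [f"rsync -a {src_db}/{n} {dst_db}/" for n in names]


if __name__ == "__main__":
    jan_2024 = (1704067200, 1706745599)
    for cmd in rsync_commands(select_buckets(SAMPLE_LISTING, *jan_2024),
                              "/opt/splunk/var/lib/splunk/main/db",
                              "newidx:/opt/splunk/var/lib/splunk/main/db"):
        print(cmd)
```

Run it with both instances stopped, as in steps 4 and 5, so the listing cannot change underneath you between selection and copy.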
Thank you for the hint, sounds interesting, I will try. Redundancy is not desired in this case, so it's no problem.
Hello Zubair, I tested this on the sample data that you put and it seems to work. Give it a shot and tell me if it works for you.
[json_test]
SHOULD_LINEMERGE=false
# break before each "{" that follows a comma or newline
LINE_BREAKER=([,\r\n]+){
CHARSET=AUTO
TIME_PREFIX="event_time"\:\s
MAX_TIMESTAMP_LOOKAHEAD=13
# strip the envelope before the array and after it
SEDCMD-removestart=s/^{[\s\S]*?\s*\[//
SEDCMD-removeend=s/],\r\n"count[\s\S]*\r\n}//
KV_MODE=json
@richgalloway Thanks for your reply, unfortunately I still have no luck. By the looks of it I'm not receiving any sourcetypes in Splunk. I saw my typo later but still wasn't able to receive any kind of data regarding Windows event logging. Any other suggestions as to what could be the issue?
This got me on the right track and led me to the following:
Thanks for your response @isoutamo and @PickleRick, and I totally agree: there is more to Splunk deployment than just initial configuration. This is for a small lab (10-15 UFs) and I can't afford to hire help. For now, I want to compile a list of steps one should do to have an initial configuration ready. BTW, I read somewhere that FIPS for Splunk is only supported on Linux systems and not on Windows; is that correct?
I mean the default value option is literally right at the bottom of the image you posted. So that is how you set the default value of that token before any event can manipulate the expected outcome value. I'm hoping you are actually experiencing something more complicated and that maybe I don't fully understand your use case yet. But really, any other outcome means the value is conditionally set due to some other event occurring, so I don't know how to advise.
It looks like there's a typo in the hostname in the query. Try host=*. You can confirm a sourcetype was received using this search:
index=_internal component=Metrics group=per_sourcetype_thruput series="WinEventLog:Security"
Just change the 'series' value to the sourcetype you're looking for.
Firstly, if this "works", it must be by mistake. LINE_BREAKER must contain a capturing group to find the breaker. Secondly, don't use SHOULD_LINEMERGE=true, unless you know why you shouldn't do it. Thirdly, TIME_PREFIX should match the prefix as closely as possible so Splunk doesn't have to guess. Fourthly, TRANSFORMS defines index-time extractions. You could try to approach it with a line breaker similar to yours and then trim it with SEDCMD, but it is a bad idea as a whole. Don't process structured data this way. Are you absolutely sure that your JSON structures will _always_ be rendered starting with this field? And that they will always end with that other field? If so, then why are you using structured data? Process your data with an external tool before ingesting and split it properly using JSON-based logic, not plain regexes.
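The reply above recommends splitting the JSON before ingestion with JSON-based logic instead of LINE_BREAKER and SEDCMD regexes. The script below is an added example of that approach, not code from the thread. The envelope shape it assumes (a top-level object holding an array of events followed by a "count" field, each event carrying "event_time") is inferred from the SEDCMD patterns in the props.conf posted earlier; the key name "events" and the sample envelope are constructed for the example. Because it parses with json.loads, field order, nested braces, escaped quotes and whitespace are handled by the JSON grammar, and the declared count is checked against what was actually found, none of which a regex line breaker can guarantee.

```python
"""Pre-split a JSON envelope into one event per line before Splunk ingestion.

Added example, not code from the thread. Assumes an envelope of the shape
{"...": ..., "events": [ {...}, {...} ], "count": N} (inferred from the
SEDCMD patterns quoted earlier); "events" and "event_time" are assumed
key names. Output is newline-delimited JSON, one event per line.
"""
import json
import sys

# Constructed sample input, not data from the thread.
SAMPLE_ENVELOPE = """{
  "source": "constructed-sample",
  "events": [
    {"event_time": 1700000000123, "user": "alice", "action": "login"},
    {"event_time": 1700000001456, "user": "bob", "action": "logout",
     "note": "braces { } and \\"quotes\\" inside a value are fine"}
  ],
  "count": 2
}"""


def split_envelope(text, array_key="events", count_key="count"):
    """Return the inner event objects, checking the envelope's own count.

    Raises ValueError rather than silently producing a partial feed when the
    envelope is not what we expect, which is the failure a regex breaker hides.
    """
    envelope = json.loads(text)
    events = envelope.get(array_key)
    if not isinstance(events, list):
        raise ValueError(f"envelope has no list under {array_key!r}")
    declared = envelope.get(count_key)
    if declared is not None and declared != len(events):
        raise ValueError(f"{count_key}={declared} but {len(events)} events present")
    return events


def to_ndjson(events, time_key="event_time"):
    """Serialise events compactly, one per line, so no record contains a raw newline.

    Splunk can then break on every line and parse with KV_MODE=json or
    INDEXED_EXTRACTIONS=json, with no SEDCMD trimming and a TIME_PREFIX that
    matches exactly. Events without a timestamp are rejected up front.
    """
    lines = []
    for ev in events:
        if time_key not in ev:
            raise ValueError(f"event missing {time_key!r}: {ev}")
        lines.append(json.dumps(ev, separators=(",", ":"), sort_keys=True))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # usage: python split_envelope.py [envelope.json]; without a file the sample is used
    data = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_ENVELOPE
    sys.stdout.write(to_ndjson(split_envelope(data)))
```

Point a monitor input (or a scripted input running this script) at the resulting NDJSON file; the props.conf for it then needs nothing beyond line breaking on newline, TIME_PREFIX for event_time and KV_MODE=json.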