All Posts

If this is a report then put both inside the same timechart and trellis the results to get your 2 graphics.  If this is a dashboard then create a base search and then 2 viz that pull from the same base search but augment each with a unique timechart command.
time_before_close = <integer>
* The amount of time, in seconds, that the file monitor must wait for modifications before closing a file after reaching an End-of-File (EOF) marker.
* Tells the input not to close files that have been updated in the past 'time_before_close' seconds.
* Default: 3

Is it possible that the file is not producing an EOF marker? Or that something keeps chatting to the file?
Thank you for your reply and sorry for the confusing description. I have a basic search and want to output two graphics by timechart:
- the first contains the timechart of my search
- the second contains the same timechart of the same search, but with a dedup of one specific field in the search.

Hope it clarifies my request a bit. Thanks
| timechart count(field) as TotalVolume, dc(field) as UniqueFieldValues

Depending on what you need, the above might not be it; it was a little confusing, so the other option, from what I speculate you need, is: do the timechart to 'count by field' and then eventstats to calculate the total.
I hope I can find this trick in the future if I ever need this.
Morning everyone, I want to display two timecharts for my search, one with and one without dedup of a certain field. Thanks!
How long has it been?  Sometimes it takes a day or two.
Can you help with spath 
This looks like JSON - you might be better off using spath to parse the event.
I have a log which contains multiple countries in the same format, so it is grabbing all the other countries from the same individual log. For example:

Student:{"country":"IND","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu}
teacher:{"country":"USA","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu}

So if I use
| rex field=_raw "\"country\":\"(?<country>[^\"]+)\""
it shows me IND and USA, but I only want the country related to Student. Also, as I stated earlier, the position of "country":"*" is not the same for all logs; it can come anywhere between Student:{*}.
Hello to everyone! I planned to ingest *.csv files using Universal Forwarder from Windows Server 2019 in batch mode. It sounds pretty trivial, but I collided with a problem. After the appearance of a new file, I observe new events through a search head and, in the end, expect that the file will be deleted by Splunk UF, but the file still remains. It seemed that the problem was related to file access, but I can't find any related errors in the logs of this UF instance. So, what can be the root of this behavior?

inputs.conf

[batch://C:\ProgramData\ScriptLog\spl_export_vmtools_status\vmtools_stats_*.csv]
disabled = false
index = vsi
crcSalt = <SOURCE>
move_policy = sinkhole
sourcetype = vsi_file_vmtools-stats

props.conf

[vsi_file_vmtools-stats]
ANNOTATE_PUNCT = false
BREAK_ONLY_BEFORE_DATE = true
INDEXED_EXTRACTIONS = CSV
HEADER_FIELD_LINE_NUMBER = 1
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = Time
Hi,

The rex command is used to search for a regular expression (regex) in a specific field. Here, the default field _raw is used, which contains the entire log.

Regex: \"country\":\": This part looks for "country":".
(?<country>[^\"]+): (?<country>...) creates a group named country. [^\"]+ matches any character other than ". This part extracts the country value.

Finally, the country value (for example, IND) is stored in a new field named country. This structure helps extract the word country wherever it appears.

| rex field=_raw "\"country\":\"(?<country>[^\"]+)\""

You can test with this structure in regex101: (country":"([^"]+))
Hi Rick, thanks for the reply. Many customers are using this app as a final product from Splunk. We would like to enable injections as easily as possible and not break connections between Splunk_TA_nix and our custom app. You can see my example in the article. The only thing needed for this to work is a small change in the scripts. Here is a very easy and dirty example of how the script could be improved:

diff cpu_metric.sh cpu_metric_new.sh 4a5,11 > # OPTIONS > if [ "$#" -eq 1 ]; then > OPTIONS="$1" > else > OPTIONS="-P ALL 1 1" > fi > 24c31,32 < CMD='sar -P ALL 1 1' --- > #CMD='sar -P ALL 1 1' > CMD="sar $OPTIONS"

I hope I am not the only one who will appreciate this.
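Review bot: The argument check `if [ "$#" -eq 1 ]` in the first hunk only honours options passed as a single quoted word; if a caller passes `-P ALL 1 1` as four separate arguments, the script silently falls back to the default `OPTIONS="-P ALL 1 1"` with no message, so either accept `"$@"` joined into OPTIONS or print a usage note on the else branch. In the second hunk, `CMD="sar $OPTIONS"` builds the command string directly from caller-supplied input with no validation; since this script runs as a scripted input, consider restricting OPTIONS to the sar flags the TA expects before it reaches the command line, and delete the dead `#CMD='sar -P ALL 1 1'` line rather than leaving it commented out. A short comment documenting the accepted argument format next to `# OPTIONS` would also help whoever maintains the TA.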
Hi all, is it possible to get information on the cluster manager config bundle through the REST API? I am specifically looking for the active bundle hash / Active Bundle ID.
Hi Team, I am a firewall engineer and am working on the creation of some dashboards. I have created one dashboard: whenever our firewall fails over, the dashboard shows the result as "Active", "Standby" or "Down" in gauge format. However, I would like to set up the dashboard in this way:
1) whenever the firewall fails over and it is in "down state", the gauge color should be red
2) whenever the firewall fails over and it is in "Active state", the gauge color should be green
3) whenever the firewall fails over and it is in "Standby state", the gauge color should be amber

Does anyone know about it and can help me with some sample examples to understand?
Hi Team, I need help to create a rex field for country from the sample log format below, but the country name position is not static and changes log by log within {}. Can you help me create a regex field for country only?

sample1: Student":{"country":"IND","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu}
sample2: Student":{"firstName":"XYZ","state":"MH","rollNum":147,"country":"IND","phoneNum":1478,"lastName":"qwe","phoneNu}
sample3: Student":{"firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu,"country":"IND"}

So that means "country":"IND" anywhere in Student":{} should be caught by the regex.
Hi, I have registered for Splunk Cloud and clicked start free trial, but still didn't receive the email with the Splunk Cloud free trial account details, like creds and link.
Hi @Nraj87, in my opinion, you could use the searches that you can find in [Settings > License > License Usage > Last 30 days > Split by sourcetype] rather than MLTK. Eventually you could train a model in MLTK starting from the previous search. But anyway, the most important activity is an analysis, starting from the above search, so you can analyze your data flow and identify the sources responsible for the data growth, so you can decide whether to enlarge the license or filter some events. Ciao. Giuseppe
Hi @M2024X_Ray, good for you, see you next time! Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated
@mpc7zh  OpenSSL 1.0.2zj-fips 30 Jan 2024