This is a better answer than mine.  $results$ will only pick up the first result rather than the row clicked.
Splunk fields are case sensitive but given the opportunity for confusion it's typically not best practice to overlap spellings.  Unless the app specifically overlaps fields with case issues then I would avoid that. However, it appears the SPL is all based from a field specifically referenced as "LastLogon".  I would look to see if that field still exists after the updated application.  It's possible the information still exists but is not being extracted into the previous field name which the SPL is relying on. If so then you have the option to update the field extraction to that field name or update your SPL to reference any new fields that contain the information you require.
https://docs.splunk.com/Documentation/Splunk/9.3.2/RESTREF/RESTintrospect#server.2Fsysinfo

| rest /services/server/sysinfo | table splunk_server transparent_hugepage.effective_state

The above will get you the THP status per server; usually best to run from the DMC in a multi-server environment - most if not all devices should be reported there. Running from a SH or SHC may be limited to SH and IDX.

https://docs.splunk.com/Documentation/Splunk/9.3.2/RESTREF/RESTintrospect#server.2Fstatus.2Fresource-usage.2Fhostwide

| rest /services/server/status/resource-usage/hostwide | table splunk_server *cpu* *mem*
That is a Splunk internal index so any documentation (if it exists) would be internal to Splunk.  You may be able to find some useful information in the Troubleshooting Manual or the REST API Reference Manual.
| ldapsearch domain=mine search="(objectClass=user)"
| where isnull(isCriticalSystemObject)
| eval Enabled=if(match(userAccountControl,".*ACCOUNTDISABLE.*"),"False","True")
| eval expires=if(userAccountControl="DONT_EXPIRE_PASSWD","True","False")
| eval "Last Logon"=strftime(strptime(LastLogon, "%Y-%m-%dT%H:%M:%S.%QZ"),"%Y%m%d %H:%M:%S")
| eval lastLogon=strptime(LastLogon, "%Y-%m-%dT%H:%M:%S.%QZ")
| eval daysSinceLogon=round((now()-lastLogon)/86400, 0)
| table sAMAccountName,Enabled,daysSinceLogon,"Last Logon",expires

When I upgraded to version 9 I had pulled all the latest add-ons from Splunk directly. The new instance was stood up and then add-ons were installed; I pulled over lookups, etc. after the fact. I inherited this system and am very green to Splunk (1 month of experience).
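The stale-account logic the SPL above expresses (enabled flag from userAccountControl, password-never-expires flag, days since last logon) carried out in Python over constructed ldapsearch-style records, as an added example that is not part of the original post. Field names follow the thread's SPL; the sample users, the fixed "as of" time and the 90-day threshold are assumptions, and a missing LastLogon (never logged on) is treated as stale rather than silently dropped as the SPL would.

```python
from datetime import datetime, timezone

# Constructed sample records shaped like the add-on's ldapsearch output used in the thread.
# userAccountControl is assumed to arrive as a list of flag names, as the SPL's match() implies.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": ["NORMAL_ACCOUNT"],
     "LastLogon": "2024-07-10T08:15:30.123Z"},
    {"sAMAccountName": "svc-backup", "userAccountControl": ["NORMAL_ACCOUNT", "DONT_EXPIRE_PASSWD"],
     "LastLogon": "2024-01-02T00:00:00.000Z"},
    {"sAMAccountName": "bob", "userAccountControl": ["NORMAL_ACCOUNT", "ACCOUNTDISABLE"],
     "LastLogon": "2023-11-20T12:00:00.000Z"},
    {"sAMAccountName": "newhire", "userAccountControl": ["NORMAL_ACCOUNT"]},  # no LastLogon at all
]

# Python's %f (fractional seconds) stands in for Splunk's %Q (milliseconds) in the SPL's strptime.
LOGON_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"
# Fixed reference time (assumption) so results are reproducible; the SPL uses now().
AS_OF = datetime(2024, 7, 12, 10, 0, tzinfo=timezone.utc)


def days_since_logon(last_logon, now=AS_OF):
    """Mirror round((now()-lastLogon)/86400, 0); None when the attribute is absent."""
    if not last_logon:
        return None
    ts = datetime.strptime(last_logon, LOGON_FMT).replace(tzinfo=timezone.utc)
    return round((now - ts).total_seconds() / 86400)


def summarize(user, now=AS_OF):
    """One row of the SPL's table; 'expires' in the SPL is True when DONT_EXPIRE_PASSWD is set."""
    flags = set(user.get("userAccountControl", []))
    return {
        "sAMAccountName": user["sAMAccountName"],
        "Enabled": "ACCOUNTDISABLE" not in flags,
        "password_never_expires": "DONT_EXPIRE_PASSWD" in flags,
        "daysSinceLogon": days_since_logon(user.get("LastLogon"), now),
    }


def stale_accounts(users, now=AS_OF, max_days=90):
    """Enabled accounts whose last logon is older than max_days or was never recorded."""
    stale = []
    for user in users:
        row = summarize(user, now)
        days = row["daysSinceLogon"]
        if row["Enabled"] and (days is None or days > max_days):
            stale.append(row["sAMAccountName"])
    return stale


if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(summarize(u))
    print("stale:", stale_accounts(SAMPLE_USERS))
```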
Hi @tdavison76 , please try this regex: | rex field="alert.message" "On-Prem - (?<your_field>[^\"]+)" that you can test at https://regex101.com/r/RWQr9a/1 Ciao. Giuseppe
1) Can you share the exact SPL search 2) Did you upgrade/refresh the Add On when you upgrade from v8 to v9
Hello Giuseppe, Thank you very much for the help, I gave the regex a shot but it still didn't return any results. Here's an event that has the alert.message field of "[ThousandEyes] Alert for priceSingle On-Prem - uepricing.domain.com" included.

Here's the actual Search I am running:

Just let me know if more details are needed, and thanks again. Tom
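The candidate patterns from this thread run against the alert.message value quoted above, as an added example that is not part of any post here. The event is a constructed, trimmed stand-in for the Opsgenie payload, and Python's (?P<Name>...) group syntax corresponds to Splunk rex's (?<Name>...); the point shown is that the capture group goes after the literal prefix (or after a lookbehind), and that "On Prem" without the hyphen never matches this message.

```python
import json
import re

# Constructed event: only the alert.message path the thread's rex targets is kept.
SAMPLE_EVENT = json.dumps({
    "alert": {"message": "[ThousandEyes] Alert for priceSingle On-Prem - uepricing.domain.com",
              "priority": "P3"},
})

# Literal prefix outside the group; [^"]+ stops at a quote, which .* would not.
PREFIX_GROUP = re.compile(r'On-Prem - (?P<Name>[^"]+)')
# Lookbehind form from regex101, with the named group placed after it.
LOOKBEHIND = re.compile(r'(?<=On-Prem - )(?P<Name>.*)')
# The unhyphenated "On Prem" seen in two replies; it cannot match this message.
NO_HYPHEN = re.compile(r'On Prem - (?P<Name>.*)')

CANDIDATES = {"prefix_group": PREFIX_GROUP, "lookbehind": LOOKBEHIND, "no_hyphen": NO_HYPHEN}


def alert_message(raw_event):
    """Return the alert.message field of a JSON event (the same path spath would use)."""
    return json.loads(raw_event)["alert"]["message"]


def extract_name(message, pattern=PREFIX_GROUP):
    """Text after 'On-Prem - ', or None when the pattern does not match."""
    m = pattern.search(message)
    return m.group("Name") if m else None


def pattern_report(message):
    """Which of the thread's candidate patterns extract a value from this message."""
    return {name: extract_name(message, pat) for name, pat in CANDIDATES.items()}


if __name__ == "__main__":
    print(pattern_report(alert_message(SAMPLE_EVENT)))
```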
Awesome information - thank you for demo and tips.
Almost there - try something like this | rex field="alert.message" "On-Prem - (?<Name>.*)"
Hi @tdavison76 , I could be more detailed if you could share some sample of your logs; anyway, if you want to take all the content of the "alert.message" field after "On-Prem - ", you could try: | rex field="alert.message" "(?<=On-Prem - )(?<Name>.*)" Ciao. Giuseppe
We have a lookup in Splunk that we are looking to send a few columns in the lookup to another product via a POST API call. My question is, are there any Splunk add-ons that I can leverage to do this? I see there is an HTTP alert action that can make a POST, however with this being a lookup (csv) I am not sure it will work correctly.
I recently migrated from v8 to v9 for Splunk and I am having issues with ldapsearch not returning data that it had previously returned. I am trying to pull lastLogon for accurate tracking but this attribute will not return anything. lastLogonTimestamp works but is too far out of sync for my requirements on reporting. I have the LDAP configuration in the Active Directory add-on set to 3269 and everything else works fine except this one attribute. I set up delegation to read lastLogonTimestamp and then everything, so it's not a permissions issue from what I can see. Any help would be appreciated.
Hello, I need help on passing a field value from a Dashboard table into a "Link to search" drilldown but can't figure it out. I have a table that contains a "host" field. I need to be able to click on any of the returned hosts and drill into all of the events for that host. I've tried, in hopes that the $host$ would be replaced with the actual host name, this drilldown query: source="udp:514" host="$host$.domain.com" but, of course, it failed; it just gets replaced with "*". I'm sure I'm probably way off on how to do this, but any help would be awesome. Thanks in advance. Tom
How to identify whether the Stream_event function is called at the time interval or during create/edit of a data input.
Hello everyone, I am terrible at regex. I am trying to regex a field called "alert.message" to create another field with only the contents of alert.message after "On-Prem - ". I can achieve this in regex101 with: (?<=On-Prem - ).* But, I know in Splunk we have to give it a field name. I can't figure out the correct syntax to add the field name so it would work. An example of one I've tried without success: rex field="alert.message" "\?(?<Name><=On Prem - ).*" If possible, could someone help me out with this one? Thanks for any help, Tom
So I want to build a dashboard with the _introspection index; some of the metrics I am looking for are THP (enabled/disabled), ulimits, CPU, Mem, disk usage, swap usage, clock sync (realtime & hardware) etc. I couldn't find any solid documentation for the _introspection index as to under which source/component these variables will be stored, and also what data is available in the index. Can someone please point me to a documented list of all the data points in the index, if any docs exist? Also any specific component/source where I can find the KPIs I mentioned above.
Hi @Sailesh6891 , it's a best practice to create a custom add-on containing all the parsing rules for your data, also because I suppose that there are other parsing rules that you need to add. But anyway, you can also put these two lines in another props.conf. Ciao. Giuseppe