All Posts

Not sure why your example is not working with the reduced list you expect; I get similar results from what you try. Plus, here is an alternate for you to try:

    | rest splunk_server=local /servicesNS/-/search/saved/searches

    | rest splunk_server=local /servicesNS/-/-/configs/conf-savedsearches search="eai:acl.app=search"
Hi, yes, I've tested this use case in the env and things are working as expected. I was more concerned about hidden charges when we start blowing things. Thanks for making this straight for me. It's helpful.
Your URL is short.

    https://http-inputs-<customer>.splunkcloud.com/services/collector/raw

or

    https://mysplunkserver.example.com:8088/services/collector/event
Hi Splunkers, as per the thread title, I need to build one or more searches that show me, for a specific app, all alerts, reports and dashboards owned by that app. Now, I know very well that the community is full of topics on this problem and related answers. The issue is the following: none of them works properly in my case. This is because, when I run the search, if I specify the app, I get "mixed" results: I mean, I get an output composed of alerts owned by the app I'm searching for, but also others. Let me be more specific. I know that, for this kind of search, the base string is:

    | rest splunk_server=local /servicesNS/-/-/saved/searches | table title

Which means: hey, return me all saved searches for all apps on the local Splunk server (a SH, in my case). So, if I execute the above search, I get more or less 450 results. So, what if I need to filter? Very simple:

    | rest splunk_server=local /servicesNS/-/<app name here>/saved/searches | table title

That should return all and only the saved searches for the requested app (a custom one in my case). Problem: the app I need info on has 119 saved searches (checked in the GUI on the related page). The above query returns me a total of 256; analyzing the output, it returns searches owned by other apps. Of course, I have already performed the obvious check, which is: am I sure that the searches in the output belong to different apps and are not all for the one I'm searching for? Yes, I checked, and in the output there are also Enterprise Security searches, so for sure the search is returning more data than the one I need. So, my question is: what can be the root cause of this behavior, if search ownership is correct?
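The inflated count in this thread comes from how the /servicesNS/{owner}/{app}/ namespace works: it returns every object visible from that app's context, which includes objects shared globally by other apps (the Enterprise Security searches seen in the output), not only objects whose ACL says they belong to the app. The reliable filter is the object's ACL app, which the SPL rest command exposes as eai:acl.app (and which the reply in this thread filters on). The following Python script is an added example, not code from any poster: it builds the REST URL for a namespace, fetches the JSON entry list (the fetch assumes a token with REST access on an assumed search head URL), and filters on acl.app using a constructed sample of entries with made-up names, where my_custom_app stands in for the asker's app.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample of the "entry" list returned by
# GET /servicesNS/-/<app>/saved/searches?output_mode=json, trimmed to the fields
# that matter here. Names and apps are made up for this example.
SAMPLE_ENTRIES = [
    {"name": "Daily failed logins",
     "acl": {"app": "my_custom_app", "owner": "admin", "sharing": "app"}},
    {"name": "Weekly report",
     "acl": {"app": "my_custom_app", "owner": "nobody", "sharing": "app"}},
    # Globally shared objects from other apps are visible in every app namespace,
    # so they show up in the listing even though my_custom_app does not own them.
    {"name": "Threat - Some ES correlation",
     "acl": {"app": "SplunkEnterpriseSecuritySuite", "owner": "nobody", "sharing": "global"}},
    {"name": "Errors in the last 24 hours",
     "acl": {"app": "search", "owner": "nobody", "sharing": "global"}},
]


def saved_searches_url(base_url, app, owner="-"):
    """Build the saved/searches URL for one owner/app namespace (JSON output, all results)."""
    path = "/servicesNS/{}/{}/saved/searches".format(
        urllib.parse.quote(owner, safe=""), urllib.parse.quote(app, safe="")
    )
    query = urllib.parse.urlencode({"output_mode": "json", "count": 0})
    return base_url.rstrip("/") + path + "?" + query


def fetch_entries(url, token):
    """Fetch the 'entry' list from a Splunk REST endpoint.

    Assumes a Splunk authentication token sent as a Bearer header; swap in the
    session-key scheme if that is what your deployment uses.
    """
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["entry"]


def owned_by_app(entries, app):
    """Keep only entries whose ACL app is `app`; this is the eai:acl.app filter in SPL."""
    return [e for e in entries if e.get("acl", {}).get("app") == app]


def count_by_app(entries):
    """Summarise which app each returned object really belongs to (explains inflated totals)."""
    counts = {}
    for e in entries:
        app = e.get("acl", {}).get("app", "<unknown>")
        counts[app] = counts.get(app, 0) + 1
    return counts


if __name__ == "__main__":
    # Assumed search head URL; nothing is fetched here, the sample entries are used instead.
    print(saved_searches_url("https://sh.example.com:8089", "my_custom_app"))
    print(count_by_app(SAMPLE_ENTRIES))
    print([e["name"] for e in owned_by_app(SAMPLE_ENTRIES, "my_custom_app")])
```

In SPL the same narrowing is `| rest splunk_server=local /servicesNS/-/<app>/saved/searches | search eai:acl.app=<app> | table title`; the count_by_app breakdown is the quickest way to see which globally shared apps are padding the result.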
Finding something that is not there is not Splunk's strong suit.  See this blog entry for a good write-up on it. https://www.duanewaddle.com/proving-a-negative/
I'm assuming DATATYPE_CONFIG=CURRENT is a typo and the real setting is DATETIME_CONFIG=CURRENT. Try changing the props stanza name to [csv] (the sourcetype). FWIW, Splunk recommends not changing the source value in inputs.conf.
Hi @hahhhaxin, for csv files, put the props.conf and transforms.conf also on the UF. Ciao. Giuseppe
Hi @msalghamdi, if you have the list of names to check, you can put them in a lookup (called e.g. names.csv and with one field "name") and run a search like the following:

    index=brandprotection name IN (ali, ahmad, elias,moayad)
    | stats count BY name
    | append [ | inputlookup names.csv | eval count=0 | fields name count ]
    | stats sum(count) AS count BY name

Ciao. Giuseppe
Hello Splunkers, I have a requirement where I need to show values in statistics even if they don't exist. For example, here's my search:

    index=brandprotection name IN (ali, ahmad, elias,moayad) | stats count by brand

However, sometimes in the logs the names Elias and Moayad aren't there, but I need to have them in the table, so I need the output to be like this:

    user    count
    ahmad   7
    ali     4
    elias   0
    moayad  0

I need a search that would show the results like the table above. Thanks
You can add the dependency in your app's lib folder and import it from there, or you can create a requirements.txt file, declare it there, and ensure it's installed before installing the app.
In the Salesforce app for Splunk, there's a lookup you can use to get the mapping of user ids and user names. Use the following apps for ingestion of Salesforce events & objects. For stream events, use the streaming app.

    Splunk Add-on for Salesforce -> https://splunkbase.splunk.com/app/3549
    Splunk Add-on for Salesforce Streaming API -> https://splunkbase.splunk.com/app/5689
    Splunk App for Salesforce -> https://splunkbase.splunk.com/app/1931
@ITWhisperer I tried MAX_TIMESTAMP_LOOKAHEAD values of 0 and -1 to disable the timestamp processor, as per the Splunk docs on props.conf, and also tried increasing the lookahead value to 350. But nothing seems to be working.
Yes the search covers all 4 sources, when I run the search manually and check the events I see all the 4 sources present.
Exactly what I was saying: you have missed a space between the "-" and the number. Try this:

    index="abc" sourcetype=600000304_gg_abs_ipc2 source!="/var/log/messages" "ArchivalProcessor - Total records processed"
    | rex "Total records processed - (?<processed>\d+)"
    | timechart span=1d values(processed) AS ProcessedCount
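The whole exchange above comes down to one missing space in a rex pattern, and the fastest way to settle that kind of question is to run the candidate patterns against the raw event offline before editing the saved search. The script below is an added example, not code from any poster in this thread: it takes the original and corrected rex patterns exactly as written in SPL, translates the PCRE-style named group to Python's syntax, and applies each to a constructed event modelled on the raw log line quoted in the thread plus a second constructed variant with no space after the hyphen. The whitespace-tolerant third pattern is added here and is not from the thread.

```python
import re

# Constructed sample events for offline testing. The first is modelled on the raw
# log line quoted in this thread; the second is a constructed variant with no
# space after the hyphen, to show which pattern tolerates which layout.
SAMPLE_EVENTS = [
    "2024-10-29 20:39:55.900 [INFO ] [pool-2-thread-1] "
    "ArchivalProcessor - Total records processed - 27846",
    "2024-10-29 21:39:55.900 [INFO ] [pool-2-thread-1] "
    "ArchivalProcessor - Total records processed -5",
]

# Patterns written exactly as they appear in the SPL rex command.
ORIGINAL_REX = r"Total records processed -(?<processed>\d+)"        # question: no space
CORRECTED_REX = r"Total records processed - (?<processed>\d+)"      # answer: space added
TOLERANT_REX = r"Total records processed\s*-\s*(?<processed>\d+)"   # added here: any whitespace


def spl_to_python(pattern: str) -> str:
    """Translate Splunk/PCRE named groups (?<name>...) to Python's (?P<name>...).

    Lookbehind assertions (?<= and (?<! are left untouched.
    """
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def extract_processed(spl_pattern: str, event: str):
    """Run one rex-style pattern against one event.

    Returns the captured 'processed' value as an int, or None when the pattern
    does not match (in Splunk that is an empty field and an empty timechart column).
    """
    m = re.search(spl_to_python(spl_pattern), event)
    return int(m.group("processed")) if m else None


def match_report(spl_pattern: str, events=SAMPLE_EVENTS):
    """Return the extracted value per event (None where the pattern did not match)."""
    return [extract_processed(spl_pattern, e) for e in events]


if __name__ == "__main__":
    for name, pat in [("original", ORIGINAL_REX),
                      ("corrected", CORRECTED_REX),
                      ("tolerant", TOLERANT_REX)]:
        print(f"{name:9s} {match_report(pat)}")
```

Running it shows the original pattern extracting nothing from the real event layout while the corrected one does; the tolerant variant is the one to prefer when you do not control the logger's spacing, since it matches both layouts.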
Is your search wide enough to cover events from all four sources? Does the alert trigger if you reduce it to 3?
Hi @ITWhisperer. PFB search string in code block:

    index="abc" sourcetype=600000304_gg_abs_ipc2 source!="/var/log/messages" "ArchivalProcessor - Total records processed"| rex "Total records processed -(?<processed>\d+)" | timechart span=1d values(processed) AS ProcessedCount
As I said before, there appears to be a space between "Total records processed -" and 27846 which doesn't appear to have been catered for in your regex:

    Total records processed - 27846

Please share the search also in a code block (as above) so we can check.
I have an index with 7 sources, of which I utilize 4. The alert outputs data to a lookup file as its alert function and is written something like this:

    index=my_index source=source1 OR source=source2 OR source=source3 OR source=source4
    stats commands
    eval commands
    table commands etc.

I want to configure the alert to run only when all four sources are present. I tried doing this, but the alert isn't running even when all 4 sources are present. Please help me on how to configure this.
@ITWhisperer I tried the below query but am still not able to fetch the record:

    index="abc" sourcetype=600000304_gg_abs_ipc2 source!="/var/log/messages" "ArchivalProcessor - Total records processed"| rex "Total records processed -(?<processed>\d+)" | timechart span=1d values(processed) AS ProcessedCount

Please find below the raw logs:

    2024-10-29 20:39:55.900 [INFO ] [pool-2-thread-1] ArchivalProcessor - Total records processed - 27846
    host = lgposput50341.gso.aexp.com
    source = /amex/app/abs-upstreamer/logs/abs-upstreamer.log
    sourcetype = 600000304_gg_abs_ipc2
No, it is on the HF and indexer; the UF here is only targeted at getting data in. The configuration on the HF & indexer is:

    [source::asr:report]
    DATATIME_CONFIG = CURRENT