Ok, I understand more where you were coming from now. Unfortunately this method won't work for my situation. I am using a dropdown that displays the actual name of the customer site we want to run this report for, and that list is 100+ names. I also need this list to be dynamic so that when new customers are onboarded, they automatically appear in the list. Now, the names correspond to a "propertyId", which is what I have to send to the query to use on the data itself. (Pairing of the names and propertyIds is brought in from an external source and not Splunk event data.) The people I am designing this dashboard for will not have knowledge of what version that site has, so they won't know whether to choose a > or < option. That's why I want to set up in the background for the dashboard to choose which query to run based on the name chosen from the dropdown box. I've started looking at some examples of using "choice value=" and pairing that with <change> and <condition label=..>, but that appears to either force me to create a value= for every single customer name or only have the choice of < versions and > versions. I'm beginning to think that what I am trying to accomplish cannot be done, or at least not done in a dynamic way so that new customers are automatically added. But I will continue my online research and hopefully there will be an example out there that will spark an idea of another way to accomplish this. Even though I am not yet successful, I do appreciate your response and attempt to help me out!
Recall that subsearches run first and replace themselves with their results. That means the search is looking only for Msg field (which may not exist in the index) values of 30 characters or fewer (longer values are missed without a wildcard). Perhaps you only need to truncate the Message for display purposes. If so, drop the subsearch and run the eval as a separate command.
I agree. The combination of stats max(uptime) and where Uptime=0 should show only hosts with zero uptime. Is there something pertinent that is not being shared?
index=replicate category=* action=* Message=* [search index=replicate | eval Msg=substr(Message,1,30)] | stats count by action category Msg | dedup action

This is what I'm trying to do. The Message field is very large and I only need the first sentence of the Message. How can I do this? We want it in a sub-search to show the sub-search function for our users. This is a Splunk Cloud implementation.
I did an inputlookup to get my field (uploads) and used this piece of search I found on another post: | fields uploads | rex field=uploads mode=sed "s/(\d+)/%\1/g" | eval decode=urldecode(uploads)

I think I'm very close, but my decoded string has a space between every character, looking something like this: \ \ \ \ * \ \ b r a n c h \ \ s y s t e m \ \ t y p e 1 \ \ *
There doesn't appear (from what you have shared) to be anything that you are doing wrong.
| bin span=3h _time | stats max(uptime) AS Uptime BY _time, component_hostname | where Uptime=0
Please share your full search which is not working for you.
Thank you for the feedback, but yet again this will return uptimes regardless of length (0, 1 or more). If I use where Uptime=0 it shows me uptime lengths taking 0, but it does not necessarily mean there are no 1, 2 or any different lengths within the span. I need my result to return those component_hostnames which had no different length except 0, nothing else (no 1 or 2 or any other). This is how I would know whether a component is UP or DOWN during my span.
Thanks for the reply. I'll check this out and report back!
Does it have to be via the REST API? If not, you can use the ACS API to install and manage apps. See https://docs.splunk.com/Documentation/SplunkCloud/9.2.2406/Config/ACSreqs
Hi, thank you for your reply. I ran the following query: index=_internal source="*.log" "jsm-splunk-plugin", and here is the result. Correct me if I ran the wrong query. Thanks
Yes, you said that in the OP, but what is the logic behind that matching? The query needs an algorithm it can use to pair servers with teams. Otherwise, you're looking at creating a lookup table that does the matching.
It might be helpful if you shared some sample (anonymised) events from your searches, preferably in raw format in code blocks (using the </> button above).
What is it that you are trying to chart? The values() aggregate function will give you a multivalue field of strings with unique values from your events for each time bucket. You cannot chart strings on the y-axis; they need to be numbers.
Hello, thanks for your help. I am hoping for a way in the search to say something like: if name from first query = servername1 then name from second query = teamname1. But I have no idea how to achieve that. Thanks, Tom
The API reference mentions how to install an app that is already local to the Splunk instance with apps/local. We can already upload an app manually in the Web console by going to Apps->Manage Apps->Install App from File. However, for detection-as-code purposes, I need to be able to do that in a programmatic way, using an API, for CI/CD purposes. I have seen no documented way to do that, which can't be true. Surely if we can do that from the web console, there is a way to do that programmatically using an API. How do I install an app from outside the Splunk instance via the REST API? Thanks
Did you, or anyone, figure this one out?
The two searches have no obvious relationship to each other. How is Splunk to know how to match a server name to a team name?
Unless you're doing something different, sparklines show numeric values over time so there are no error messages to display.