All Posts
I am trying to simply break down a URL to extract the region and chart the use of specific URLs over time, but I just get a NULL count of everything. How do I display the counts as separate values?

[query]
| eval region=case(url like "%region1%","Region 1",url like "%region2%","Region 2")
| timechart span=1h count by region
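An added example (not part of the post above) that shows the check I would run first: `case()` returns NULL when none of its conditions match, and `timechart ... by region` then puts every such event under a NULL series. Giving `case()` a final `true()` clause makes the unmatched events visible as their own bucket, so if everything lands in "Other" you know the `url` field is not being extracted rather than the patterns being wrong. The field name `url` and the region patterns come from the post; the base search `index=web`, the function form `like()`, and the "Other" bucket are my assumptions.

```spl
index=web
| eval region=case(
      like(url, "%region1%"), "Region 1",
      like(url, "%region2%"), "Region 2",
      true(),                 "Other")
| timechart span=1h count by region
```

If you would rather drop unmatched events from the chart instead of bucketing them, leave out the `true()` clause and add `usenull=f` to the `timechart` command. Each region then shows up as its own column in the timechart output, which is what "separate values" needs.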
Hi Rick, when you say to search for the field::value, do you mean in the rex part or during search? Apologies if my wording was confusing, but the rex part managed to work, and we did see the fields when we just searched the index (index=index_name) using verbose mode. However, we did not manage to see those fields when just using props.conf and transforms.conf.
Can you put a number on "taking a longer time"? How much longer than 15-20 seconds? Again I ask, how many events are being processed? Millions of events will take a long time to process no matter how efficient the search is. How many indexers are searching this data? The more indexers that participate in the search (assuming the events are evenly distributed among them), the faster the search will be.

Adding a sourcetype to the base search may help. It may also help to add a fields command immediately after the base search; that may reduce the number of fields being transported, resulting in a faster search. Place the search after the first spath to help reduce the number of events the second spath needs to process.

index=asvservices sourcetype=foo "authenticateByRedirectFinish"
| fields metadata_endpoint_service_name protocol_response_detail
| spath "metadata_endpoint_service_name"
| search "metadata_endpoint_service_name"=authenticateByRedirectFinish
| spath "protocol_response_detail"
| rename "protocol_response_detail" as response
See https://community.splunk.com/t5/Knowledge-Management/Persistent-queue-problems/td-p/703859
See SPL-248479 in the release notes. If you are using a persistent queue and see the following errors in splunkd.log:

ERROR TcpInputProc - Encountered Streaming S2S error
1. "Cannot register new_channel"
2. "Invalid payload_size"
3. "Too many bytes_used"
4. "Message rejected. Received unexpected message of size"
5. "not a valid combined field name/value type for data received"

Other S2S streaming errors as well.

You should upgrade your HF/IHF/IUF/IDX instance (if using a persistent queue) to the following releases or later: 9.4.0 / 9.3.2 / 9.2.4 / 9.1.7. This patch also fixes all the known PQ-related crashes and other PQ issues.
If you are asking about Splunk Cloud, you can download the private connectivity universal forwarder app. https://docs.splunk.com/Documentation/SplunkCloud/9.2.2403/Security/Privateconnectivityenable https://docs.splunk.com/File:PC4.png If this helps, please upvote.
To troubleshoot your sources failing to lastchanceindex, I recommend checking whether your REGEX pattern is too strict. If this helps, please upvote.
@PickleRick @yuanliu So, I did the following tests:

1) User A logged in to Splunk with his user ID using Google Chrome on User A's PC. The result was that Splunk displayed extra spaces correctly using Google Chrome on User A's PC.
2) I logged in to Splunk with my user ID using Google Chrome on my PC. The result was that Splunk did not display extra spaces correctly using Google Chrome on my PC.
3) User A logged in to Splunk with his user ID using Google Chrome on my PC. The result was that Splunk displayed extra spaces correctly using Google Chrome on my PC. So, it is not an issue with Google Chrome on my PC.
4) I logged in to Splunk with my user ID using Google Chrome on User A's PC. The result was that Splunk did not display extra spaces correctly using Google Chrome on User A's PC. So, the issue follows my user ID.

The conclusion is: the problem follows my user ID, and it is not an issue with my Google Chrome or my PC. I am following up with Splunk. Assuming I am User B, the issue follows User B:

User     Splunk login   Browser   PC       Result
User A   User A         User A    User A   No space issue
User B   User B         User B    User B   Space issue
User A   User B         User B    User B   No space issue
User B   User A         User A    User A   Space issue

Thanks
This is similar to a question I asked earlier today that was quickly answered, however I'm not sure if I can apply that solution to this due to the transpose. Not sure how to reference the data correctly for that. We have data with 10-15 fields in it and we are doing a transpose like the below. What we are looking to accomplish is to display only the rows where the values are the same, or alternatively where they are different.

index=idx1 source="src1"
| table field1 field2 field3 field4 field5 field6 field7 field8 field9 field10
| transpose header_field=field1

column    sys1   sys2
field2    a      b
field3    10     10
field4    a      a
field5    10     20
field6    c      c
field7    20     20
field8    a      d
field9    10     10
field10   20     10
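An added example, not from the post above: after `transpose header_field=field1`, the new columns are named after the values of field1 (`sys1`, `sys2`), and the original field names sit in a column called `column`, so the comparison is an ordinary `eval` over two fields. The base search, field list and system names are the post's; `transpose 0` (no column limit), the `status` field and the final `where` are my additions.

```spl
index=idx1 source="src1"
| table field1 field2 field3 field4 field5 field6 field7 field8 field9 field10
| transpose 0 header_field=field1
| eval status=if(sys1==sys2, "same", "different")
| where status="same"
```

Change the last line to `| where status="different"` to get the other half of the table, or drop it to keep both with the `status` column. Note that `sys1==sys2` evaluates to NULL when either side is missing, and `where` then drops that row; if a system can be absent for some fields, wrap both sides in `coalesce(sys1, "")` and `coalesce(sys2, "")` so the row is kept and reported as "different".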
We just upgraded from 9.2.2 to 9.2.3 and started getting the Python integrity warnings.

File path                    Check result
/opt/splunk/bin/jp.py        present_but_shouldnt_be
/opt/splunk/bin/python2.7    present_but_shouldnt_be
Just wanted to add that we experienced this issue as well with Splunk 9.1.4 and 9.1.5. Thanks for this info; this was down for over a month for us!
This helped us find a hint of the problem in another environment - thank you for the post!
Hello,

We have two clustered Splunk platforms. Several sources are sent to both platforms (directly to the clustered indexers) as index app-idx1; on the 2nd platform we use a different target index name, application_idx2, set via props.conf/transforms.conf. For an unknown reason a few sources are failing to lastchanceindex.

props.conf
[source::/path/to/app_json.log]
TRANSFORMS-app-idx1 = set_idx1_index

transforms.conf
[set_idx1_index]
SOURCE_KEY = _MetaData:Index
REGEX = app-idx1
DEST_KEY = _MetaData:Index
FORMAT = application_idx2

Thanks for your help.
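Two checks I would run here, as added examples that are not part of the post above. An index-time transform only rewrites the events its REGEX matches; everything else keeps the index it arrived with, and an event addressed to an index that is not defined on the receiving indexer is what lastChanceIndex catches. So the first search lists exactly what is landing there and from which sources, and the second confirms which indexers actually define app-idx1 and application_idx2. The index names are the post's; `lastchanceindex` is assumed to be the name of the configured lastChanceIndex, and the rest endpoint is queried across all peers with `splunk_server=*`.

```spl
index=lastchanceindex
| stats count min(_time) as first_seen max(_time) as last_seen by host source sourcetype
| eval first_seen=strftime(first_seen, "%F %T"), last_seen=strftime(last_seen, "%F %T")
| sort - count

| rest /services/data/indexes splunk_server=*
| search title="app-idx1" OR title="application_idx2"
| table splunk_server title disabled
```

If a source shows up in the first search but its path differs from the exact `[source::/path/to/app_json.log]` stanza, the transform never ran for it; props.conf source stanzas match literally unless you use the `*` or `...` wildcards. If a peer is missing from the second search for application_idx2, events rewritten on that peer have nowhere to go.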
Ok I had fun with this one. I've never embedded JavaScript before, so this was brand new for me. I will tell you that if you change the JS code you likely need to restart Splunk, and I had to add a reset-all button because I did find some odd token behavior if you edit the XML on the fly.

JavaScript

require([
    "jquery",
    "splunkjs/mvc",
    "splunkjs/mvc/simplexml/ready!"
], function($, mvc) {
    // Button handles; the ids match the <button> elements in the XML below
    var var_proxysearch = $("#btn_proxysearch");
    var var_wafsearch = $("#btn_wafsearch");
    var var_dnssearch = $("#btn_dnssearch");
    var var_emailsearch = $("#btn_emailsearch");
    var var_resetall = $("#btn_resetall");

    // Let's play hide and seek: each button sets its own token in the
    // "submitted" token model and unsets the others, so only the matching
    // input and row (which "depends" on that token) are shown
    var_proxysearch.on("click", function(f_proxysearch) {
        var tokens = mvc.Components.get("submitted");
        tokens.set("tok_proxysearch", "TRUE");
        tokens.unset("tok_wafsearch");
        tokens.unset("tok_dnssearch");
        tokens.unset("tok_emailsearch");
    });

    var_wafsearch.on("click", function(f_wafsearch) {
        var tokens = mvc.Components.get("submitted");
        tokens.unset("tok_proxysearch");
        tokens.set("tok_wafsearch", "TRUE");
        tokens.unset("tok_dnssearch");
        tokens.unset("tok_emailsearch");
    });

    var_dnssearch.on("click", function(f_dnssearch) {
        var tokens = mvc.Components.get("submitted");
        tokens.unset("tok_proxysearch");
        tokens.unset("tok_wafsearch");
        tokens.set("tok_dnssearch", "TRUE");
        tokens.unset("tok_emailsearch");
    });

    var_emailsearch.on("click", function(f_emailsearch) {
        var tokens = mvc.Components.get("submitted");
        tokens.unset("tok_proxysearch");
        tokens.unset("tok_wafsearch");
        tokens.unset("tok_dnssearch");
        tokens.set("tok_emailsearch", "TRUE");
    });

    // Reset: clear every token so all inputs and rows are hidden again
    var_resetall.on("click", function(f_resetall) {
        var tokens = mvc.Components.get("submitted");
        tokens.unset("tok_proxysearch");
        tokens.unset("tok_wafsearch");
        tokens.unset("tok_dnssearch");
        tokens.unset("tok_emailsearch");
    });
});

Here is the XML

<form script="btn_hide_n_seek.js" version="1.1" theme="dark">
  <label>Answers - Classic - Hide and Seek</label>
  <fieldset submitButton="false">
    <input type="text" token="tok_field1" depends="$tok_proxysearch$">
      <label>Proxy</label>
    </input>
    <input type="text" token="tok_field2" depends="$tok_wafsearch$">
      <label>WAF</label>
    </input>
    <input type="text" token="tok_field3" depends="$tok_dnssearch$">
      <label>DNS</label>
    </input>
    <input type="text" token="tok_field4" depends="$tok_emailsearch$">
      <label>Email</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <h1 style="text-align: center;">Choose from the below options to get started :)</h1>
        <!-- Centered button container -->
        <div style="display: flex; justify-content: center; align-items: center; gap: 10px; margin-top: 20px;">
          <button class="btn btn-primary" style="background-color: #007bff; color: white; width: 150px; height: 50px; font-size: 18px; border: none; border-radius: 5px;" id="btn_proxysearch">Proxy Search</button>
          <button class="btn btn-primary" style="background-color: #007bff; color: white; width: 150px; height: 50px; font-size: 18px; border: none; border-radius: 5px;" id="btn_wafsearch">WAF Search</button>
          <button class="btn btn-primary" style="background-color: #007bff; color: white; width: 150px; height: 50px; font-size: 18px; border: none; border-radius: 5px;" id="btn_dnssearch">DNS Search</button>
          <button class="btn btn-primary" style="background-color: #007bff; color: white; width: 150px; height: 50px; font-size: 18px; border: none; border-radius: 5px;" id="btn_emailsearch">Email Search</button>
          <button class="btn btn-primary" style="background-color: #007bff; color: white; width: 150px; height: 50px; font-size: 18px; border: none; border-radius: 5px;" id="btn_resetall">Reset All</button>
        </div>
      </html>
    </panel>
  </row>
  <row id="rows_proxy" depends="$tok_proxysearch$">
    <panel>
      <html>
        <h1 style="text-align: center;">Proxy Row(s)</h1>
      </html>
    </panel>
  </row>
  <row id="rows_waf" depends="$tok_wafsearch$">
    <panel>
      <html>
        <h1 style="text-align: center;">WAF Row(s)</h1>
      </html>
    </panel>
  </row>
  <row id="rows_dns" depends="$tok_dnssearch$">
    <panel>
      <html>
        <h1 style="text-align: center;">DNS Row(s)</h1>
      </html>
    </panel>
  </row>
  <row id="rows_email" depends="$tok_emailsearch$">
    <panel>
      <html>
        <h1 style="text-align: center;">Email Search</h1>
      </html>
    </panel>
  </row>
</form>
Yes, I attempted to use this:

index="stuff" (msgTxt="Request recd." OR StatusCd="400" OR msgDtlTxt="Validation err*")
| eval msgTxt=substr(msgTxt, 1, 100)
| stats values(_time) as DateTime values(msgTxt) as Message values(StatusCd) as code BY userSesnId
| eval DateTime=strftime(DateTime, "%m-%d-%Y %I:%M:%S %p")

but it's returning additional logs that I do not need, or it's only returning one specific log such as "Request recd." I need it to gather all the logs within a single userSesnId and return only if it contains these logs (see below), and count as 1:

msgTxt="Request recd." OR StatusCd="400" OR msgDtlTxt="Validation err*"
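An added example, not from the post above, of the "all three conditions present in one session" pattern: the OR in the base search keeps any event that matches one condition, so sessions with only a "Request recd." event still come through. Flagging each condition per event, taking `max()` of each flag per `userSesnId`, and filtering on all three flags keeps only sessions where every condition occurred, and each session is then one row. The index, field names and conditions are the post's; the flag names `has_req`, `has_400`, `has_val` and the use of `min(_time)` for the session time are my choices.

```spl
index="stuff" (msgTxt="Request recd." OR StatusCd="400" OR msgDtlTxt="Validation err*")
| eval msgTxt=substr(msgTxt, 1, 100),
       hit_req=if(msgTxt=="Request recd.", 1, 0),
       hit_400=if(StatusCd=="400", 1, 0),
       hit_val=if(like(msgDtlTxt, "Validation err%"), 1, 0)
| stats min(_time) as DateTime
        max(hit_req) as has_req
        max(hit_400) as has_400
        max(hit_val) as has_val
        values(msgTxt) as Message
        values(StatusCd) as code
        BY userSesnId
| where has_req=1 AND has_400=1 AND has_val=1
| eval DateTime=strftime(DateTime, "%m-%d-%Y %I:%M:%S %p")
| fields userSesnId DateTime Message code
```

Append `| stats count as sessions` if you only want the number of matching sessions rather than the list. Using `min(_time)` instead of `values(_time)` gives one timestamp per session, which is what `strftime` expects; `values(_time)` produces a multivalue field, one entry per matching event.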
In case anyone is still looking here for the answer, this page is publicly accessible, outside of the splunk.com login: https://www.splunk.com/en_us/products/system-status.html
If I run the query for a 20-hour time frame it takes a long time, and the calling events are 272,000. I need the search results in less time, like 20 seconds. How do I simplify the query to get the result in 15 to 20 seconds?
What have you tried so far and how have those efforts not met expectations?
I asked five questions to get more information to better help, and you chose to answer none. We're not off to a good start. The join command appears to do nothing. The alternative to such a command is to remove it.