All Posts

Hi @jaibalaraman , you have to use the table command and the field containing the date to display:
<your_search> | table timestamp
There's only one problem I can see: having a long string like the one you shared, chars in the Single Value will be very small. Maybe you could use more than one Single Value displaying parts of the timestamp. Ciao. Giuseppe
Wineventlog inputs have been known for having performance problems above a certain EPS threshold. It usually doesn't manifest itself in local events ingestion but shows when pulling WEF-ed logs. Adding additional pipelines doesn't help. The way around it (other than setting up more WEC hosts and splitting WEF subscriptions among them) is to create more eventlog channels and split your subscription into several channels. The performance problems for eventlog inputs seem to be at single input level, so if you're getting stuck around 10k EPS with a single input you should be able to get up to 40k EPS if you split your ForwardedLogs into 4 channels. Unfortunately, it's a bit of work to set it up and you need to create a custom dll for that.
https://learn.microsoft.com/en-gb/archive/blogs/russellt/creating-custom-windows-event-forwarding-logs
https://github.com/palantir/windows-event-forwarding/blob/master/windows-event-channels/README.md
I have set up a Cluster master, indexer cluster & Search head cluster. I have a new environment for the monitoring console. When I go to Settings > Monitoring Console > Settings > General Setup & switch to Distributed mode, servers are not showing up under remote instances. Can someone help me with it?
This explanation is the simplest of all. Thank you.  
Hello @zksvc , Thanks again! I'm facing an error in this line, "unbalanced quotes":
| eval lengths = mvmap(code_list, len(trim('code_list', '"')))
So I have modified this as
| eval lengths = mvmap(code_list, len(trim('code_list', "\"")))
though eval is not accepting "*" as a token value in code. Thanks!
Hi, It was added in the following way and it did not work, it does not show results.
index="cdr_cfs_index" | search Call.OrigParty.TrunkGroup.TrunkGroupId=2601 | lookup ClientesSymSipdfntion1 Call.OrigParty.CallingPartyAddr OUTPUT cliente | lookup ClientesSymSipdfntion2 Call.OrigParty.CallingPartyAddr OUTPUT cliente1 | fillnull value=null Call.CallForwardInfo.OriginalCalledAddr | where isnull(cliente) AND isnull(cliente1) AND Call.CallForwardInfo.OriginalCalledAddr="null" | stats count by Call.OrigParty.CallingPartyAddr Call.CallForwardInfo.OriginalCalledAddr | sort - Call.CallForwardInfo.OriginalCalledAddr
Hi @smanojkumar According to your information, what if we create a new field, let's say max_length, put that field in the condition, then run the query like this:
index=03_f123456 sourcetype=logs* (CODE IN ($code$)) | eval code_list = split(trim("($code$)", "()"), ",") | eval lengths = mvmap(code_list, len(trim('code_list', '"'))) | eval max_length = if(mvfind(lengths, 1) >= 0, "value_1", "value_2") | table code_list max_length
Let me know if it works. Thanks!
Hi, how do I display the day / month / time / year like the below format using simple format? Ex- | make result
As far as I know, the result is the same.
I'm working with a query where I'm using a lookup to enrich events based on the work_queue field and then filtering to pass forward only those events with a matching entry in the lookup file. Here's a simplified version of my query:
index="acn_ticket_summary" | lookup Master.csv "AssignmentGroup" as work_queue outputnew Desk_Ind, cdl_gs, Support_Team | where isnotnull(work_queue)
This filters the events, keeping only those that have a non-null work_queue after the lookup. Requirement: I also need to capture the events that don't match (i.e., those that result in isnull(work_queue)) for separate calculations. Is there a way to modify my query to keep both the matched and unmatched events? Thank you in advance for your help!
Hello @zksvc , Thanks for your prompt response and thanks for your time! It works, but my token value will be enclosed with ("token_value"). Let's say the token and results can be:
Token                 Result     Reason
("*")                 value_1    Since the length of "*" is 1, we need to pass value1
("abc")               value_2    Since the length of "abc" is 3, we need to pass value2
("ajd","abc","sd")    value_2    Since the length of "ajd" is 3, we need to pass value2
The purpose of this is, my use case is to find whether the token consists of "*" in it or not. Since it's an input dropdown of a multivalue field, if I use mv commands it only works for multivalues, but in some cases we will be getting a single value from the input dropdown, so I need a condition that works in both cases. Thanks!
Maybe you can add all your conditions in 1 line?
| where isnull(cliente) AND isnull(cliente1) AND Call.CallForwardInfo.OriginalCalledAddr="null"
Let me know if it works.
Hi @smanojkumar Maybe you can try this:
index=03_f123456 sourcetype=logs* (CODE IN ($code$)) | eval code_list=split("$code$", ",") | eval x=mvcount(code_list) | eval y=if(x==1, "value_1", "value_2") | dedup y | table y
Let me know if it works.
Hello There, I would like to pass two different values as a token. The search consists of code as a token, where the code field can be a single value or multiple values. We need to calculate the length, and if the length is equal to 1 then we need to pass value_1; if the length is greater than 1, then we need to pass value_2 in a new token.
index=03_f123456 sourcetype=logs* (CODE IN ($code$)) | eval x=len($code$) | eval y=if(x==1,"value_1","value_2") | dedup y | table y
Thanks in advance!
Hi Rick, Thanks for the response, but I'm just wondering what the disadvantages of index-time extractions would be. Our search head is quite overloaded, so we are making changes on the heavy forwarder side and trying to reduce the load by parsing it there. We have also tried to change the TRANSFORMS to EXTRACT instead in the props.conf and put the regex there as well, but it is also not working even after restarting Splunk for some reason, so we're wondering if any additional config lines are required.
I added it but it doesn't work, it doesn't show results.
Bingo, thanks a lot and it works
Add | where Call.CallForwardInfo.OriginalCalledAddr="null" to the query.
Edit the dashboard source and put in a bigger number for the font size.