I'm working with a query where I'm using a lookup to enrich events based on the work_queue field and then filtering to pass forward only those events with a matching entry in the lookup file. Here's a simplified version of my query:

index="acn_ticket_summary"
| lookup Master.csv "AssignmentGroup" as work_queue outputnew Desk_Ind, cdl_gs, Support_Team
| where isnotnull(work_queue)

This filters the events, keeping only those that have a non-null work_queue after the lookup.

Requirement: I also need to capture the events that don't match (i.e., those that result in isnull(work_queue)) for separate calculations. Is there a way to modify my query to keep both the matched and unmatched events? Thank you in advance for your help!
Hello @zksvc,

Thanks for your prompt response and thanks for your time!

It works, but my token value will be enclosed with ("token_value"). Let's say the token and results can be:

Token                  Result     Reason
("*")                  value_1    Since the length of "*" is 1, we need to pass value_1
("abc")                value_2    Since the length of "abc" is 3, we need to pass value_2
("ajd","abc","sd")     value_2    Since the length of "ajd" is 3, we need to pass value_2

The purpose of this is: my use case is to find whether the token contains "*" or not. Since it's an input dropdown of a multivalue field, if I use mv commands it only works for multivalues, but in some cases we will be getting a single value from the input dropdown, so I need a condition that works in both cases. Thanks!
Maybe you can add all your conditions in one line?

| where isnull(cliente) AND isnull(cliente1) AND Call.CallForwardInfo.OriginalCalledAddr="null"

Let me know if it works.
Hi @smanojkumar,

Maybe you can try this:

index=03_f123456 sourcetype=logs* (CODE IN ($code$))
| eval code_list=split("$code$", ",")
| eval x=mvcount(code_list)
| eval y=if(x==1, "value_1", "value_2")
| dedup y
| table y

Let me know if it works.
Hello there,

I would like to pass two different values as a token. The search consists of code as a token, where the code field can be a single value or multiple values. We need to calculate the length, and if the length is equal to 1 we need to pass value_1; if the length is greater than 1, we need to pass value_2 in a new token.

index=03_f123456 sourcetype=logs* (CODE IN ($code$))
| eval x=len($code$)
| eval y=if(x=1,"value_1","value_2")
| dedup y
| table y

Thanks in advance!
Hi Rick, thanks for the response, but I'm just wondering what the disadvantages of index-time extractions would be. Our search head is quite overloaded, so we are making changes on the heavy forwarder side and trying to reduce the load by parsing there. We have also tried changing the TRANSFORMS to EXTRACT in props.conf and putting the regex there as well, but that is also not working even after restarting Splunk, for some reason, so we're wondering if any additional config lines are required.
I added it but it doesn't work, it doesn't show results.
Bingo, thanks a lot and it works
Add | where Call.CallForwardInfo.OriginalCalledAddr="null" to the query.
Edit the dashboard source and put in a bigger number for the font size.
Two separate stats commands are unlikely to work because they're transforming commands. That means the second stats won't have the same fields to work with as the first one. One alternative is to use eventstats before stats, but it's unnecessary in this case because a single stats can do it all.
I would like the font size in the table I have made to be much bigger. Currently the largest size you can select in the font size dropdown under Colour and Style is Large. How can I make the numbers in my table bigger?
Hi,

We currently have a centralized WEF collection server that collects all Windows logs across the environment. This includes forwarding the Sysmon, Application, System channels etc. to the collector. Everything ends up in ForwardedEvents on the WEF collection server. I've installed a UF on this host. I have the Windows TA deployed with the following input stanza:

#[WinEventLog://ForwardedEvents]
#disabled = 0
#index = wef
#start_from = oldest
#current_only = 0
#batch_size = 50
#checkpointInterval = 15
#renderXml=true
#host=WinEventLogForwardHost

I have 2 problems currently.

1. The Splunk universal forwarder doesn't appear to be keeping up with the number of Windows event logs coming to the WEF collector (~1000 hosts). Another (different) SIEM collector for WEF keeps up fine on the same host and collects all logs. I'm able to compare what one collector is collecting vs. the Splunk UF. I've tried adjusting the batch_size and checkpoint interval as above.

2. I want to split certain Windows channels in the ForwardedEvents channel into different indexes. I have tried deploying the Microsoft Sysmon TA and adding a new input with the following configuration:

#[WinEventLog://ForwardedEvents]
#disabled = true
#index = wef-sysmon
#start_from = oldest
#current_only = 0
#batch_size = 50
#checkpointInterval = 15
#renderXml=true
#host=WinEventLogForwardHost
#whitelist = $XmlRegex='Microsoft-Windows-Sysmon'

I then add blacklist = $XmlRegex='Microsoft-Windows-Sysmon' to the Windows TA. Then everything seems to stop: I stop receiving all events on my indexer. I've also tried adding multiple inputs with differing indexes and whitelists/blacklists in the Windows TA, to no avail. Would someone be able to point me in the right direction?
I work in the Healthcare industry and our customer base can have product versions that range from 6 to 18. For this dashboard, for sites with versions less than 15 I have to use one data source. For sites that have versions 15 and over, I have a different set of data sources. So for this dashboard I have one query for versions below 15 and another query for version 15 and above. I have built a dropdown that lists the Site Name for choices. There is also a time picker to choose date ranges. In order to choose the correct query to run, I need to somehow pass the product version so it knows which one to run and display. How do I create the product version as a token to pass down to decide which query to use?

Here is the start of my dashboard code. Below it is just the two queries I will be choosing from.

<fieldset submitButton="true" autoRun="false">
  <input type="dropdown" token="propertyId" searchWhenChanged="false">
    <label>Site</label>
    <fieldForLabel>FullHospitalName</fieldForLabel>
    <fieldForValue>propertyId</fieldForValue>
    <search>
      <query>| inputlookup HealthcareMasterList.csv | search ITV=1 AND ITV_INSTALLED&gt;1 | table propertyId FullHospitalName MarinaVersion | join type=left propertyId [ search sourcetype=sysconfighost-v* [| inputlookup HealthcareMasterList.csv | search ITV=1 AND ITV_INSTALLED&gt;1 | fields propertyId | format] | dedup propertyId hostId sortby -dateTime | stats max(coreVersion) as coreVersion by propertyId] | eval version=if(isnull(coreVersion),MarinaVersion,coreVersion) | eval version=substr(version,1,2) | fields - MarinaVersion coreVersion | sort FullHospitalName</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
  </input>
  <input type="time" token="field1" searchWhenChanged="false">
    <label>Date Picker</label>
    <default>
      <earliest>-1mon@mon</earliest>
      <latest>@mon</latest>
    </default>
  </input>
</fieldset>

With the query above I end up with three fields: propertyId, FullHospitalName, version.
The 'FullHospitalName' is what is displayed in the dropdown.   The 'propertyId' is what needs to be passed to the query itself to know what data to collect.  How do I use the 'version' field to determine which of the two queries to use?
How can I make it show me only what appears as null in the Call.CallForwardInfo.OriginalCalledAddr field? Right now I have this result; can you help me?
Oh, that could explain it. I'll try to erase all events, clean the data partition of the instance entirely and restart clean, to see if the behavior is the same. Thanks for your help!
There is another possible explanation. Someone was trigger-happy with the delete command. Deleted events are physically still in the index files so eventcount sees them but are marked as not searchable so tstats (and other search commands) don't use them.
Does anyone have an AWS EC2 instance dashboard sample? I am also looking for an EC2 instance OS/EBS/networking error code list to build the dashboard and query. Thanks, Muhammad
That worked great! I was trying to use two different 'stats' and could not get both of the values.   Thanks for your help!!
"I have another suspicion - you have an indexer cluster, right?"

I forgot to mention it! I'm currently running a standalone instance, not connected to anything else. I checked just in case, but the monitoring console of the instance does see the 160 million events on the local instance, without replication. I also checked the inputs, and it is consistent with the returned number.

What's more confusing is that the events seem to be "seen" by some commands, but not others. For example, I tried to directly search "index=XXX host=YYY sourcetype=ZZZ" (so every field used should be indexed and retrievable even without search-time extractions, and should not conflict with anything), and that search returns 2300 events over multiple hosts. If I pipe a "| stats count by host" behind it, the search returns 0 and doesn't see any events. I don't know why, but there seems to be a part of my events I cannot aggregate against. That would explain the inconsistency, but as for the root cause, I'm at a loss for words.