Actually it's not that much of an outlier. Assuming a 2s gap between the first and second event, you have a 2/3 chance of splitting them into two separate bins.
Tokens ($something$) cannot be used in SPL except in the map command. They're not necessary, however. Just use a field.

    index=windows_logs
    | eval userid="johnsmith"
    | where in(userid, member_dn, member_id, Member_Security_ID, member_user_name)

Notice I changed the where command since it does not support the IN operator.
Now you can tag HEC events for any HEC endpoint (including S2S) without paying for third-party software. https://community.splunk.com/t5/Getting-Data-In/Splunk-HTTP-Event-Collector-support-for-custom-metadata-tags/m-p/703131/highlight/true#M116292
Try this:

    | stats count as Count, first(Field-B) as Example by Field-A
There are many non-native speakers (including myself) here so don't worry. As long as you're making an effort to be at least somewhat understandable it's great!

Every event has several fields or "metafields" (like index - it's technically not a field indexed with an event, it's a "selector", but it's treated like a field when you're processing results). And each event has the holy trinity of source, sourcetype and host.

I have another suspicion - you have an indexer cluster, right? Quoting https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eventcount:

    Running in clustered environments
    Do not use the eventcount command to count events for comparison in indexer clustered environments. When a search runs, the eventcount command checks all buckets, including replicated and primary buckets, across all indexers in a cluster. As a result, the search may return inaccurate event counts.
HaHA, I was answering based on the provided information, not trying to work around every single possible outlier.
That was my initial reaction but as usual - binning has issues when your events cross the bin boundary. For example - one event at :11, another at :14. They will be binned into separate buckets and won't match.
Hi there, like in most cases a simple 'stats' will do the trick. Try something like this:

    index=printserver OR index=printlogs
    | bin _time span=3s
    | stats values(*) AS * by _time username
    | table _time prnt_name username location directory file

Hope this helps ... cheers, MuS
First of all, English isn't my native language, so I apologize in advance for any errors I might make in this support topic. I have encountered a problem I'm a bit lost with: I'm indexing a lot of different data with different sourcetypes (mostly CSV and JSON data, but with a bit of unstructured data here and there), and the eventcount and tstats commands are returning very different event counts. I know the eventcount command doesn't care about the time window, so I tried increasing the time window into the future up to the maximum supported by Splunk, but to no avail.

To talk numbers, in my instance the command

    eventcount index=XXX*

returns 160 million events in my indexes. When I run

    | tstats count where index=XXX* by sourcetype

the command only finds about 59 million events. Even increasing the time window with a "latest=+4824d" to reach the maximum supported by the software doesn't yield more events. I thought about frozen data, so I increased the time window before freezing events just for debugging, deleted all my data, reindexed it all, but to no avail.

Is it possible for an event to be indexed without a sourcetype? Or is there technological wizardry I'm not aware of?
Join on _time doesn't make sense if the time is off in one of the data sets. You noticed it yourself. This transaction doesn't make sense either, since you don't have a field called src which could contain one of those strings. If this is indeed all the data you have, it's a very tricky problem in general. Because what if the same user requests two print jobs within a second? How can you tell which one went to which printer if the only common field is the username? If you can make some assumptions about the data, the problem can be solved one way or another. You can use transaction on the username field and indeed maxspan=3s or something like that (maybe add startswith="index=printserver" endswith="index=printlogs"). But transaction is a relatively resource-intensive command and is best avoided if possible. So if you can make some other assumptions, maybe the solution could be better.
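The two pairing strategies discussed in this thread (the `bin _time span=3s` approach, which fails when the two events straddle a bin boundary, and pairing print-server and DLP print-log events per username within a maxspan) as an added example in Python, not code from the thread or from Splunk. The sample rows are constructed, modelled on the two indexes in the question, and timestamps are treated as UTC; the functions `bin_join`, `window_join` and `split_probability` are illustrative re-implementations, not Splunk APIs.

```python
"""Added example (not from the thread): why `bin _time span=3s` can split a
pair of events that are only 1-3 s apart, and a window-based pairing that
does not. Sample rows are constructed, modelled on the two indexes in the
question; timestamps are treated as UTC."""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"
EPOCH = datetime(1970, 1, 1)

# Constructed sample data: print server events and DLP print-log events.
PRINTSERVER = [
    {"_time": "2024-11-04 11:05:32", "prnt_name": "Printer1", "username": "jon.doe", "location": "Office"},
    {"_time": "2024-11-04 12:20:56", "prnt_name": "Printer2", "username": "tim.allen", "location": "FrontDesk"},
    {"_time": "2024-11-04 12:21:12", "prnt_name": "Printer1", "username": "tim.allen", "location": "Office"},
]
PRINTLOGS = [
    {"_time": "2024-11-04 11:05:33", "username": "jon.doe", "directory": "c:/desktop/prints/", "file": "document1.doc"},
    {"_time": "2024-11-04 12:20:58", "username": "tim.allen", "directory": "c:/documents/files/", "file": "document2.xlsx"},
    {"_time": "2024-11-04 12:21:13", "username": "tim.allen", "directory": "c:/documents/files/", "file": "document3.pdf"},
]


def epoch_seconds(ts):
    """Seconds since 1970-01-01, treating the naive timestamp as UTC."""
    return int((datetime.strptime(ts, FMT) - EPOCH).total_seconds())


def bin_key(ts, span_s):
    """What `bin _time span=<span>s` does: floor the epoch to a multiple of span."""
    e = epoch_seconds(ts)
    return e - e % span_s


def split_probability(gap_s, span_s):
    """Chance that two events gap_s apart land in different fixed bins of span_s
    (uniform start offset): 2 s apart in 3 s bins gives 2/3, as noted in the thread."""
    return min(gap_s, span_s) / span_s


def merge(server_ev, log_ev):
    """The columns the question wants in its final table."""
    return {"_time": server_ev["_time"], "prnt_name": server_ev["prnt_name"],
            "username": server_ev["username"], "location": server_ev["location"],
            "directory": log_ev["directory"], "file": log_ev["file"]}


def bin_join(server, logs, span_s):
    """`bin` then `stats ... by _time username`: a pair matches only if both
    events fall into the same bin."""
    by_key = {(bin_key(s["_time"], span_s), s["username"]): s for s in server}
    out = []
    for log in logs:
        key = (bin_key(log["_time"], span_s), log["username"])
        if key in by_key:
            out.append(merge(by_key[key], log))
    return out


def window_join(server, logs, maxspan_s):
    """Pair each print-log event with the nearest print-server event for the
    same user that happened at most maxspan_s earlier; each server event is
    consumed once, so two jobs by one user a second apart still pair 1:1."""
    unused = sorted(server, key=lambda s: epoch_seconds(s["_time"]))
    out = []
    for log in sorted(logs, key=lambda l: epoch_seconds(l["_time"])):
        t = epoch_seconds(log["_time"])
        best, best_delta = None, None
        for s in unused:
            if s["username"] != log["username"]:
                continue
            delta = t - epoch_seconds(s["_time"])
            if 0 <= delta <= maxspan_s and (best is None or delta < best_delta):
                best, best_delta = s, delta
        if best is not None:
            unused.remove(best)
            out.append(merge(best, log))
    return out


if __name__ == "__main__":
    print("bin span=3s :", [m["file"] for m in bin_join(PRINTSERVER, PRINTLOGS, 3)])
    print("window 3s   :", [m["file"] for m in window_join(PRINTSERVER, PRINTLOGS, 3)])
```

On this constructed data the bin approach pairs only the third job (both events land in the same 3-second bin), while the windowed pairing recovers all three; the first two pairs, which use the exact timestamps from the question, straddle a bin boundary. The windowed version is also what a `transaction username maxspan=3s` expresses, minus transaction's per-event memory cost.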
Same results: I get the IP address but no country in the Geo Location. I have noticed that I have a space at the end of the IP address using this REX command. Ended up using the following command to remove the ending space and that resolved my problem.

    | eval ip_address=trim(ip_address)
I signed up for the Splunk Cloud Platform free trial as part of an online class. However, I'm unable to access my instance. I see that an instance has been created, but nothing happens when I click the "Access instance" button. I also got an email with a temporary password for the instance, but the login fails, and I got locked out after several attempts. Anyone know how to resolve this? Update: I was able to log in after resetting the password and waiting for the lockout to expire, but the "Access instance" button is still unresponsive.
Hello, I am trying to join two indexes to display data from our local printers. I have an index getting data from our printer server that contains the following data:

    index=prntserver
    _time                  prnt_name   username    location
    2024-11-04 11:05:32    Printer1    jon.doe     Office
    2024-11-04 12:20:56    Printer2    tim.allen   FrontDesk

I have an index getting data from our DLP software that contains the following data:

    index=printlogs
    _time                  usersname   directory             file
    2024-11-04 11:05:33    jon.doe     c:/desktop/prints/    document1.doc
    2024-11-04 12:20:58    tim.allen   c:/documents/files/   document2.xlsx

I am trying to join the two indexes to give me time, printer name, user name and location from the Print Server index and then give me the directory and file name that was recorded in my Print Log index. I want to use time to join the two indexes, but my issue is that the timestamp is off by 1 if not 2 seconds between the two index records. I was trying to use the transaction command with a maxspan=3s to be safe but cannot get it to work. Here is what I have been trying to work with:

    index=printserver
    | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) AS servtime
    | join type=inner _time
        [ search index=printlogs
          | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) AS logtime ]
    | transaction startswith=eval(src="<servtime>") endswith=eval(src="<logtime>") maxspan=3s
    | table servtime prnt_name username location directory file

Thanks for any assistance given on this one.
I have data similar to:

    Field-A   Field-B
    A1        B1
    A1        B2
    A1        B3
    A2        B4
    A3        B5
    A2        B6

Where Field-A will repeat but the Field-B values are unique. I am using

    | stats count by Field-A

to give me the number of occurrences of A1, A2, A3 and am trying to include a single example of Field-B. Something like:

    Field   Count   Example
    A1      3       B2
    A2      2       B6
    A3      1       B5

Thank you for any suggestions.
I have a working dashboard where a token is used as a variable. But now I am trying to use the same concept when making a direct search within the "Search & Reporting" app. I have Windows events that have multiple fields that produce a common value. In this example, the following search will give me usernames.

    ...base search (member_dn=* OR member_id=* OR Member_Security_ID=* OR member_user_name=*)

I would like to declare a variable that I can use as a value to search all four aforementioned fields. I tried the following with no luck:

    index=windows_logs
    | eval userid=johnsmith
    | where $userid$ IN (member_dn, member_id, Member_Security_ID, member_user_name)
Hey @dswoff, AFAIK there is a problem in your logic. The | iplocation command accepts a few arguments, but not a key:value pair as the IP. I believe in your case you want to pass the IP and get the Country as the result, so try this:

    index="eventlog" EventCode=1309
    | rex field=Message "User host address:\s(?<ip_address>.*)"
    | iplocation ip_address
    | table ip_address, Country

OR for a fixed IP:

    index="eventlog" EventCode=1309
    | iplocation "<your_ip_here>"
    | table ip_address, Country

The iplocation command accepts an IP and will give you in response the fields: City, Continent, Country, MetroCode, Region, Timezone, lat and lon. Give it a try and let me know.
Hi roshnadabala, wondering if you were able to resolve it. I am seeing the same issue across multiple SH clusters.
@scelikok the regex is correct, but if it is applied as below then the timestamp won't be in the event. Splunk will take the current time, which is completely misleading. I want to have 2 events for a single log entry. The first event should contain everything up to

    2024-11-04T19:05:46.323Z [INFO] ContentGenerator

The second event should contain the full JSON, and even though the JSON won't have a timestamp in it, the first event's timestamp is written to this JSON.
So I am trying to find the geo location for some IP addresses that keep crashing our webserver when they crawl it. I am getting the information from the event logs. The IP addresses are coming in on a generic field called Message that contains a lot of text, so I am pulling that out using a rex command, but the iplocation command shows no country code. I have used the iplocation command to get geo information about IP addresses in the past several hours on another search, so I know that works in my system. When I use the command

    | where ip_address='ip-address'

it shows no data. So I'm guessing that Splunk doesn't see the text in the created field ip_address as actual IP addresses. Anyone know how I can make it see this data as an IP address? Or is it that there might be a leading space or something like that causing the issue, and if so, how do I get rid of that noise?

    index="eventlog" EventCode=1309
    | rex field=Message "User host address:\s(?<ip_address>.*)"
    | iplocation ip_address=Country
    | table ip_address, Country
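The extraction problem in this thread (a greedy `.*` capture that drags a trailing space along, so the value never looks like an IP to a later command, and the later reply's fix of trimming it) as an added example in Python, not code from the thread or from Splunk. It shows what the thread's rex pattern yields on constructed Message values, then a stricter capture validated with the standard `ipaddress` module; `extract_raw`, `extract_ip` and `extract_ips` are illustrative helpers, not Splunk APIs, and the sample messages are constructed.

```python
"""Added example (not from the thread): pull the client IP out of a free-text
Message field and normalise it so the value is a clean IP literal. Sample
messages are constructed; the greedy pattern is the one used in the thread."""
import ipaddress
import re

# Constructed Message values shaped like the thread's EventCode=1309 text.
# The second has a trailing space, the third a CRLF continuation, the fourth
# is not an address at all, the fifth is IPv6 in mixed case.
MESSAGES = [
    "Exception information: ... User host address: 203.0.113.7",
    "Exception information: ... User host address: 203.0.113.8 ",
    "Exception information: ... User host address: 203.0.113.9\r\nUser: anonymous",
    "Exception information: ... User host address: not-an-ip",
    "Exception information: ... User host address: 2001:DB8::1",
]

# The thread's rex: `.*` swallows everything to end of line, trailing blanks included.
GREEDY = re.compile(r"User host address:\s(?P<ip_address>.*)")
# Stricter: only characters an IPv4/IPv6 literal can contain.
STRICT = re.compile(r"User host address:\s*(?P<ip_address>[0-9A-Fa-f:.]+)")


def extract_raw(message):
    """What the greedy rex yields; shows why an exact-match `where` misses."""
    m = GREEDY.search(message)
    return m.group("ip_address") if m else None


def extract_ip(message):
    """Strict capture plus validation via the ipaddress module; returns the
    canonical textual form (lower-cased, compressed IPv6) or None."""
    m = STRICT.search(message)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group("ip_address")))
    except ValueError:  # matched the character class but is not a real address
        return None


def extract_ips(messages):
    """Clean addresses for a batch of messages, skipping ones without an address."""
    return [ip for ip in (extract_ip(m) for m in messages) if ip is not None]


if __name__ == "__main__":
    for msg in MESSAGES:
        print(repr(extract_raw(msg)), "->", extract_ip(msg))
```

The greedy capture returns `'203.0.113.8 '` and `'203.0.113.9\r'`, which is exactly the kind of value an exact-match filter or a geo lookup will silently reject; restricting the character class (or trimming, as the later reply did) and validating the result before using it as an address is the portable fix.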
Hi @Harinder.Rana, Thanks for asking your question on the Community. Did you happen to find out anymore information or a solution you can share here? If you are still looking for help, you can contact AppDynamics Support: How to contact AppDynamics Support and manage existing cases with Cisco Support Case Manager (SCM)