All Posts

You are looking at the wrong tool in the box. Do not use rex to extract fields from structured data like the JSON your event contains. Instead, extract the JSON object, then use tools like spath to extract data fields.

```
| rex "^[^{]+(?<message_body>.+})"
| spath input=message_body
| table *.alias *.responders{}.name
```

Your sample data will give

field                            value
alert.alias                      FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,
entity.alias                     FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,
params.alert.alias               FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,
params.entity.alias              FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,
alert.responders{}.name          Monitoring_Admin
entity.responders{}.name         Monitoring_Admin
params.alert.responders{}.name   Monitoring_Admin
params.entity.responders{}.name  Monitoring_Admin

Additional pointers:

The sample JSON contains 4 different leaf nodes all named alias. There is no inherent logic to say they are all the same.

The sample JSON contains 4 different arrays that all contain leaf nodes named name. There is no inherent logic to say they are all the same.

What this means is that you need to ask your developer which node you need data from.

Lastly, this JSON has a deep structure. If you are only interested in a select few nodes, you can also use a JSON function if your server is 8.2 or later. For example,

```
| rex "^[^{]+(?<message_body>.+})"
| eval alias = json_extract(message_body, "alert.alias"), name = json_extract(message_body, "alert.responders{}.name")
| table alias name
```

The output will be

alias                                          name
FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,  Monitoring_Admin

Here is an emulation of your sample data. Play with it and compare with real data.

```
| makeresults
| eval _raw = "[36mINFO[0m[2024-11-13T13:37:23.9114215-05:00] Message body: {\"actionType\":\"custom\",\"customerId\":\"3a1f4387-b87b-4a3a-a568-cc372a86d8e4\",\"ownerDomain\":\"integration\",\"ownerId\":\"8b500163-8476-4b0e-9ef7-2cfdaa272adf\",\"discardScriptResponse\":true,\"sendCallbackToStreamHub\":false,\"requestId\":\"18dcdb1b-14d6-4b10-ad62-3f73acaaef2a\",\"action\":\"Close\",\"productSource\":\"Opsgenie\",\"customerDomain\":\"siteone\",\"integrationName\":\"Opsgenie Edge Connector\",\"integrationId\":\"8b500163-8476-4b0e-9ef7-2cfdaa272adf\",\"customerTransitioningOrConsolidated\":false,\"source\":{\"name\":\"\",\"type\":\"system\"},\"type\":\"oec\",\"receivedAt\":1731523037863,\"ownerId\":\"8b500163-8476-4b0e-9ef7-2cfdaa272adf\",\"params\":{\"type\":\"oec\",\"alertId\":\"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697\",\"customerId\":\"3a1f4387-b87b-4a3a-a568-cc372a86d8e4\",\"action\":\"Close\",\"integrationId\":\"8b500163-8476-4b0e-9ef7-2cfdaa272adf\",\"integrationName\":\"Opsgenie Edge Connector\",\"integrationType\":\"OEC\",\"customerDomain\":\"siteone\",\"alertDetails\":{\"Raw\":\"\",\"Results Link\":\"https://hostname:8000/app/search/search?q=%7Cloadjob%20scheduler__td26605__search__RMD5e461b39d4ff19795_at_1731522600_38116%20%7C%20head%204%20%7C%20tail%201&earliest=0&latest=now\",\"SuppressClosed\":\"True\",\"TeamsDescription\":\"True\"},\"alertAlias\":\"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,\",\"receivedAt\":1731523037863,\"customerConsolidated\":false,\"customerTransitioningOrConsolidated\":false,\"productSource\":\"Opsgenie\",\"source\":{\"name\":\"\",\"type\":\"system\"},\"alert\":{\"alertId\":\"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697\",\"id\":\"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697\",\"type\":\"alert\",\"message\":\"[Splunk] Load Balancer Member Status\",\"tags\":[],\"tinyId\":\"14585\",\"entity\":\"\",\"alias\":\"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,\",\"createdAt\":1731522737697,\"updatedAt\":1731523038582000000,\"username\":\"System\",\"responders\":[{\"id\":\"f8c9079d-c7bb-4e58-ac83-359cb217a3b5\",\"type\":\"team\",\"name\":\"Monitoring_Admin\"}],\"teams\":[\"f8c9079d-c7bb-4e58-ac83-359cb217a3b5\"],\"actions\":[],\"priority\":\"P3\",\"oldPriority\":\"P3\",\"source\":\"Splunk\"},\"entity\":{\"alertId\":\"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697\",\"id\":\"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697\",\"type\":\"alert\",\"message\":\"[Splunk] Load Balancer Member Status\",\"tags\":[],\"tinyId\":\"14585\",\"entity\":\"\",\"alias\":\"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,\",\"createdAt\":1731522737697,\"updatedAt\":1731523038582000000,\"username\":\"System\",\"responders\":[{\"id\":\"f8c9079d-c7bb-4e58-ac83-359cb217a3b5\",\"type\":\"team\",\"name\":\"Monitoring_Admin\"}],\"teams\":[\"f8c9079d-c7bb-4e58-ac83-359cb217a3b5\"],\"actions\":[],\"priority\":\"P3\",\"oldPriority\":\"P3\",\"source\":\"Splunk\"},\"mappedActionDto\":{\"mappedAction\":\"postActionToOEC\",\"extraField\":\"\"},\"ownerId\":\"8b500163-8476-4b0e-9ef7-2cfdaa272adf\"},\"integrationType\":\"OEC\",\"alert\":{\"alertId\":\"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697\",\"id\":\"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697\",\"type\":\"alert\",\"message\":\"[Splunk] Load Balancer Member Status\",\"tags\":[],\"tinyId\":\"14585\",\"entity\":\"\",\"alias\":\"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,\",\"createdAt\":1731522737697,\"updatedAt\":1731523038582000000,\"username\":\"System\",\"responders\":[{\"id\":\"f8c9079d-c7bb-4e58-ac83-359cb217a3b5\",\"type\":\"team\",\"name\":\"Monitoring_Admin\"}],\"teams\":[\"f8c9079d-c7bb-4e58-ac83-359cb217a3b5\"],\"actions\":[],\"priority\":\"P3\",\"oldPriority\":\"P3\",\"source\":\"Splunk\"},\"customerConsolidated\":false,\"customerId\":\"3a1f4387-b87b-4a3a-a568-cc372a86d8e4\",\"action\":\"Close\",\"mappedActionDto\":{\"mappedAction\":\"postActionToOEC\",\"extraField\":\"\"},\"alertId\":\"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697\",\"alertAlias\":\"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,\",\"alertDetails\":{\"Raw\":\"\",\"Results Link\":\"https://hostname:8000/app/search/search?q=%7Cloadjob%20scheduler__td26605__search__RMD5e461b39d4ff19795_at_1731522600_38116%20%7C%20head%204%20%7C%20tail%201&earliest=0&latest=now\",\"SuppressClosed\":\"True\",\"TeamsDescription\":\"True\"},\"entity\":{\"alertId\":\"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697\",\"id\":\"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697\",\"type\":\"alert\",\"message\":\"[Splunk] Load Balancer Member Status\",\"tags\":[],\"tinyId\":\"14585\",\"entity\":\"\",\"alias\":\"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,\",\"createdAt\":1731522737697,\"updatedAt\":1731523038582000000,\"username\":\"System\",\"responders\":[{\"id\":\"f8c9079d-c7bb-4e58-ac83-359cb217a3b5\",\"type\":\"team\",\"name\":\"Monitoring_Admin\"}],\"teams\":[\"f8c9079d-c7bb-4e58-ac83-359cb217a3b5\"],\"actions\":[],\"priority\":\"P3\",\"oldPriority\":\"P3\",\"source\":\"Splunk\"}} [36mmessageId[0m=7546739e-2bab-414d-94b5-b0f205208932"
```
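Added example, not part of the answer above and not Splunk's own code: a small Python emulation of what the rex, spath and json_extract steps do to this message body, run over a constructed, trimmed copy of the OEC log line (same nesting, far fewer keys). It shows why `*.alias` fans out into four distinct fields while an explicit path such as `alert.responders{}.name` reaches exactly one value; the function names and the reduced sample are assumptions of mine.

```python
import json
import re
from fnmatch import fnmatchcase

# Constructed, trimmed stand-in for the post's OEC "Message body:" log line: alert and
# entity appear at the top level and again under params, exactly as in the real event.
_ALERT = {
    "alias": "FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,",
    "tags": [],
    "responders": [{"type": "team", "name": "Monitoring_Admin"}],
}
SAMPLE_LINE = (
    "INFO[2024-11-13T13:37:23.9114215-05:00] Message body: "
    + json.dumps({"action": "Close",
                  "params": {"alertAlias": _ALERT["alias"], "alert": _ALERT, "entity": _ALERT},
                  "alert": _ALERT, "entity": _ALERT})
    + " messageId=7546739e-2bab-414d-94b5-b0f205208932"
)

# Same regex as the post's rex: skip everything before the first '{', keep up to the last '}'.
MESSAGE_BODY_RE = re.compile(r"^[^{]+(?P<message_body>.+})")


def extract_message_body(line):
    """Cut the JSON object out of the log line and parse it (the rex + spath input= step)."""
    m = MESSAGE_BODY_RE.match(line)
    if m is None:
        raise ValueError("line carries no JSON object")
    return json.loads(m.group("message_body"))


def flatten(node, prefix=""):
    """Yield (spath-style field name, leaf value); arrays get the '{}' suffix spath uses."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from flatten(child, f"{prefix}.{key}" if prefix else key)
    elif isinstance(node, list):
        for child in node:
            yield from flatten(child, prefix + "{}")
    else:
        yield prefix, node


def fields_matching(body, pattern):
    """Emulate `table *.alias`: every leaf whose field name matches the wildcard."""
    return [(path, value) for path, value in flatten(body) if fnmatchcase(path, pattern)]


def json_extract(body, path):
    """Resolve one explicit path such as 'alert.responders{}.name' the way json_extract()
    does: a '{}' step visits every element of that array. Returns the values reached."""
    nodes = [body]
    for part in path.split("."):
        is_array = part.endswith("{}")
        key = part[:-2] if is_array else part
        nxt = []
        for node in nodes:
            if not isinstance(node, dict) or key not in node:
                continue
            child = node[key]
            if is_array:
                nxt.extend(child if isinstance(child, list) else [])
            else:
                nxt.append(child)
        nodes = nxt
    return nodes


if __name__ == "__main__":
    body = extract_message_body(SAMPLE_LINE)
    for path, value in fields_matching(body, "*.alias"):
        print(f"{path} = {value}")  # four different fields, all named alias
    print(json_extract(body, "alert.responders{}.name"))
```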
@ITWhisperer, I want to make one table where we have the date in one column and counts in the other column.
Sparklines are numeric, so they will only show numbers. You could use drilldown to open a panel to show the errors, but as for a tooltip-type hover, you'd probably have to implement that yourself in JavaScript.
Is it possible to display any dynamic values when hovering over a sparkline in a Splunk dashboard? In my case, the sparkline shows the success count. So in case of failure, is it possible to display all the hourly error messages while hovering over the graph?
Your earliest= statement is wrong; it should be earliest=-1y@y. You have an extra @ sign (-1@y@y).
If you want to use different policies for different correlation searches, you should add some filtering criteria in your second Notable Event Aggregation Policy (NEAP). For example, you can use search_name (or source) matches correlation_search2 in the "include the events if" section of the Filtering Criteria and Instructions tab in your second NEAP.
Hi everyone, I’m working with Splunk IT Service Intelligence (ITSI) and want to automate the creation of maintenance windows using a scheduled search in SPL. Ideally, I’d like to use the rest command within SPL to define a maintenance window, assign specific entities and services to it, and have it run on a schedule. Is it possible to set up maintenance windows with entities and services directly from SPL? If anyone has sample SPL code or guidance on setting up automated maintenance windows, it would be very helpful! Thanks in advance!
I am on Splunk 8.2.12. I am trying to get a distinct count of incidents that have happened in each month, year to date. I'd like to compare that to the year prior. I feel like this should be pretty easy, but my results aren't showing the current year in comparison to the previous year.

This shows the current year data (2024):

```
(earliest=-1@y@y AND latest=now())
| eval date_month=strftime(_time, "%mon")
| eval date_year = strftime(_time, "%Y")
| timechart span=1mon dc(RMI_MastIncNumb) as "# of Incidents"
```

When I add

```
| timewrap 1year series=exact time_format=%Y
```

it ends up just showing me 2023.
As @MuS said, you must ask that your account team add rights to you to download it after you have bought it.
Hi, shortly: Nope. There are quite many answers where this has already been discussed earlier. The main point here is that a bucket is managed by the youngest event inside it. As there are several buckets whose _time can differ heavily from the other _times in that bucket, you cannot get exactly a 1 month time period in hot+warm+cold. It's always defined by a combination of several parameters. You can find those in older answers or docs. r. Ismo
Hi, if your company is a Splunk Partner and your company fulfills some defined requirements, then there is the possibility to get a Splunk Cloud Sandbox environment for 12 months. I cannot recall those requirements now, but you or your company's partner manager can check those, and if they are fulfilled then order that sandbox for your use. r. Ismo
Basically it's possible that they create a report which uses |rest to the indexer if they also set it to run as owner. That way it can execute those rest queries and return correct responses.
As I said earlier, if you want to use a hashed password instead of plain text, then you must use the same splunk.secret on both nodes.
Here's what I ended up doing: Created a dropdown for the versions and added conditions in that to pass to the panels with the queries. Then I added a row at the top that displays for the user which version to pick from the dropdown. This wasn't what I had in mind, but for now it works. Below is the dashboard code in case anyone smarter and more experienced happens to notice something I could improve on.

```
<form version="1.1" theme="light">
  <label>Education Title Report</label>
  <search>
    <query>| inputlookup HealthcareMasterList.csv | search propertyId=$propertyId$ | table propertyId FullHospitalName MarinaVersion | join type=left propertyId [ search sourcetype=sysconfighost-v* earliest=-24h@h propertyId=$propertyId$ | dedup propertyId hostId sortby -dateTime | stats max(coreVersion) as coreVersion by propertyId] | eval version=if(isnull(coreVersion),MarinaVersion,coreVersion) | eval version=substr(version,1,2) | eval version=case(version IN ("6.","10","11","12","14"),"Pre15",version IN ("15","16","17","18"),"Post15",1=1,version) | fields - MarinaVersion coreVersion</query>
    <preview>
      <eval token="MarinaVersion">$result.version$</eval>
    </preview>
  </search>
  <fieldset submitButton="true" autoRun="false">
    <input type="dropdown" token="propertyId" searchWhenChanged="true">
      <label>Site</label>
      <fieldForLabel>FullHospitalName</fieldForLabel>
      <fieldForValue>propertyId</fieldForValue>
      <search>
        <query>| inputlookup HealthcareMasterList.csv | search ITV=1 AND ITV_INSTALLED&gt;1 | table propertyId FullHospitalName MarinaVersion | join type=left propertyId [ search sourcetype=sysconfighost-v* [| inputlookup HealthcareMasterList.csv | search ITV=1 AND ITV_INSTALLED&gt;1 | fields propertyId | format] | dedup propertyId hostId sortby -dateTime | stats max(coreVersion) as coreVersion by propertyId] | eval version=if(isnull(coreVersion),MarinaVersion,coreVersion) | eval version=substr(version,1,2) | eval version=case(version IN ("6.","10","11","12","14"),"Pre15",version IN ("15","16","17","18"),"Post15",1=1,version) | fields - MarinaVersion coreVersion | sort FullHospitalName</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="WhichVersion">
      <label>Marina Version</label>
      <choice value="Pre15">Pre15</choice>
      <choice value="Post15">Post15</choice>
      <choice value="NA">NA</choice>
      <change>
        <condition value="Post15">
          <unset token="NoAssignments"></unset>
          <set token="IncludesAssignments">true</set>
          <unset token="NoInfo"></unset>
        </condition>
        <condition value="Pre15">
          <set token="NoAssignments">true</set>
          <unset token="IncludesAssignments"></unset>
          <unset token="NoInfo"></unset>
        </condition>
        <condition value="NA">
          <unset token="NoAssignments"></unset>
          <unset token="IncludesAssignments"></unset>
          <set token="NoInfo">true</set>
        </condition>
      </change>
    </input>
    <input type="time" token="field1" searchWhenChanged="true">
      <label>Date Picker</label>
      <default>
        <earliest>-1mon@mon</earliest>
        <latest>@mon</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>Please select the following for the Marina Version dropdown:</html>
    </panel>
    <panel>
      <html>$MarinaVersion$</html>
    </panel>
  </row>
```
This is an old question, but I still comment here in case someone needs it later. When you are using a hashed password in user-seed.conf, you must hash it with the same splunk.secret string as you have on your new server! If you have hashed it with some other random splunk.secret, and on the new server you have something else in splunk.secret, those won't match, as the hash keys have been different.
Here's what I've ended up doing until I can find another solution. I created a dropdown for the version and set up conditions that I then passed to the panels below with my queries to indicate which one to display. I added two panels at the top that tell the user which version to choose from the Marina Version dropdown.

```
<form version="1.1" theme="light">
  <label>Education Title Report</label>
  <search>
    <query>| inputlookup HealthcareMasterList.csv | search propertyId=$propertyId$ | table propertyId FullHospitalName MarinaVersion | join type=left propertyId [ search sourcetype=sysconfighost-v* earliest=-24h@h propertyId=$propertyId$ | dedup propertyId hostId sortby -dateTime | stats max(coreVersion) as coreVersion by propertyId] | eval version=if(isnull(coreVersion),MarinaVersion,coreVersion) | eval version=substr(version,1,2) | eval version=case(version IN ("6.","10","11","12","14"),"Pre15",version IN ("15","16","17","18"),"Post15",1=1,version) | fields - MarinaVersion coreVersion</query>
    <preview>
      <eval token="MarinaVersion">$result.version$</eval>
    </preview>
  </search>
  <fieldset submitButton="true" autoRun="false">
    <input type="dropdown" token="propertyId" searchWhenChanged="true">
      <label>Site</label>
      <fieldForLabel>FullHospitalName</fieldForLabel>
      <fieldForValue>propertyId</fieldForValue>
      <search>
        <query>| inputlookup HealthcareMasterList.csv | search ITV=1 AND ITV_INSTALLED&gt;1 | table propertyId FullHospitalName MarinaVersion | join type=left propertyId [ search sourcetype=sysconfighost-v* [| inputlookup HealthcareMasterList.csv | search ITV=1 AND ITV_INSTALLED&gt;1 | fields propertyId | format] | dedup propertyId hostId sortby -dateTime | stats max(coreVersion) as coreVersion by propertyId] | eval version=if(isnull(coreVersion),MarinaVersion,coreVersion) | eval version=substr(version,1,2) | eval version=case(version IN ("6.","10","11","12","14"),"Pre15",version IN ("15","16","17","18"),"Post15",1=1,version) | fields - MarinaVersion coreVersion | sort FullHospitalName</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="WhichVersion">
      <label>Marina Version</label>
      <choice value="Pre15">Pre15</choice>
      <choice value="Post15">Post15</choice>
      <choice value="NA">NA</choice>
      <change>
        <condition value="Post15">
          <unset token="NoAssignments"></unset>
          <set token="IncludesAssignments">true</set>
          <unset token="NoInfo"></unset>
        </condition>
        <condition value="Pre15">
          <set token="NoAssignments">true</set>
          <unset token="IncludesAssignments"></unset>
          <unset token="NoInfo"></unset>
        </condition>
        <condition value="NA">
          <unset token="NoAssignments"></unset>
          <unset token="IncludesAssignments"></unset>
          <set token="NoInfo">true</set>
        </condition>
      </change>
    </input>
    <input type="time" token="field1" searchWhenChanged="true">
      <label>Date Picker</label>
      <default>
        <earliest>-1mon@mon</earliest>
        <latest>@mon</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>Please select the following for the Marina Version dropdown:</html>
    </panel>
    <panel>
      <html>$MarinaVersion$</html>
    </panel>
  </row>
```

Having the user have to use the version dropdown was not what I wanted to do, but this at least works for now until I stumble upon a better method.
As @ITWhisperer says, you can use selections. See the documentation here https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#selection_.28area.2C_column.2C_and_line_charts.29  
One additional comment which hasn't been mentioned yet: there are upper limits for buckets in clusters (if I recall right, both per node and per cluster). Normally this is not an issue, but if you have a quite active site which has hundreds/thousands of sources and TB/PB of ingestion per day, you could hit those limits.
I think that currently XMLWinEventLog is used, at least on those nodes which I can check now.
Are you able to show that query? Using subsearches will not work for datasets where the subsearch has more than 50k results; I'm not sure what your meaning of a 'large' dataset is. If you can show an anonymised version of each of the data sets and show the relationships, it will help us provide a solution.