"result":{"devices":[{"mac":"d8:43:ae:40:6a:c3","hostName":"DESKTOP-JDE9R7Q","medium":"ethernet","connectionState":"connected","connectionStateChangeAt":"2024-10-29T04:41:00.811Z","networkId":"default","favorite":false,"bandSteering":{"_version":"1.0.0","enable":false,"auto":true},"clientSteering":{"_version":"1.0.0","enable":true,"auto":true},"qos":{"prioritization":{"mode":"auto","realizedState":"ignore"}},"ip":"192.168.1.228","ipv6":["2600:6c55:7800:6c::107b","2600:6c55:7800:6c:403d:7bf4:2205:7e59","2600:6c55:7800:6c:90be:13dd:83dd:5ea3","fe80::eacd:8953:9d4f:94ab"],"steering":{},"name":"DESKTOP-JDE9R7Q","icon":"unknown","iconV2":"laptop-windows","category":"Laptop","osName":"Windows","health":{"status":"excellent","score":5,"details":null},"leafToRoot":[{"id":"f452465ee7ab","nickname":"f452465ee7ab"}],"alerts":[],"freeze":{"frozen":false,"suspended":{"id":"suspend","name":"Suspend","enable":false},"timeTemplates":[{"id":"untilMidnight","name":"Until End of Day","enable":false},{"id":"schoolNights","name":"School Nights","enable":false,"schedules":[{"times":[{"start":"20:00","end":"06:00"}],"daysOfWeek":[7,1,2,3,4]}]},{"id":"bedTime","name":"Bed 
Time","enable":false,"schedules":[{"times":[{"start":"20:00","end":"06:00"}],"daysOfWeek":[1,2,3,4,5,6,7]}]},{"id":"forever","name":"Indefinitely","enable":false}],"autoExpire":{"id":"autoExpire","enable":false,"expiresAt":null},"schedules":[],"forever":{"id":"forever","name":"Indefinitely","enable":false}},"locallyAdministeredShifty":false,"locallyAdministeredShiftyExpired":false,"locallyAdministeredMac":false,"accessZone":{"id":0,"type":"home","description":"Home","createdAt":"2024-10-30T16:48:50.189Z","_version":"1.0.0"},"firstConnectedAt":"2024-10-03T21:10:06.244Z","capabilities":{"radio24":false,"radio50":false,"radio60":false},"features":{},"isPartnerComponent":false,"kind":{"id":"windows","type":{"id":"windows","category":"Laptop","name":"Computer","icon":"unknown","iconV2":"laptop-windows","osName":"Windows","osVersion":"10.0","source":"rules","confidence":325},"category":"Laptop","name":"DESKTOP-JDE9R7Q","icon":"unknown","iconV2":"laptop-windows","osName":"Windows","osVersion":"10.0","source":"rules","confidence":325,"typeIdentified":false,"ohpCapable":false},"nickname":null,"plumeTypeIdentified":false,"customerTypeIdentified":false,"ohp":{"capable":false},"wpaMode":"","accessZoneType":"home","quarantine":{"enable":false,"anomalyBlacklist":[],"anomalyWhitelist":[]},"groupOfUnassignedDevices":true,"networkAccess":{"mode":"approved"}},{"mac":"90:dd:5d:d5:a1:2e","keyId":1,"hostName":"Living-Room","medium":"wifi","connectionState":"connected","connectionStateChangeAt":"2024-10-29T04:41:49.071Z","vapType":"home","networkId":"default","favorite":false,"bandSteering":{"_version":"1.0.0","enable":true,"auto":true},"clientSteering":{"_version":"1.0.0","enable":true,"auto":true},"qos":{"prioritization":{"mode":"auto","realizedState":"ignore"}},"ip":"192.168.1.206","ipv6":["2600:6c55:7800:6c:28e2:7128:e736:a0d7","2600:6c55:7800:6c:359c:ccb9:5198:5c58","2600:6c55:7800:6c:84a9:7a98:bdc1:29a5","2600:6c55:7800:6c:91cb:1c60:d7c1:4320","fd00:f452:465e:e7ac:8a9:3740:fe01:893
0"],"channel":44,"freqBand":"5GL","steering":{},"name":"Living-Room","icon":"unknown","iconV2":"smartdevice-apple","brand":"Apple","health":{"score":5,"status":"excellent","details":null},"leafToRoot":[{"id":"SA91804F4A","nickname":"SA91804F4A","parentId":"f452465ee7ab","radio":"5GU","channel":157,"medium":"wifi"},{"id":"f452465ee7ab","nickname":"f452465ee7ab"}],"alerts":[],"freeze":{"frozen":false,"suspended":{"id":"suspend","name":"Suspend","enable":false},"timeTemplates":[{"id":"untilMidnight","name":"Until End of Day","enable":false},{"id":"schoolNights","name":"School Nights","enable":false,"schedules":[{"times":[{"start":"20:00","end":"06:00"}],"daysOfWeek":[7,1,2,3,4]}]},{"id":"bedTime","name":"Bed Time","enable":false,"schedules":[{"times":[{"start":"20:00","end":"06:00"}],"daysOfWeek":[1,2,3,4,5,6,7]}]},{"id":"forever","name":"Indefinitely","enable":false}],"autoExpire":{"id":"autoExpire","enable":false,"expiresAt":null},"schedules":[],"forever":{"id":"forever","name":"Indefinitely","enable":false}},"locallyAdministeredShifty":false,"locallyAdministeredShiftyExpired":false,"locallyAdministeredMac":false,"accessZone":{"id":0,"type":"home","description":"Home","createdAt":"2024-10-30T16:48:50.189Z","_version":"1.0.0"},"firstConnectedAt":"2024-10-03T22:44:22.704Z","capabilities":{"radio24":true,"radio50":true,"radio60":false},"features":{},"isPartnerComponent":false,"kind":{"id":"apple","type":{"id":"apple","brand":"Apple","icon":"unknown","iconV2":"smartdevice-apple","source":"rules","confidence":100},"brand":"Apple","name":"Living-Room","icon":"unknown","iconV2":"smartdevice-apple","source":"rules","confidence":100,"typeIdentified":false,"ohpCapable":false},"nickname":null,"plumeTypeIdentified":false,"customerTypeIdentified":false,"ohp":{"capable":false},"wpaMode":"psk2","accessZoneType":"home","quarantine":{"enable":false,"anomalyBlacklist":[],"anomalyWhitelist":[]},"groupOfUnassignedDevices":true,"networkAccess":{"mode":"auto"}},{"mac":"48:27:e2:ec:1c:24",
"keyId":1,"hostName":"espressif","medium":"wifi","connectionState":"connected","connectionStateChangeAt":"2024-10-29T04:41:56.063Z","vapType":"home","networkId":"default","favorite":false,"bandSteering":{"_version":"1.0.0","enable":false,"auto":true},"clientSteering":{"_version":"1.0.0","enable":true,"auto":true},"qos":{"prioritization":{"mode":"auto","realizedState":"ignore"}},"ip":"192.168.1.70","ipv6":[],"channel":1,"freqBand":"2.4G","steering":{},"name":"Espressif","icon":"unknown","iconV2":"iotplatform-espressif","category":"IoT Platform","brand":"Espressif","health":{"score":5,"status":"excellent","details":null},"leafToRoot":[{"id":"f452465ee7ab","nickname":"f452465ee7ab"}],"alerts":[],"freeze":{"frozen":false,"suspended":{"id":"suspend","name":"Suspend","enable":false},"timeTemplates":[{"id":"untilMidnight","name":"Until End of Day","enable":false},{"id":"schoolNights","name":"School Nights","enable":false,"schedules":[{"times":[{"start":"20:00","end":"06:00"}],"daysOfWeek":[7,1,2,3,4]}]},{"id":"bedTime","name":"Bed Time","enable":false,"schedules":[{"times":[{"start":"20:00","end":"06:00"}],"daysOfWeek":[1,2,3,4,5,6,7]}]},{"id":"forever","name":"Indefinitely","enable":false}],"autoExpire":{"id":"autoExpire","enable":false,"expiresAt":null},"schedules":[],"forever":{"id":"forever","name":"Indefinitely","enable":false}},"locallyAdministeredShifty":false,"locallyAdministeredShiftyExpired":false,"locallyAdministeredMac":false,"accessZone":{"id":0,"type":"home","description":"Home","createdAt":"2024-10-30T16:48:50.189Z","_version":"1.0.0"},"firstConnectedAt":"2024-10-03T22:44:07.254Z","capabilities":{"radio24":true,"radio50":false,"radio60":false},"features":{},"isPartnerComponent":false,"kind":{"id":"espressif-iotplatform","type":{"id":"espressif-iotplatform","category":"IoT Platform","brand":"Espressif","icon":"unknown","iconV2":"iotplatform-espressif","source":"rules","confidence":20},"category":"IoT 
Platform","brand":"Espressif","name":"Espressif","icon":"unknown","iconV2":"iotplatform-espressif","source":"rules","confidence":20,"typeIdentified":false,"ohpCapable":false},"nickname":null,"plumeTypeIdentified":false,"customerTypeIdentified":false,"ohp":{"capable":false},"wpaMode":"psk2","accessZoneType":"home","quarantine":{"enable":false,"anomalyBlacklist":[],"anomalyWhitelist":[]},"groupOfUnassignedDevices":true,"networkAccess":{"mode":"auto"}},{"mac":"c0:48:e6:a5:a5:7b","keyId":1,"hostName":"Samsung-33","medium":"wifi","connectionState":"connected","connectionStateChangeAt":"2024-10-29T04:42:00.362Z","vapType":"home","networkId":"default","favorite":false,"bandSteering":{"_version":"1.0.0","enable":false,"auto":true},"clientSteering":{"_version":"1.0.0","enable":true,"auto":true},"qos":{"prioritization":{"mode":"auto","realizedState":"ignore"}},"ip":"192.168.1.209","ipv6":["2600:6c55:7800:6c::145d","fe80::c248:e6ff:fea5:a57b"],"channel":6,"freqBand":"2.4G","steering":{},"name":"Samsung","icon":"unknown","iconV2":"smartdevice-samsung","brand":"Samsung","health":{"score":5,"status":"excellent","details":null},"leafToRoot":[{"id":"SA91804F4A","nickname":"SA91804F4A","parentId":"f452465ee7ab","radio":"5GU","channel":157,"medium":"wifi"},{"id":"f452465ee7ab","nickname":"f452465ee7ab"}],"alerts":[],"freeze":{"frozen":false,"suspended":{"id":"suspend","name":"Suspend","enable":false},"timeTemplates":[{"id":"untilMidnight","name":"Until End of Day","enable":false},{"id":"schoolNights","name":"School Nights","enable":false,"schedules":[{"times":[{"start":"20:00","end":"06:00"}],"daysOfWeek":[7,1,2,3,4]}]},{"id":"bedTime","name":"Bed 
Time","enable":false,"schedules":[{"times":[{"start":"20:00","end":"06:00"}],"daysOfWeek":[1,2,3,4,5,6,7]}]},{"id":"forever","name":"Indefinitely","enable":false}],"autoExpire":{"id":"autoExpire","enable":false,"expiresAt":null},"schedules":[],"forever":{"id":"forever","name":"Indefinitely","enable":false}},"locallyAdministeredShifty":false,"locallyAdministeredShiftyExpired":false,"locallyAdministeredMac":false,"accessZone":{"id":0,"type":"home","description":"Home","createdAt":"2024-10-30T16:48:50.189Z","_version":"1.0.0"},"firstConnectedAt":"2024-10-04T05:46:20.274Z","capabilities":{"radio24":true,"radio50":false,"radio60":false},"features":{},"isPartnerComponent":false,"kind":{"id":"samsung","type":{"id":"samsung","brand":"Samsung","icon":"unknown","iconV2":"smartdevice-samsung","source":"rules","confidence":100},"brand":"Samsung","name":"Samsung","icon":"unknown","iconV2":"smartdevice-samsung","source":"rules","confidence":100,"typeIdentified":false,"ohpCapable":false},"nickname":null,"plumeTypeIdentified":false,"customerTypeIdentified":false,"ohp":{"capable":false},"wpaMode":"psk2","accessZoneType":"home","quarantine":{"enable":false,"anomalyBlacklist":[],"anomalyWhitelist":[]},"groupOfUnassignedDevices":true,"networkAccess":{"mode":"auto"}},{"mac":"54:3a:d6:5a:4a:38","keyId":1,"hostName":"Samsung-29","medium":"wifi","connectionState":"connected","connectionStateChangeAt":"2024-10-29T04:46:53.982Z","vapType":"home","networkId":"default","favorite":false,"bandSteering":{"_version":"1.0.0","enable":true,"auto":true},"clientSteering":{"_version":"1.0.0","enable":true,"auto":true},"qos":{"prioritization":{"mode":"auto","realizedState":"ignore"}},"ip":"192.168.1.125","ipv6":["2600:6c55:7800:6c::18c6","fe80::563a:d6ff:fe5a:4a38"],"channel":157,"freqBand":"5G","steering":{},"name":"Samsung","icon":"unknown","iconV2":"smartdevice-samsung","brand":"Samsung","health":{"score":5,"status":"excellent","details":null},"leafToRoot":[{"id":"f452465ee7ab","nickname":"f452465ee7
ab"}],"alerts":[],"freeze":{"frozen":false,"suspended":{"id":"suspend","name":"Suspend","enable":false},"timeTemplates":[{"id":"untilMidnight","name":"Until End of Day","enable":false},{"id":"schoolNights","name":"School Nights","enable":false,"schedules":[{"times":[{"start":"20:00","end":"06:00"}],"daysOfWeek":[7,1,2,3,4]}]},{"id":"bedTime","name":"Bed Time","enable":false,"schedules":[{"times":[{"start":"20:00","end":"06:00"}],"daysOfWeek":[1,2,3,4,5,6,7]}]},{"id":"forever","name":"Indefinitely","enable":false}],"autoExpire":{"id":"autoExpire","enable":false,"expiresAt":null},"schedules":[],"forever":{"id":"forever","name":"Indefinitely","enable":false}},"locallyAdministeredShifty":false,"locallyAdministeredShiftyExpired":false,"locallyAdministeredMac":false,"accessZone":{"id":0,"type":"home","description":"Home","createdAt":"2024-10-30T16:48:50.189Z","_version":"1.0.0"},"firstConnectedAt":"2024-10-03T22:44:37.294Z","capabilities":{"radio24":true,"radio50":true,"radio60":false},"features":{},"isPartnerComponent":false,"kind":{"id":"samsung","type":{"id":"samsung","brand":"Samsung","icon":"unknown","iconV2":"smartdevice-samsung","source":"rules","confidence":100},"brand":"Samsung","name":"Samsung","icon":"unknown","iconV2":"smartdevice-samsung","source":"rules","confidence":100,"typeIdentified":false,"ohpCapable":false},"nickname":null,"plumeTypeIdentified":false,"customerTypeIdentified":false,"ohp":{"capable":false},"wpaMode":"psk2","accessZoneType":"home","quarantine":{"enable":false,"anomalyBlacklist":[],"anomalyWhitelist":[]},"groupOfUnassignedDevices":true,"networkAccess":{"mode":"auto"}}
2024-11-01 12:25:49,065 +0000 ERROR startup:116 - Unable to read in product version information; isSessionKeyDefined=False error=__init__() got an unexpected keyword argument 'context'
2024-11-01 12:25:49,066 +0000 INFO startup:148 - Splunk appserver version=UNKNOWN_VERSION build=000 isFree=False isTrial=True productType=splunk instanceType=UNKNOWN
2024-11-01 12:25:49,066 +0000 INFO decorators:130 - loading uri: /en-US/
2024-11-01 12:25:49,068 +0000 INFO error:342 - GET /en-US/ 127.0.0.1 8065
2024-11-01 12:25:49,068 +0000 INFO error:345 - 500 Internal Server Error The server encountered an unexpected condition which prevented it from fulfilling the request.
2024-11-01 12:25:49,068 +0000 ERROR error:346 - Traceback (most recent call last):
  File "/opt/splunk/lib/python3.9/site-packages/cherrypy/_cprequest.py", line 628, in respond
    self._do_respond(path_info)
  File "/opt/splunk/lib/python3.9/site-packages/cherrypy/_cprequest.py", line 687, in _do_respond
    response.body = self.handler()
  File "/opt/splunk/lib/python3.9/site-packages/cherrypy/lib/encoding.py", line 219, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/opt/splunk/lib/python3.9/site-packages/splunk/appserver/mrsparkle/lib/htmlinjectiontoolfactory.py", line 78, in wrapper
    resp = handler(*args, **kwargs)
  File "/opt/splunk/lib/python3.9/site-packages/cherrypy/_cpdispatch.py", line 54, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "</opt/splunk/lib/python3.9/site-packages/decorator.py:decorator-gen-1740>", line 2, in index
  File "/opt/splunk/lib/python3.9/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 52, in rundecs
    return fn(*a, **kw)
  File "</opt/splunk/lib/python3.9/site-packages/decorator.py:decorator-gen-1738>", line 2, in index
  File "/opt/splunk/lib/python3.9/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 134, in check
    return fn(self, *a, **kw)
  File "</opt/splunk/lib/python3.9/site-packages/decorator.py:decorator-gen-1737>", line 2, in index
  File "/opt/splunk/lib/python3.9/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 185, in validate_ip
    return fn(self, *a, **kw)
  File "</opt/splunk/lib/python3.9/site-packages/decorator.py:decorator-gen-1736>", line 2, in index
  File "/opt/splunk/lib/python3.9/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 264, in preform_sso_check
    update_session_user(sessionKey, remote_user)
  File "/opt/splunk/lib/python3.9/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 207, in update_session_user
    en = splunk.entity.getEntity('authentication/users', user, sessionKey=sessionKey)
  File "/opt/splunk/lib/python3.9/site-packages/splunk/entity.py", line 276, in getEntity
    serverResponse, serverContent = rest.simpleRequest(uri, getargs=kwargs, sessionKey=sessionKey, raiseAllErrors=True)
  File "/opt/splunk/lib/python3.9/site-packages/splunk/rest/__init__.py", line 573, in simpleRequest
    h = httplib2.Http(timeout=timeout, proxy_info=None, context=ctx)
TypeError: __init__() got an unexpected keyword argument 'context'
Hello team, I’ve developed a custom command script that works perfectly when executed through the CLI, but it fails to run in the Splunk Web UI. I suspect this may be due to permissions or configuration issues, as both environments might not be using the same settings. Details Environment: Splunk Enterprise 9.2.2 Script: A custom Python script located in the bin directory of my app. The script runs successfully when executed via the CLI, but in the UI, it either returns errors or no results. Troubleshooting Steps Taken Verified that the script is in the correct bin directory with appropriate execution permissions. Checked commands.conf, authorization.conf, app.conf files for any configuration inconsistencies. Ensured that roles in the UI environment have the necessary permissions. Could this issue be related to role-based restrictions or specific configurations in the UI? Any insights on additional configuration checks or steps to align CLI and UI permissions would be greatly appreciated. Thank you in advance!
Hi @mackey, this solution is for when you don't have Enterprise Security. If you have ES, you can add your IOC list to the threat intelligence lookups. Ciao. Giuseppe
You can also check out two nice commands - xyseries and untable which can be used to (de)tabularize such data series.
Ok, the only thing we know for sure is that for this particular event the timestamp has not been extracted from the event itself. There can be several reasons for it:
1) Props for this sourcetype, source or host specify using ingestion time, not the event time
2) The timestamp format for extraction is wrongly defined and doesn't match the event
3) The event is ingested with a method that bypasses timestamp extraction (HEC /event endpoint)
4) The timestamp has been extracted but was out of limits, so Splunk assumed the timestamp from the previous event (but that's relatively unlikely; you'd probably either see many events with the same timestamp or mostly well-extracted times with single exceptions). This can be connected with 2).
5) You have another timestamp within your event which Splunk extracts the time from (but I suppose you'd notice that).
Usually the most probable causes are 2, 1 and 3 (in order of frequency).
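Causes 1 and 2 in the list above correspond to settings in props.conf. The stanza pair below is an added illustration, not configuration from this thread; the sourcetype name my_app_log and the event layout (a leading timestamp in the form 2024-11-01 12:25:49,065 +0000) are assumptions.

```ini
# Added example; not from the post. Sourcetype name and event layout are assumptions.

# Weak setting (cause 1 above): every event is stamped with the time it was
# indexed, so late-arriving or replayed data lands at the wrong point on the timeline.
[my_app_log]
DATETIME_CONFIG = CURRENT

# Corrected stanza (it replaces the one above; Splunk merges stanzas with the
# same name, so keep only one): say where the timestamp starts and how it is
# formatted, for events that begin like "2024-11-01 12:25:49,065 +0000 ERROR ...".
# A TIME_FORMAT that does not match the event is cause 2 above.
[my_app_log]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N %z
MAX_TIMESTAMP_LOOKAHEAD = 30
```

A quick check after changing the stanza is to compare _time with _indextime on a few fresh events: if the two are equal for every event, extraction is still not reading the event text. For cause 3, the HEC /event endpoint takes the timestamp from the "time" field of the JSON payload rather than from the event text; data sent without that field, or to the /raw endpoint, is where the props.conf settings above matter.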
Hi @mackey, is your org using Splunk Enterprise Security?
Hi @tbessie, as @sainag_splunk also said, maybe there's a timestamp extraction error. Could you share a sample of your events and the props.conf related to the sourcetype of these events? Ciao. Giuseppe
Hi @mwolfe, don't use sum but count:

index=web uri_path="/somepath" status="200" OR status="400"
| rex field=useragent "^(?<app_name>[^/]+)/(?<app_version>[^;]+)?\((?<app_platform>[^;]+); *"
| eval app=app_platform+" "+app_name+" "+app_version
| eval success=if(status=200,1,0)
| eval failure=if(status=400,1,0)
| stats count(eval(failure=1)) AS fail_count count(eval(success=1)) AS success_count BY app
| eval success_rate=round((success_count / (success_count + fail_count))*100,1)
| table app success_rate

otherwise, you could insert the eval in the stats:

index=web uri_path="/somepath" status="200" OR status="400"
| rex field=useragent "^(?<app_name>[^/]+)/(?<app_version>[^;]+)?\((?<app_platform>[^;]+); *"
| eval app=app_platform+" "+app_name+" "+app_version
| stats count(eval(status=400)) AS fail_count count(eval(status=200)) AS success_count BY app
| eval success_rate=round((success_count / (success_count + fail_count))*100,1)
| table app success_rate

Ciao. Giuseppe
Hi @mackey, if you have these IOCs in a lookup table you can run a very simple search: if your lookup is called my_ioc.csv and the IP list is in a column called ip, you could run:

index=* [ | inputlookup my_ioc.csv | rename ip AS query | fields query ]

In this way you execute a search for all the IPs listed in your lookup as a full-text search over all your events. If instead you want to search these IPs in pre-defined fields, you only have to change the field name in the subsearch, e.g. if you want to search in the src field, you could run:

index=* [ | inputlookup my_ioc.csv | rename ip AS src | fields src ]

Ciao. Giuseppe
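The lookup-driven matching that the answer above describes, and that the question further down this page asks for (hundreds of flagged IPs checked in both directions), as an added stand-alone example outside Splunk. This is not code from the thread: the IOC list, the key=value events and the field names src and dest are all constructed here, and the CSV text stands in for the my_ioc.csv lookup.

```python
import csv
import io
import ipaddress
import re

# Constructed stand-in for the my_ioc.csv lookup from the answer (column "ip").
# One CIDR entry is included to show that the same loader also handles ranges.
IOC_CSV = """ip
203.0.113.7
198.51.100.0/24
192.0.2.55
"""

# Constructed key=value firewall-style events; the field names src and dest
# are assumptions, as in the answer's second search. Not real traffic.
LOG_LINES = [
    'action=allowed src=10.1.2.3 dest=203.0.113.7 dest_port=443',
    'action=allowed src=10.1.2.4 dest=93.184.216.34 dest_port=443',
    'action=blocked src=198.51.100.23 dest=10.1.2.10 dest_port=22',
    # "192.0.2.550" is not an address; a substring match on 192.0.2.55 would
    # wrongly flag it, an exact-address parse does not.
    'action=allowed src=10.1.2.3 dest=192.0.2.550 dest_port=80',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def load_iocs(csv_text):
    """Read the ip column; bare addresses become /32 (or /128) networks."""
    nets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = (row.get("ip") or "").strip()
        if value:
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def parse_kv(line):
    """Split a key=value event into a dict (quoted values have quotes removed)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def match_ioc(text, nets):
    """Return the IOC network containing text, or None. Non-addresses never match."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    for net in nets:
        if addr.version == net.version and addr in net:
            return net
    return None


def find_hits(lines, nets, fields=("src", "dest")):
    """Check each listed field of each event, i.e. traffic from or to an IOC."""
    hits = []
    for line in lines:
        ev = parse_kv(line)
        for field in fields:
            if field in ev:
                net = match_ioc(ev[field], nets)
                if net is not None:
                    hits.append((field, ev[field], str(net), line))
    return hits


if __name__ == "__main__":
    iocs = load_iocs(IOC_CSV)
    for field, value, net, line in find_hits(LOG_LINES, iocs):
        print(f"hit: {field}={value} matched {net} :: {line}")
```

Hundreds of IPs sit comfortably inside the default subsearch limits in Splunk (10,000 results, 60 seconds); for much larger lists a lookup command or a lookup definition with CIDR matching avoids the subsearch altogether.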
It is difficult to advise without seeing your events. Please share some anonymised events which demonstrate the issue. Please share the raw event in a code block (using the </> button above) to preserve formatting.
Try this

| rex max_match=0 field=tags "(?<namevalue>[^:,]+:[^, ]+)"
| mvexpand namevalue
| rex field=namevalue "(?<name>[^:]+):(?<value>.*)"
| eval {name}=value
We deal with hundreds of IOCs (mostly flagged IPs) that come in monthly, and we need to check them for hits in our network. We do not want to continue using a summary search one at a time. Is it possible to use a lookup table (or any other way) to search hundreds at a time, or does this have to be done one at a time? I am very new to Splunk and still learning. I need to see if we have had any traffic from or to these IPs.
Hi, I made changes to my indexer storage, but when I look at the disk usage panel in the monitoring console, the value is negative. Has anyone faced this? I already refreshed the assets with the monitoring console refresh and restarted the instance, but nothing changed.
I don't know where to ask, that's why I'm asking here. And I still don't know how to solve this issue. I'm just a Splunk Path Finder and don't have access to open a ticket with Splunk Principal; maybe it can be solved if you have Splunk Principal.
I think I got it

| eval success=if(status=200,1,0)
| eval failure=if(status=400,1,0)
| stats sum(failure) as fail_sum, sum(success) as success_sum by app
| eval success_rate=round((success_sum / (success_sum + fail_sum))*100,1)
| table app, success_rate
Thanks - this is very close to what I'm looking for (I do want to perform this extraction at search time), but it may need a couple of tweaks. 1) All of the depts have a space in them (some more than one) and the rex is only picking up the first word of that dept. Examples: "support services", "xyz operations r&d". 2) Also, when I look into each event to see that the Tags fields are extracted, only one actually gets extracted. But it's not the same one each time?? The "name" and "namevalue" fields match the one field that does get extracted. Hope that makes sense?
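The first tweak asked for above (department values that contain spaces) is a regex problem: the value class [^, ]+ in the earlier answer's rex stops at the first space. The following is an added example, not code from either post, that runs the answer's pattern and a space-tolerant pattern side by side on a constructed tags string; the tag names and values are made up here.

```python
import re

# Constructed sample of the tags field; the department values contain spaces,
# which is exactly the case the follow-up question raises.
TAGS = "dept:support services, env:prod, owner:xyz operations r&d"

# The pattern from the earlier answer: [^, ]+ ends the value at the first space,
# so "support services" is cut down to "support".
NAIVE_RE = re.compile(r"([^:,]+):([^, ]+)")

# Values may contain anything but a comma; the lazy quantifiers together with
# the trailing \s*(?:,|$) trim whitespace around both the name and the value.
TAG_RE = re.compile(r"\s*([^:,]+?)\s*:\s*([^,]*?)\s*(?:,|$)")


def parse_tags_naive(tags):
    """What the original rex extracts (names stripped for comparison)."""
    return {name.strip(): value for name, value in NAIVE_RE.findall(tags)}


def parse_tags(tags):
    """Split 'name:value, name:value' into a dict, keeping spaces inside values."""
    return {name: value for name, value in TAG_RE.findall(tags)}


if __name__ == "__main__":
    print("naive:", parse_tags_naive(TAGS))
    print("fixed:", parse_tags(TAGS))
```

The same change carries over to the search-time rex: replacing [^, ]+ with [^,]+ in the first rex lets each namevalue item keep its whole department string, and the second rex (split on the first colon) then works unchanged.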
I've got data like: "[clientip]  [host] - [time] [method] [uri_path] [status] [useragent]" and do the following search:

index=web uri_path="/somepath" status="200" OR status="400"
| rex field=useragent "^(?<app_name>[^/]+)/(?<app_version>[^;]+)?\((?<app_platform>[^;]+); *"
| eval app=app_platform+" "+app_name+" "+app_version

I've split up the useragent just fine and verified the output. I now want to compare status by "app". So I've added the following:

| stats count by app, status

Which gives me:

app               status  count
android app 1.0   200     5000
ios app 2.0       400     3
android app 1.1   200     500
android app 1.0   400     12
ios app 2.0       200     3000

How can I compare, for a given "app" (combo of platform, name, version), the rate of success, where success is when the response = 200 and failure if 400? I understand that I need to take success and divide by success + failure count, but how do I combine this data? Also note that I need to consider that some apps may not have any 400 errors.
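The per-app success rate that this question asks for, and that the answers earlier on this page compute with stats, as an added stand-alone example outside Splunk. It is not code from the thread: the access-log lines below are constructed in the "[clientip] [host] - [time] [method] [uri_path] [status] [useragent]" layout the question describes, the useragent pattern is the question's own rex rewritten in Python's (?P<name>...) group syntax, and an app with no 400 responses is included to show that case coming out as 100.0 rather than an error.

```python
import re
from collections import defaultdict

# Constructed access-log lines; not real traffic.
LOG_LINES = [
    "203.0.113.5  web01 - 2024-11-01T10:00:01Z GET /somepath 200 app/1.0 (android; 14)",
    "203.0.113.6  web01 - 2024-11-01T10:00:02Z GET /somepath 200 app/1.0 (android; 13)",
    "203.0.113.7  web02 - 2024-11-01T10:00:03Z GET /somepath 400 app/1.0 (android; 14)",
    "203.0.113.8  web02 - 2024-11-01T10:00:04Z GET /somepath 200 app/1.0 (android; 12)",
    "203.0.113.9  web01 - 2024-11-01T10:00:05Z GET /somepath 200 app/2.0 (ios; 17.1)",
    "203.0.113.10 web01 - 2024-11-01T10:00:06Z GET /somepath 200 app/2.0 (ios; 17.0)",
    "203.0.113.11 web02 - 2024-11-01T10:00:07Z GET /somepath 500 app/1.1 (android; 14)",
    "203.0.113.12 web02 - 2024-11-01T10:00:08Z GET /other 400 app/1.0 (android; 14)",
    "203.0.113.13 web01 - 2024-11-01T10:00:09Z GET /somepath 200 curl/8.4.0",
]

LINE_RE = re.compile(
    r"^(?P<clientip>\S+)\s+(?P<host>\S+) - (?P<time>\S+) (?P<method>\S+) "
    r"(?P<uri_path>\S+) (?P<status>\d{3}) (?P<useragent>.*)$"
)
# The rex from the question, in Python's named-group syntax. Note that
# app_version keeps a trailing space ("1.0 "), so app_label() strips it.
UA_RE = re.compile(r"^(?P<app_name>[^/]+)/(?P<app_version>[^;]+)?\((?P<app_platform>[^;]+); *")


def parse_line(line):
    """Return the event fields as a dict, or None if the line does not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def app_label(useragent):
    """platform + name + version, as the question's eval builds it; None if no match."""
    m = UA_RE.match(useragent)
    if not m:
        return None
    parts = (m["app_platform"], m["app_name"], m["app_version"] or "")
    return " ".join(p.strip() for p in parts).strip()


def success_rates(lines, uri_path="/somepath"):
    """Return {app: (success_count, fail_count, success_rate_pct)}.

    Only 200 and 400 responses on uri_path are counted, mirroring the base
    search. An app that never returned 400 simply has fail_count 0 and a rate
    of 100.0; the denominator is never zero because every counted app has at
    least one 200 or 400 event.
    """
    counts = defaultdict(lambda: [0, 0])  # app -> [successes, failures]
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["uri_path"] != uri_path:
            continue
        if ev["status"] not in ("200", "400"):
            continue
        app = app_label(ev["useragent"])
        if app is None:
            continue
        counts[app][0 if ev["status"] == "200" else 1] += 1
    return {
        app: (ok, bad, round(100.0 * ok / (ok + bad), 1))
        for app, (ok, bad) in counts.items()
    }


if __name__ == "__main__":
    for app, (ok, bad, rate) in sorted(success_rates(LOG_LINES).items()):
        print(f"{app:<20} success={ok} fail={bad} success_rate={rate}")
```

This is the same arithmetic as the stats-based searches on this page: count successes and failures per app in one pass, then divide. Counting both outcomes from the same grouped pass is what makes the missing-400 case safe, because the app still appears with its success count and a zero failure count.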
It worked for me! Thanks a lot!
Did you manage to find a resolution to this issue? I am also facing the same issue.