So far pretty useful to my dashboard, but do you know how to add conditions such as: LogLevel: INFO -> Blue, LogLevel: WARNING -> Yellow, LogLevel: Error -> Red?
Thank you. It worked. One small doubt: it will also work for upcoming new events, right? Is there any way to hide this in the search rather than creating a macro? And can we do it during onboarding itself, during index-time or search-time extraction? Please help me.
It's not about Splunk components' config as much as your network config.
| rex "(?<json>\{.*\})" | spath input=json
Hi, please check now.
The sample event that you posted does not contain valid json. I presume this is a copy/paste error or other typo. Please repost the raw data from your event (anonymised as required) in a code block (using the </> button above) to preserve formatting details.
Please help me get these logs ingested in a way that provides all the fields...
Nov 9 17:34:28 128.160.82.28 [local0.warning] <132>1 2024-11-09T17:34:28.436542Z AviVantage v-epswafhic2-wdc.hc.cloud.uk.hc-443 NILVALUE NILVALUE - {"adf":true,"significant":0,"udf":false,"virtualservice":"virtualservice-4583863f-48a3-42b9-8115-252a7fb487f5","report_timestamp":"2024-11-09T17:34:28.436542Z","service_engine":"GB-DRN-AB-Tier2-se-vxeuz","vcpu_id":0,"log_id":10181,"client_ip":"128.12.73.92","client_src_port":44908,"client_dest_port":443,"client_rtt":1,"http_version":"1.1","method":"HEAD","uri_path":"/path/to/monitor/page/","host":"udg1704n01.hc.cloud.uk.hc","response_content_type":"text/html","request_length":93,"response_length":94,"response_code":400,"response_time_first_byte":1,"response_time_last_byte":1,"compression_percentage":0,"compression":"","client_insights":"","request_headers":3,"response_headers":12,"request_state":"AVI_HTTP_REQUEST_STATE_READ_CLIENT_REQ_HDR","significant_log":["ADF_HTTP_BAD_REQUEST_PLAIN_HTTP_REQUEST_SENT_ON_HTTPS_PORT","ADF_RESPONSE_CODE_4XX"],"vs_ip":"128.160.71.14","request_id":"61e-RDl6-OZgZ","max_ingress_latency_fe":0,"avg_ingress_latency_fe":0,"conn_est_time_fe":1,"source_ip":"128.12.73.92","vs_name":"v-epswafhic2-wdc.hc.cloud.uk.hc-443","tenant_name":"admin"}
Hi @gcusello, I have shared the details, could you check?
Thank you for explaining, much appreciated.
That's as I described it. There are ways to remove this extra information but they are a little involved and may not give you what you need. One of the simpler ways is to do this:
| stats count by techGroupLevel problem_detail
| eventstats sum(count) as total by techGroupLevel
| stats list(problem_detail) as problem_detail list(count) as count values(total) as total by techGroupLevel
Note that problem_detail and count are now multivalue fields and you have to visually align the count with the problem detail rather than them being in separate events and therefore in alternating background colours. Btw, total is also technically a multivalue field but since there is only one value per techGroupLevel, this isn't immediately obvious!
Each input has effectively two tokens, one for what the user has chosen on the form, and one for the result of the selection. Try something like this:
<change>
  <condition value="reset_all_field_search">
    <unset token="form.search"></unset>
    <set token="form.search">*</set>
    <unset token="form.search2"></unset>
    <set token="form.search2">*</set>
    <unset token="form.search12"></unset>
    <set token="form.search12">*</set>
    <unset token="form.field4"></unset>
    <set token="form.field4">*</set>
    <unset token="form.field5"></unset>
    <set token="form.field5">*</set>
  </condition>
</change>
Thanks, I used the first line and that looks better; the second line just repeats the total on each line like this:
It is not so easy to get exactly the layout that you want as each resulting stats event contains a repeat of the information at the techGroupLevel level:
| stats count by techGroupLevel problem_detail
| eventstats sum(count) as total by techGroupLevel
Hello Splunkers!! Splunk is receiving the data from my Oracle database table via DB Connect. All of the events are created correctly when the query is run in the SQL editor, but some events are missing when they arrive in Splunk. What can be done if certain occurrences are missed? Please assist me in determining possible causes. Note: my current "Max Rows to Retrieve" is set to 10000.
"2. Search head must be able to contact CM, indexers and LM"
Could you please tell me where to check that the search head is connected with the CM, indexers and LM on the existing old server, and, when we are migrating to the new server, where to make the configuration changes so it can contact the CM, indexers and LM?
Hi @jan, as @PickleRick also said: it seems that you want to configure a CM as a slave and it isn't possible; maybe you ran the wrong command. Ciao. Giuseppe
Morning All, I'd appreciate some guidance on an SPL search I'm working on; I just can't get the information I require. My dataset is tickets on our helpdesk. I'm looking for the total number of tickets each team has for each different request type. Team is called techGroupLevel, request type is called problem_detail. Here's my search so far and it's just not right:
| table _time id displayClient location_Name problem_detail detail bookmarkableLink status priority techGroupId techGroupLevel tech_Name reportDateUtc lastUpdated closeDate
| stats values(problem_detail) as problem_detail count(problem_detail) as total by techGroupLevel
Under this I'm getting the following; you can see that the figure returned on total is the combined total for all problem_details for each team. I'd prefer to see a separate figure for each problem detail and then perhaps a total sum under each team, but don't know how to go about this. For example:
techGroupLevel        problem_detail    Sub-Total    Total
Systems & Network     Email             10           20
                      Server            5
                      Shared Drive      5
Appreciate some guidance, thanks, Paula
One of the SFRs from the Security Target of https://www.niap-ccevs.org/products/11330 claims the below.
FIA_X509_EXT.1 X.509 Certificate Validation
...
The application shall validate the extendedKeyUsage (EKU) field according to the following rules:
...
Server certificates presented for TLS shall have the Server Authentication purpose (id-kp 1 with OID 1.3.6.1.5.5.7.3.1) in the EKU field.
So, I am assuming that this validation is handled only in Splunk Enterprise's common criteria mode.
Hi All, I am planning to upgrade Splunk Enterprise in production. Our Splunk environment has:
1 - Cluster master
4 - indexers
1 - deployment server
1 - search head
1 - monitoring console
1 - license master
Is it possible to have the search head on version 9.0.3 and the remaining Splunk servers upgraded to 9.1.0? The search head role is also provided by other servers in our environment.
Hello Splunkers, I have created an input dropdown where I need to reset all input dropdowns, irrespective of the selections made, to the default value of the fields. Here I can change the values that were passed to the search, but I was unable to change the values that were present in the input dropdown.
<input type="radio" token="field3" searchWhenChanged="true">
  <label>Condition_1</label>
  <choice value="=">Contains</choice>
  <choice value="!=">Does Not Contain</choice>
  <default>=</default>
  <initialValue>=</initialValue>
</input>
<input type="text" token="search" searchWhenChanged="true">
  <label>All Fields Search_1</label>
  <default>*</default>
  <initialValue>*</initialValue>
  <prefix>"*</prefix>
  <suffix>*"</suffix>
</input>
<input type="checkbox" token="field4">
  <label>Add New Condition</label>
  <choice value="1">Yes</choice>
</input>
<input type="dropdown" token="field5" searchWhenChanged="true" depends="$field4$" rejects="$reset_all_field_search$">
  <label>Expression</label>
  <choice value="AND">AND</choice>
  <choice value="OR">OR</choice>
  <default>AND</default>
  <initialValue>AND</initialValue>
</input>
<input type="radio" token="field6" searchWhenChanged="true" depends="$field4$" rejects="$reset_all_field_search$">
  <label>Condition_2</label>
  <choice value="=">Contains</choice>
  <choice value="!=">Does Not Contain</choice>
  <default>=</default>
  <initialValue>=</initialValue>
</input>
<input type="text" token="search2" searchWhenChanged="true" depends="$field4$" rejects="$reset_all_field_search$">
  <label>All Fields Search_2</label>
  <default>*</default>
  <initialValue>*</initialValue>
  <prefix>"*</prefix>
  <suffix>*"</suffix>
</input>
<input type="checkbox" token="field14" depends="$field4$">
  <label>Add New Condition</label>
  <choice value="1">Yes</choice>
</input>
<input type="dropdown" token="field15" searchWhenChanged="true" depends="$field14$" rejects="$reset_all_field_search$">
  <label>Expression</label>
  <choice value="AND">AND</choice>
  <choice value="OR">OR</choice>
  <default>AND</default>
  <initialValue>AND</initialValue>
</input>
<input type="radio" token="field16" searchWhenChanged="true" depends="$field14$" rejects="$reset_all_field_search$">
  <label>Condition_3</label>
  <choice value="=">Contains</choice>
  <choice value="!=">Does Not Contain</choice>
  <default>=</default>
  <initialValue>=</initialValue>
</input>
<input type="text" token="search12" searchWhenChanged="true" depends="$field14$" rejects="$reset_all_field_search$">
  <label>All Fields Search_3</label>
  <default>*</default>
  <initialValue>*</initialValue>
  <prefix>"*</prefix>
  <suffix>*"</suffix>
</input>
<input type="checkbox" token="reset_all_field_search" searchWhenChanged="true">
  <label>Reset All field search</label>
  <choice value="reset_all_field_search">Yes</choice>
  <delimiter> </delimiter>
  <change>
    <condition value="reset_all_field_search">
      <unset token="search"></unset>
      <set token="search">*</set>
      <unset token="search2"></unset>
      <set token="search2">*</set>
      <unset token="search12"></unset>
      <set token="search12">*</set>
      <unset token="field4"></unset>
      <set token="field4">*</set>
      <unset token="field5"></unset>
      <set token="field5">*</set>
    </condition>
  </change>
</input>
Please help me to fix this. Thanks!