All Posts
This YouTube video on Search Optimization in Splunk is highly useful: https://www.youtube.com/watch?v=U3A1zxag_lc ------ If you find this solution helpful, please consider accepting it and awarding karma points !!
Hi All, we are using the earliest and latest commands in a Splunk test environment search and they are working fine, but in the production environment the earliest and latest commands are not working in the SPL query for some reason. Can you please help me with alternative commands for those, and provide the solution to fix this issue, i.e. why the earliest and latest commands are not working in the production environment. Thanks, Srinivasulu S
Try this: <your_search>|rex field=source "\/audit\/logs\/(?<environment>[^\/]*)\/(?<hostname>[^-]*)\-(?<component>[^-]*)\-(?<filename>.*$)" ------ If you find this solution helpful, please consider accepting it and awarding karma points !!
Hi @karthi2809 , you can use this regex (the hostname group is added so that all four requested fields are captured): | rex field=source "^\/\w+\/\w+\/(?<environment>\w+)\/(?<hostname>\w+)-(?<component>[^-]+)-(?<filename>.*)" you can test this regex at https://regex101.com/r/0VJvAw/1 Ciao. Giuseppe
Adding sourcetype additionally in props.conf fulfilled my requirement. Thanks
How to extract fields from the source below? /audit/logs/QTEST/qtestw-core_server4-core_server4.log I need to extract QTEST as environment, qtestw as hostname, core_server4 as component, and core_server4.log as filename.
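The extraction requested in the question above, reproduced as an added Python example (not code from the thread or from Splunk): it applies the same pattern as the rex answer to the sample path plus two constructed variants, one of which deliberately does not match, so the empty-field case is visible. Splunk's rex accepts `(?<name>...)` named groups; Python's `re` needs `(?P<name>...)`, which is the only change to the pattern.

```python
import re

# Same pattern as the rex answer in the thread, with Python's (?P<name>...) group syntax.
SOURCE_PATTERN = re.compile(
    r"/audit/logs/(?P<environment>[^/]*)/(?P<hostname>[^-]*)-(?P<component>[^-]*)-(?P<filename>.*$)"
)


def extract_source_fields(source):
    """Return the four fields as a dict, or None when the source path does not match.

    None mirrors what Splunk does on a non-matching rex: the fields simply stay absent,
    so downstream searches keyed on environment/hostname silently drop the event.
    """
    match = SOURCE_PATTERN.search(source)
    return match.groupdict() if match else None


# Constructed sample sources: the path from the question, a second plausible
# environment, and a path outside /audit/logs that should not produce fields.
SAMPLE_SOURCES = [
    "/audit/logs/QTEST/qtestw-core_server4-core_server4.log",
    "/audit/logs/PROD/prodw01-api_gateway-api_gateway.log",
    "/var/log/syslog",
]


def extract_all(sources=SAMPLE_SOURCES):
    """Map every sample source to its extracted fields (or None)."""
    return {src: extract_source_fields(src) for src in sources}


if __name__ == "__main__":
    for src, fields in extract_all().items():
        print(src, "->", fields)
```

One caveat worth checking on real data: `[^-]*` for hostname stops at the first hyphen, so a host named like `qtest-w01` would be split across hostname and component. If hostnames can contain hyphens, anchor on the fixed suffix (for example the `.log` filename) rather than on the hyphens.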
Great, thanks, it works with the classic IR view.
Alright, if the "TEST" keyword is in the search title, you can filter it as shown below. search_name!=*TEST* ------ If you find this solution helpful, please consider accepting it and awarding karma points !!
Hi @jawahir007 , we don't want to suppress them, just hide them based on a saved filter.
You can achieve this by creating Custom Notable Event Suppressions. Please refer to the link below for more details. https://docs.splunk.com/Documentation/ES/7.3.2/Admin/Customizenotables#Create_and_manage_notable_event_suppressions ------ If you find this solution helpful, please consider accepting it and awarding karma points !!
Hello, we would like to filter the ES Incident Review view and hide notables with the TEST keyword, for example. How can this be done? Thanks for your help.
In this case it is asking for an "Episode State". Are you trying to set the episode state from a piece of information in the event?
Take a look into the index itsi_grouped_alerts and try to find the alert that should fire the alert action. Check whether you can find the field you are referring to in this event and whether it has content.
Hello @fernan2ruiz Since it's not a supported driver, you have to get the driver from the vendor via this link: https://documentation.softwareag.com/adabas/cxx146/install/CONNXInstall/Connecting_to_CONNX_JDBC_Server.htm and create a server class something like the one below:

[ADABAS]
displayName = adabas
serviceClass = com.splunk.dbx2.DefaultDBX2JDBC
jdbcDriverClass = com.Connx.jdbc.TCJdbc.TCJdbcDriver
jdbcUrlFormat = jdbc:adabas://:/

Splunk doc for server class creation for unsupported drivers: https://docs.splunk.com/Documentation/DBX/3.18.1/DeployDBX/Installdatabasedrivers#:~:text=on%20Windows%20hosts).-,Add%20the%20custom%20database%20to%20db_connection_types.conf,For%20more%20information%2C%20see%20Configuration%20file%20reference.,-Database%20connection%20validation
As far as I know the only way is to build this yourself. An idea would be to establish this with a correlation search which detects the change and creates a notable event, which will be added to the episode because the NEAP will fetch it and trigger the action you want. As a common way to do this, this event should have specific fields like send_email=yes and email_content=>YOURCONTENT<, so you can use the first field as the trigger and preconfigure the content of your email.
Hi, maybe you are searching for this: https://docs.splunk.com/Documentation/Splunk/9.3.1/Alert/EmailNotificationTokens Please also take a look into index=_internal for a hint why your emails aren't sent. Have you tried whether a normal SPL query with the "sendemail" command works? Are the email server settings correct?
Hello @bulbulator For sure you have to check the internal logs; there can be multiple reasons behind this issue.
Hi @Devinz , as with all tokens in Splunk, the field to pass as a token to the Correlation Search Title must be in the results of the Correlation Search itself, so in your first example you would use the $description$ field, but you don't have this field after the stats count BY rule_title command. You have to add to your CS the fields to display in the title. Ciao. Giuseppe
Hi @sajjadali1122 , you asked a very broad question. Briefly: first restrict the time range of your search as much as possible, avoid commands such as join or transaction, and be sure to have performant storage (at least 800 IOPS, better much more!). Then, if you have a large set of data, you can use some acceleration methods, which you can find described at:
https://docs.splunk.com/Documentation/SplunkCloud/8.1.12/Knowledge/Aboutdatamodels
https://docs.splunk.com/Documentation/SplunkCloud/9.2.2406/Knowledge/Usesummaryindexing
https://docs.splunk.com/Documentation/SplunkCloud/8.1.12/Report/Acceleratereports
https://www.youtube.com/watch?v=c13phau6zxg
https://docs.splunk.com/Documentation/Splunk/9.3.1/Knowledge/Acceleratetables
and so on, searching "accelerate" on Google. In a few words, you can use a summary index in which you store the results of a scheduled search, so you can search on a reduced or already grouped set of data. Or, if you have to search on structured data, you could use accelerated Data Models. Ciao. Giuseppe
Hi @Kenny_splunk , good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors