All Posts


@ITWhisperer I am using a lookup file with a single column and multiple entries, which contains filenames. I am trying to match those names with the Filename field in the query to obtain results which match the value.
LOL...so you formatted the data as JSON, then used |collect mode=raw. I ended up just editing the limits.conf to enable mv mode for raw mode collect and didn't end up using the JSON at all.
Hi @catta99,
To clear the server-side cache, restart splunkweb as you have done:
    $SPLUNK_HOME/splunk/bin/splunk restart splunkweb
To clear the client-side cache, use your browser's cache functions or temporarily disable caching in your browser's dev tools.
To prevent splunkweb from caching source files during development, you can disable caching in web.conf and restart Splunk:
    # $SPLUNK_HOME/etc/system/local/web.conf
    [settings]
    cacheBytesLimit = 0
The example I provided can be expanded as needed. If you're still having issues after clearing all caches, reply with a reduced SimpleXML and JavaScript example, and we'll take another look.
Hi there, we worked around this problem by having the same 'splunk.secret' file on all instances, this enables you to have encrypted passwords or secrets in your deployment apps. Hope this helps ... cheers, MuS
Hi there, I worked around that problem by using `tojson` before the `collect`:
    | tojson | collect index=schnafu
Hope this helps ... cheers, MuS
I believe I was overthinking it. I was able to get what I needed with this.
    index=store source="softwareinventory" host="SNC****"
    | dedup host
    | rex field=host "(SNC|POPS)(?<Store>\d+)"
    | search "Message.Rogue.AllDskID{}"="E:" OR "Message.Rogue.AllDskID{}"="F:" OR "Message.Rogue.AllDskID{}"="G:"
    | rename Message.Rogue.AllDskID{} as Drive_Letter
    | rename Message.Rogue.AllVlmName{} as Volume_Name
    | table Store Drive_Letter Volume_Name
Oddly - no. In the other (non orig) index, '...|table myField,_raw' shows nothing for myField, and the _raw data is there, represented as full JSON, including myField with the expected value.  
I don't think we can change that in the JSON code. Looks like a bug to me. I can check internally and see what I can do.
Is your | collect mode=hec also showing an empty _raw {} in your summary index? Mine is.
    index=orig | collect mode=hec | table _raw
displays {some stuff in here}
    index=summary | table _raw
displays {} nothing inside (but all the fields are search time present...just not the original _raw json {})
"Weekly Reboot":{"ScheduledTaskState":"Enabled","StartTime":"4:00:00 AM","LastRunTime":"10/23/2024 4:00:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly Reboot -Optional":{"ScheduledTaskState":"Enabled","StartTime":"4:00:00 AM","LastRunTime":"10/22/2024 4:00:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly reboot-POPS stalls":{"ScheduledTaskState":"Enabled","StartTime":"3:45:00 AM","LastRunTime":"10/23/2024 3:45:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Workstation Audit Logs":{"ScheduledTaskState":"Enabled","StartTime":"12:05:00 AM","LastRunTime":"10/23/2024 12:05:01 AM","LastResult":"0","Author":"BrandDevOpsTeam","RunAsUser":"SYSTEM"}},"FilesInLoad":{},"Cdrive":{"DriveName":"Sonic","TotalFriendlySize":"146GB","TotalSizeBytes":"157286395904","FriendlyFreeSpace":"64GB","FreeSpaceBytes":"69178445824","PercentFree":"44%","ChkDskNeeded":"NotAvailable"},"Rogue":{"AllDskID":["C:"," ","F:","G:"],"AllVlmName":["Sonic","Micros","Sonic","Micros"]},"Stall":{"12":"GENERIC","16":"GENERIC","10":"POPS4","06":"POPS4","26":"GENERIC","100":"POPS4","11":"POPS4","07":"GENERIC","05":"POPS4","32":"GENERIC","94":"DriveThru","02":"POPS4","04":"POPS4","08":"POPS4","25":"GENERIC","56":"GENERIC","09":"POPS4","01":"POPS4","03":"POPS4"},"ErrorPCG":"No recent PCG Install errors detected","Ddrive":{"DriveName":"Micros","TotalFriendlySize":"91GB","TotalSizeBytes":"98123640832","FriendlyFreeSpace":"33GB","FreeSpaceBytes":"35223568384","PercentFree":"36%","ChkDskNeeded":"NotAvailable"},"RAIDinfo":{"DriverVersion":"15.9.0.1015","ToolVersion":"15.9.0.1015"},"RAIDtest":{"SystemType":"UnableToQuery","RAIDstatus":"UnableToQuery","ErrorMessage":"Provider failure "},"VigilixRegistry":"VigilixRegistryCorrect"}}
Hi @Robwhoa78 , in the sample you shared, there's only one value "C:", not also the others, could you share a sample with all the values to extract? highlighting in bold the values to extract? Ciao. Giuseppe
Wait a second. Does your raw data contain the string in quotes or without them?
I tried this and it still showed results for a stats or timechart output.
I need this to show the AllDskID which is C,D,E,F, or G. Examples are below.
    "Rogue":{"AllDskID":["C:","D:","E","F"]
    "Rogue":{"AllDskID":["C:","D:","F","G"]
    "Rogue":{"AllDskID":["C:","D:"]
Hi @Robwhoa78, if you used INDEXED_EXTRACTIONS = JSON you should have the value; otherwise, you could use the spath command. As a last choice, you could use rex:
    | rex "\"Rogue\":\{\"AllDskID\":\[\"(?<AllDskID>[^\"]+)"
If instead your issue is that from the "Message.Rogue.AllDskID{}" field you have more than you want, you could try with:
    | rex field=Message.Rogue.AllDskID{} "^\"(?<AllDskID>[^\"]+)"
Ciao. Giuseppe
Mvmap has different results on different versions. The left screen is version 9.3.1, the right is 9.0.5. If the field has more than one value, the result will be equal.
{"Level":"INFO","Timestamp":"2024-10-23T11:15:30.2696398-06:00","Message":{"Hiberfile":"NonExist"},"FireWallStatus":{"DomainFireWall":"OFF","PrivateFireWall":"OFF","PublicFireWall":"OFF"},"TermInfo":{"Lane91":"InTermHandler","Lane50":"InTermHandler"},"Time":{"Timezone":"Mountain Standard Time","DaylightSavings":"True","LocalClock":"10/23/2024 11:15:24 AM","Status":{"LastSuccessfulSync":"10/23/2024 11:13:57 AM","LastSyncSource":"pool.ntp.org"},"Peers":{"TimeServer#1":"pool.ntp.org","TimeServer#2":"time.windows.com"}},"MarketingTimeStamp":{"MarketingTimeStamp":"2024-10-11T20:29:09.000"},"TaskInfo":{"AI Restart DAILY":{"ScheduledTaskState":"Enabled","StartTime":"1:30:00 AM","LastRunTime":"10/23/2024 1:30:01 AM","LastResult":"2","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"AI Restart Weekly":{"ScheduledTaskState":"Enabled","StartTime":"4:30:00 AM","LastRunTime":"10/23/2024 4:30:00 AM","LastResult":"2","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"CarHop Backup":{"ScheduledTaskState":"Enabled","StartTime":"4:45:00 AM","LastRunTime":"10/23/2024 4:45:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"D Drive Temp Folder Clean Up":{"ScheduledTaskState":"Enabled","StartTime":"2:30:00 AM","LastRunTime":"10/23/2024 2:30:01 AM","LastResult":"1","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"LANDESK Agent Health":{"ScheduledTaskState":"Enabled","StartTime":"9:00:00 PM","LastRunTime":"10/22/2024 9:00:01 PM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"MicrosoftEdgeUpdateTaskMachineCore{5E85796F-9899-4CC1-B3A0-4D719B6B80C5}":{"ScheduledTaskState":"Enabled","StartTime":"11:48:40 AM","LastRunTime":"11/30/1999 12:00:00 AM","LastResult":"267011","Author":"N/A","RunAsUser":"SYSTEM"},"MicrosoftEdgeUpdateTaskMachineUA{74A7D1C8-E2E1-498A-B5E2-2E132A3C29ED}":{"ScheduledTaskState":"Enabled","StartTime":"11:18:40 AM","LastRunTime":"11/30/1999 12:00:00 
AM","LastResult":"267011","Author":"N/A","RunAsUser":"SYSTEM"},"PAYS Restart Daily":{"ScheduledTaskState":"Enabled","StartTime":"5:00:00 AM","LastRunTime":"10/23/2024 5:00:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"PCDiskClean":{"ScheduledTaskState":"Enabled","StartTime":"5:30:00 AM","LastRunTime":"10/23/2024 5:30:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Restart DPC - Daily":{"ScheduledTaskState":"Enabled","StartTime":"5:30:00 AM","LastRunTime":"10/23/2024 5:30:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Restart Interceptor Daily":{"ScheduledTaskState":"Enabled","StartTime":"5:30:00 AM","LastRunTime":"10/23/2024 5:30:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Restart SIS After Reboot":{"ScheduledTaskState":"Enabled","StartTime":"N/A","LastRunTime":"10/23/2024 4:11:19 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Restart Splunk":{"ScheduledTaskState":"Enabled","StartTime":"12:00:00 AM","LastRunTime":"10/23/2024 6:00:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"SISRestart":{"ScheduledTaskState":"Enabled","StartTime":"5:00:00 AM","LastRunTime":"10/23/2024 5:00:01 AM","LastResult":"-2147024894","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"System To FOH On Reboot":{"ScheduledTaskState":"Enabled","StartTime":"N/A","LastRunTime":"10/23/2024 11:12:27 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly Reboot":{"ScheduledTaskState":"Enabled","StartTime":"4:00:00 AM","LastRunTime":"10/23/2024 4:00:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly Reboot -Optional":{"ScheduledTaskState":"Enabled","StartTime":"4:00:00 AM","LastRunTime":"10/22/2024 4:00:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly reboot-POPS 
stalls":{"ScheduledTaskState":"Enabled","StartTime":"3:45:00 AM","LastRunTime":"10/23/2024 3:45:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Workstation Audit Logs":{"ScheduledTaskState":"Enabled","StartTime":"12:05:00 AM","LastRunTime":"10/23/2024 12:05:01 AM","LastResult":"0","Author":"BrandDevOpsTeam","RunAsUser":"SYSTEM"}},"FilesInLoad":{},"Cdrive":{"DriveName":"Sonic","TotalFriendlySize":"146GB","TotalSizeBytes":"157286395904","FriendlyFreeSpace":"69GB","FreeSpaceBytes":"73613537280","PercentFree":"47%","ChkDskNeeded":"NotAvailable"},"Rogue":{"AllDskID":["C:"," "],"AllVlmName":["Sonic","Micros"]},
Hi, I'm getting a 201 token error on the Splunk Cloud maintenance dashboard. Just wondered if anyone has seen this before.
Hi @Robwhoa78 , could you share a sample of your logs? Ciao. Giuseppe
If your problem is resolved, then please click the "Accept as Solution" button to help future readers.