Hi @Robwhoa78 , if you used INDEXED_EXTRACTIONS = JSON you should have the value; otherwise, you could use the spath command. As a last choice, you could use rex:

| rex "\"Rogue\":\{\"AllDskID\":\[\"(?<AllDskID>[^\"]+)"

If instead your issue is that from the "Message.Rogue.AllDskID{}" field you have more than you want, you could try with:

| rex field=Message.Rogue.AllDskID{} "^\"(?<AllDskID>[^\"]+)"

Ciao. Giuseppe
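As an added worked example (not part of Giuseppe's reply or of the thread), the following Python script walks through the three approaches above on a constructed event modelled on the JSON sample posted in this thread: structured parsing (what INDEXED_EXTRACTIONS / spath give you) beside the regex route. The sample values, the extra drive letters and the function names are assumptions. It also shows why the rex above, having a single capture group, returns only the first element of the AllDskID array, and what a pattern that keeps every element looks like (the SPL analogue is running rex with max_match=0).

```python
import json
import re
from typing import List, Optional

# Constructed sample event, modelled on the fragment posted in this thread.
# The real event is far longer; only the keys needed here are kept, and the
# extra drive letters D: and E: are invented for the example.
SAMPLE_EVENT = (
    '{"Level":"INFO","Timestamp":"2024-10-23T11:15:30.2696398-06:00",'
    '"Message":{"Hiberfile":"NonExist"},'
    '"Rogue":{"AllDskID":["C:"," ","D:","E:"],"AllVlmName":["Sonic","Micros"]}}'
)


def disk_ids_structured(raw: str) -> List[str]:
    """Parse the event as JSON and walk to Rogue.AllDskID.

    This mirrors what INDEXED_EXTRACTIONS = JSON or spath do: no regex,
    so nested quotes or escaped characters cannot break the extraction.
    Blank placeholders such as " " are dropped so only real IDs remain.
    """
    event = json.loads(raw)
    ids = event.get("Rogue", {}).get("AllDskID", [])
    return [d.strip() for d in ids if d.strip()]


# The regex from the reply above, translated to Python syntax. It has one
# capture group, so it can only ever return the first array element.
FIRST_ONLY = re.compile(r'"Rogue":\{"AllDskID":\["(?P<AllDskID>[^"]+)')


def first_disk_id(raw: str) -> Optional[str]:
    m = FIRST_ONLY.search(raw)
    return m.group("AllDskID") if m else None


# A regex that captures every element of the array: first isolate the
# bracketed body, then pull out each quoted string inside it.
ARRAY_BODY = re.compile(r'"AllDskID":\[([^\]]*)\]')
ELEMENT = re.compile(r'"([^"]*)"')


def all_disk_ids_regex(raw: str) -> List[str]:
    m = ARRAY_BODY.search(raw)
    if not m:
        return []
    return [e.strip() for e in ELEMENT.findall(m.group(1)) if e.strip()]


if __name__ == "__main__":
    print(disk_ids_structured(SAMPLE_EVENT))  # ['C:', 'D:', 'E:']
    print(first_disk_id(SAMPLE_EVENT))        # C:
    print(all_disk_ids_regex(SAMPLE_EVENT))   # ['C:', 'D:', 'E:']
```

Prefer the structured route wherever the event really is JSON: a regex over the raw text stops at the first element unless you deliberately loop over matches, and it is easy to mis-anchor when the key also appears under another parent (here the field path in the question is Message.Rogue.AllDskID{}, while the posted sample carries Rogue at the top level).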
mvmap has different results on different versions. The left screen is version 9.3.1, the right is 9.0.5. If the field has more than one value, the result will be equal.
{"Level":"INFO","Timestamp":"2024-10-23T11:15:30.2696398-06:00","Message":{"Hiberfile":"NonExist"},"FireWallStatus":{"DomainFireWall":"OFF","PrivateFireWall":"OFF","PublicFireWall":"OFF"},"TermInfo":{"Lane91":"InTermHandler","Lane50":"InTermHandler"},"Time":{"Timezone":"Mountain Standard Time","DaylightSavings":"True","LocalClock":"10/23/2024 11:15:24 AM","Status":{"LastSuccessfulSync":"10/23/2024 11:13:57 AM","LastSyncSource":"pool.ntp.org"},"Peers":{"TimeServer#1":"pool.ntp.org","TimeServer#2":"time.windows.com"}},"MarketingTimeStamp":{"MarketingTimeStamp":"2024-10-11T20:29:09.000"},"TaskInfo":{"AI Restart DAILY":{"ScheduledTaskState":"Enabled","StartTime":"1:30:00 AM","LastRunTime":"10/23/2024 1:30:01 AM","LastResult":"2","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"AI Restart Weekly":{"ScheduledTaskState":"Enabled","StartTime":"4:30:00 AM","LastRunTime":"10/23/2024 4:30:00 AM","LastResult":"2","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"CarHop Backup":{"ScheduledTaskState":"Enabled","StartTime":"4:45:00 AM","LastRunTime":"10/23/2024 4:45:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"D Drive Temp Folder Clean Up":{"ScheduledTaskState":"Enabled","StartTime":"2:30:00 AM","LastRunTime":"10/23/2024 2:30:01 AM","LastResult":"1","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"LANDESK Agent Health":{"ScheduledTaskState":"Enabled","StartTime":"9:00:00 PM","LastRunTime":"10/22/2024 9:00:01 PM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"MicrosoftEdgeUpdateTaskMachineCore{5E85796F-9899-4CC1-B3A0-4D719B6B80C5}":{"ScheduledTaskState":"Enabled","StartTime":"11:48:40 AM","LastRunTime":"11/30/1999 12:00:00 AM","LastResult":"267011","Author":"N/A","RunAsUser":"SYSTEM"},"MicrosoftEdgeUpdateTaskMachineUA{74A7D1C8-E2E1-498A-B5E2-2E132A3C29ED}":{"ScheduledTaskState":"Enabled","StartTime":"11:18:40 AM","LastRunTime":"11/30/1999 12:00:00 AM","LastResult":"267011","Author":"N/A","RunAsUser":"SYSTEM"},"PAYS Restart Daily":{"ScheduledTaskState":"Enabled","StartTime":"5:00:00 AM","LastRunTime":"10/23/2024 5:00:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"PCDiskClean":{"ScheduledTaskState":"Enabled","StartTime":"5:30:00 AM","LastRunTime":"10/23/2024 5:30:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Restart DPC - Daily":{"ScheduledTaskState":"Enabled","StartTime":"5:30:00 AM","LastRunTime":"10/23/2024 5:30:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Restart Interceptor Daily":{"ScheduledTaskState":"Enabled","StartTime":"5:30:00 AM","LastRunTime":"10/23/2024 5:30:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Restart SIS After Reboot":{"ScheduledTaskState":"Enabled","StartTime":"N/A","LastRunTime":"10/23/2024 4:11:19 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Restart Splunk":{"ScheduledTaskState":"Enabled","StartTime":"12:00:00 AM","LastRunTime":"10/23/2024 6:00:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"SISRestart":{"ScheduledTaskState":"Enabled","StartTime":"5:00:00 AM","LastRunTime":"10/23/2024 5:00:01 AM","LastResult":"-2147024894","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"System To FOH On Reboot":{"ScheduledTaskState":"Enabled","StartTime":"N/A","LastRunTime":"10/23/2024 11:12:27 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly Reboot":{"ScheduledTaskState":"Enabled","StartTime":"4:00:00 AM","LastRunTime":"10/23/2024 4:00:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly Reboot -Optional":{"ScheduledTaskState":"Enabled","StartTime":"4:00:00 AM","LastRunTime":"10/22/2024 4:00:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly reboot-POPS stalls":{"ScheduledTaskState":"Enabled","StartTime":"3:45:00 AM","LastRunTime":"10/23/2024 3:45:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Workstation Audit Logs":{"ScheduledTaskState":"Enabled","StartTime":"12:05:00 AM","LastRunTime":"10/23/2024 12:05:01 AM","LastResult":"0","Author":"BrandDevOpsTeam","RunAsUser":"SYSTEM"}},"FilesInLoad":{},"Cdrive":{"DriveName":"Sonic","TotalFriendlySize":"146GB","TotalSizeBytes":"157286395904","FriendlyFreeSpace":"69GB","FreeSpaceBytes":"73613537280","PercentFree":"47%","ChkDskNeeded":"NotAvailable"},"Rogue":{"AllDskID":["C:"," "],"AllVlmName":["Sonic","Micros"]},
Hi, I'm getting a 201 token error on the Splunk Cloud maintenance dashboard. Just wondered if anyone has seen this before.
Hi @Robwhoa78 , could you share a sample of your logs? Ciao. Giuseppe
If your problem is resolved, then please click the "Accept as Solution" button to help future readers.
How did you solve this issue? I am facing the same problem.
You can split it into 2 commands to make it work: ... | eval output=mvappend(field_1, field_2) | stats values(output) as output
coalesce is not the right approach if both fields have a value in the same event as it will only use the value of the first field containing a non-null value...
FWIW, this syntax is not working for me: ... | stats values(mvappend(field_1, field_2)) AS output
Hi Team, I am trying to design a query whose result should look like: total event count, sub event count, and sub event in percent. Can you please help with the query? For example, the table below:

Work_Month_week | total_week_day | work day of week | Number of work hours | percent work hours
1               | 3              | Mon              | 2                    | %
                |                | Tus              | 4                    | %
                |                | Tus              | 4                    | %
2               | 2              | Mon              | 2                    | %
                |                | Tus              | 4                    | %
3               | 3              | Mon              | 3                    | %
                |                | Tus              | 5                    | %
                |                | thu              | 4                    | %
I have this message field that I need to extract the value from the brackets. The values are C,D,E,F,G Message.Rogue.AllDskID{} how would I use REX to do this? Or would I need to use the eval command?    
Hi community, I have observed an issue with the ingestion of the first line in a log file that, at first glance, seemed to have been truncated. Here's a screenshot for reference: My apologies for the poor job at blurring the data, but the first event should look like the second event, with a whole lot of data after the highlighted field. The field DistPoint itself should have a value of "DEPSY.IM2" and, it got, apparently, truncated at such a weird point. All other subsequent lines in the log were successfully ingested. There were 3 log files landing on the ingestion point in quick succession - seconds apart, so I am not sure if this could have been the issue. I was about to update the truncate value for the sourcetype, but all lines in the logs are 3551 bytes, by default. Any ideas as to what could the problem have been? Thank you.
I've done something similar but put it as a saved search in an app and shared that.  The app contained a dashboard that would load the results from the saved search.  I forget the syntax but there is a trick to it and it shouldn't be too hard to sort out.
We made this change, and it worked fine! Thank you so much for your help.
It worked! thank you!
Hi @redmandba , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi @CyberWolf , I suppose that you want to check this for each Account_name; you could try with stats:

<your_search> | iplocation src | stats dc(city) AS city_count BY Account_name | where city_count>1

Use the Account_name field you have in your logs. Ciao. Giuseppe
| streamstats latest(city) as previous current=f
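As an added example (not from either reply above), the Python below reproduces both detection ideas in this thread on a constructed set of already geo-enriched login events: the stats dc(city) BY Account_name | where city_count>1 approach, which flags every account seen from more than one city, and the streamstats latest(city) AS previous current=f approach, which instead reports the moment an account's city changes. The events, IPs, cities, account names and the function names are all assumptions; the streamstats variant is taken to be split BY Account_name, which the one-line reply does not state.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample events. The src addresses are documentation ranges and
# are assumed to have already been enriched with a city by iplocation, so
# every record carries Account_name and city. An empty city is what you get
# when the IP is not in the geo database.
EVENTS = [
    {"_time": "2024-10-23T08:00:00", "Account_name": "alice", "src": "203.0.113.10", "city": "Denver"},
    {"_time": "2024-10-23T08:05:00", "Account_name": "bob",   "src": "198.51.100.7", "city": "Austin"},
    {"_time": "2024-10-23T08:20:00", "Account_name": "alice", "src": "203.0.113.11", "city": "Denver"},
    {"_time": "2024-10-23T09:10:00", "Account_name": "alice", "src": "192.0.2.44",   "city": "Lisbon"},
    {"_time": "2024-10-23T09:30:00", "Account_name": "bob",   "src": "198.51.100.9", "city": "Austin"},
    {"_time": "2024-10-23T10:00:00", "Account_name": "carol", "src": "192.0.2.80",   "city": ""},
]


def accounts_with_multiple_cities(events) -> Dict[str, int]:
    """Equivalent of: stats dc(city) AS city_count BY Account_name | where city_count>1.

    Empty city values are skipped, matching the way dc() ignores null values;
    otherwise an un-geolocated login would count as a second 'city'.
    Returns {Account_name: city_count} for the accounts that trip the rule.
    """
    cities = defaultdict(set)
    for e in events:
        if e["city"]:
            cities[e["Account_name"]].add(e["city"])
    return {acct: len(c) for acct, c in cities.items() if len(c) > 1}


def city_changes(events) -> List[Tuple[str, str, str, str]]:
    """Equivalent of: streamstats latest(city) AS previous current=f BY Account_name,
    then keeping the events whose city differs from the previous one.

    Unlike the dc() summary this keeps the timeline, so each tuple
    (time, account, previous_city, city) points at the exact login to review.
    """
    previous: Dict[str, str] = {}
    changes: List[Tuple[str, str, str, str]] = []
    for e in sorted(events, key=lambda ev: ev["_time"]):
        acct, city = e["Account_name"], e["city"]
        if not city:
            continue
        prev = previous.get(acct)
        if prev is not None and prev != city:
            changes.append((e["_time"], acct, prev, city))
        previous[acct] = city
    return changes


if __name__ == "__main__":
    print(accounts_with_multiple_cities(EVENTS))  # {'alice': 2}
    for change in city_changes(EVENTS):
        print(change)  # ('2024-10-23T09:10:00', 'alice', 'Denver', 'Lisbon')
```

The two functions answer different questions: the first is a cheap summary over the search window (good for a scheduled alert), the second tells you which login to look at and in what order the cities appeared. Both treat a missing city as "unknown" rather than as a new location, which is the usual choice so that gaps in the geo database do not generate noise.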
When you force a default it will populate the token, as long as the token is populated then the search will return results.  I would remove the default but I feel like you set that for a reason.  So maybe I'm not understanding the full use case.