How did you solve this issue? I am facing same problem.  
You can split it into 2 commands to make it work: ... | eval output=mvappend(field_1, field_2) | stats values(output) as output
coalesce is not the right approach if both fields have a value in the same event as it will only use the value of the first field containing a non-null value...
FWIW, this syntax is not working for me: ... | stats values(mvappend(field_1, field_2)) AS output
Hi Team, I am trying to design a query which should show results like total event count, sub event count and sub event in percent. Can you please help with the query? For example, the table below:

Work_Month_week | total_week_day | work day of week | Number of work hours | percent work hours
1 | 3 | Mon | 2 | %
  |   | Tus | 4 | %
  |   | Tus | 4 | %
2 | 2 | Mon | 2 | %
  |   | Tus | 4 | %
3 | 3 | Mon | 3 | %
  |   | Tus | 5 | %
  |   | thu | 4 | %
I have this message field from which I need to extract the value from the brackets. The values are C, D, E, F, G: Message.Rogue.AllDskID{} How would I use rex to do this? Or would I need to use the eval command?
Hi community, I have observed an issue with the ingestion of the first line in a log file that, at first glance, seemed to have been truncated. Here's a screenshot for reference: My apologies for the poor job at blurring the data, but the first event should look like the second event, with a whole lot of data after the highlighted field. The field DistPoint itself should have a value of "DEPSY.IM2" and it got, apparently, truncated at such a weird point. All other subsequent lines in the log were successfully ingested. There were 3 log files landing on the ingestion point in quick succession, seconds apart, so I am not sure if this could have been the issue. I was about to update the truncate value for the sourcetype, but all lines in the logs are 3551 bytes, by default. Any ideas as to what the problem could have been? Thank you.
I've done something similar but put it as a saved search in an app and shared that. The app contained a dashboard that would load the results from the saved search. I forget the syntax, but there is a trick to it and it shouldn't be too hard to sort out.
We made this change, and it worked fine! Thank you so much for your help.
It worked! thank you!
Hi @redmandba , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi @CyberWolf, I suppose that you want to check this for each Account_name. You could try with stats:

<your_search> | iplocation src | stats dc(city) AS city_count BY Account_name | where city_count>1

Use the Account_name field you have in your logs. Ciao. Giuseppe
| streamstats latest(city) as previous current=f
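The two answers above approach the same detection differently: the first counts distinct cities per account (`stats dc(city) ... | where city_count>1`), the second carries the previous event's city alongside the current one (`streamstats latest(city) as previous current=f`) so a change of city can be flagged event by event. The block below is an added example, not code from either poster, that reproduces both checks in Python over constructed log lines so the logic can be run offline. The IP-to-city table is a constructed stand-in for Splunk's iplocation lookup, the log lines are made up, and the streamstats variant is grouped per Account_name here (an assumption; the one-line answer above has no BY clause).

```python
"""Flag accounts that authenticate from more than one city.

Added example (not from the thread). Mirrors two SPL answers:
  1) | iplocation src | stats dc(city) AS city_count BY Account_name | where city_count>1
  2) | streamstats latest(city) AS previous current=f  (here: BY Account_name, an assumption)
The GEOIP table and SAMPLE_LOG are constructed for the example; GEOIP stands
in for the iplocation GeoIP lookup and contains no real geolocation data.
"""
from collections import defaultdict
import re

# Constructed stand-in for `iplocation src` (documentation/test-net ranges).
GEOIP = {
    "203.0.113.10": "Munich",
    "203.0.113.11": "Munich",
    "198.51.100.7": "Lisbon",
    "192.0.2.44": "Oslo",
}

# Constructed authentication events, already in time order (oldest first).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z Account_name=alice src=203.0.113.10 action=success
2024-05-01T08:05:17Z Account_name=bob src=192.0.2.44 action=success
2024-05-01T08:09:42Z Account_name=alice src=203.0.113.11 action=success
2024-05-01T08:12:03Z Account_name=alice src=198.51.100.7 action=success
2024-05-01T08:20:55Z Account_name=bob src=192.0.2.44 action=failure
2024-05-01T08:31:10Z Account_name=carol src=10.0.0.5 action=success
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(log_text):
    """Turn each line into a dict of key=value fields plus `_time` and `city`.
    Private or unknown addresses get city=None, as iplocation leaves the
    field empty for addresses it cannot resolve."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = dict(FIELD_RE.findall(line))
        ev["_time"] = line.split(" ", 1)[0]
        ev["city"] = GEOIP.get(ev.get("src"))
        events.append(ev)
    return events


def multi_city_accounts(events):
    """stats dc(city) AS city_count BY Account_name | where city_count>1.
    Returns {Account_name: sorted distinct cities} for accounts seen in
    more than one city. Null cities are skipped, as dc() ignores nulls."""
    cities = defaultdict(set)
    for ev in events:
        if ev.get("city"):
            cities[ev["Account_name"]].add(ev["city"])
    return {acct: sorted(c) for acct, c in cities.items() if len(c) > 1}


def city_changes(events):
    """streamstats latest(city) AS previous current=f BY Account_name, then
    keep events whose city differs from the account's previous city.
    Returns (time, Account_name, previous_city, city) tuples."""
    previous = {}
    changes = []
    for ev in events:
        acct, city = ev["Account_name"], ev.get("city")
        if city is None:
            continue
        prev = previous.get(acct)
        if prev is not None and prev != city:
            changes.append((ev["_time"], acct, prev, city))
        previous[acct] = city
    return changes


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for acct, cs in multi_city_accounts(evs).items():
        print(f"{acct}: seen in {', '.join(cs)}")
    for t, acct, prev, cur in city_changes(evs):
        print(f"{t} {acct} moved {prev} -> {cur}")
```

The two functions answer different questions: multi_city_accounts tells you which accounts to look at over the whole search window, while city_changes tells you at which event the change happened, which is what you want when the alert should fire on the transition rather than on the account. Both skip events whose source address could not be geolocated, which is also how dc() and the streamstats comparison behave when city is null in Splunk.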
When you force a default it will populate the token, as long as the token is populated then the search will return results.  I would remove the default but I feel like you set that for a reason.  So ... See more...
When you force a default it will populate the token, as long as the token is populated then the search will return results.  I would remove the default but I feel like you set that for a reason.  So maybe I'm not understanding the full use case.
Here, does <source> mean you have typed the exact path of the file, or just <source> as is?
If you put that setting under the specific stanza for that sourcetype, then changes to the default stanza won't impact it. Anything under the default stanza is only considered if the same setting has NOT been set in a more specific stanza.
Try making the labels shorter
Hello @JagsP

Please update the [stanza] regex as follows:

REGEX = successful\, returned exit code \'0\'

Note: Make sure to place the configurations correctly, otherwise it will not work. For example, if your data flow is UF->HF->Indexer, parsing occurs at the full enterprise instance, with the HF being the first layer where this takes place.

Additionally, here is the documentation for routing and filtering data, which will help you understand the core concepts: https://docs.splunk.com/Documentation/Splunk/9.3.1/Forwarding/Routeandfilterdatad

For learning and writing regex for your data, you can use the platform https://regex101.com/

If this resolves your issue, please accept and upvote the answers. Happy Splunking!
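The answer above gives the REGEX line but not the two files it has to live in, so here is the complete filter as an added example (not the poster's configuration) in the form the linked routing-and-filtering documentation describes: a props.conf stanza for the sourcetype that points at a transforms.conf stanza sending matching events to nullQueue. The stanza names my_script_logs and drop_exit_code_0 are assumptions; the REGEX is the one from the answer.

```ini
# props.conf
# Place this on the heavy forwarder: in a UF -> HF -> indexer path the HF is
# the first full Splunk instance, so it is where parsing (and therefore
# TRANSFORMS) happens. A universal forwarder does not apply TRANSFORMS.
# Stanza name is an assumption: use the sourcetype of the affected data.
[my_script_logs]
TRANSFORMS-null = drop_exit_code_0

# transforms.conf (same instance)
# Stanza name is an assumption. REGEX is taken from the answer above; the
# backslashes before the comma and the quotes are accepted by PCRE but
# are not required for those characters.
[drop_exit_code_0]
REGEX = successful\, returned exit code \'0\'
DEST_KEY = queue
FORMAT = nullQueue
```

Two checks before relying on this: confirm the stanza name in props.conf is the sourcetype the events actually arrive with (a mismatch silently filters nothing), and after a restart of the instance that parses the data, search for an event that should have been dropped and one that should not, to verify the regex is neither too narrow nor too broad.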
We use json for Zeek, if we change that setting, will it impact Zeek logs?
Hi, I was able to resolve the issue.

The issue: You are probably trying to perform vetting in a Windows environment. This causes the files and directories to have improper permissions which do not comply with the AppInspect procedures in Splunk, as they are built around *NIX OS.

Solution:
1. Download CYGWIN (https://www.cygwin.com/setup-x86_64.exe), install it on your Windows machine, and open CYGWIN.
2. Go into /cygdrive/<your app location> and run the following commands:
   find <your app> -type f -exec chmod 644 '{}' \;
   find <your app> -type d -exec chmod 700 '{}' \;
   (Make sure to check the permissions by running the command: ls -lR)
3. Create the .spl file, also using the cygwin terminal:
   tar -zvcf <your_app_name.spl> <app_name>
4. Now try the vetting procedure. I did it using Postman, and this time it worked.