This is a bit vague. Can you give an example of the type of search you are trying / wanting to do with your lookup?
What is it you are trying to achieve? Can you still get what you want if you try these changes? | sort 0 sourcetype | stats list(TotalEvents) AS TotalEvents list(FirstEvent) AS "First Event" by index, sourcetype
@gcusello - You were correct, bad code. I hadn't understood the requirement for <fieldForValue>MountedOn</fieldForValue>. Once set, the drop down populates. Thank you very much!!
I found this very useful search for a dashboard on gosplunk: | rest /services/data/indexes | dedup title | fields title | rename title AS index | map maxsearches=1500 search="| metadata type=sourcetypes index=\"$index$\" | eval Retention=tostring(abs(lastTime-firstTime), \"duration\") | convert ctime(firstTime) ctime(lastTime) | sort lastTime | rename totalCount AS \"TotalEvents\" firstTime AS \"FirstEvent\" lastTime AS \"LastEvent\" | eval index=\"$index$\"" | fields index sourcetype TotalEvents FirstEvent LastEvent Retention | sort sourcetype | stats list(sourcetype) AS SourceTypes list(TotalEvents) AS TotalEvents list(FirstEvent) AS "First Event" by index | append [| rest /services/data/indexes | dedup title | fields title | rename title AS index] | dedup index | fillnull value=null SourceTypes TotalEvents "First Event" "Last Event" Retention | sort index | search index=* (SourceTypes=*) However, when I first ran it, some of the "LastEvent" values appeared correctly. Ever since then, "LastEvent" and "Retention" have always been "Null". I can't figure out why I don't get any return values on these fields. I got an error saying the limit of 100 on the "list" command was surpassed. So I tried replacing "list()" with "values()" in the search, but the result is the same, just without the error.
Are you sure you're not using any proxy server? (Is this your home setup or a company network?)
It is important where you put your settings. Parsing is done on the first "heavy" component in the event's path to the indexers. So if you have a HF as an intermediate forwarder, you need to put your props/transforms there. Of course you will still be getting already indexed events during searching; index-time transforms are applied only to new events.
OK. But do you have just one column with multiple values? Or do you have multiple columns? How would your lookup contents match the data you want to search for?
It highly depends on the components involved. But this is fairly normal functionality for a SOAR playbook to get an artifact, manipulate it, check it using configured external services and return a report, or use the result of such a check to modify behaviour in a further part of a playbook. You can download the community version of Splunk SOAR and see for yourself.
Thank you for your response! Could you please share your insights on how we can achieve this in a Splunk SOAR environment? Additionally, if there are any apps on Splunkbase that provide similar functionality, I would greatly appreciate your recommendations.
I have a lookup file saved with a single column having values of specific fields in it, and I want to use it in a search query that matches those values against field names. Example: lookupname: test.csv, column name: column1, fieldname: field1
Yes, heavy forwarders are being used, but how will it impact the data filtration?
Hi @redmandba, if a search gives results, it can be used in a dropdown. Can you share the code of your dropdown? Maybe the issue is in the other parameters. Ciao. Giuseppe
Hi @shoaibalimir, the formula is always the same, but anyway, on Splunk Cloud you don't need to think about the required storage, because you only have to think about how many logs must be indexed every day; the required storage is a problem for the Splunk Cloud administrators. In your contract you should have defined the daily indexed volume and the retention period, so storage isn't your problem. The license consumption and the storage entitlement are two related but different values; you have to pay attention only to license consumption, to avoid exceeding the limit too many times. Ciao. Giuseppe
Extracting the new messages is fine. I tried 'Extract New Fields'; it is not easy to work with.
You can use "rule_description" as the field for the above description.
I want to extract the 'description' field. It can be for the new messages.
Ah yes, this example needs to run on its own and will create sample events. But see my other reply; this needs more logic.
Just noticed that will not work; it will need some loop hopping to get months and then days ....
Hi MuS, thanks for the help. However, when I run the query I am getting an error message: Error in 'makeresults' command: This command must be the first command of a search.
Hi there, try this: | makeresults | eval alert_value=1060, BatteryAge=strftime(alert_value, "%m months %d days") This will return: but I'm not sure you can then use it in a single value panel. Just give it a try. Hope this helps ... Cheers, MuS Update: This is based on the simple assumption that every month has 4 weeks, because I'm not a mathematician nor a scientist: | makeresults | eval alert_value=1060, secs=alert_value*86400, months=round(secs/604800), days=round(alert_value - ((secs- (secs/604800)) / 60 /60 /24)) , alert_value = months ." months ". days ." days"