I have two indexes (index A and index B). Here I need to measure the response time of a topup of a prepaid or postpaid number with the help of the transaction ID. From index A I can filter where the transaction is prepaid or postpaid; index A contains (customer ID, Type (Prepaid or Postpaid)). In index B we have two logs, one is the request log and the other is the response log. With the help of the customer ID from index A I need to find the transaction ID from the request log, since the customer ID is not available in the response log. Once we get the transaction ID, we need to subtract the timestamps (Response log time - Request log time).
Index A log pattern ---> _timestamp, customerID, type
Index B ---> contains request and response log.
Request log pattern ---> timestamp, transactionID, customer ID
Response log pattern ---> timestamp, transactionID, status
Method to measure --> From index A we need to get the customerID and then go to index B to find out the transaction ID from the request log. With the help of the transactionID we need to subtract the timestamp between the response and request log from index B. Please help us with how we can proceed, in an SPL query.
Any news on PHP8.3 support please ? Also will ARM cpu support be coming ? Thanks.
This is the query I am using in my search. I need my output in multiple rows (snippet provided).
index=mail "*tanium*"
| spath body
| rex field=body max_match=0 "\"(?<Computer_name>.*)\",\"ACN"
| rex field=body max_match=0 "\"(?<Computer_name1>.*)\",\"\[n"
| rex field=Computer_name1 max_match=0 "(?<Computer_name2>.*)\",\"\[n"
| rex field=body max_match=0 "\,(?<Patch_List_Name1>.*)\"\["
| rex field=Patch_List_Name1 max_match=0 "\"(?<Patch_List_Name>.*)\",\""
| rex field=Patch_List_Name1 max_match=0 "\",\"(?<Compliance_status>.*)\""
| eval Computer_name=mvappend(Computer_name,Computer_name2)
| table Computer_name Compliance_status Patch_List_Name
Please just post your current query inside a code block ("</>" button) when you write your post. Then mock up what and how you want to see the result. One picture is usually better than a thousand words.
Hi, at least in some older Splunk versions (e.g. 7.3.x) there was (probably) a bug which led to this kind of behavior when you are using REST with increased storage areas like an increased filesystem. The fix was to restart splunkd. r. Ismo
Did you check the results which the initial rest command yields?
Hi All, I just wanted to know if there is any way to display text boxes upon clicking any of the buttons in my dashboard. I uploaded a pic for your reference. Upon clicking any of the buttons, I want to display 2 text boxes. And later I would like to provide input in those text boxes and search for the logs.
<dashboard version="1.1" script="customview.js" theme="dark">
  <label>Search Dashboard</label>
  <row>
    <panel>
      <html>
        <h1 style="text-align: center;">Choose from the below options to get started :)</h1>
        <!-- Centered button container -->
        <div style="display: flex; justify-content: center; align-items: center; gap: 10px; margin-top: 20px;">
          <button id="proxySearch" onclick="showTextBoxes()" style="background-color: #007bff; color: white; width: 150px; height: 50px; font-size: 18px; border: none; border-radius: 5px;">Proxy Search</button>
          <button id="WAFsearch" style="background-color: #007bff; color: white; width: 150px; height: 50px; font-size: 18px; border: none; border-radius: 5px;">WAF Search</button>
          <button id="DNSsearch" style="background-color: #007bff; color: white; width: 150px; height: 50px; font-size: 18px; border: none; border-radius: 5px;">DNS Search</button>
          <button id="Emailsearch" style="background-color: #007bff; color: white; width: 150px; height: 50px; font-size: 18px; border: none; border-radius: 5px;">Email Search</button>
        </div>
        <div id="mychart"></div>
      </html>
    </panel>
  </row>
</dashboard>
I first wanted to know how to show text boxes upon clicking any of the buttons. I know we have to use JS for this kind of activity, but can anyone suggest how it needs to be done?
I haven't used it, but based on the docs I suppose that it also works for HW-based environments? https://www.redhat.com/en/technologies/linux-platforms/enterprise-linux/centos-migration https://developers.redhat.com/articles/2023/04/11/how-use-convert2rhel-migrate-centos-rhel#7_steps_to_migrate_centos_to_rhel_using_convert2rhel
Do you have the SPL-xxxx code for fixing it? It will help others to add this to their support cases.
I agree with @PickleRick about data optimization of buckets. Those warm and cold buckets are identical. Of course you could additionally configure tsidx reduction there, but it hasn't anything to do with warm -> cold movements. Here is one old, but still mostly valid, presentation about the event lifecycle. https://conf.splunk.com/files/2017/slides/splunk-data-life-cycle-determining-when-and-where-to-roll-data.pdf After one has read it, one will probably understand this better.
Case created.
It's on the monitoring console, Disk Usage part. If we look there, there is a bar showing the storage used. I already restarted the service too, but the value is still like the picture. I also inspected the search from the panel, and the values are the same; I copied it into Excel like this one.
Ouch. This is very ugly data. It's not only unnecessarily complicated and needs a lot of "untangling" to get it parsed properly (so that you cannot write reasonable extractions), it also contains a huge blob of stuff that is effectively separate data points. So if you want to search for just one of those hosts, you still have to make Splunk dig through a whole load of completely irrelevant data. Additionally, you are doing something to your data, because the body field, if simply extracted from the JSON, would just have a long string, not separate fields. So maybe just post your search as it is. My glass orb is being fixed as we speak.
Hi, I cannot "login"; the truth is that after login I get a 500 error and the UI will only show the following screenshot, so the Web UI is unusable.
Yes. It does look as if the SHC members weren't properly communicating with one another. What is interesting though is that the captain is responsible for scheduling searches. So if you had connectivity problems you should also have problems with captain election. But your behaviour suggests that each cluster node works independently. What does your "splunk show shcluster-status" say on each node?
Hi @Nawab, the correct behaviour is that the Correlation Search is run on only one of the SHs and only one Notable is created. If more than one Notable is created, it means that the Cluster is out of sync, as @aasabatini said. In this case, you have to check the sync and restart the members and eventually rebuild the configurations. For more info see https://docs.splunk.com/Documentation/Splunk/9.3.1/DistSearch/SHCdeploymentoverview Ciao. Giuseppe
I'm looking for a query to display a list of jobs stuck in the queue (the past 7 days). Does anyone know the query?
Hi @mackey If you have ES, it has a framework called "THREAT INTELLIGENCE" for managing threat feeds, detecting threats, and sending alerts. You should explore this functionality, as it can be quite beneficial. Additionally, there are several other high-quality sources of threat data available in it which just need to be activated if required, OR if you have your own custom feeds, you can also integrate them as custom lookups in threat intelligence. As mentioned by @gcusello, you have two options; explore them as per your requirement. For more info on this, please refer to the docs below: https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_intelligence/Using_threat_intelligence_in_Splunk_Enterprise_Security https://dev.splunk.com/enterprise/docs/devtools/enterprisesecurity/threatintelligenceframework/ https://www.splunk.com/en_us/pdfs/feature-brief/splunk-threat-intelligence-management.pdf If this helps, accept the answer by upvoting!! Happy Splunking!!
I have access to ES, yes.
Hello @PickleRick, Yes, this is the search on the basis of email logs which is giving me one result, and I need that search to be multivalued, not single valued. As you can see in my snippet, it's giving a statistic of 1 rather than 3131, which is actually there in the data. LOGS: I need this 3131 to be split into multiple rows with my other following fields as shown in the previous screenshot. When I am doing mvexpand Computer_name it's coming to 3131, but as soon as I am applying the other fields it's not showing the data.