It returns a blank table. 
Have you tried this with the join being replaced by a lookup?
Unfortunately, it didn't pick up the policy ID.  It returns a blank table
Hello Splunkers, I'm working on developing an app that requires making REST API calls to Splunk in order to gather information about saved searches, knowledge objects, and more. Could you please advise on the most secure method for authorization and authentication? Does the REST API support MFA, or are there other mechanisms available, with or without SAML? Is token generation the only secure way to make these API calls, or are there alternative methods? Thanks, Manish Kumar
@ITWhisperer After applying your suggested command I also replaced the lookup command, and now the search takes 10.5 seconds to complete the results. Thanks for your help.
I have this exact same issue. I can prove that it works fine matching the Linux OS but does not match Windows; in fact Windows will get matched as Linux.
I've downloaded the latest Splunk installation package, extracted the app files and replaced the old files in my installation. But it does not help.
@ITWhisperer Although this method is correct, it takes one second longer than the dedup command. Thanks in advance.
| stats dc(Ordernumber) as count first(movement_type) as movement_type by area aisle section movement_category Ordernumber
Regular expressions are very literal - they match exactly what they are told to match or they don't match at all. In the attempted SPL, the rex command expects to find the letters 'm', 's', 'g', a space, and '=' in that order, but they are not present in the sample events so no policyId field can be extracted. Try this:
| rex field=msg "policyId\\\":\\\"(?<policyId>\w+)"
Hi @H2ck1ngPr13sT , if you want your count for one day, you could use something like this:
index=monitor name="Manager - Error" text2.value="*Rerun" text1.value IN ("*Load Balancer*", "*Endpoints*") earliest=-1d latest=now
| rename text1.value AS text1_value
| stats count(eval(like(text1_value,"%Load Balancer%"))) AS LoadBalancer count(eval(like(text1_value,"%Endpoints%"))) AS Endpoints
If instead you want the values for each day in the last 7 days, you could use something like this:
index=monitor name="Manager - Error" text2.value="*Rerun" text1.value IN ("*Load Balancer*", "*Endpoints*") earliest=-7d latest=now
| rename text1.value AS text1_value
| eval type=if(like(text1_value,"%Load Balancer%"),"LoadBalancer", "Endpoints")
| timechart span=1d count BY type
Ciao. Giuseppe
@ITWhisperer Thanks for your response. With the dedup command it is giving the expected 2 results: 1 for storage and 2 for retrieval. Without the dedup command it is giving me 5 results. Note: there is no such impact seen after replacing the join inputlookup with the lookup command.
| rex "\"policyId\":\"(?<policyId>\w+)\""
Hello @PickleRick, that's an interesting topic, I will dig up more information about it. I'll let you know here if I find something interesting. Thanks! Nicolas
Can you give an example of an event which generates the incorrect values? (Perhaps with the correct field names too?)
Hi, I have the query below. I want to group and count by two different words, one group per word, in a field "text1.value", where the words Load Balancer and Endpoints are located somewhere in a string. Also I want to count how many of them occurred per day. Is this possible?
index=monitor name="Manager - Error" text2.value="*Rerun"  text1.value="*Load Balancer*" OR "*Endpoints*"
Remove _raw from the by clause
Hi @RAVISHANKAR , the best approach is to create an Indexer Cluster that automatically replicates indexes between Indexers, but it requires an additional machine as Cluster Manager; in this way you have HA on your data and you don't pay twice for the indexed logs. Otherwise, you could forward logs to the two Indexers: in this way you pay twice for the logs and you don't have HA, but you don't need an additional machine. Ciao. Giuseppe
I highly doubt that you managed to 1) Run DBConnect on UF 2) Send data from UF to Logstash (logstash doesn't have Splunk input plugin and UF cannot send anything except S2S or S2S over HTTP).
OK. Short story is Splunk has no means for native inbuilt HA when we're talking about inputs (regardless of whether we're talking UFs or HFs). Period. So the only thing you can do is use external means to replicate config and state between nodes and make sure that only one node is actually active. That's not a trivial issue. While replicating config is usually relatively easy (maybe except for some border cases when you - for example - need to authenticate with a private key and don't want the key to leave the box), the other two points are tricky. Different inputs keep their state using different methods. Some store checkpoints as simple text files, some use kvstore, some (monitor input) use fishbucket. So you have to find where the state is being stored and replicate it to the passive node. You also need to have a way to make sure only one input is active at a time. It's not a trivial task and there are several different approaches to this. From some rsync-based handcrafted scripts to simply migrating whole VMs with a forwarder between separate hypervisors (with several other possible solutions "in between"). I think there was a .conf presentation about this topic but I can never find it