I have JSON data which is multivalued. I want to create an overview table of the counts.

{ "suite": [ { "hostname": "localhost", "failures": 0, "package": "ABC", "tests": 0, "name": "ABC_test", "id": 0, "time": 0, "errors": 0, "testcase": [ { "classname": "xyz", "name": "foo1", "time": 0, "status": "Passed" }, { "classname": "pqr", "name": "foo2", "time": 0, "status": "Passed" }, . . . ] } ] }

This is the data. For a given project there'll be many JSON files like the above. So I want to get the unique data while taking the counts. Tried with mvdedup, it did not work.

|spath output=jenkins_url path=JenkinsMetaData.JENKINS_URL | spath output=suite path=suite{}.name | spath output=case path=suite{}.case{}.name | spath output=Build_Num path=JenkinsMetaData.buildnumber | spath output=Status path=suite{}.case{}.status | fields - _raw | eventstats max(Build_Num) as Latest_Build by Job_Name | where Latest_Build=Build_Num | stats values(Build_Num) as Build_Num count(eval(Status="Execution Failed" OR Status="Testcase_Failed")) AS Failed_cases, count(eval(Status="Passed")) AS Passed_cases, count(eval(Status="Failed" OR Status="Testcase_Error")) AS Execution_Failed_cases, dc(case) as Total_cases dc(suite) as "Total suite" by Job_Name Build_Variant Jenkins_Server

When I do this, Total_cases and Total suite are correct, but the other values are not correct. But when I use |Status="Passed"| stats dc(case) as Passed_cases for one project, I'm getting the correct value. But my requirement is to create a table for all the projects. Anyone know how to handle this?
Hi @Alex_Rus, so, if you run the above command from a cmd window, do you get the list of the files in that folder? If yes, the inputs.conf is correct, otherwise there's an error in the input path. In addition, from the photo I cannot read the label in the first row, the one before the files: is it another folder or what else? Ciao. Giuseppe
Hi @Real_captain , if fieldA is extracted for the data set, in this way you can use it. Ciao. Giuseppe
@gcusello: I want to use fieldA. Will the below query work? <input type="dropdown" token="POH_tokenD" searchWhenChanged="true"> <label>POH_Group</label> <prefix>POH_Group1="</prefix> <suffix>"</suffix> <fieldForLabel>fieldA</fieldForLabel> <fieldForValue>fieldA</fieldForValue> <choice value="*">All</choice> <default>*</default> <search> <query> | dedup fieldA | table fieldA </query>
as in the photo, files in which events are stored
Hi @Alex_Rus, and what if you run the cmd command? Ciao. Giuseppe
Yes, I'm sure. I checked on Deployment-server there are no such folders for monitoring
Hi @Alex_Rus , what if you run from cmd: dir C:\ExchData\MessageTracking\* ? Are you sure that there isn't another Splunk input that reads these logs? Ciao. Giuseppe 
Hi, @gcusello ! [monitor://C:\ExchData\MessageTracking\*] disabled = 0 index = MyIndex sourcetype = MySourcetype #FcrcSalt = <SOURCE
Hi @Real_captain, there's an error: in the input search you have as output only the fieldA field, but in the fieldForLabel and fieldForValue tags you want to use the POH_Group1 field, which isn't in the input search outputs. Ciao. Giuseppe
Hi Team, is it possible to use the output value of the base query as the dropdown values in the input panel? Example:

<search id="base"> <!-- Master query which will be used in all the Panels --> <query>index=ABC | eval fieldA =  If (fieldB = "ABC" ,  fieldB , fieldA )</query>

I want to use the value of fieldA in the dropdown of the input POH_Group. The below query is not working and I am not getting the values of fieldA in the dropdown of POH_Group:

<input type="dropdown" token="POH_tokenD" searchWhenChanged="true"> <label>POH_Group</label> <prefix>POH_Group1="</prefix> <suffix>"</suffix> <fieldForLabel>POH_Group1</fieldForLabel> <fieldForValue>POH_Group1</fieldForValue> <choice value="*">All</choice> <default>*</default> <search> <query> | dedup fieldA | table fieldA </query>

Can you please help to fix this issue.
Getting the below error: Invalid key in stanza [proofpoint_digital_risk_audit_input://Digital_Risk_Data_Input] in /opt/splunk/etc/apps/TA-proofpoint-digital-risk-app-for-splunk/local/inputs.conf, line 2: token (value: xyznkbejrfhrekfjrltjgltrkgltrkgtkhgythytlhmylth).
@Bracha could you pls accept it as solution, thanks. 
Hi @Alex_Rus , if you're sure about grants, please, could your share your inputs.conf and the full path of the unread files? Ciao. Giuseppe
Thanks @inventsekar, it's solved!
Hi @Labuser43, at first Splunk isn't a database, so you don't need an inner join to extract data like the ones you want; forget all you know about databases and reset your mind (I did it 13 years ago!). You have to correlate different events to extract e.g. the timestamps of logins and logouts and find the duration of a transaction. So please, see my approach and adapt it to your requirements:

index=allsessions ("*login*" OR "*logout*")
| stats earliest(eval(if(searchmatch("*login*"),_time,null()))) AS earliest latest(eval(if(searchmatch("*logout*"),_time,null()))) AS latest BY SESSION.ID
| eval earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"), latest=strftime(latest,"%Y-%m-%d %H:%M:%S")

Ciao. Giuseppe
Hi Team, I am trying to integrate jenkins/cloudbees with Splunk using the splunk plugin. But I do not want to store the HEC_TOKEN as plain text or hard-coded value in the splunk configuration under Manage jenkins --> System --> Splunk for Jenkins Configuration. I am trying to store it as a credential or environment variable and then use it in Jenkinsfile but it does not work, Is there any work around for this? Please let me know. Thanks.
Hi @Bracha Pls check this: | makeresults | eval end_time="2024-09-24 08:17:13.014337+00:00" |eval end_timeepoch = strptime(end_time, "%Y-%m-%d %H:%M:%S.%6Q+00:00") |eval _time = now() |eval diff = (end_timeepoch-_time)/60 | table end_time end_timeepoch _time diff  
I'm trying to calculate the minute difference between two times and get an empty field   .........base search here......... |end_time = 2024-09-24 08:17:13.014337+00:00 |eval end_time = strptime(end_time_epoch, "%Y:%m:%d %H:%M:%S") |eval _time = now() |eval time_epoch = strptime(time_epoch, "%Y:%m:%d %H:%M:%S") |eval diff = (time_epoch-end_time)/60  
@ITWhisperer After executing the suggested command I am getting the below results. The count should be 2 only: 1 for the storage and 1 for the retrieval.