All Posts

Hi @Real_captain, if fieldA is extracted for the data set, you can use it in this way. Ciao. Giuseppe
@gcusello: I want to use fieldA. Will the below query work?

<input type="dropdown" token="POH_tokenD" searchWhenChanged="true">
  <label>POH_Group</label>
  <prefix>POH_Group1="</prefix>
  <suffix>"</suffix>
  <fieldForLabel>fieldA</fieldForLabel>
  <fieldForValue>fieldA</fieldForValue>
  <choice value="*">All</choice>
  <default>*</default>
  <search>
    <query> | dedup fieldA | table fieldA </query>
as in the photo, files in which events are stored
Hi @Alex_Rus, and what if you run the cmd command? Ciao. Giuseppe
Yes, I'm sure. I checked on the deployment server; there are no such folders for monitoring.
Hi @Alex_Rus, what if you run from cmd: dir C:\ExchData\MessageTracking\* ? Are you sure that there isn't another Splunk input that reads these logs? Ciao. Giuseppe
Hi, @gcusello!

[monitor://C:\ExchData\MessageTracking\*]
disabled = 0
index = MyIndex
sourcetype = MySourcetype
#FcrcSalt = <SOURCE
Hi @Real_captain, there is an error: in the input search you have only the fieldA field as output, but in the fieldForLabel and fieldForValue tags you want to use the POH_Group1 field, which isn't in the input search outputs. Ciao. Giuseppe
Hi Team,

Is it possible to use the output value of the base query as the dropdown values in the input panel?

Example:

<search id="base">
  <!-- Master query which will be used in all the Panels -->
  <query>index=ABC | eval fieldA = if(fieldB = "ABC", fieldB, fieldA)</query>

I want to use the value of fieldA in the dropdown of the input POH_Group. The query below is not working and I am not getting the values of fieldA in the dropdown of POH_Group:

<input type="dropdown" token="POH_tokenD" searchWhenChanged="true">
  <label>POH_Group</label>
  <prefix>POH_Group1="</prefix>
  <suffix>"</suffix>
  <fieldForLabel>POH_Group1</fieldForLabel>
  <fieldForValue>POH_Group1</fieldForValue>
  <choice value="*">All</choice>
  <default>*</default>
  <search>
    <query> | dedup fieldA | table fieldA </query>

Can you please help to fix this issue?
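A complete Simple XML form that does what the thread is after, as an added example that is not part of any post above: the dropdown's `<search>` references the base search with `base="base"` so it post-processes the base results, and fieldForLabel/fieldForValue name a field (fieldA) that the post-process search actually returns. The index name, the field names fieldA/fieldB/POH_Group1 and the time range are taken from or assumed for the thread, and the panel at the bottom is a hypothetical consumer of the token.

```xml
<form version="1.1">
  <label>POH dashboard (added example)</label>

  <!-- Base search: runs once; the input and the panels post-process it.
       Assumption: index=ABC carries fieldA, fieldB and POH_Group1.
       The trailing "fields" keeps those fields available to the
       post-process searches; a non-transforming base search only
       passes the fields it explicitly returns. -->
  <search id="base">
    <query>index=ABC | eval fieldA=if(fieldB="ABC", fieldB, fieldA) | fields _time fieldA fieldB POH_Group1</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>

  <fieldset submitButton="false">
    <input type="dropdown" token="POH_tokenD" searchWhenChanged="true">
      <label>POH_Group</label>
      <!-- the selected value is emitted as  POH_Group1="value"  wherever $POH_tokenD$ is used -->
      <prefix>POH_Group1="</prefix>
      <suffix>"</suffix>
      <!-- both must be fields that the search below outputs -->
      <fieldForLabel>fieldA</fieldForLabel>
      <fieldForValue>fieldA</fieldForValue>
      <choice value="*">All</choice>
      <default>*</default>
      <!-- post-process of the base search: only the pipeline after the base runs here -->
      <search base="base">
        <query>| stats count BY fieldA | sort fieldA | fields fieldA</query>
      </search>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Events for $POH_tokenD$</title>
      <table>
        <!-- hypothetical consumer: filters the base results with the token -->
        <search base="base">
          <query>| search $POH_tokenD$ | stats count BY fieldA POH_Group1</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Two checks worth doing when a dropdown stays empty: confirm that the fields named in fieldForLabel/fieldForValue are in the output of the input's own search (here `| fields fieldA` at the end of the post-process), and confirm that the base search returns those fields at all, either by ending it with a transforming command (stats, table) or with `| fields ...`, because a post-process search cannot see fields the base search did not pass through.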
Getting the below error:

Invalid key in stanza [proofpoint_digital_risk_audit_input://Digital_Risk_Data_Input] in /opt/splunk/etc/apps/TA-proofpoint-digital-risk-app-for-splunk/local/inputs.conf, line 2: token (value: xyznkbejrfhrekfjrltjgltrkgltrkgtkhgythytlhmylth).
@Bracha could you please accept it as the solution, thanks.
Hi @Alex_Rus, if you're sure about the grants, could you please share your inputs.conf and the full path of the unread files? Ciao. Giuseppe
Thanks @inventsekar, it's solved!
Hi @Labuser43, at first: Splunk isn't a database, so you don't need an inner join to extract data like the ones you want; forget all you know about databases and reset your mind (I did it 13 years ago!). You have to correlate different events to extract, e.g., the timestamps of logins and logouts and find the duration of a transaction. So please see my approach and adapt it to your requirements:

index=allsessions ("*login*" OR "*logout*")
| stats earliest(eval(if(searchmatch("*login*"),_time,null()))) AS earliest latest(eval(if(searchmatch("*logout*"),_time,null()))) AS latest BY SESSION_ID
| eval earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"), latest=strftime(latest,"%Y-%m-%d %H:%M:%S")

Ciao. Giuseppe
Hi Team, I am trying to integrate Jenkins/CloudBees with Splunk using the Splunk plugin, but I do not want to store the HEC_TOKEN as plain text or a hard-coded value in the Splunk configuration under Manage Jenkins --> System --> Splunk for Jenkins Configuration. I am trying to store it as a credential or environment variable and then use it in the Jenkinsfile, but it does not work. Is there any workaround for this? Please let me know. Thanks.
Hi @Bracha, please check this:

| makeresults
| eval end_time="2024-09-24 08:17:13.014337+00:00"
| eval end_timeepoch = strptime(end_time, "%Y-%m-%d %H:%M:%S.%6Q+00:00")
| eval _time = now()
| eval diff = (end_timeepoch-_time)/60
| table end_time end_timeepoch _time diff
I'm trying to calculate the minute difference between two times and get an empty field:

.........base search here.........
|end_time = 2024-09-24 08:17:13.014337+00:00
|eval end_time = strptime(end_time_epoch, "%Y:%m:%d %H:%M:%S")
|eval _time = now()
|eval time_epoch = strptime(time_epoch, "%Y:%m:%d %H:%M:%S")
|eval diff = (time_epoch-end_time)/60
@ITWhisperer After executing the suggested command I am getting the below results. The count should be 2 only: 1 for the storage and 1 for the retrieval.
Sure @Labuser43, got it now. Please try this inner join (or, if you want to test the other two joins, "type=left" or "type=outer"):

index=allsessions "*login*" | join type=inner SESSION_ID [search index=allsessions "*logout*"]

Still, the join can be avoided, I feel. Maybe please check (EDIT - included the OR portion):

index=allsessions "*login*" OR "*logout*" | stats list(OPERATION) by SESSION_ID

OR

index=allsessions "*login*" OR "*logout*" | stats values(OPERATION) by SESSION_ID
@inventsekar my requirement is to get SESSION_IDs where both login AND logout occur in that session. To explain more, let's use an example of a session that would fit this criterion:

OPERATION    SESSION_ID
login        1234
add_to_cart  1234
checkout     1234
logout       1234

If I use OR, I think it may return a session that only has login or logout.
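The stats-based correlation that Giuseppe's reply describes, carried through to the requirement stated above (keep only sessions that have both a login and a logout, and report the session duration), as an added example that is not part of any post in the thread. It is wrapped in a throwaway Simple XML panel so it can be pasted into a dashboard as-is; the rows fed in by makeresults are constructed test data, not real events, and the field names OPERATION and SESSION_ID are the ones used above.

```xml
<dashboard version="1.1">
  <label>Sessions with both login and logout (added example)</label>
  <row>
    <panel>
      <title>Session durations</title>
      <table>
        <!-- The first five lines build constructed sample events in place of
             index=allsessions: session 1234 has login and logout, 5678 has
             only a login, 9999 has only a logout. Each row gets a _time one
             minute after the previous one so durations are meaningful. -->
        <search>
          <query>
| makeresults
| eval rows="login,1234;add_to_cart,1234;checkout,1234;logout,1234;login,5678;add_to_cart,5678;logout,9999"
| makemv delim=";" rows
| mvexpand rows
| streamstats count AS n
| eval _time=1700000000 + n*60
| eval OPERATION=mvindex(split(rows,","),0), SESSION_ID=mvindex(split(rows,","),1)
| fields - rows n
| stats count(eval(OPERATION="login")) AS logins,
        count(eval(OPERATION="logout")) AS logouts,
        min(eval(if(OPERATION="login",_time,null()))) AS login_time,
        max(eval(if(OPERATION="logout",_time,null()))) AS logout_time,
        values(OPERATION) AS operations
  BY SESSION_ID
| where logins>0 AND logouts>0
| eval duration_sec=logout_time-login_time
| eval login_time=strftime(login_time,"%Y-%m-%d %H:%M:%S"),
       logout_time=strftime(logout_time,"%Y-%m-%d %H:%M:%S")
          </query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

On the constructed rows only SESSION_ID 1234 survives the `where` (logins=1, logouts=1, duration_sec=180); 5678 and 9999 are dropped because one of the two counts is zero. To run it against real data, replace everything up to and including `| fields - rows n` with `index=allsessions ("*login*" OR "*logout*")`. The `null()` in the `if()` matters: returning `""` for non-matching events would make min/max consider an empty string a value and can mask the real first login or last logout.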