All Posts

Hi @Labuser43, if I understand your requirement correctly, you may not need the join at all. Simply try the OR option:
index=allsessions "*login*" OR "*logout*"
Hello, I'm just trying to learn SPL and am currently trying to find all sessions with login and logout requests, identified by the SESSION_ID field. So basically I'm trying to find all SESSION_ID values where, within the session, the user performs a login and a logout operation. Coming from the relational database world, my first step was to write some sort of join operation, but I quickly found out that joins are not the best thing to do in Splunk. This is what I tried:
index=allsessions "*login*" | join type=inner left=L right=R where L.SESSION_ID=R.SESSION_ID [search index=allsessions "*logout*"]
Can someone help me write a better query for the above problem? Thanks!
Hi @LearningGuy, the sendemail command reference: https://docs.splunk.com/Documentation/Splunk/9.3.1/SearchReference/Sendemail#Examples
Updated your command with "to=" and message. Thanks.
| search1 | join [search2 | stats count | where count > 50000 | eval this = "search 2"] | sendemail to="test@testemail.com" message="50k reached"
1) >>> I am trying to find out Server Up time & Downtime or offline
The logs have a field "Uptime"; may I know if the unit is seconds?
2) How to find out the downtime or offline?
3) This command will give you the number of hours before the log line was received:
| eval Uptime = round((now() - _time) / (60 * 60), 1)
Please suggest how you would like to use this value.
4) May I know why you use the | search Uptime="4.0" ?
Sorry, what information are you looking for?
Hi @jaibalaraman, you have a field "Uptime" and then using the eval you are calculating the same field. Could you please give us more details? Thanks.
| mstats max(System.System_Up_Time) AS "Uptime" WHERE index="permon_metrics" host=system1* BY host span=1m | dedup host | rex field=host "\w{6}(?<function_abbr>\w{4})" | search function_abbr=ADDS | sort Uptime asc | eval UptimeNew = round((now() - _time) / (60 * 60), 1) | table Uptime UptimeNew function_abbr host
Hi All, I am trying to find out Server Up time & Downtime or offline. However, I am using the below command and I am not getting what I want:
| mstats max(System.System_Up_Time) AS "Uptime" WHERE index="permon_metrics" host=system1* BY host span=1m | dedup host | rex field=host "\w{6}(?<function_abbr>\w{4})" | search function_abbr=ADDS | sort Uptime asc | eval Uptime = round((now() - _time) / (60 * 60), 1) | search Uptime="4.0"
I would like to see the output in a single tile like HH:MM:SS.
Hi @PickleRick, the data is actually also available in Splunk using an index=contact, but it's time-based and combined with other data, which makes the data even larger. It is derived from the original DB, so it's better to obtain the data directly from the DB. Either way, both cases (pulling data with dbxquery and from the index) will face the same problem (see below). We are aware that the permanent solution is to join the data in the backend, but for now as a workaround I need to pull the data using an SPL join subsearch. I only need to find a way to alert me if it exceeds 50k. Thanks.
Same problem 50k:
| search1 | join [search index=contact ip="10.0.0.0/16" | eval source=search2] | join [search index=contact ip="10.1.0.0/16" | eval source=search3] | join [search index=contact ip="10.2.0.0/16" | eval source=search4] | join [search index=contact ip="10.3.0.0/16" | eval source=search5]
Hi @yuanliu
1) a) I got this when using sendemail. I think the reason is I am not an admin:
command="sendemail", 'rootCAPath' while sending mail to:
b) This is the search, correct?
| search1 | join [search2 | stats count | where count > 50000 | eval this = "search 2"] | sendemail test@testemail.com
2) I found another option is to use "alerts". I did some tests, but it didn't work. I have total counts of about 40k. Under "Trigger Conditions", I set Trigger alert when number of results is greater than 30,000. Please suggest. Thanks.
One approach is to have a separate panel for each search then have the selected token make the appropriate panel appear. 
I am getting the same error as the original post and tried your suggestions. I am still getting an email alert with this error. My Splunk search only has Python 3.9.18 installed. Any other suggestions to fix this error?
Hello, it looks like an issue with the certificate. Please check this out: https://community.splunk.com/t5/Deployment-Architecture/Problem-with-SAML-cert-quot-ERROR-UiSAML-Verification-of-SAML/m-p/322376#M12073 If this is a brand new implementation, you can also use Splunk's "ondemand services" for help. The Professional Services experts can "shoulder surf" this and help get it resolved.
Looking for the best/easiest way to retrieve or reconstruct a Splunk URL to an event retrieved using Python, to then paste into a browser and view the event through the web UI. Thanks!
Figured it out:
*** File Extension Pie Chart: Works ***
index="user_files" | rex field="document" "\.(?<extension>[^\.]*$$)" | stats count(extension) by extension
However, when I call on the token "source = $token$" after declaring the index to display records based on pie chart selection, there are no search results.
*** Records by file type selected in Pie Chart: No Records found with selection from Pie Chart ***
index="user_files" | rex field="document" "\.(?<extension>[^\.]*$$)" | where extension = "$token$" | table ...
Thanks PickleRick for giving a response in helping figure this out. Much appreciated.
Realizing I need to run the rex command in my table because Splunk doesn't have any value in that search in the raw data to associate with the token. Going to try some alternative queries for now to see if I can come up with the solution, now considering that.
That was a typo, copied and pasted. The token I am using in my search string is (source=$token$). Not sure where/why I added the (*) in the token name.
Python is the least important thing here. The question is about the overall architecture of your solution. What exactly do you want to achieve technically? Because, you know, Splunk dashboards are not something you can "pull" out of Splunk and use without Splunk. So what are you trying to do?
It's no confusion. I meant to show you that you're trying to use a token named "*token". Even if it was syntactically correct which I doubt - I think the token name syntax is more restricted - it would still be a different token than the one you have defined. If you define a token named "token" you use it as $token$, not $*token$, not $my_token$,  not $token_I_forgot_about$. These are all different literals.
The token value I am trying to carry over in my table is the (token=$click.value$) using the field extracted in the drilldown editor. I have my values/parameters set to: on click set "token"= $click.value$. I named my token name "Token" in the drilldown editor for simplicity.
In the initial post I stated
***User Pie Chart with the drilldown token: token_user=$click.value$ ***
but it should be
***User Pie Chart with the drilldown token: "token"=$click.value$ ***
*** File Extension Pie Chart with the drilldown token: "token"=$click.value$ ***
index="user_files" | rex field="document" "\.(?<extension>[^\.]*$$)" | stats count(extension) by extension
However, when I call on the token "source = $token$" after declaring the index to display records based on pie chart selection, there are no search results.
*** Records by file type selected in Pie Chart: No Records found with selection from Pie Chart ***
index="user_files" source=$*token$ | table _time, user_name, computer_name, source_directory, document
Apologies for the confusion. Hope that clears it up a little.
You must explicitly add an action to add an alert to triggered alerts. So if your only action was email, you must check why the email wasn't delivered (look in _internal for sendemail.py). At first glance your logs suggest that the alert notifier was actually dispatched.