@ITWhisperer did you mean the final Splunk query would look like the one below? index=myindex RecordType=abc DML_Action=INSERT earliest=-4d | bin _time span=1d | stats sum(numRows) as count by _time,table_Name | sort limit=10 +_time -count | sort 0 _time | streamstats latest(count) as previous by Table_Name window=1 global=f current=f | eval increase=round(100*(count-previous)/previous,0)
Optimisation will usually depend on the data set(s) you are dealing with, which you haven't provided. Having said that, the dedup by Ordernumber and movement_category will mean that there is only one event with each unique combination of the values in these fields, which means the count from the stats will always be 1, so what is the point of doing the stats? Your join is to an inputlookup, can this be replaced by a simple lookup?
Hi @hazem, I can't find the parameter now, also because I try to avoid changing it; the default value is usually the best solution. Ciao. Giuseppe
Hi @neerajs_81, good for you, see you next time! Maybe you could try the hint from @ITWhisperer to put inputs in different rows, but always one by one in each panel. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
Hi @gcusello, could you please provide me with the stanza to change the interval required to read logs from the log file? E.g. the MSSQL ERROR.log file.
Please provide more detail - what is the source of your dashboard? How are you using the tokens? If the tokens both have the same value, can you not just use one token?
Hello Splunker!! Could you please help me optimize the query below? The customer says dedup is consuming a lot of resources. So what should I change in the query so that the complete query gets optimized? index=abc sourcetype=abc _tel type=TEL (trigger=MFC_SND OR trigger=FMC_SND) telegram_type=CO order_type=TO area=D10 aisle=A01 *1000383334* | rex field=_raw "(?P<Ordernumber>[0-9]+)\[ETX\]" | fields _time area aisle section source_tel position destination Ordernumber | join area aisle [ inputlookup isc where section="" | fields area aisle mark_code | rename area AS area aisle AS aisle] | lookup movement_type mark_code source AS source_tel position AS position destination AS destination OUTPUT movement_type | fillnull value="Unspecified" movement_type | eval movement_category = case( movement_type like "%IH - LH%", "Storage", movement_type like "%LH - R%", "Storage", movement_type like "%IH - IH%", "Storage", movement_type like "%R - LH%", "Retrieval", movement_type like "%LH - O%", "Retrieval", 1 == 1, "Unknown" ) | fields - source_tel position destination | dedup Ordernumber movement_category | stats count AS orders by area aisle section movement_category movement_type Ordernumber _raw
You could put them in panels in different rows

<form version="1.1" theme="light">
  <label>Inputs</label>
  <row>
    <panel>
      <input type="text" token="src_ip">
        <label>Source IP</label>
      </input>
      <input type="text" token="dest_ip">
        <label>Destination IP</label>
      </input>
    </panel>
  </row>
  <row>
    <panel>
      <input type="radio" token="srcIPcondition">
        <label>SrcIP Condition</label>
        <choice value="=">Equal</choice>
        <choice value="!=">Not Equal</choice>
      </input>
      <input type="radio" token="destIPcondition">
        <label>DestIP Condition</label>
        <choice value="=">Equal</choice>
        <choice value="!=">Not Equal</choice>
      </input>
    </panel>
  </row>
</form>
Hi @hazem, it's usually continuously monitored every 30 seconds, but you can change this frequency, even if I didn't do it. Ciao. Giuseppe
If your file is already external to Splunk, you could write a script to send it to your external system for enrichment, and place the returned file somewhere so that it can be ingested into Splunk (assuming that's where you want the enriched data).
Hi @gcusello, what about reading logs from application log files? Is it continuously monitored, or can we set an interval?
| sort 0 _time | streamstats latest(count) as previous by Table_Name window=1 global=f current=f | eval increase=round(100*(count-previous)/previous,0)
Hi, there were average values because the time period was too large.
Ok, I see your point. Yes, the easiest way would be, as you suggested, to filter within the analytics data, but another option which we have done for this exact purpose was to just create a little script which queries the SEP's data and inserts it into analytics on a schedule. Did a similar thing for Remote services. Ciao
Hello, I would like to know if it's possible to set up a "lot" of automation brokers in a single instance within the same tenant? Or is it only 1 per "tenant"? My main use case would be to have access to and act upon a lot of "on-prem" clients with a few SOAR cloud instances (clients are already merged by "group of clients", therefore I do not want to re-split with 1 tenant = 1 client). PSA: I did not manage to find the details about the possibility of having multiple "automation brokers" in both Splunk SOAR and Splunk Automation Broker; I assume it's possible based on the API and the "id" for the broker, I just want to confirm it, thanks!
Thank you very much for your time and effort. I have created both a support ticket and an idea. Kind regards
Hi Husnain, I don't believe there is an officially documented API. What we did was just open developer tools in the browser and create a new test metric, check the way the payload is structured; you can then automate or build them using Curl or any scripting method of your choice. Ciao
@PickleRick, the file can be in any format. So, basically we have a file in our local system, or if an email contains a file, we would like to take that file as an input via a custom command and send that file to the third-party TI provider's API as the query param.
Hi @neerajs_81, as I said, there's no way to intervene on the Classic Dashboards inputs layout; you can only use Dashboard Studio. Ciao. Giuseppe
Ok thanks, is there a way to increase the gap between two input boxes? How can I add more space between Source IP and DestIP Condition as shown below?