All Posts


Is your | collect mode=hex also showing an empty _raw {} in your summary index? Mine is.

index=orig | collect mode=hec | table _raw
displays {some stuff in here}

index=summary | table _raw
displays {} nothing inside (but all the fields are search time present... just not the original _raw json {})
"Weekly Reboot":{"ScheduledTaskState":"Enabled","StartTime":"4:00:00 AM","LastRunTime":"10/23/2024 4:00:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly Reboot -Optional":{"ScheduledTaskState":"Enabled","StartTime":"4:00:00 AM","LastRunTime":"10/22/2024 4:00:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly reboot-POPS stalls":{"ScheduledTaskState":"Enabled","StartTime":"3:45:00 AM","LastRunTime":"10/23/2024 3:45:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Workstation Audit Logs":{"ScheduledTaskState":"Enabled","StartTime":"12:05:00 AM","LastRunTime":"10/23/2024 12:05:01 AM","LastResult":"0","Author":"BrandDevOpsTeam","RunAsUser":"SYSTEM"}},"FilesInLoad":{},"Cdrive":{"DriveName":"Sonic","TotalFriendlySize":"146GB","TotalSizeBytes":"157286395904","FriendlyFreeSpace":"64GB","FreeSpaceBytes":"69178445824","PercentFree":"44%","ChkDskNeeded":"NotAvailable"},"Rogue":{"AllDskID":["C:"," ","F:","G:"],"AllVlmName":["Sonic","Micros","Sonic","Micros"]},"Stall":{"12":"GENERIC","16":"GENERIC","10":"POPS4","06":"POPS4","26":"GENERIC","100":"POPS4","11":"POPS4","07":"GENERIC","05":"POPS4","32":"GENERIC","94":"DriveThru","02":"POPS4","04":"POPS4","08":"POPS4","25":"GENERIC","56":"GENERIC","09":"POPS4","01":"POPS4","03":"POPS4"},"ErrorPCG":"No recent PCG Install errors detected","Ddrive":{"DriveName":"Micros","TotalFriendlySize":"91GB","TotalSizeBytes":"98123640832","FriendlyFreeSpace":"33GB","FreeSpaceBytes":"35223568384","PercentFree":"36%","ChkDskNeeded":"NotAvailable"},"RAIDinfo":{"DriverVersion":"15.9.0.1015","ToolVersion":"15.9.0.1015"},"RAIDtest":{"SystemType":"UnableToQuery","RAIDstatus":"UnableToQuery","ErrorMessage":"Provider failure "},"VigilixRegistry":"VigilixRegistryCorrect"}}
Hi @Robwhoa78 , in the sample you shared, there's only one value "C:", not also the others, could you share a sample with all the values to extract? highlighting in bold the values to extract? Ciao. Giuseppe
Wait a second. Does your raw data contain the string in quotes or without them?
I tried this and it still showed results for a stats or timechart output.
I need this to show the AllDskID which is C,D,E,F, or G. Examples are below.
"Rogue":{"AllDskID":["C:","D:","E","F"]
"Rogue":{"AllDskID":["C:","D:","F","G"]
"Rogue":{"AllDskID":["C:","D:"]
Hi @Robwhoa78 , if you used INDEXED_EXTRACTIONS = JSON you should have the value, otherwise, you could use the spath command. As a last choice, you could use rex:
| rex "\"Rogue\":\{\"AllDskID\":\[\"(?<AllDskID>[^\"]+)"
If instead your issue is that from the "Message.Rogue.AllDskID{}" field you have more than you want, you could try with:
| rex field=Message.Rogue.AllDskID{} "^\"(?<AllDskID>[^\"]+)"
Ciao. Giuseppe
Mvmap has different results on different versions: the left screen is version 9.3.1, the right is 9.0.5. If the field has more than one value, the result will be equal.
{"Level":"INFO","Timestamp":"2024-10-23T11:15:30.2696398-06:00","Message":{"Hiberfile":"NonExist"},"FireWallStatus":{"DomainFireWall":"OFF","PrivateFireWall":"OFF","PublicFireWall":"OFF"},"TermInfo":{"Lane91":"InTermHandler","Lane50":"InTermHandler"},"Time":{"Timezone":"Mountain Standard Time","DaylightSavings":"True","LocalClock":"10/23/2024 11:15:24 AM","Status":{"LastSuccessfulSync":"10/23/2024 11:13:57 AM","LastSyncSource":"pool.ntp.org"},"Peers":{"TimeServer#1":"pool.ntp.org","TimeServer#2":"time.windows.com"}},"MarketingTimeStamp":{"MarketingTimeStamp":"2024-10-11T20:29:09.000"},"TaskInfo":{"AI Restart DAILY":{"ScheduledTaskState":"Enabled","StartTime":"1:30:00 AM","LastRunTime":"10/23/2024 1:30:01 AM","LastResult":"2","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"AI Restart Weekly":{"ScheduledTaskState":"Enabled","StartTime":"4:30:00 AM","LastRunTime":"10/23/2024 4:30:00 AM","LastResult":"2","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"CarHop Backup":{"ScheduledTaskState":"Enabled","StartTime":"4:45:00 AM","LastRunTime":"10/23/2024 4:45:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"D Drive Temp Folder Clean Up":{"ScheduledTaskState":"Enabled","StartTime":"2:30:00 AM","LastRunTime":"10/23/2024 2:30:01 AM","LastResult":"1","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"LANDESK Agent Health":{"ScheduledTaskState":"Enabled","StartTime":"9:00:00 PM","LastRunTime":"10/22/2024 9:00:01 PM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"MicrosoftEdgeUpdateTaskMachineCore{5E85796F-9899-4CC1-B3A0-4D719B6B80C5}":{"ScheduledTaskState":"Enabled","StartTime":"11:48:40 AM","LastRunTime":"11/30/1999 12:00:00 AM","LastResult":"267011","Author":"N/A","RunAsUser":"SYSTEM"},"MicrosoftEdgeUpdateTaskMachineUA{74A7D1C8-E2E1-498A-B5E2-2E132A3C29ED}":{"ScheduledTaskState":"Enabled","StartTime":"11:18:40 AM","LastRunTime":"11/30/1999 12:00:00 
AM","LastResult":"267011","Author":"N/A","RunAsUser":"SYSTEM"},"PAYS Restart Daily":{"ScheduledTaskState":"Enabled","StartTime":"5:00:00 AM","LastRunTime":"10/23/2024 5:00:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"PCDiskClean":{"ScheduledTaskState":"Enabled","StartTime":"5:30:00 AM","LastRunTime":"10/23/2024 5:30:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Restart DPC - Daily":{"ScheduledTaskState":"Enabled","StartTime":"5:30:00 AM","LastRunTime":"10/23/2024 5:30:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Restart Interceptor Daily":{"ScheduledTaskState":"Enabled","StartTime":"5:30:00 AM","LastRunTime":"10/23/2024 5:30:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Restart SIS After Reboot":{"ScheduledTaskState":"Enabled","StartTime":"N/A","LastRunTime":"10/23/2024 4:11:19 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Restart Splunk":{"ScheduledTaskState":"Enabled","StartTime":"12:00:00 AM","LastRunTime":"10/23/2024 6:00:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"SISRestart":{"ScheduledTaskState":"Enabled","StartTime":"5:00:00 AM","LastRunTime":"10/23/2024 5:00:01 AM","LastResult":"-2147024894","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"System To FOH On Reboot":{"ScheduledTaskState":"Enabled","StartTime":"N/A","LastRunTime":"10/23/2024 11:12:27 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly Reboot":{"ScheduledTaskState":"Enabled","StartTime":"4:00:00 AM","LastRunTime":"10/23/2024 4:00:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly Reboot -Optional":{"ScheduledTaskState":"Enabled","StartTime":"4:00:00 AM","LastRunTime":"10/22/2024 4:00:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly reboot-POPS 
stalls":{"ScheduledTaskState":"Enabled","StartTime":"3:45:00 AM","LastRunTime":"10/23/2024 3:45:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Workstation Audit Logs":{"ScheduledTaskState":"Enabled","StartTime":"12:05:00 AM","LastRunTime":"10/23/2024 12:05:01 AM","LastResult":"0","Author":"BrandDevOpsTeam","RunAsUser":"SYSTEM"}},"FilesInLoad":{},"Cdrive":{"DriveName":"Sonic","TotalFriendlySize":"146GB","TotalSizeBytes":"157286395904","FriendlyFreeSpace":"69GB","FreeSpaceBytes":"73613537280","PercentFree":"47%","ChkDskNeeded":"NotAvailable"},"Rogue":{"AllDskID":["C:"," "],"AllVlmName":["Sonic","Micros"]},
Hi, I'm getting a 201 token error on the Splunk Cloud maintenance dashboard. Just wondered if anyone has seen this before.
Hi @Robwhoa78 , could you share a sample of your logs? Ciao. Giuseppe
If your problem is resolved, then please click the "Accept as Solution" button to help future readers.
How did you solve this issue? I am facing the same problem.
You can split it into 2 commands to make it work: ... | eval output=mvappend(field_1, field_2) | stats values(output) as output
coalesce is not the right approach if both fields have a value in the same event as it will only use the value of the first field containing a non-null value...
FWIW, this syntax is not working for me: ... | stats values(mvappend(field_1, field_2)) AS output
Hi Team, I am trying to design a query which should show a result like total event count, sub event count and sub event in percent. Can you please help with the query? For example, the table below:

Work_Month_week | total_week_day | work day of week | Number of work hours | percent work hours
1 | 3 | Mon | 2 | %
  |   | Tus | 4 | %
  |   | Tus | 4 | %
2 | 2 | Mon | 2 | %
  |   | Tus | 4 | %
3 | 3 | Mon | 3 | %
  |   | Tus | 5 | %
  |   | thu | 4 | %
I have this message field that I need to extract the value from the brackets. The values are C,D,E,F,G Message.Rogue.AllDskID{} how would I use REX to do this? Or would I need to use the eval command?    
Hi community, I have observed an issue with the ingestion of the first line in a log file that, at first glance, seemed to have been truncated. Here's a screenshot for reference: My apologies for the poor job at blurring the data, but the first event should look like the second event, with a whole lot of data after the highlighted field. The field DistPoint itself should have a value of "DEPSY.IM2" and, it got, apparently, truncated at such a weird point. All other subsequent lines in the log were successfully ingested. There were 3 log files landing on the ingestion point in quick succession - seconds apart, so I am not sure if this could have been the issue. I was about to update the truncate value for the sourcetype, but all lines in the logs are 3551 bytes, by default. Any ideas as to what could the problem have been? Thank you.
I've done something similar but put it as a saved search in an app and shared that. The app contained a dashboard that would load the results from the saved search. I forget the syntax but there is a trick to it and it shouldn't be too hard to sort it out.