Extracting from the new messages is fine. I tried 'Extract New Fields'; it is not easy to work with.
You can use "rule_description" as the field for the above description.
I want to extract the 'description' field. It can be for the new messages.
Ah yes, this example needs to run on its own and will create sample events. But see my other reply; this needs more logic.
Just noticed that this will not work; it will need some loop hopping to get months and then days ....
Hi MuS, thanks for the help. However, when I run the query I get an error message: Error in 'makeresults' command: This command must be the first command of a search.
Hi there, try this:

| makeresults | eval alert_value=1060, BatteryAge=strftime(alert_value, "%m months %d days")

This will return: (output shown in the original screenshot) but I'm not sure you can then use it in a single value panel. Just give it a try. Hope this helps ... Cheers, MuS

Update: This is based on the simple assumption that every month has 4 weeks, because I'm not a mathematician nor a scientist:

| makeresults | eval alert_value=1060, secs=alert_value*86400, months=floor(secs/(604800*4)), days=alert_value - (months*28), alert_value = months ." months ". days ." days"
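A calendar-accurate version of the conversion discussed in this reply, as an added example that is not part of the original thread. It assumes that alert_value is a count of whole days since the battery was replaced (the thread never states the unit) and that the caller knows the date the reading was taken; instead of a fixed 4-week or 30-day month it walks real calendar months from the inferred replacement date, so "1 month 20 days" means exactly that.

```python
"""Split a battery age in days into calendar months and days.

Added example, not from the original thread. Assumes `age_days` is whole days
since replacement and `today` is the date of the reading (ISO string or date).
"""
import calendar
from datetime import date, timedelta


def add_months(d: date, n: int) -> date:
    """Return `d` shifted forward `n` calendar months, clamping the day-of-month
    so that e.g. 31 Jan + 1 month becomes 28/29 Feb rather than 2/3 Mar."""
    month_index = d.month - 1 + n
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def _as_date(value) -> date:
    return date.fromisoformat(value) if isinstance(value, str) else value


def months_and_days(age_days: int, today) -> tuple:
    """Return (months, days) such that replacement + months + days == today."""
    if age_days < 0:
        raise ValueError("age_days must be non-negative")
    today = _as_date(today)
    installed = today - timedelta(days=age_days)
    # Count whole calendar months that fit between installation and today.
    months = 0
    while add_months(installed, months + 1) <= today:
        months += 1
    days = (today - add_months(installed, months)).days
    return months, days


def format_age(age_days: int, today) -> str:
    """Render the age the way the dashboard wants it, e.g. '1 month 20 days'."""
    m, d = months_and_days(age_days, today)
    return f"{m} month{'s' if m != 1 else ''} {d} day{'s' if d != 1 else ''}"


if __name__ == "__main__":
    print(format_age(50, "2024-10-23"))
    print(format_age(1060, "2024-10-23"))
```

The same walk can be done inside Splunk once the replacement timestamp rather than a day count is available; with only a day count, the 4-week or 30-day approximation in the reply above is the best eval can do, and its error grows with the age.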
Hi, @sainag_splunk I entered your search command in my Splunk search app, but no results were shown. There are no results from your command for my sourcetype, "my_json". I am confused about how to resolve this issue; it may cause critical errors in analysing our data. Is there anything to try to resolve the issue? I have tried this: the data has a line break after ':', so I think that is what caused the parsing error. I tried changing the value to "LINE_BREAKER=[}|,]+[\r\n]+", meaning that if the end of a line is ":\r\n", the UF will not break the line. But even after changing the LINE_BREAKER value, the parsing errors are still raised.

24/10/23 12:02:22.193   10-23-2024 12:02:22.193 +0900 ERROR JsonLineBreaker [7804 structuredparsing] - JSON StreamId:15916142412051242565 had parsing error:Unexpected character: ':' - data_source="C:\splunk\<my_path>.bin", data_host="<my_host>", data_sourcetype="my_json"
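The failure this post describes is a line breaker that cuts on a newline pattern while the JSON it is cutting can legally wrap after a ':'. The added example below (not from the thread) contrasts the two approaches on constructed input: a regex split in the spirit of LINE_BREAKER=[}|,]+[\r\n]+ versus a splitter that tracks brace depth and ignores braces inside strings. The sample stream is made up; the exact fragments Splunk's JsonLineBreaker would produce are not modelled, only the class of error.

```python
"""Split a stream of JSON objects into events by brace depth, not by newline.

Added example, not from the original thread. SAMPLE is constructed: three
objects, the second wrapped after ':' and containing a '}' inside a string.
"""
import json
import re

SAMPLE = (
    '{"eventId": "A", "description": "ok"}\r\n'
    '{"eventId": "B",\r\n  "description":\r\n  "value with } brace"}\r\n'
    '{"eventId": "C", "nested": {"k": "v"}}\r\n'
)


def split_json_events(stream: str):
    """Yield each complete top-level JSON object in `stream`, wherever the
    newlines fall. String contents (including escaped quotes) are skipped so
    braces inside values do not change the depth."""
    depth = 0
    in_string = False
    escape = False
    start = None
    for i, ch in enumerate(stream):
        if in_string:
            if escape:
                escape = False
            elif ch == "\\":
                escape = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0 and start is not None:
                yield stream[start:i + 1]
                start = None


def parse_events(stream: str) -> list:
    """Depth-based splitting followed by a normal JSON parse per event."""
    return [json.loads(ev) for ev in split_json_events(stream)]


def count_naive_failures(stream: str) -> int:
    """Split on '}' or ',' followed by a line break, as a newline-pattern
    breaker would, and count the fragments that are not valid JSON."""
    failures = 0
    for frag in re.split(r"[}|,]+[\r\n]+", stream):
        if not frag.strip():
            continue
        try:
            json.loads(frag)
        except json.JSONDecodeError:
            failures += 1
    return failures


if __name__ == "__main__":
    print([e["eventId"] for e in parse_events(SAMPLE)])
    print("naive fragments that fail to parse:", count_naive_failures(SAMPLE))
```

For a sourcetype that is configured for structured JSON parsing, the practical reading is that a LINE_BREAKER tweak cannot fix a producer that writes one object across several lines; the source format has to be pretty-printed consistently enough for the breaker, or the events have to be parsed with a depth-aware reader as above before they reach the forwarder.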
Hi @gcusello, Thank you for sharing the formula for the storage, but is it applicable to Splunk Cloud? Also the average license consumption, is it the data ingestion or the storage entitlement we are talking about? Thanks in advance!
Hi @afeng Do you want to extract for the already ingested/existing logs at the Splunk indexer (search time), or for new logs yet to be ingested into Splunk (are you using any add-ons/TAs, are you using a UF and/or HF)?
I allowed port 8000 in Windows Firewall, and I got a firewall log. Then, in a browser on the local server, I accessed https://192.168.0.8:8000. This browser access timed out, and no access entry remained in the firewall log. I think the browser access is being blocked by something before Windows Firewall allows or blocks it. But I don't know how local access could be denied other than by Windows Firewall. I use Windows Defender; I don't use any firewall application other than that. What stops browser access on the local server? Does anyone have any idea? Thank you.
Over a decade later, but here is my RPI info and which forwarder worked on it:

@raspberrypi:/opt# uname -a
Linux raspberrypi 6.1.53-v8+ #1680 SMP PREEMPT Wed Sep 13 18:09:06 BST 2023 aarch64 GNU/Linux

From the previous releases page: Splunk Universal Forwarder 8.1.9 / ARMv6 / 2.6+, 3.x+, 4.x+, or 5.x+ kernel Linux distributions 32-bit
Hi, I am building a dashboard for UPS monitoring and I would like to convert a specific metric, which is battery age. It gives us some information about when the battery was last changed; however, I would like to see the result in months and days, like below.

Expected outcome: 1 month 20 days.
Current outcome: (shown in the original screenshot)

SPL query:

index="ups" indexed_is_service_aggregate=1 kpi=BatteryAge | lookup service_kpi_lookup _key as itsi_service_id OUTPUT title AS service_name | search service_name="MainUPS" | stats latest(alert_value) AS BatteryAge

Can anyone help me with this?
I tried removing the stats and have:

| mstat min(df_metric.*) WHERE (host=myhost) span=1h index="linux_os_metric" BY MountedOn | table MountedOn

Still nothing in the dropdown. It would be useful to understand a bit more about how these results are returned, as it seems you are implying that these results are not suitable for a <query> in a dropdown? Is there a way of converting the result set to be non-multivalue? If I run the search in Search & Reporting I just get a list of filesystems. Appreciate your input - thanks!
Thanks for the solution, which worked when I select the data entity and the time and hit the submit button with the query below. But without selecting the env (test or prod), the search is run based on the default dropdown: if it is test, it applies index "np-ap" and sets stageToken to test. I want the submit button to work for the env selection too, along with data entity and date.

index="np-ap" AND source="--a-test"
<query>index=$indexToken$ AND source="-a-$stageToken$"

<form version="1.1" theme="dark">
  <label> stats</label>
  <fieldset submitButton="true">
    <input type="dropdown" token="indexToken1">
      <label>Environment</label>
      <choice value="pd-ap,prod">PROD</choice>
      <choice value="np-ap,test">TEST</choice>
      <change>
        <eval token="stageToken">mvindex(split($value$,","),1)</eval>
        <eval token="indexToken">mvindex(split($value$,","),0)</eval>
      </change>
      <default>np-ap,test</default>
    </input>
    <input type="dropdown" token="entityToken">
      <label>Data Entity</label>
      <choice value="aa">aa</choice>
      <choice value="bb">bb</choice>
      <choice value="cc">cc</choice>
      <choice value="dd">dd</choice>
      <choice value="ee">ee</choice>
      <choice value="ff">ff</choice>
      <default>aa</default>
    </input>
    <input type="time" token="timeToken" searchWhenChanged="false">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html id="APIStats">
        <style>
          #user{ text-align:center; color:#BFFF00; }
        </style>
        <h2 id="user">API</h2>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Unique</title>
        <search>
          <query>index=$indexToken$ AND source="-a-$stageToken$" | stats count </query>
          <earliest>$timeToken.earliest$</earliest>
          <latest>$timeToken.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
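The symptom in this post is a panel query that references $indexToken$ and $stageToken$ while the only place those tokens are ever set is the Environment input's <change> handler; the input itself is bound to a different token (indexToken1). The added example below, not from the thread, is a small lint for Simple XML dashboards that surfaces exactly that pattern: it lists every token a <query>, <earliest> or <latest> uses and reports those that are not set by an input's token attribute or by an <init> block. The embedded dashboard is the one from the post, trimmed; the with_init helper shows the usual remedy of seeding the derived tokens in an <init> block so the default choice is usable before the dropdown is ever touched.

```python
"""Lint Simple XML dashboards for tokens used in searches but only set by
<change> handlers (or not at all).

Added example, not from the original thread. DASHBOARD_XML is the posted
dashboard with the Data Entity input and the HTML panel removed.
"""
import re
import xml.etree.ElementTree as ET

DASHBOARD_XML = """<form version="1.1" theme="dark">
  <label>stats</label>
  <fieldset submitButton="true">
    <input type="dropdown" token="indexToken1">
      <label>Environment</label>
      <choice value="pd-ap,prod">PROD</choice>
      <choice value="np-ap,test">TEST</choice>
      <change>
        <eval token="stageToken">mvindex(split($value$,","),1)</eval>
        <eval token="indexToken">mvindex(split($value$,","),0)</eval>
      </change>
      <default>np-ap,test</default>
    </input>
    <input type="time" token="timeToken" searchWhenChanged="false">
      <label>Time</label>
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
  </fieldset>
  <row><panel><table>
    <search>
      <query>index=$indexToken$ AND source="-a-$stageToken$" | stats count</query>
      <earliest>$timeToken.earliest$</earliest>
      <latest>$timeToken.latest$</latest>
    </search>
  </table></panel></row>
</form>"""

# $token$ or $token.attribute$ (e.g. $timeToken.earliest$); captures the base name.
TOKEN_RE = re.compile(r"\$([A-Za-z_]\w*)(?:\.\w+)?\$")


def tokens_used_in_searches(root) -> set:
    used = set()
    for el in root.iter():
        if el.tag in ("query", "earliest", "latest") and el.text:
            used.update(TOKEN_RE.findall(el.text))
    return used


def token_setters(root) -> dict:
    """Map token name -> set of ways it gets a value: 'input', 'change', 'init'."""
    setters = {}
    for inp in root.iter("input"):
        if inp.get("token"):
            setters.setdefault(inp.get("token"), set()).add("input")
        for ev in inp.findall("./change/eval") + inp.findall("./change/set"):
            setters.setdefault(ev.get("token"), set()).add("change")
    for init in root.iter("init"):
        for ev in list(init):
            if ev.get("token"):
                setters.setdefault(ev.get("token"), set()).add("init")
    return setters


def uninitialised_tokens(xml_text: str) -> list:
    """Tokens a search depends on that only a <change> handler can populate."""
    root = ET.fromstring(xml_text)
    setters = token_setters(root)
    return sorted(t for t in tokens_used_in_searches(root)
                  if setters.get(t, set()) <= {"change"})


def with_init(xml_text: str, values: dict) -> str:
    """Return the dashboard with an <init> block seeding the given tokens."""
    sets = "".join(f'<set token="{k}">{v}</set>' for k, v in values.items())
    return xml_text.replace("<fieldset", f"<init>{sets}</init><fieldset", 1)


if __name__ == "__main__":
    print("before:", uninitialised_tokens(DASHBOARD_XML))
    fixed = with_init(DASHBOARD_XML, {"indexToken": "np-ap", "stageToken": "test"})
    print("after: ", uninitialised_tokens(fixed))
```

The values seeded in <init> should match the dropdown's <default> so the initial submit and a later change produce the same search.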
Oct 22 14:20:45 10.5.0.200 DNAC {"version":"1.0.0","instanceId":"20fd8163-4ca8-424b-a5a9-1e4018372abb","eventId":"AUDIT_LOG_EVENT","namespace":"AUDIT_LOG","name":"AUDIT_LOG","description":"Executing command terminal width 0\nconfig t\nFailed to fetch the preview commands.\n","type":"AUDIT_LOG","category":"INFO","domain":"Audit","subDomain":"","severity":1,"source":"NA","timestamp":1729606845043,"details":{"requestPayloadDescriptor":"terminal width 0\nconfig t\nFailed to fetch the preview commands.\n","requestPayload":"\n"},"ciscoDnaEventLink":null,"note":null,"tntId":"630db6e989269c11640abd49","context":null,"userId":"system","i18n":null,"eventHierarchy":{"hierarchy":"20fd8163-4ca8-424b-a5a9-1e4018372abb","hierarchyDelimiter":"."},"message":null,"messageParams":null,"additionalDetails":{"eventMetadata":{"auditLogMetadata":{"type":"CLI","version":"1.0.0"}}},"parentInstanceId":"9dde297d-845e-40d0-aeb0-a11e141f95b5","network":{"siteId":"","deviceId":"10.7.140.2"},"isSimulated":false,"startTime":1729606845055,"dnacIP":"10.5.0.200","tenantId":"SYS0"}
host = 10.5.0.200
sourcetype = syslog

How do I extract the ':'-separated fields?
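The event above is a syslog line whose message body is a JSON document, so the fields the poster wants (description, userId, details.requestPayloadDescriptor, network.deviceId) are not colon-separated key/value pairs but JSON keys. The added example below, not from the thread, does the two steps a practitioner would do in Splunk with rex and spath input=: strip the syslog header, parse the body, and flatten nested objects into dotted field names. The sample line is the posted event trimmed to a subset of its keys and embedded as a constructed string; the millisecond epoch timestamp is also converted, which lets you confirm it agrees with the syslog header.

```python
"""Extract fields from a syslog line whose body is a JSON document.

Added example, not from the original thread. SAMPLE is the posted Cisco DNA
Center audit event, trimmed; the JSON escapes are kept as written in the log.
"""
import json
import re
from datetime import datetime, timedelta, timezone

SAMPLE = (
    'Oct 22 14:20:45 10.5.0.200 DNAC {"version":"1.0.0",'
    '"instanceId":"20fd8163-4ca8-424b-a5a9-1e4018372abb",'
    '"eventId":"AUDIT_LOG_EVENT","namespace":"AUDIT_LOG",'
    '"description":"Executing command terminal width 0\\nconfig t\\n'
    'Failed to fetch the preview commands.\\n",'
    '"severity":1,"timestamp":1729606845043,'
    '"details":{"requestPayloadDescriptor":"terminal width 0\\nconfig t\\n'
    'Failed to fetch the preview commands.\\n","requestPayload":"\\n"},'
    '"userId":"system","network":{"siteId":"","deviceId":"10.7.140.2"},'
    '"dnacIP":"10.5.0.200"}'
)

# RFC 3164-style header: "Mon DD HH:MM:SS host app {json...}"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>\S+) (?P<body>\{.*\})\s*$"
)


def flatten(obj, prefix: str = "") -> dict:
    """Flatten nested dicts/lists into dotted keys, e.g. network.deviceId."""
    out = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(flatten(v, f"{prefix}{k}."))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            out.update(flatten(v, f"{prefix}{i}."))
    else:
        out[prefix[:-1]] = obj
    return out


def parse_syslog_json(line: str) -> dict:
    """Return syslog header fields plus every (flattened) JSON field."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a syslog line with a JSON body")
    fields = {"syslog_timestamp": m["ts"], "syslog_host": m["host"],
              "syslog_app": m["app"]}
    fields.update(flatten(json.loads(m["body"])))
    return fields


def event_time(ms: int) -> datetime:
    """Millisecond epoch (as in the 'timestamp' key) to an aware UTC datetime."""
    return (datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
            + timedelta(milliseconds=ms % 1000))


if __name__ == "__main__":
    f = parse_syslog_json(SAMPLE)
    for key in ("syslog_host", "userId", "network.deviceId", "description"):
        print(f"{key} = {f[key]!r}")
    print("event_time =", event_time(f["timestamp"]).isoformat())
```

For data already indexed, the search-time equivalent is a rex that captures everything from the first "{" to the end of _raw into a field, followed by spath input= on that field; for new data, the cleaner fix is a sourcetype that parses the body as JSON at ingest so the fields exist without per-search extraction.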
With SOAR's Splunk app (Splunk | Splunkbase), you can pull the SID of your search and append that to your Splunk instance's base URL. This is the same format as if you had clicked the share button in Splunk. Unfortunately, using the link returns "Permission Denied" because the SID hasn't actually been shared.   Does anyone know how to make the results of a search run by the Splunk app shareable?
No. It doesn't work like that. A bucket doesn't "roll to smartstore". A bucket rolls to warm and cache manager uploads it to smartstore when it can. So if you: 1) Didn't give Splunk a chance to upload the bucket to smartstore and 2) Didn't have more copies of a bucket (or just destroyed all instances at once) yes, you might have experienced data loss.  
Searching for both "AuthenticationResult=passed" as well as "Authentication failed" at the same time seems counterintuitive. Are you sure your data matches those conditions? Also, if you can think of reorganizing your search to not include negation, that would be a significant performance benefit.