Sorry, I am new to Splunk. Yes, I have only been able to connect MySQL to DBConnect, but I am not able to configure it to Logstash. Any idea how I can get the audit logs into Logstash through TCP? The UF can forward the log to TCP, and Logstash has an input plugin for TCP.
Without knowledge of your data, I can't see any further optimisations you might try
@ITWhisperer Yes, I replaced join with the lookup command. Do you want me to try something more to optimize it further?
If the rex isn't working, it is probably because it doesn't match precisely to the event you have. Please repost your events in a code block </> to preserve the formatting which will be important to getting the rex correct.
It returns a blank table.
Have you tried this with the join being replaced by a lookup?
Unfortunately, it didn't pick up the policy ID. It returns a blank table.
Hello Splunkers,

I'm working on developing an app that requires making REST API calls to Splunk in order to gather information about saved searches, knowledge objects, and more. Could you please advise on the most secure method for authorization and authentication? Does the REST API support MFA, or are there other mechanisms available, with or without SAML? Is token generation the only secure way to make these API calls, or are there alternative methods?

Thanks
Manish Kumar
@ITWhisperer After applying your suggested command, I also replaced the lookup command, and now the search takes 10.5 seconds to complete. Thanks for your help.
I have this exact same issue. I can prove that it works fine matching the Linux OS but does not match Windows; in fact, Windows will get matched as Linux.
I've downloaded the latest Splunk installation package, extracted the app files and replaced the old files in my installation. But it does not help.
@ITWhisperer Although this method is correct, it takes one second longer than the dedup command. Thanks in advance.
| stats dc(Ordernumber) as count first(movement_type) as movement_type by area aisle section movement_category Ordernumber
Regular expressions are very literal - they match exactly what they are told to match or they don't match at all. In the attempted SPL, the rex command expects to find the letters 'm', 's', 'g', a space, and '=' in that order, but they are not present in the sample events, so no policyId field can be extracted. Try this:

| rex field=msg "policyId\\\":\\\"(?<policyId>\w+)"
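The point about literalness is easiest to see by running candidate patterns against the raw event text before pasting them into a search. The following is an added example, not code from the thread: the two sample events are constructed (one plain JSON record, one with the same JSON backslash-escaped inside a msg="..." field), the "broken" pattern is a reconstruction of the kind of `msg = ` prefix the answer describes, and the "tolerant" pattern is a generalisation of the fix that the thread does not propose.

```python
import re

# Constructed sample events; they are not the events from the original thread.
# RAW_JSON_EVENT is a plain JSON audit record.  ESCAPED_MSG_EVENT embeds the same
# kind of record as a backslash-escaped string inside a msg="..." field, which is
# how many log shippers wrap nested JSON.
RAW_JSON_EVENT = '{"ts":"2024-05-01T10:00:00Z","policyId":"POL123","action":"allow"}'
ESCAPED_MSG_EVENT = (
    'level=INFO msg="{\\"ts\\":\\"2024-05-01T10:00:01Z\\",\\"policyId\\":\\"POL456\\"}"'
)

# Reconstruction (an assumption) of the failing attempt described in the answer:
# it insists on the literal characters "msg = " (spaces around "=") before the
# policy ID.  No sample event contains that exact sequence, so it never matches.
BROKEN_PATTERN = r'msg = .*"policyId":"(?P<policyId>\w+)"'

# The thread's fix for raw JSON: match the literal "policyId":" and capture the
# word characters that follow.  Python spells named groups (?P<name>...);
# Splunk's PCRE accepts (?<name>...).
RAW_JSON_PATTERN = r'"policyId":"(?P<policyId>\w+)"'

# Added generalisation, not proposed in the thread: allow an optional backslash
# before each quote so one pattern covers both raw and string-escaped JSON.
TOLERANT_PATTERN = r'\\?"policyId\\?":\\?"(?P<policyId>\w+)\\?"'


def extract_policy_id(event: str, pattern: str):
    """Return the captured policyId, or None if the pattern does not match.

    This mirrors rex: a non-matching regex silently yields no field rather
    than an error, which is why the original search returned a blank table.
    """
    m = re.search(pattern, event)
    return m.group("policyId") if m else None


def extraction_matrix(events=None, patterns=None):
    """Run every pattern against every event: a quick pre-flight check for a
    rex before it goes into a search."""
    events = events or {"raw_json": RAW_JSON_EVENT, "escaped_msg": ESCAPED_MSG_EVENT}
    patterns = patterns or {
        "broken": BROKEN_PATTERN,
        "raw_json": RAW_JSON_PATTERN,
        "tolerant": TOLERANT_PATTERN,
    }
    return {
        (ev_name, pat_name): extract_policy_id(ev, pat)
        for ev_name, ev in events.items()
        for pat_name, pat in patterns.items()
    }


if __name__ == "__main__":
    for (ev_name, pat_name), value in extraction_matrix().items():
        print(f"{ev_name:12s} {pat_name:9s} -> {value}")
```

The broken pattern returns None for both events, the raw-JSON pattern works only on the unescaped record, and the tolerant pattern extracts the ID from both. That last row is the practical check: if a rex matches in a regex tester but not in Splunk, compare the pattern against the event exactly as it is stored, escaping and all.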
Hi @H2ck1ngPr13sT,
if you want your count for one day, you could use something like this:

index=monitor name="Manager - Error" text2.value="*Rerun" text1.value IN ("*Load Balancer*", "*Endpoints*") earliest=-1d latest=now | rename text1.value AS text1_value | stats count(eval(searchmatch(text1_value,"Load Balancer"))) AS LoadBalancer count(eval(searchmatch(text1_value,"Endpoints"))) AS Endpoints

If instead you want the values for each day in the last 7 days, you could use something like this:

index=monitor name="Manager - Error" text2.value="*Rerun" text1.value IN ("*Load Balancer*", "*Endpoints*") earliest=-7d latest=now | rename text1.value AS text1_value | eval type=if(searchmatch(text1_value,"Load Balancer"),"LoadBalancer", "Endpoints") | timechart span=1d count BY type

Ciao.
Giuseppe
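The two queries above count differently when one event mentions both phrases, and that is worth checking before putting either into a dashboard. The following is an added example, not Giuseppe's code: it reimplements the semantics of the two forms in Python over five constructed events (timestamps and text1.value strings invented for illustration) so the difference is visible. The stats form counts each phrase independently; the eval/timechart form assigns exactly one label per event, with "Load Balancer" taking priority and everything else falling into "Endpoints".

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events, not from the thread: (timestamp, text1.value).
# The last one mentions both phrases; that is where the two SPL forms diverge.
EVENTS = [
    ("2024-05-01T08:00:00Z", "Rerun failed: Load Balancer health check timed out"),
    ("2024-05-01T09:30:00Z", "Rerun failed: Endpoints unreachable in eu-west-1"),
    ("2024-05-02T01:15:00Z", "Rerun failed: Load Balancer returned 503"),
    ("2024-05-02T02:45:00Z", "Rerun failed: endpoints list empty"),
    ("2024-05-02T03:00:00Z", "Rerun failed: Load Balancer cannot reach Endpoints"),
]

PHRASES = {"LoadBalancer": "Load Balancer", "Endpoints": "Endpoints"}


def matches(text: str, phrase: str) -> bool:
    """Substring test, case-insensitive like Splunk search-term matching."""
    return phrase.lower() in text.lower()


def count_overlapping(events):
    """Mirrors the first query's stats count(eval(searchmatch(...))) columns.

    Each phrase is counted independently, so an event containing both phrases
    increments both columns and the column totals can exceed the event count."""
    totals = Counter({label: 0 for label in PHRASES})
    for _, text in events:
        for label, phrase in PHRASES.items():
            if matches(text, phrase):
                totals[label] += 1
    return dict(totals)


def classify(text: str) -> str:
    """Mirrors the second query's eval type=if(..., "LoadBalancer", "Endpoints").

    Exactly one label per event: Load Balancer wins when both phrases appear,
    and anything that does not mention Load Balancer is labelled Endpoints."""
    return "LoadBalancer" if matches(text, PHRASES["LoadBalancer"]) else "Endpoints"


def count_per_day(events):
    """Mirrors timechart span=1d count BY type, bucketing by UTC calendar day
    here (Splunk buckets in the search's configured timezone)."""
    per_day = defaultdict(Counter)
    for ts, text in events:
        day = (
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            .replace(tzinfo=timezone.utc)
            .date()
            .isoformat()
        )
        per_day[day][classify(text)] += 1
    return {day: dict(counts) for day, counts in sorted(per_day.items())}


if __name__ == "__main__":
    print("overlapping totals:", count_overlapping(EVENTS))
    print("per day, one label per event:", count_per_day(EVENTS))
```

With these five events the overlapping totals sum to six, while the per-day table sums to five. Neither is wrong, but they answer different questions, so pick the one that matches what the panel is supposed to say.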
@ITWhisperer Thanks for your response. With the dedup command it is giving the expected 2 results: 1 for storage and 2 for retrieval. Without the dedup command it is giving me 5 results. Note: there is no such impact seen after replacing the join inputlookup with the "lookup command".
| rex "\"policyId\":\"(?<policyId>\w+)\""
Hello @PickleRick, that's an interesting topic. I will dig for more information about it, and I'll let you know here if I find something interesting. Thanks! Nicolas
Can you give an example of an event which generates the incorrect values? (Perhaps with the correct field names too?)
Hi, I have the query below. I want to group and count by two different words, one group per word, in the field "text1.value"; the words, Load Balancer and Endpoints, are located somewhere in a string. Also I want to count how many of them occurred per day. Is this possible?

index=monitor name="Manager - Error" text2.value="*Rerun"  text1.value="*Load Balancer*" OR "*Endpoints*"