All Posts

Hi Tiong.Koh, thank you for posting to the community. Could you clarify how many characters are currently being captured and how many characters you'd need to be shown? This will help in understanding the scope. From what I understand, the maximum number of characters of query text shown is hardcoded to a maximum of 32,767 characters in the database agent. We can't change this setting because increasing this limit might lead to higher memory consumption on the DB agent side and increased storage usage on the Controller side. Regards, Martina
Can you please try to use loadjob as mentioned in the document.

<search>
  <query> | loadjob savedsearch="admin:search:SavedSearch" </query>
</search>
Someone mentioned in a previous post if a null value is present as an answer then it can mess with the viz.
File integrity is checked on start up - have you done a restart?
Given the complexity of the regex, I suspect the sample event may be over-simplified. However, if it's a matter of the value field being an integer followed by a space, with everything after that going into the reason field, then this rex command will do.

| rex "(?<MetricValue>\d+)\s(?<Reason>.*)"
Actually most of your problem is coming from multiple capture groups inside a capture group, designated by each "()" pairing.

| makeresults format=csv data="sample
600 reason and more:then what
701 code practice Reason
899 something
104 this
12 nothing"
| rex field=sample "^(?<Metric>[^\s]+)\s(?<Reason>[^:|^R]+).*$"
| table sample Metric Reason

You can see in my example that after the <field> I did not nest additional capture group designations such as what you were using. The above generates some random data which I hope fits your use case, but you provided minimal examples so I made assumptions. The rex as coded would withdraw the information you are looking for, assuming that the Metric is the first thing on the line or field and following that is the Reason, with your indicated cut-off characters or end of line, like I indicated. Feel free to remove the indicators for beginning of line and end of line if they don't fit your data. Here is the output I get.

sample                         Metric  Reason
600 reason and more:then what  600     reason and more
701 code practice Reason       701     code practice
899 something                  899     something
104 this                       104     this
12 nothing                     12      nothing
Probably a basic question. I have the following data:

600 reason

and this rex:

(?<MetricValue>([^\s))]+))(?<Reason>([^:|^R]+))

What I am getting is 60 in MetricValue and 0 in Reason. I presume that is due to the match being up to the next NOT space, thus the metric value is 60 and 0 remains in the data for Reason. What is the right way to do this such that I get value = 600 and reason = reason?
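The two rex patterns suggested in the replies above, run in Python over the thread's sample rows, as an added example that is not part of the original posts. Splunk's rex uses PCRE named groups written `(?<name>...)`; Python's re module spells them `(?P<name>...)`, and that is the only change made to the patterns. The helper names `rex`, `extract_all`, `capture_group_count` and the `SAMPLE_ROWS` list are assumptions introduced here; the rows are constructed from the makeresults data in the thread.

```python
import re

# Constructed sample values, mirroring the makeresults rows posted in the thread.
SAMPLE_ROWS = [
    "600 reason and more:then what",
    "701 code practice Reason",
    "899 something",
    "104 this",
    "12 nothing",
]

# Pattern A (from the "integer followed by a space" reply):
# one or more digits, one whitespace character, then everything else.
REX_DIGITS_THEN_REST = re.compile(r"(?P<MetricValue>\d+)\s(?P<Reason>.*)")

# Pattern B (from the "no nested groups" reply):
# first run of non-space characters, one whitespace character, then a run of
# characters that are none of ':', '|', '^' or 'R'. Inside [...] the '|' and
# the non-leading '^' are literal characters, not alternation or negation.
REX_NO_NESTED_GROUPS = re.compile(r"^(?P<Metric>[^\s]+)\s(?P<Reason>[^:|^R]+).*$")

# The pattern from the question, with nested unnamed groups inside each named group.
REX_NESTED_FROM_QUESTION = r"(?P<MetricValue>([^\s))]+))(?P<Reason>([^:|^R]+))"


def rex(pattern: re.Pattern, text: str) -> dict:
    """Mimic `| rex`: return the named groups of the first match, or {} if nothing matched."""
    m = pattern.search(text)
    return m.groupdict() if m else {}


def extract_all(pattern: re.Pattern, rows) -> list:
    """Apply one pattern to every row, like `| rex field=sample ...` over a result set."""
    return [rex(pattern, row) for row in rows]


def capture_group_count(pattern: str) -> int:
    """Number of capturing groups a pattern defines (named and unnamed).
    Extra unnamed groups come from every nested '(...)' pair."""
    return re.compile(pattern).groups


if __name__ == "__main__":
    for label, pat in (("A", REX_DIGITS_THEN_REST), ("B", REX_NO_NESTED_GROUPS)):
        print(f"pattern {label}: {pat.pattern}")
        for row, fields in zip(SAMPLE_ROWS, extract_all(pat, SAMPLE_ROWS)):
            print(f"  {row!r:35} -> {fields}")
    print("capturing groups in the question's regex:",
          capture_group_count(REX_NESTED_FROM_QUESTION))
    print("capturing groups in pattern B:",
          capture_group_count(REX_NO_NESTED_GROUPS.pattern))
```

Note that pattern B keeps the trailing space on "code practice " because the character class stops at the capital R but not at the blank before it; pattern A is the simpler choice when the value is always an integer followed by a single separator.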
Of course. That's what you get when you're writing faster than you're thinking. That eventstats should have a "BY ip" clause so you get the count of distinct values for each separate ip. So

| eventstats dc(name) AS dc BY ip

The rest stays the same.
Thanks ccWildcard. Executing /opt/splunk/bin/splunk cmd python script.py makes sense. Will update my app and retest.
@R15 For monitor stanzas, it's still pretty much the same. However, many new types of inputs exist too (modular, scripted, HEC etc.), which do not rely on the fishbucket.
Hi @PickleRick
When I ran the following command, the dc returned 6 for each row:

| eventstats dc(name) as dc

dc  ip       location     name
6   1.1.1.1  location-1   name0
6   1.1.1.1  location-1   name1
6   1.1.1.2  location-2   name2
6   1.1.1.2  location-20  name0
6   1.1.1.3  location-3   name0
6   1.1.1.3  location-3   name3
6   1.1.1.4  location-4   name4
6   1.1.1.4  location-4   name4b
6   1.1.1.5  location-0   name0
6   1.1.1.6  location-0   name0

So, the output is still missing 1.1.1.5 and 1.1.1.6. Only name0 that exists on multiple rows should be removed. Thanks for your help.

| where name!="name0" OR (name=="name0" AND dc=1)

output
dc  ip       location    name
6   1.1.1.1  location-1  name1
6   1.1.1.2  location-2  name2
6   1.1.1.3  location-3  name3
6   1.1.1.4  location-4  name4
6   1.1.1.4  location-4  name4b

Expected output:
ip       location    name
1.1.1.1  location-1  name1
1.1.1.2  location-2  name2
1.1.1.3  location-3  name3
1.1.1.4  location-4  name4
1.1.1.4  location-4  name4b
1.1.1.5  location-0  name0
1.1.1.6  location-0  name0
I had this same issue. I built an Ansible playbook that needed to run a Python script. I got this error when running:

/opt/splunk/bin/python script.py

What fixed it:

/opt/splunk/bin/splunk cmd python script.py

Not sure if you're having the same problem, but for some reason the requests module doesn't load right or handle SSL if you do /opt/splunk/bin/python but DOES work correctly if you use /opt/splunk/bin/splunk cmd python. Hope it helps!
This ended up solving a major problem for me using Ansible to set up Splunk and running Python scripts inside the Ansible playbook. Thank you so much!
This list has aged quite a bit, is it still accurate? @yannK 
You can help yourself and check how many distinct values there are in the name field.

| eventstats dc(name) as dc
| where name!="name0" OR (name=="name0" AND dc=1)

Then you can

| dedup name

if needed.
Hi @PickleRick
Sorry I missed another condition. I also updated the initial post. The name0 is not in order. The dedup/filter should not be applied to IPs that don't contain "name0" AND it should not be applied to a unique IP that has "name0". So, unique IPs like 1.1.1.5 and 1.1.1.6 that have "name0" need to remain in the data. What I did now is to filter them out statically, but another IP could show up with the same pattern. Thank you again for your help.

Data:
ip       name    location
1.1.1.1  name0   location-1
1.1.1.1  name1   location-1
1.1.1.2  name2   location-2
1.1.1.2  name0   location-20
1.1.1.3  name0   location-3
1.1.1.3  name3   location-3
1.1.1.4  name4   location-4
1.1.1.4  name4b  location-4
1.1.1.5  name0   location-0
1.1.1.6  name0   location-0

Expected output:
ip       name    location
1.1.1.1  name1   location-1
1.1.1.2  name2   location-2
1.1.1.3  name3   location-3
1.1.1.4  name4   location-4
1.1.1.4  name4b  location-4
1.1.1.5  name0   location-0
1.1.1.6  name0   location-0

| makeresults format=csv data="ip, name, location
1.1.1.1, name0, location-1
1.1.1.1, name1, location-1
1.1.1.2, name2, location-2
1.1.1.2, name0, location-20
1.1.1.3, name0, location-3
1.1.1.3, name3, location-3
1.1.1.4, name4, location-4
1.1.1.4, name4b, location-4
1.1.1.5, name0, location-0
1.1.1.6, name0, location-0"
Then just filter out all events with name="name0":

| where name!="name0"

or even

| search name!="name0"

Then you can dedup if needed.
Hi @PickleRick
Thank you for your help. I also updated the original post. The name0 is not in order. The dedup/filter should not be applied to IPs that don't contain "name0".

Data:
ip       name    location
1.1.1.1  name0   location-1
1.1.1.1  name1   location-1
1.1.1.2  name2   location-2
1.1.1.2  name0   location-20
1.1.1.3  name0   location-3
1.1.1.3  name3   location-3
1.1.1.4  name4   location-4
1.1.1.4  name4b  location-4

Expected output:
ip       name    location
1.1.1.1  name1   location-1
1.1.1.2  name2   location-2
1.1.1.3  name3   location-3
1.1.1.4  name4   location-4
1.1.1.4  name4b  location-4

| makeresults format=csv data="ip, name, location
1.1.1.1, name0, location-1
1.1.1.1, name1, location-1
1.1.1.2, name2, location-2
1.1.1.2, name0, location-20
1.1.1.3, name0, location-3
1.1.1.3, name3, location-3
1.1.1.4, name4, location-4
1.1.1.4, name4b, location-4"
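The eventstats-then-where approach from this thread, reproduced in Python as an added example that is not part of the original posts. It shows why `| eventstats dc(name) AS dc` without a BY clause stamps 6 on every row of the data above, and why `| eventstats dc(name) AS dc BY ip` followed by `| where name!="name0" OR (name=="name0" AND dc=1)` keeps the lone name0 rows for 1.1.1.5 and 1.1.1.6 while dropping name0 wherever that ip also has another name. The function names `eventstats_dc` and `drop_placeholder` are assumptions introduced here; the `ROWS` list is constructed from the makeresults data posted in the thread.

```python
from collections import defaultdict

# Constructed rows, copied from the makeresults data posted in the thread.
ROWS = [
    {"ip": "1.1.1.1", "name": "name0",  "location": "location-1"},
    {"ip": "1.1.1.1", "name": "name1",  "location": "location-1"},
    {"ip": "1.1.1.2", "name": "name2",  "location": "location-2"},
    {"ip": "1.1.1.2", "name": "name0",  "location": "location-20"},
    {"ip": "1.1.1.3", "name": "name0",  "location": "location-3"},
    {"ip": "1.1.1.3", "name": "name3",  "location": "location-3"},
    {"ip": "1.1.1.4", "name": "name4",  "location": "location-4"},
    {"ip": "1.1.1.4", "name": "name4b", "location": "location-4"},
    {"ip": "1.1.1.5", "name": "name0",  "location": "location-0"},
    {"ip": "1.1.1.6", "name": "name0",  "location": "location-0"},
]


def eventstats_dc(rows, field, by=None, out="dc"):
    """Mimic `| eventstats dc(<field>) AS <out> [BY <by>]`.

    Unlike stats, eventstats keeps every row and adds the aggregate to it.
    With by=None the distinct count is taken over the whole result set, so
    every row receives the same number; with by="ip" it is taken per ip.
    """
    distinct = defaultdict(set)
    for r in rows:
        distinct[r.get(by) if by else None].add(r[field])
    return [dict(r, **{out: len(distinct[r.get(by) if by else None])}) for r in rows]


def drop_placeholder(rows, field="name", placeholder="name0", by="ip"):
    """Drop the placeholder value only where its group also holds a real value.

    Equivalent to the SPL from the thread:
        | eventstats dc(name) AS dc BY ip
        | where name!="name0" OR (name=="name0" AND dc=1)
    A group whose only value is the placeholder (dc == 1) is left untouched,
    so ips that have never reported a real name still appear in the output.
    """
    with_dc = eventstats_dc(rows, field, by=by)
    return [
        {k: v for k, v in r.items() if k != "dc"}   # strip the helper column
        for r in with_dc
        if r[field] != placeholder or r["dc"] == 1
    ]


if __name__ == "__main__":
    print("eventstats dc(name) without BY:")
    for r in eventstats_dc(ROWS, "name"):
        print("  ", r)
    print("eventstats dc(name) BY ip, then the where filter:")
    for r in drop_placeholder(ROWS):
        print("  ", r)
```

The same pattern applies beyond this thread: any "unknown"/"n/a"/"-" placeholder that should be dropped only when a better value exists for the same key is a per-key distinct count followed by a filter, not a global `search name!=placeholder`, which would also erase the keys that have nothing but the placeholder.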
Hello, my deployment server shows 11 errors, however the query doesn't return any results and I have selected all time. Where would I go from here?