All Posts


Depending on how you have "removed" the timewrap command, you could have a token which starts and ends a comment (```):

index=foo $comment$ [| makeresults | fields - _time | addinfo | eval day=mvrange(0,2) | mvexpand day | eval earliest=relative_time(info_min_time,"-".day."d") | eval latest=relative_time(info_max_time,"-".day."d") | fields earliest latest] $comment$
| timechart span=1m sum(value) as value
| eval _time=_time $comment$
| timewrap 1d $comment$
| makeresults format=csv data="ServerName,UpgradeStatus
Server1,Completed
Server2,Completed
Server3,Completed
Server4,Completed
Server5,Completed
Server6,Completed
Server7,Pending
Server8,Pending
Server9,Pending
Server10,Processing
Server11,Processing"
| eventstats count as Total
| chart count by Total UpgradeStatus
Sometimes I set myself SPL conundrum challenges just to see how to solve them. I realised I couldn't do something I thought would be quite straightforward. For the dummy data below I want a single-row result set which tells me how many events of each UpgradeStatus and how many events in total, i.e.

Total  Completed  Pending  Processing
11     6          3        2

I don't know in advance what the different values of UpgradeStatus might be, and I don't want to use addtotals (this is the challenge part). I came up with the solution below, which kinda "misuses" xyseries (which I'm strangely proud of). I feel like I'm missing a more straightforward solution, other than addtotals. Anyone up for the challenge? Dummy data and solution (misusing xyseries) follows...

| makeresults format=csv data="ServerName,UpgradeStatus
Server1,Completed
Server2,Completed
Server3,Completed
Server4,Completed
Server5,Completed
Server6,Completed
Server7,Pending
Server8,Pending
Server9,Pending
Server10,Processing
Server11,Processing"
| stats count by UpgradeStatus
| eventstats sum(count) as Total
| xyseries Total UpgradeStatus count
An extension of this: https://community.splunk.com/t5/Splunk-Search/Looking-at-yesterdays-data-but-need-to-filter-the-data-to-only/m-p/696758#M236798

I've created a dashboard on the above with an input that adds the timewrap line when the option is selected "yes" and nothing when the option is selected "no".

The issue I am having is when "no" is selected, the graph looks like the following when I select smaller time windows. Below I selected 4 hours, but how can I only show the last 4 hours and not the previous window?

Query is as follows:

index=foo [| makeresults | fields - _time | addinfo | eval day=mvrange(0,2) | mvexpand day | eval earliest=relative_time(info_min_time,"-".day."d") | eval latest=relative_time(info_max_time,"-".day."d") | fields earliest latest]
| timechart span=1m sum(value) as value
| eval _time=_time
You could try protecting access to the lookup by putting it in a KV store and accessing it through a custom command. This custom command would be in an app which is protected from "casual" users with particular roles and permissions. The custom command would return the matching word without disclosing the contents of the lookup. This is not a trivial solution, but may at least go some way to meeting your requirement.
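The matching step of the custom-command approach described in this reply (and asked for in the "highlight matched keywords" and "analyst shouldn't view lookups" posts further down), written out as an added example. It is not the poster's code and not the Splunk SDK's streaming-command scaffolding, which is left out so the logic runs stand-alone; the keyword list, the field names matched_keyword and _raw_highlighted, and the sample DLP events are constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# Constructed stand-in for the protected KV store collection. In the real custom
# command this list would be read server-side under the app's own permissions
# and never be returned to the calling user (assumption, not from the thread).
PROTECTED_KEYWORDS: List[str] = ["Project Falcon", "Bluebird-7", "M&A target list"]

# Constructed DLP-style events standing in for what the search feeds the command.
SAMPLE_DLP_EVENTS: List[Dict[str, object]] = [
    {"user": "alice",
     "_raw": 'DLP ALERT user=alice action=upload subject="Project Falcon budget" dest=drive.example.com'},
    {"user": "bob",
     "_raw": "DLP INFO user=bob action=print file=lunch_menu.pdf"},
    {"user": "carol",
     "_raw": 'DLP ALERT user=carol action=email attach="bluebird-7 specs.zip" note="M&A target list draft"'},
]


class KeywordMatcher:
    """One compiled, case-insensitive pattern for the whole keyword list.

    Every keyword is re.escape()d so regex metacharacters in it stay literal,
    and the alternation is wrapped in look-arounds so 'Bluebird-7' does not
    fire on 'Bluebird-70'. Longest keyword first so overlapping terms prefer
    the most specific one.
    """

    def __init__(self, keywords: Iterable[str]) -> None:
        ordered = sorted({k.strip() for k in keywords if k.strip()}, key=len, reverse=True)
        if not ordered:
            raise ValueError("keyword list is empty; refusing to build a match-everything pattern")
        # map lower-cased form back to the canonical spelling held in the store
        self._canonical = {k.lower(): k for k in ordered}
        alternation = "|".join(re.escape(k) for k in ordered)
        self._regex = re.compile(r"(?<!\w)(?:" + alternation + r")(?!\w)", re.IGNORECASE)

    def matches(self, text: str) -> List[str]:
        """Canonical keywords present in text, deduplicated, in order of first appearance."""
        found: List[str] = []
        for m in self._regex.finditer(text):
            canonical = self._canonical[m.group(0).lower()]
            if canonical not in found:
                found.append(canonical)
        return found

    def highlight(self, text: str, left: str = "<<", right: str = ">>") -> str:
        """Mark each hit in place so the analyst sees where it matched, not the list."""
        return self._regex.sub(lambda m: f"{left}{m.group(0)}{right}", text)


def annotate_events(events: Iterable[Dict[str, object]], matcher: KeywordMatcher) -> List[Dict[str, object]]:
    """What a streaming custom command would do per event.

    Only events that matched get the two added fields; everything else passes
    through untouched, and the keyword list itself never appears in the output.
    """
    out: List[Dict[str, object]] = []
    for ev in events:
        ev = dict(ev)  # do not mutate the caller's event
        hits = matcher.matches(str(ev.get("_raw", "")))
        if hits:
            ev["matched_keyword"] = hits
            ev["_raw_highlighted"] = matcher.highlight(str(ev["_raw"]))
        out.append(ev)
    return out


if __name__ == "__main__":
    matcher = KeywordMatcher(PROTECTED_KEYWORDS)
    for ev in annotate_events(SAMPLE_DLP_EVENTS, matcher):
        print(ev.get("matched_keyword", []), "|", ev.get("_raw_highlighted", ev["_raw"]))
```

Two properties matter for the requirement in this thread: the command only emits keywords that actually occurred in an event, so a search result never carries the full list, and highlighting is done on the event text rather than by exposing the lookup. It does not stop an analyst who can run arbitrary searches from probing the list by feeding chosen text through the command, so the role restriction on the app remains the real control.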
Hi @msalghamdi, it isn't so immediate if you want to search on all the raw events; if instead you want to search on a predefined field it's easier. In the second case you can use the lookup command, something like this:

<your_search> | lookup your_lookup.csv your_key OUTPUT your_key AS found_key

In the other case there was a solution from @somesoni2 to my same requirement around 10 years ago, very hard to remember. Ciao. Giuseppe
Thanks for the prompt response. Our risk team wants to provide a list of critical project keywords which will be stored as a lookup, and we'd search the DLP logs for any match in the lookup, but they require that the analyst shouldn't have the ability to view the lookup, which means that the analyst wouldn't know what keyword matched if the DLP captured more than a file/keyword in one log, so we thought maybe there's a way we can highlight matched keywords in the search.
Dear MiniNenya, According to your explanation, how did you calculate "average amount of data ingested by each index"? Sincerely, Benny
We have developed an add-on to pull audit logs from Zabbix: https://splunkbase.splunk.com/app/5272 Check this and let us know at splunk.support@dataelicit.com if you are facing any issue.
What type of integration are you looking for? Looking to get data from Splunk to Zabbix, or Zabbix to Splunk, or anything else?
This app is supported by my company, and we have released the latest version of the app providing additional support to pull audit logs from Zabbix and added more details also. If you are still facing issues with the add-on please send us an email at splunk.support@dataelicit.com
Hi @Alex_Rus, yes, it's possible by modifying inputs.conf on your Splunk_TA_Windows, adding whitelists and/or blacklists to filter your events. Otherwise it's possible to filter events using props.conf and transforms.conf on the Indexers, following the instructions at https://docs.splunk.com/Documentation/SplunkCloud/latest/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues If possible it's better to use the first solution (inputs.conf), otherwise you can use the second one. Ciao. Giuseppe
App on deployment-server. I think, filtering by props and transform is better, but maybe I'm wrong)
Hi @msalghamdi , could you better describe your requirement, eventually with an example? Ciao. Giuseppe
Hi @jroedel, if the Add Data feature doesn't permit using this feature I suppose that it isn't possible, even if it's strange. I tried but I have the same result. Ciao. Giuseppe
Hi @Alex_Rus, let me understand: you want to filter events on the Universal Forwarder, is it correct? See blacklists and whitelists in the Splunk_TA_Windows documentation, which guides you: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Event_Log_filtering Ciao. Giuseppe
Hello Splunkers, how can I utilize a lookup in a correlation search showing the detected keyword in the search result? It's a requirement that the analyst shouldn't have the capability to view lookups. Thanks in advance.
Thanks for your second attempt. I tried, but still no luck. Might there be the possibility that the "Add Data" WebUI wizard does not support this correctly?
Hi Splunk community! I need to filter events from the Splunk_TA_Windows application by the EventCode, Account_Name and Source_Network_Address fields. Tell me, in what form should props.conf and transforms.conf be written, and in what folder should they be located?
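Both filtering options mentioned in the replies above (input-level whitelist/blacklist in inputs.conf on the forwarder, or props.conf/transforms.conf on the parsing tier), written out as an added example for the three fields asked about. This is not from the Splunk_TA_Windows defaults or from the replies; the account name, IP address, transform name and app name are hypothetical. One point that matters for the question: Account_Name and Source_Network_Address are not keys the input-level filter understands (those are the event-log properties such as EventCode, LogName, Message, User), they are text inside the event's Message, so they are matched with a regex on the Message key.

```ini
# Option 1: filter at the input, on the Universal Forwarder.
# File: Splunk_TA_windows/local/inputs.conf in the app you push from the
# deployment server (stanza name must match the TA's own Security input).
[WinEventLog://Security]
disabled = 0
# All key=regex pairs in one blacklist line must match for the event to be
# dropped. Message spans many lines, so use [\s\S]* rather than .* between
# the two parts. Hypothetical account "svc-scanner" and address 10.0.0.5.
blacklist1 = EventCode="4624" Message="Account Name:\s+svc-scanner\$?[\s\S]*Source Network Address:\s+10\.0\.0\.5(?!\d)"
# Keep 4624 for everyone else; nothing else in this stanza is affected.

# Option 2: filter at parse time, on the indexers (or on a heavy forwarder if
# one sits in front of them). The UF does not evaluate props/transforms, so
# these two files go in an app on the parsing tier, e.g.
# $SPLUNK_HOME/etc/apps/my_filters/local/props.conf and transforms.conf
# ("my_filters" is a hypothetical app name).

# props.conf - keyed on source, which is WinEventLog:Security across TA versions
[source::WinEventLog:Security]
TRANSFORMS-drop_scanner_logons = drop_scanner_logons

# transforms.conf - send matching raw events to the null queue (discarded)
[drop_scanner_logons]
REGEX = (?m)^EventCode=4624$[\s\S]*Account Name:\s+svc-scanner\$?[\s\S]*Source Network Address:\s+10\.0\.0\.5(?!\d)
DEST_KEY = queue
FORMAT = nullQueue
```

Two caveats a reviewer would raise before deploying either. A 4624 event carries "Account Name:" twice (the Subject and the New Logon sections), so a regex that only anchors on the account will also drop events where the scanner account merely initiated the logon of someone else; test the pattern against real events with a search on the existing data before enabling it. And dropping security events at the source is irreversible, so keep the filter as narrow as the one above (a specific code, account and address) rather than excluding a whole EventCode.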
Hi @jroedel, please try this:

TIME_FORMAT=%s,\n\s*\"nanoOfSecond\"\s*:\s*%9N
TIME_PREFIX=\"epochSecond\"\s*:\s*
MAX_TIMESTAMP_LOOKAHEAD=500

Ciao. Giuseppe