All Posts
Actually, that's a problem which does not have a precise solution. Short of re-running the search and checking what kind of sourcetypes are returned (and even then it's not 100% certain, because you can have some random aspects of the search), there's no way of knowing what sourcetypes were searched in the general case. So everything you infer from your searches will only be some kind of heuristic: it will give you a probable overview of your search results, but short of recording access to each single event (which obviously Splunk does not do) there's no way of knowing which particular events/metric points were accessed and, subsequently, what their metadata values were.
What was the search you used to populate sourcetypes_1.csv?
Hi Splunk Experts, I have configured HEC and tried to send log data via the OTEL collector, but I can't find a service for the collector. So, kindly suggest how to enable the collector service to receive data from the OTEL Collector. Much appreciated for your inputs. Regards, Eshwar
Hi marnall, I have changed fieldForLabel and fieldForValue to "APPLICATION". Still the dropdown menu is returning only "All". Could you please help? Below is the latest code.

<form hideChrome="true" version="1.1">
  <label>SCODE_VIEW</label>
  <fieldset submitButton="false" autoRun="false">
    <input type="time" token="field1" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="SelectedApp" searchWhenChanged="true">
      <label>Application Name</label>
      <Search>
        <query>
          index="idxmainframe" source="*_SCODE_DATA.CSV" earliest=$field1.earliest$ latest=$field1.latest$
          | table APPLICATION
          | dedup APPLICATION
          | stats count by APPLICATION
        </query>
      </Search>
      <fieldForLabel>APPLICATION</fieldForLabel>
      <fieldForValue>APPLICATION</fieldForValue>
      <choice value="*">All</choice>
      <default>All</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>
            | pivot Scode ds dc(USR_ID) AS "Distinct Count of USR_ID" SPLITROW APPLICATION AS APPLICATION SPLITROW MENU_DES AS MENU_DES SPLITROW REPORTING_DEPT AS REPORTING_DEPT SPLITCOL USER_TYPE BOTTOM 0 dc(USR_ID) ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1
            | sort 0 APPLICATION MENU_DES REPORTING_DEPT
          </query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
Thank you for your prompt reply. Actually, I have this search which lists the sourcetypes that have not been searched, but it is not very accurate, so it might contain sourcetypes that are still searchable:

index=_audit action=search info=granted
| eval _raw=search
| eval _raw=mvindex(split(_raw,"|"),0)
| table _raw
| extract
| stats count by sourcetype
| eval hasBeenSearched=1
| append [| metadata index=* type="sourcetypes" | eval hasBeenSearched="0"]
| stats max(hasBeenSearched) as hasBeenSearched by sourcetype
| search hasBeenSearched="0"

So, I created a lookup into which I have put the sourcetypes that have been searched. I was thinking of referencing this lookup in the above-mentioned query so that it could remove the sourcetypes that are searchable. But the query is not giving me results. Can you please check where I should adjust those commands related to referencing that lookup? Here is how I have used the query, but the results are not coming:

index=_audit action=search info=granted
| eval _raw=search
| eval _raw=mvindex(split(_raw,"|"),0)
| table _raw
| extract
| stats count by sourcetype
| eval hasBeenSearched=1
| append [| metadata index=* type="sourcetypes" | eval hasBeenSearched="0"]
| stats max(hasBeenSearched) as hasBeenSearched by sourcetype
| search NOT [inputlookup sourcetypes_1.csv | fields sourcetype]
| search hasBeenSearched="0"
Hi @gcusello, thanks for giving this quick reply. I checked the filename both manually and a second time by using the following command:

| inputlookup ldap_users.csv

This returns the lookup as expected. I can see and edit my lookup with the lookup editor app. I also created a Lookup definition and set the permissions on both the lookup and the lookup definition to global read. I also use the lookup in my Enterprise Security Asset Management, and there it works flawlessly. However, I managed to just utilize the merged identity lookup that Enterprise Security creates. It is not the solution to the original problem, but it solves my use case. So for me the solution is to just utilize another lookup:

index=main source_type=some_event_related_to_users
| lookup identity_lookup_expanded identity as src_user
Do you get the same results when running the command line on all nodes in the cluster? How many nodes do you have?
"Non searchable" is not the same as "have not been searched". The problem with this sort of search is that Splunk is not good at finding things which aren't there! You could search through the internal logs to see what searches have been executed and extract from that which sourcetypes have been specified. This would give you a list of sourcetypes which have been searched specifically, but if sourcetype is not used in the search, all sourcetypes for the specified index could be searched, so do you want to include those as having been searched, or say that they haven't been searched? Anyway, having got a list of sourcetypes which have been searched, you should compare this to a list of all sourcetypes to determine which ones "have not been searched" (given the caveats just mentioned).
Hello All, I am looking for a query that can provide me with a list of sourcetypes that have not been searched. Kindly suggest.
Hi @tsocyberoperati, @PickleRick's hint is correct, but you can use this approach by finding a correct regex to identify the hosts. Ciao. Giuseppe
Thank you for the information. So, if the upgraded version is compatible with the Cribl workers, then can we go for the upgrade even though the final downstream cloud components run with a lower version?
For example, I have a link to a specific trace: https://xxxx.signalfx.com/#/apm/traces/2459682daf1fe95db9bbff2042a1ec0e This, for example, will show me the whole trace waterfall from the beginning of the trace. Now, I want to be able to access this trace from a specific start_time and see it until end_time. Is it possible? If yes, what should the correct link be?
This should be fast enough:

| tstats max(_time) AS _time WHERE index=* BY host
| where relative_time(now(), "-30d") > _time
| reltime
| rename reltime as since_last_update
| eval last_update_time = strftime(_time, "%F %T")
ChatGPT is perhaps the last place you want to learn SPL from. The task is relatively straightforward.

index=* "daily.cvd"
| fields host ``` only needed if sources have too many fields ```
| eval source = "INDEX"
| append [inputlookup hosts.csv | eval source = "CSV"]
| stats values(source) as source by host
| eval status = case(mvcount(source) > 1, null(), source == "CSV", "Missing", true(), "New")
| fields - source
@gcusello I ended up taking an entirely different approach. I ditched inputlookup/lookup and used a bit of eval, where and eventstats to achieve it. For your suggestion to use a summary index, I do not have privileges to create a new index, so I couldn't try that, but it would have worked, I guess. Thank you though, I can definitely keep this approach in mind whenever I run into problems again.
First, unless you have prior knowledge that the number of Hostname values in index A is always larger than that in index B in any search period, "missing" simply means that the name appears only in one index. The following does not try to address this problem, but will give you what you want, and is much simpler, perhaps more performant.

(index=A sourcetype="Any") OR (index=B sourcetype="foo")
| eval Hostname=coalesce(lower(Hostname), lower(Reporting_Host))
| fields index Hostname operating_system device_type
| stats values(*) as * by Hostname
| eval match=if(mvcount(index) == 1, "missing", "ok")

Not only operating system and device type; you can add any other fields of interest that may only exist in one of the indices.
How to fix "Could not load lookup=LOOKUP-autolookup_prices"
Simple query, actually.

index=ourindex earliest=epoch1 latest=epoch2

The command line query returns 16 events; the same query in the UI returns 8 events. The 16 events have 8 duplicates. Running Splunk Enterprise 9.1.1. Search head cluster.
Thanks @dural_yyz. I was thinking of a solution where for a specific token I could enable the HTTP protocol. Based on your comment and @jawahir007's comment, I infer that it's a global setting and cannot be changed for a specific token. I wonder why Splunk recommends using HTTP for performance optimisation (referring to the statement below from the listed ref link). "Sending data over HTTP results in a significant performance improvement compared to sending data over HTTPS." Troubleshoot HTTP Event Collector - Splunk Documentation