I have this query: index=x host=y "searchTerm" | stats Avg(Field1) Avg(Field2), which returns a count of N statistics. I would like to modify my query such that (first stats value) statistics[0], (middle stats value) ((statistics[0]+statistics[N])/length(statistics)), (final stats value) statistics(N) are returned in the same query. I have tried using head and tail, but that still limits it to the specified value after 'head' or 'tail'. What other options are available?
What would cause a command line query ( bin/splunk search "..." ) to return duplicate results over what the UI would return?
I have had success in the past by base-64 encoding the image in an <img> tag and sending the html email. Can you try that? As for formatting the email, you could try writing the email in your favorite email client, then viewing the source code, then copy-and-pasting it into the SOAR email action html body field. It may still need some tweaking, but most of the formatting should be preserved.
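The technique in the answer above, as an added example written for this page (it is not code from the answer, from Splunk or from SOAR): a Python helper that turns raw image bytes into a base64 data: URI inside an <img> tag and wraps it in a minimal HTML body of the kind you would paste into the SOAR email action's HTML body field. The image bytes are a constructed placeholder that begins with the PNG signature, not a real picture; the helper only sniffs the type from the leading bytes and encodes, so it does not need a decodable image.

```python
import base64
import html

# Magic-byte signatures for the image types worth allowing in an HTML e-mail.
# Anything else is refused so the helper cannot be used to inline arbitrary
# content into a mail body.
_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Constructed test input: bytes beginning with the PNG signature. It is not a
# decodable picture; it only exercises the sniffing and encoding path.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32


def sniff_mime(data: bytes) -> str:
    """Return the MIME type implied by the leading bytes, or raise ValueError."""
    for magic, mime in _SIGNATURES.items():
        if data.startswith(magic):
            return mime
    raise ValueError("unsupported or unrecognised image data")


def image_to_data_uri(data: bytes) -> str:
    """Base64-encode raw image bytes into a data: URI usable as an <img> src."""
    mime = sniff_mime(data)
    return f"data:{mime};base64,{base64.b64encode(data).decode('ascii')}"


def embed_image_html(data: bytes, alt: str, max_bytes: int = 1_000_000) -> str:
    """Produce an <img> tag with the image inlined. The alt text is HTML-escaped.

    max_bytes caps the raw image size: base64 inflates it by about a third, and
    oversized inline images are a common reason a message is rejected.
    """
    if len(data) > max_bytes:
        raise ValueError(f"image is {len(data)} bytes, limit is {max_bytes}")
    return f'<img src="{image_to_data_uri(data)}" alt="{html.escape(alt, quote=True)}">'


def build_html_body(title: str, image: bytes, alt: str) -> str:
    """Wrap the inline image in a minimal HTML document for the email action body."""
    return (
        "<html><body>"
        f"<h2>{html.escape(title)}</h2>"
        f"{embed_image_html(image, alt)}"
        "</body></html>"
    )


def extract_image(html_body: str) -> bytes:
    """Reverse the embedding (handy for checking what an outbound mail carries)."""
    start = html_body.index("base64,") + len("base64,")
    end = html_body.index('"', start)
    return base64.b64decode(html_body[start:end])


if __name__ == "__main__":
    print(build_html_body("Incident summary", SAMPLE_PNG, "chart of alert volume"))
```

Two caveats before relying on this: keep inline images small, since base64 grows the payload by about a third, and some mail clients refuse to render data: URI images, in which case attaching the image as a MIME part and referencing it by Content-ID is the fallback.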
In your dropdown, you seem to have the fieldForLabel and fieldForValue both set to "apps", but in your dynamic query you have used the table command to filter the fields down to only the "APPLICATION" field. Therefore no results will appear except for the default "All". I recommend changing fieldForLabel and fieldForValue to "APPLICATION".
Have a go at this:

index=* "daily.cvd"
| dedup host
| table host
| append [| inputlookup hosts.csv]
| stats count by host
| where count = 1
| lookup hosts.csv host outputnew host as host_found
| eval status = if(isnull(host_found),"NEW","MISSING")
| table host status

Make sure you have a lookup table (hosts.csv) with a single "host" column containing all your expected hosts.
It might be possible to hotwire the app, but you would void the warranty. It would also be worth reading through the terms of use to ensure you are not breaking it. The app itself should, in theory, provide code that makes an API call to the Splunk AI servers. I could not tell you for sure as I have only used the Preview version.
Either two columns as you described, or two columns with machines that SHOULD appear and another column saying Missing if it's not there or New if it's new and unexpected. That way I wouldn't need to look through them as thoroughly and at a glance be able to see if something is wrong.
If I understand correctly, you would like the final output to be two columns, where one shows the machines that SHOULD appear, and the second shows the machines that DO appear? Then you could see which machines are not appearing and therefore need attention? E.g.

SHOULD_APPEAR  DO_APPEAR
host1          host1
host2
host3          host3
...            ...
Hello everyone, I'd like to start out by saying I'm really quite new to Splunk, and we run older versions (6.6.3 and 7.2.3). I'm looking to have a search that will do the following:

- Look up the current hosts in our system, which I can get with the following search:

index=* "daily.cvd" | dedup host | table host

- Then compare to a CSV file that has 1 column with A1 being "host" and then all other entries are the hosts that SHOULD be present/accounted for.
-- Using ChatGPT I was able to get something like the below, which on its own will properly read the CSV file and output the hosts in it.

| append [ | inputlookup hosts.csv | rename host as known_hosts | stats values(known_hosts) as known_hosts ]
| eval source="current"
| eval status=if(isnull(mvfind(known_hosts, current_hosts)), "New", "Existing")
| eval status=if(isnull(mvfind(current_hosts, known_hosts)), "Missing", status)
| mvexpand current_hosts
| mvexpand known_hosts
| table current_hosts, known_hosts, status

- However, when I combine the 2, it will show me 118 results (should only be 59) and there are no results in the "current_hosts" column, and after 59 blank results, the "known_hosts" will then show the correct results from the CSV.

index=* "daily.cvd" | dedup host | table host
| append [ | inputlookup hosts.csv | rename host as known_hosts | stats values(known_hosts) as known_hosts ]
| eval source="current"
| eval status=if(isnull(mvfind(known_hosts, current_hosts)), "New", "Existing")
| eval status=if(isnull(mvfind(current_hosts, known_hosts)), "Missing", status)
| mvexpand current_hosts
| mvexpand known_hosts
| table current_hosts, known_hosts, status

I'd love to have any help on this; I wouldn't be surprised if ChatGPT is making things more difficult than needed. Thanks in advance!
This is not a reliable way. If any other host mentions the host we're after, such an event will get routed to syslog...
index=A sourcetype="Any"
| eval Hostname=lower(Hostname)
| table Hostname os device_type ```# Include os and device_type fields```
| dedup Hostname
| append [ search index=B sourcetype="foo" | eval Hostname=lower(Reporting_Host) | table Hostname | dedup Hostname ]
| stats values(os) as os values(device_type) as device_type count by Hostname
| eval match=if(count=1, "missing", "ok")
| table Hostname os device_type match

------
If you find this solution helpful, please consider accepting it and awarding karma points!
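As an added illustration, not code from either answer in this thread or from the hosts.csv answer earlier on this page: the compare-two-host-lists logic that those searches build from append and stats count, written in Python over constructed sample rows. It keeps the os and device_type attributes from the first source, normalises names the way the searches do (lowercase, and the domain suffix stripped as the rex in the metrics post below does), and, unlike a bare count=1 test, records which side a lone host came from. The sample rows and field names are assumptions made for the example.

```python
# Constructed sample rows standing in for the two searches' results.
INDEX_A = [  # inventory source: carries os and device_type
    {"Hostname": "WEB01.corp.example", "os": "Windows Server 2019", "device_type": "server"},
    {"Hostname": "db02", "os": "RHEL 8", "device_type": "server"},
    {"Hostname": "lap-17", "os": "Windows 10", "device_type": "laptop"},
    {"Hostname": "db02", "os": "RHEL 8", "device_type": "server"},  # duplicate event, what dedup removes
]
INDEX_B = [  # reporting source: only the host name is available
    {"Reporting_Host": "web01"},
    {"Reporting_Host": "LAP-17.corp.example"},
    {"Reporting_Host": "printer-9"},
]


def normalise(name):
    """Lowercase and drop the domain suffix, so WEB01.corp.example == web01.

    Skipping this step is the usual reason a host is reported missing when it
    is present under a slightly different spelling on the other side.
    """
    return name.strip().lower().split(".", 1)[0]


def compare_inventories(a_rows, b_rows, a_key="Hostname", b_key="Reporting_Host",
                        attrs=("os", "device_type")):
    """Return {host: {attr..., "match": status}} for every host seen on either side.

    Mirrors: append both searches | stats values(os) values(device_type) count by Hostname,
    but distinguishes a host that is only in A from one that is only in B.
    """
    a = {}
    for row in a_rows:
        entry = a.setdefault(normalise(row[a_key]), {attr: set() for attr in attrs})
        for attr in attrs:
            if row.get(attr):
                entry[attr].add(row[attr])
    b = {normalise(row[b_key]) for row in b_rows}

    result = {}
    for host in sorted(a.keys() | b):
        if host in a and host in b:
            status = "ok"
        elif host in a:
            status = "missing"      # in the inventory, never seen reporting
        else:
            status = "unexpected"   # reporting, but not in the inventory
        values = a.get(host, {attr: set() for attr in attrs})
        result[host] = {attr: sorted(values[attr]) for attr in attrs}
        result[host]["match"] = status
    return result


def hosts_with_status(result, status):
    """Convenience filter, e.g. hosts_with_status(result, "missing")."""
    return [host for host, row in result.items() if row["match"] == status]


if __name__ == "__main__":
    for host, row in compare_inventories(INDEX_A, INDEX_B).items():
        print(f"{host:12} {row['match']:10} {','.join(row['os']):22} {','.join(row['device_type'])}")
```

The "unexpected" status is the security-relevant one that a plain count=1 hides: a machine that reports into index B without appearing in the inventory is either an inventory gap or something that should not be on the network, and both deserve a look.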
Hello, I'm new to the Splunk Synthetic platform and looking for guidance on how the alert conditions below work. Test 1: scheduled to run every 1 minute. So does this mean an alert email is triggered when the test fails 3 times in a row (at 1 min frequency)? Test 2: scheduled to run every 30 minutes. So does this mean an alert email is triggered when the test fails at any time during the scheduled frequency?
Does using alltime help?
I am using Splunk Enterprise 9.2.1 on CentOS Linux kernel 3.10.0-1160.119.1.el7.x86_64 and my desktop OS is Windows 10 Enterprise. I do not switch to RTL as I exclusively use LTR. In this case, the RTL characters are included as titles in some data. I got it to work by creating a macro for the eval function, and only pasting in the RTL text as the very last step before saving it. Then I just added the macro to my search query so I did not need to include any of the RTL encoded characters in the search itself explicitly.
Hi Experts, my data source consists of a CSV file containing columns such as TIMESTAMP, APPLICATION, MENU_DES, REPORTING_DEPT, USER_TYPE, and USR_ID. I have developed a dashboard that includes a time picker and a pivot table utilizing this data source. Currently, the user wishes to filter the pivot table by APPLICATION. I have implemented a dropdown menu for APPLICATION and established a search query accordingly. However, the dropdown only displays "All," and the search query doesn't seem to be returning values to the dropdown list. Additionally, I need to incorporate a filter condition for APPLICATION in the pivot table based on the selection made from the dropdown menu. Could you please assist me with this? Below is my dashboard code.

<form hideChrome="true" version="1.1">
  <label>Screen log view</label>
  <fieldset submitButton="false" autoRun="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="SelectedApp" searchWhenChanged="true">
      <label>Application Name</label>
      <search>
        <query>index="idxmainframe" source="*_screen_log.CSV" | table APPLICATION | dedup APPLICATION | sort APPLICATION</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
      <fieldForLabel>apps</fieldForLabel>
      <fieldForValue>apps</fieldForValue>
      <choice value="*">All</choice>
      <default>All</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| pivot screen ds dc(USR_ID) AS "Distinct Count of USR_ID" SPLITROW APPLICATION AS APPLICATION SPLITROW MENU_DES AS MENU_DES SPLITROW REPORTING_DEPT AS REPORTING_DEPT SPLITCOL USER_TYPE BOTTOM 0 dc(USR_ID) ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1 | sort 0 APPLICATION MENU_DES REPORTING_DEPT</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
I'm comparing two indexes, A and B, using the hostname as the common field. My current search successfully identifies whether each hostname in index A is present in index B. However, I also want to include additional information from index A, such as the operating system and device type, in the output. This information is not present in index B. How can I modify my query to display the operating system alongside the status (missing/ok) for each hostname? Below is the query I am using:

index=A sourcetype="Any"
| eval Hostname=lower(Hostname)
| table Hostname
| dedup Hostname
| append [ search index=B sourcetype="foo" | eval Hostname=lower(Reporting_Host) | table Hostname | dedup Hostname ]
| stats count by Hostname
| eval match=if(count=1, "missing", "ok")
What version of Splunk are you using? What OS are you using on your desktop? What do you use to switch the input from LTR to RTL?
Thanks for the idea. Unfortunately that's not going to work. I have to use a lookup table to get the Site, and mstats insists on being the first command in the query.

index=metrics host=*
| rex field=host "^(?<host>[\w\d-]+)\."
| lookup dns.csv sd_hostname AS host
| timechart span=5m partial=f limit=0 per_second(Query) as QPS by Site

I also tried using mstats BY host but that did not return any results.
In my case I was sending TCP info (JSON) through the REST API. I had to recreate my source type configuration like this:

Name: Whatever
Description: Whatever
Destination App: Whatever
Category: Whatever
Indexed extractions: json

Next, in the Advanced tab, you need to add this extra setting:

KV_MODE = none

The reason is that the JSON I send via the API already contains the event attribute in the way Splunk expects, so KV_MODE (key-value mode) should be set to none; this way you avoid double parsing the event JSON data.

{
  "sourcetype": "MyCustomSourceType",
  "index": "index-name",
  "event": {
    "a": "aa",
    "n": 1,
    .....
  }
}
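As an added example, not part of the post above and not Splunk's own client code: a small Python HEC sender that builds the envelope in the shape shown (sourcetype, index, event as a JSON object), batches several envelopes into one request body, and posts them with the HEC token header. The endpoint URL, token and sample events are placeholders assumed for the example. The type check rejects an event that has already been serialised to a string, the mistake that puts an escaped JSON string inside the envelope instead of an object.

```python
import json
import urllib.request

# Placeholder endpoint and token (assumptions for this example; substitute your own).
HEC_URL = "https://splunk.example.internal:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"

# props.conf for the receiving sourcetype, as the post describes it:
#   [MyCustomSourceType]
#   INDEXED_EXTRACTIONS = json
#   KV_MODE = none


def build_hec_payload(event, sourcetype, index, host=None, ts=None):
    """Build one HEC envelope with `event` as a nested JSON object.

    Passing a dict makes the encoder emit an object under "event". A string
    that already contains JSON would be emitted as one escaped string value
    instead, so it is rejected here rather than silently sent.
    """
    if not isinstance(event, dict):
        raise TypeError("event must be a dict; do not json.dumps() it yourself")
    envelope = {"sourcetype": sourcetype, "index": index, "event": event}
    if host is not None:
        envelope["host"] = host
    if ts is not None:
        envelope["time"] = ts  # epoch seconds
    return envelope


def encode_batch(envelopes):
    """Serialise several envelopes into one request body. HEC accepts
    concatenated JSON objects; newlines between them keep the body readable."""
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in envelopes).encode("utf-8")


def decode_batch(body):
    """Inverse of encode_batch, used to check what will actually go on the wire."""
    return [json.loads(line) for line in body.decode("utf-8").splitlines() if line]


def send(body, url=HEC_URL, token=HEC_TOKEN, timeout=10):
    """POST a batch to HEC and return the parsed JSON reply.

    urlopen's default SSL context verifies the collector's certificate. Do not
    turn that off to cope with a self-signed collector; add its CA to the trust
    store instead, otherwise the token travels to whoever answers on port 8088.
    """
    req = urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample events.
    events = [
        {"a": "aa", "n": 1},
        {"a": "bb", "n": 2, "nested": {"ok": True}},
    ]
    batch = encode_batch(
        build_hec_payload(ev, "MyCustomSourceType", "index-name", host="app01") for ev in events
    )
    print(batch.decode("utf-8"))
    # print(send(batch))  # needs a reachable collector
```

Running the script prints the exact bytes that would be posted, which is the quickest way to confirm that "event" is an object (`"event":{"a":"aa","n":1}`) and not a quoted string before touching the sourcetype's KV_MODE setting.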
Hi @Fadil.CK, Thanks for sharing the solution!