All Posts


Thank you! I don't think I can remove the last console.warn() because the 'try' of the Unset token depends on it, so now the error doesn't appear on the dashboard but the unset token isn't working. Is there a way to unquarantine the console.js from the SH?
We use emails as alert outputs, arriving in a shared mailbox that also gets alerts from other products. Then we have a Power Automate flow listening to the mailbox, catching those alert emails and sending a notification in a chat group with the whole team. Works nicely, removing all the integration pain from how many tools we use.
Thank you for the reply, will assess the workaround and check if it's fulfilling the requirement
Hi @Cleanhearty , check if the used fields (amount, gender, and category) are in the lookup and the names are exactly the same (field names are case sensitive). Then check the amount field format. Ciao. Giuseppe
Thanks for the help. Unfortunately it didn't return any results (statistics (0)). That's weird. PS: I replaced the file name with the original.
No matter how much I challenge my management, they want (like, insist strongly) to know when there are no events within the 5 min, basically before one of the 20k users tells us. Depending on how long the job takes, I'll adapt the "each minute" to 5', 10', or whatever looks acceptable.
Splunk SPL works on a pipeline of events, so, in a way, they are streamed from one command to the next:

| makeresults ``` Start an event pipeline with one event ```
``` Set the _raw field to the JSON string ```
| eval _raw="{\"json\": {\"class\": \"net.ttddyy.dsproxy.support.SLF4JLogUtils\"}}"
``` Extract the JSON from the _raw field, specifically the json.class field ```
| spath input=_raw path=json.class
``` Replace value in field and store in new field ```
| eval class=replace('json.class',"ttddyy", "goddamm-easy")
``` Show this as a table (effectively removes all other fields from the events in the pipeline) ```
| table class
Ok. I would probably go for summary indexing because tstats doesn't support multiple time ranges. Launch a count search, store the result and only process the pre-summarized counts later. But the question is why would you want to spawn a search each minute? That seems to be overkill. And you might run into a whole host of problems with scheduling, delays, event lag and so on. Not to mention that you're gonna be spawning many, many searches throughout the day.
Hi @Stives , check if there are two apps with the same icon associated: you can do this by clicking on the first app and noting the app name from the address bar, then the same thing on the second app. Probably you have two apps with the same icon. Another possibility is that you did an upgrade of a custom app without flagging to override the existing version. In this case, you could try to see if you can remove the app (if it's a custom app); otherwise, you have to open a case with Splunk Cloud Support. Ciao. Giuseppe
I'm pretty sure Splunk Cloud won't do that for security reasons. A workaround is to put the dashboard and images in an app and upload the app to Splunk Cloud.
Hi @Thulasinathan_M , please try this:

| inputlookup your_lookup.csv
| stats max(eval(if(Priority<=5, Rate, 0))) AS Rate_5 max(eval(if(Priority<5, Rate, 0))) AS Rate_4 max(eval(if(Priority<4, Rate, 0))) AS Rate_3 max(eval(if(Priority<2, Rate, 0))) AS Rate_1 BY User

Ciao. Giuseppe
Per regex101.com, this expression works with the sample event: Time:(?<time>[^\]]+)
You can use the rex below, which will fetch the highlighted context: | rex "\w+\s+\d+\s+\d{2}:\d{2}:\d{2}\s+(?<result>[^\s]+)"
Hi @devsru , good for you, see you next time! Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi @Siddharthnegi , please try this: | rex "^\w+\s\d+\s\d+:\d+:\d+\s(?<ip>\d+\.\d+\.\d+\.\d+)" which you can test at https://regex101.com/r/Ha7ifi/1 Ciao. Giuseppe
Oh sorry, basically, an alert def will run every minute or so; the search will count the number of events for the 4 previous same days of the week, but only the same 5’ until the current time. So if it’s now 13h00, it’d count events in 12h55-13h00 for D-7, D-14, D-21, D-28. You have like 4 values with which you can calculate an avg and stdev. Based on this you can calculate and define a lowerBound and upperBound (something like avg-stdev and avg+stdev). You count events in 12h55-13h00 of today and use isOutlier to know if you’re in your defined range or not.

Table wise, that would be something like this I guess:

time period | D-7 | D-14 | D-21 | D-28 | avg | stdev | upperBound | lowerBound | D | isOutlier

When possible, it also needs to be CPU friendly; there is an auto-check because they don’t like that.
Hi, I want to extract the highlighted part: Sep 24 10:43:25 10.82.10.245 [S=217] [BID=d57afa:30] RAISE-ALARM:acProxyConnectionLost: [KOREASBC1] Proxy Set Alarm Proxy Set 1 (PS_ITSP): Proxy lost. looking for another proxy; Severity:major; Source:Board#1/ProxyConnection#1; Unique ID:242; Additional Info1:; [Time:24-09@17:43:25.248] [63380759]
Hi, I want to extract the highlighted part: Sep 24 10:43:25 10.82.10.245 [S=217] [BID=d57afa:30] RAISE-ALARM:acProxyConnectionLost: [KOREASBC1] Proxy Set Alarm Proxy Set 1 (PS_ITSP): Proxy lost. looking for another proxy; Severity:major; Source:Board#1/ProxyConnection#1; Unique ID:242; Additional Info1:; [Time:24-09@17:43:25.248] [63380759]
Hi Splunk Experts, I've a lookup with fields 'User', 'Rates' and 'Priority' (values 1 to 5). I use this lookup in my search, and I wish to accomplish the use cases below. Kindly advise if it's possible.

Cases:
Lookup Priority value is '5': I've to get the max(Rates) from Priority values 1 to 5.
Lookup Priority value is '4': I've to get the max(Rates) from Priority values 1 to 4.
Lookup Priority value is '3': I've to get the max(Rates) from Priority values 1 to 3.
Lookup Priority value is '1': I've to get the max(Rates) from Priority value 1.
.........base search here.........
``` end_time arrives as text, e.g. 2024-09-24 08:17:13.014337+00:00 (format assumed from that sample) ```
| eval end_time_epoch = strptime(end_time, "%Y-%m-%d %H:%M:%S.%6N%:z")
| eval time_epoch = now()
| eval diff = (time_epoch - end_time_epoch)/60