Hi @Stives , check if there are two apps associated with the same icon: you can do this by clicking on the first app and noting the app name from the address bar, then doing the same on the second app. Probably you have two apps with the same icon. Another possibility is that you did an upgrade of a custom app without flagging it to override the existing version. In this case, you could try to see if you can remove the app (if it's a custom app); otherwise, you have to open a case with Splunk Cloud Support. Ciao. Giuseppe
I'm pretty sure Splunk Cloud won't do that for security.  A workaround is to put the dashboard and images in an app and upload the app to Splunk Cloud.
Hi @Thulasinathan_M , please try this:
| inputlookup your_lookup.csv
| stats max(Rate) AS Rate_5 max(eval(if(Priority<5, Rate, 0))) AS Rate_4 max(eval(if(Priority<4, Rate, 0))) AS Rate_3 max(eval(if(Priority<2, Rate, 0))) AS Rate_1 BY User
Ciao. Giuseppe
Per regex101.com, this expression works with the sample event. Time:(?<time>[^\]]+)  
You can use the rex below, which will fetch the highlighted context:
| rex "\w+\s+\d+\s+\d{2}:\d{2}:\d{2}\s+(?<result>[^\s]+)"
Hi @devsru , good for you, see you next time! Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors.
Hi @Siddharthnegi , please try this: | rex "^\w+\s\d+\s\d+:\d+:\d+\s(?<ip>\d+\.\d+\.\d+\.\d+)" that you can test at https://regex101.com/r/Ha7ifi/1 Ciao. Giuseppe
Oh sorry, basically, an alert definition will run every minute or so; the search will count the number of events for the 4 previous same days of the week, but only for the same 5 minutes up to the current time. So if it's now 13h00, it'd count events in 12h55-13h00 for D-7, D-14, D-21, D-28. You then have 4 values with which you can calculate an avg and stdev. Based on this you can calculate and define a lowerBound and upperBound (something like avg-stdev and avg+stdev). You count events in 12h55-13h00 of today and use isOutlier to know if you're in your defined range or not. Table-wise, that would be something like this I guess:
time period | D-7 | D-14 | D-21 | D-28 | avg | stdev | upperBound | lowerBound | D | isOutlier
When possible, it also needs to be CPU friendly; there is an auto-check because they don't like that.
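One way to build the table described above in a single search (an added example, not code from this thread): `index=web` is a placeholder for the data source, each multisearch branch covers the same 5-minute window on today and on the same weekday 1 to 4 weeks back, and the `{slot}` eval pivots the per-window counts into one row. The stdev is the sample standard deviation over the four historical windows, matching what Splunk's stdev() would return.

```spl
| multisearch
    [ search index=web earliest=-5m@m latest=@m | eval slot="D" ]
    [ search index=web earliest=-7d@m-5m latest=-7d@m | eval slot="D_7" ]
    [ search index=web earliest=-14d@m-5m latest=-14d@m | eval slot="D_14" ]
    [ search index=web earliest=-21d@m-5m latest=-21d@m | eval slot="D_21" ]
    [ search index=web earliest=-28d@m-5m latest=-28d@m | eval slot="D_28" ]
| stats count BY slot
| eval {slot} = count
| stats max(D) AS D max(D_7) AS D_7 max(D_14) AS D_14 max(D_21) AS D_21 max(D_28) AS D_28
| fillnull value=0 D D_7 D_14 D_21 D_28
| eval avg = (D_7 + D_14 + D_21 + D_28) / 4
| eval stdev = sqrt((pow(D_7 - avg, 2) + pow(D_14 - avg, 2) + pow(D_21 - avg, 2) + pow(D_28 - avg, 2)) / 3)
| eval lowerBound = avg - stdev, upperBound = avg + stdev
| eval isOutlier = if(D < lowerBound OR D > upperBound, 1, 0)
| table D_7 D_14 D_21 D_28 avg stdev lowerBound upperBound D isOutlier
```

The fillnull step matters: a window with zero events produces no row from the first stats, and without it the missing window would silently be dropped from avg and stdev instead of counting as 0. Because each branch reads only five minutes of data, the search stays cheap enough to schedule every minute.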
Hi, I want to extract the highlighted part:
Sep 24 10:43:25 10.82.10.245 [S=217] [BID=d57afa:30] RAISE-ALARM:acProxyConnectionLost: [KOREASBC1] Proxy Set Alarm Proxy Set 1 (PS_ITSP): Proxy lost. looking for another proxy; Severity:major; Source:Board#1/ProxyConnection#1; Unique ID:242; Additional Info1:; [Time:24-09@17:43:25.248] [63380759]
Hi Splunk Experts, I've a lookup with fields 'User', 'Rates' and 'Priority' (values 1 to 5). I use this lookup in my search, and I wish to accomplish the use cases below. Kindly advise if it's possible. Cases:
Lookup Priority value is '5': I've to get the max(Rates) from Priority values 1 to 5.
Lookup Priority value is '4': I've to get the max(Rates) from Priority values 1 to 4.
Lookup Priority value is '3': I've to get the max(Rates) from Priority values 1 to 3.
Lookup Priority value is '1': I've to get the max(Rates) from Priority value 1.
.........base search here.........
|end_time = 2024-09-24 08:17:13.014337+00:00
|eval end_time = strptime(end_time_epoch, "%Y:%m:%d %H:%M:%S")
|eval _time = now()
|eval time_epoch = strptime(time_epoch, "%Y:%m:%d %H:%M:%S")
|eval diff = (time_epoch-end_time)/60
I have to create a custom command using a Python script to update a particular property (enableSched) from 1 to 0 or 0 to 1. Please let me know if anyone knows how to do this.
A bit more words please, because it's getting a bit unclear quickly. I assume that you want to search for events -5m till now, -7d -5m till -7d and so on for the last 4 weeks. That's pretty clear. But after that... What is "volume"? A count of events? Sum of their size? Something else? What do you mean by "define a range based on this"?
1. What _exactly_ did you try? And how does it 'not work'?
2. EXTRACT and REPORT are two settings which can be used for search-time extractions.
Hi, I have a use case in which there are 4 images for Red, Amber, Green and Grey (No Data/Inactive) that are to be displayed in the dashboard I created. For the widget I'm using Choropleth SVG for the image; right now I uploaded an image manually to visualize the widget. I'm assessing a way to connect the required S3 bucket with the widget so as to get those images onto the Splunk dashboard. Can anyone please assist on how to achieve this? Thanks!
Hello, I struggle to do the following:
Count the volume for the last 5 min from current time -7d, -14d, -21d, -28d (basically keeping the same day of the week)
Do an avg and stdev of those counts,
Define a range based on this,
Get the count of the last 5 min from current time and tell when it is out of the range
All this in a table so I can use it from Alerts
I read a lot of things, but couldn't come up with something close enough so far; I'm still new with Splunk. Thank you!
I tried transforms and props yesterday and it didn't work, but what is the "EXTRACT or REPORT" you mention?
If something doesn't work as you expect, step back and check if you're getting the right data in to get the right data out.
1. After you eval your end_time, does it contain a proper numerical epoch timestamp?
2. The time_epoch will most definitely _not_ contain a proper epoch timestamp. The now() function itself returns what you need. There's no need to strptime() it. In fact it will only break its value, since you can't parse a number using your provided time format.
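Both points above can be checked with a self-contained search (an added example, not code from this thread): the timestamp string is a constructed copy of the sample value posted in the thread, now() is used directly as the epoch value, and the strptime format string is an assumption derived from that sample (dashes, microseconds, a colon-separated UTC offset), so the parse_ok column is there to confirm the conversion actually succeeded before the difference is trusted.

```spl
| makeresults
| eval end_time_epoch = "2024-09-24 08:17:13.014337+00:00"
| eval end_time = strptime(end_time_epoch, "%Y-%m-%d %H:%M:%S.%6N%:z")
| eval time_epoch = now()
| eval parse_ok = if(isnotnull(end_time), "yes", "no")
| eval diff_min = round((time_epoch - end_time) / 60, 2)
| table end_time_epoch end_time time_epoch parse_ok diff_min
```

If parse_ok comes back "no", the format string does not match the raw value and diff_min will be empty, which is exactly the symptom reported in the original question; adjust the format to the data before adding the subtraction.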
I'm trying to calculate the minute difference between two times and get an empty field
.........base search here.........
|eval end_time = strptime(end_time_epoch, "%Y:%m:%d %H:%M:%S:%N")
|eval time_epoch = strptime(now(), "%Y:%m:%d %H:%M:%S")
|eval diff = (end_time-time_epoch)/60