All Posts
Per regex101.com, this expression works with the sample event. Time:(?<time>[^\]]+)  
You can use the rex below, which will fetch the highlighted content: | rex "\w+\s+\d+\s+\d{2}:\d{2}:\d{2}\s+(?<result>[^\s]+)"
Hi @devsru, good for you, see you next time! Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
Hi @Siddharthnegi, please try this: | rex "^\w+\s\d+\s\d+:\d+:\d+\s(?<ip>\d+\.\d+\.\d+\.\d+)" which you can test at https://regex101.com/r/Ha7ifi/1 Ciao. Giuseppe
Oh sorry. Basically, an alert def will run every minute or so; the search will count the number of events for the 4 previous same days of the week, but only the same 5' up to the current time. So if it's now 13h00, it'd count events in 12h55-13h00 for D-7, D-14, D-21, D-28. You have 4 values with which you can calculate an avg and stdev. Based on this you can calculate and define a lowerBound and upperBound (something like avg-stdev and avg+stdev). You count events in 12h55-13h00 of today and use isOutlier to know if you're in your defined range or not. Table-wise, that would be something like this I guess:
time period | D-7 | D-14 | D-21 | D-28 | avg | stdev | upperBound | lowerBound | D | isOutlier
When possible, it also needs to be CPU friendly; there is an auto-check because they don't like that.
Hi, I want to extract the highlighted part:
Sep 24 10:43:25 10.82.10.245 [S=217] [BID=d57afa:30] RAISE-ALARM:acProxyConnectionLost: [KOREASBC1] Proxy Set Alarm Proxy Set 1 (PS_ITSP): Proxy lost. looking for another proxy; Severity:major; Source:Board#1/ProxyConnection#1; Unique ID:242; Additional Info1:; [Time:24-09@17:43:25.248] [63380759]
Hi Splunk Experts, I've a lookup with fields 'User', 'Rates' and 'Priority' (values 1 to 5). I use this lookup in my search; I wish to accomplish the use cases below. Kindly advise if it's possible.
Cases:
Lookup Priority value is '5': I've to get the max(Rates) from Priority values 1 to 5.
Lookup Priority value is '4': I've to get the max(Rates) from Priority values 1 to 4.
Lookup Priority value is '3': I've to get the max(Rates) from Priority values 1 to 3.
Lookup Priority value is '1': I've to get the max(Rates) from Priority value 1.
  .........base search here......... |end_time = 2024-09-24 08:17:13.014337+00:00 |eval end_time = strptime(end_time_epoch, "%Y:%m:%d %H:%M:%S") |eval _time = now() |eval time_epoch = strptime(time_epoch, "%Y:%m:%d %H:%M:%S") |eval diff = (time_epoch-end_time)/60
I have to create a custom command using a Python script to update a particular property (enableSched) from 1 to 0 or 0 to 1. Please let me know if anyone knows how to do this.
A few more words please, because it's getting unclear quickly. I assume that you want to search for events -5m till now, -7d -5m till -7d and so on for the last 4 weeks. That's pretty clear. But after that... What is "volume"? A count of events? Sum of their size? Something else? What do you mean by "define a range based on this"?
1. What _exactly_ did you try? And how does it 'not work'?
2. EXTRACT and REPORT are two settings which can be used for search-time extractions.
Hi, I have a use case in which there are 4 images for Red, Amber, Green and Grey (No Data/Inactive) that are to be displayed in the dashboard I created. For the widget I'm using a Choropleth SVG for the image; right now I uploaded an image manually to visualize the widget. I'm assessing a way to connect the required S3 bucket with the widget so as to get those images onto the Splunk dashboard. Can anyone please assist on how to achieve this? Thanks!
Hello, I struggle to do the following:
Count the volume for the last 5 min from the current time -7d, -14d, -21d, -28d (basically keeping the same day of the week)
Do an avg and stdev of those counts
Define a range based on this
Get the count of the last 5 min from the current time and tell when it is out of the range
All this in a table so I can use it from alerts.
I read a lot of things, but couldn't come up with something close enough so far; I'm still new to Splunk. Thank you!
I tried transforms and props yesterday and it didn't work, but what is the "EXTRACT or REPORT" you mention?
If something doesn't work as you expect, step back and check if you're getting the right data in to get the right data out.
1. After you eval your end_time, does it contain a proper numerical epoch timestamp?
2. The time_epoch will most definitely _not_ contain a proper epoch timestamp. The now() function itself returns what you need. There's no need to strptime() it. In fact it will only break its value, since you can't parse a number using your provided time format.
I'm trying to calculate the minute difference between two times and get an empty field:
.........base search here......... |eval end_time = strptime(end_time_epoch, "%Y:%m:%d %H:%M:%S:%N") |eval time_epoch = strptime(now(), "%Y:%m:%d %H:%M:%S") |eval diff = (end_time-time_epoch)/60
I think the Microsoft webhook will be EOL at the end of this year, and I have heard that we need to migrate to use the Workflows app in Teams. Does anyone have a solution for that?
Hi, I have a similar problem. I tried this solution and I get an empty field:
|eval end_time = strptime(end_time_epoch, "%Y:%m:%d %H:%M:%S:%N") |eval time_epoch = strptime(now(), "%Y:%m:%d %H:%M:%S") |eval diff = (end_time-time_epoch)/60
@Richfez
Dear Splunkers, I'm investigating an issue with a duplicated Maps+ for Splunk application icon in the Home menu of Splunk Enterprise running on Cloud (see attached pic). This is weird behaviour. Splunk version 9.1.2. Can you please suggest how to resolve this problem so that only 1 app icon appears, as before? Thank you