All Posts

https://community.splunk.com/t5/Getting-Data-In/Adding-a-field-and-changing-source-from-Source/m-p/147386
https://community.splunk.com/t5/Getting-Data-In/How-to-replace-meta-information/m-p/98452
Here are 2 links demonstrating different use cases to replace source values with something for their particular use. Leveraging rex you can replace your source with the value and match you require. The process is the same even if the rex is different.
Thanks @dural_yyz for the answer. Where can I find the Submit button options you mentioned? I could not find any documentation for that...
Thank you for the reply. Do I have to create a webhook and run a script for it, or how can I do it?
Depends on what your SMS provider provides as API hooks. It's well documented that you can use a Splunk Alert to interact with APIs, but that needs to be provided by the far end or something you manually create yourself.
Found the issue. It was because I was not using null values before the transforming command.
You could look at using the map command to pass the appcode from the first search to the other searches. However, I would hesitate to recommend this as it has performance and limits implications. At the end of the day, the sourcetypes may be different in the initial searches (which is why they would be in separate searches which are appended to one another), but by the end they are similar, i.e. an app code and a metric (or two). Having said that, if you wanted to go down this route, you should still look at optimising the combined searches (but they are quite complex for someone who doesn't know your data to figure out what you are ultimately aiming to achieve).
This is the right answer
Ugly and stupid but I've seen this before and didn't find a nice answer. Try this...

    'initial search spl' | fields * 'remainder of search as written'

Hi @AndySplunks, I'm a Community Moderator in the Splunk Community. This question was posted 9 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
Instead of inputlookup, you could use your metadata search to retrieve the sourcetype names. Obviously, this will only include the sourcetypes for which there have been events, and not for all configured sourcetypes.
Is there no way to do this with a variable from the app name column to be used in the others? I'd rather not merge all the queries into one as they are not the same sourcetype at the end of the day.
In order to line up the app name / code and the metrics, the format for the app code should be the same in all three searches (which currently it is not - you have three different ways of representing this). Also, on two of your searches, you have used

    | streamstats count | where count=1

This is the same as

    | head 1

That is, you will only get one event (possibly not what you were after?). One way to get the results to line up is to append the three searches and then gather the results with a stats command:

    | stats values(metric1) as metric1 values(metric2) as metric2 by appcode
KLK Same issue 9.1.2.
Thank you for your reply. Can you suggest any method apart from the lookup one?

Query for Application Names

    | inputlookup `SmtOverride("")`
    | search type=Platform
    | eval app=appCode." (".appName.")"
    | stats count by app
    | sort app
    | streamstats count
    | where count=1
    | fields app

Query for Compliance Metric 1

    `cce_container_summary_ds` type="platform" environment="*-prod" environment!="*-non-prod" scanner=*-prod
    | stats values(temp) as temp by _time imageName registry appCode appCustodian l5 l4 l3ItHead environment scanner type assetType run day p1s p2s p3s p4s p5s
    | eventstats max(run) as max_run by imageName registry appCode environment scanner type day
    | where run=max_run
    | eval temp=split(temp,"@#@#")
    | eval due=mvmap(temp, mvindex(split(temp,"::"),4))
    | where isnotnull(mvfilter(due>0)) OR isnull(due)
    | lookup `SmtOverride("appCode OUTPUT appName")`
    | eval p1p2=if(p1s>0 OR p2s>0, 1, 0)
    | eval p3p4p5=if(p3s>0 OR p4s>0 OR p5s>0, 1, 0)
    | stats sum(p1p2) as p1p2 sum(p3p4p5) as p3p4p5 by imageName registry appCode appCustodian type l5 appName
    | eventstats dc(imageName) as total_image_count by appCode
    | stats dc(eval(p1p2==1)) as p1p2 values(appCode) as appCode by imageName total_image_count appName
    | stats sum(p1p2) as p1p2 by total_image_count appCode appName
    | eval appCode=appCode." - ".appName
    | eval overall_perc=100-round((p1p2)*100/total_image_count,2)
    | fields overall_perc appCode
    | sort appCode
    | streamstats count

Query for Compliance Metric 2

    `cce_container_summary_ds` type="platform" environment="*-prod" environment!="*-non-prod" scanner=*-prod
    | stats values(temp) as temp values(failingControls) as tss values(p1s) as p1s values(p2s) as p2s values(p3s) as p3s values(p4s) as p4s values(p5s) as p5s by _time imageName registry appCode type l5 environment scanner run day
    | eventstats max(run) as max_run by imageName registry appCode environment scanner type day
    | where run=max_run
    | eval temp=split(temp,"@#@#")
    | eval vSeverity=mvmap(temp, mvindex(split(temp,"::"),4))
    | eval critical=mvcount(mvfilter(match(vSeverity,"critical")))
    | eval high=mvcount(mvfilter(match(vSeverity,"high")))
    | fillnull value="0" critical high
    | eval tssStatus=if(critical=0 AND high=0, tssStatus, "Non-Compliant")
    | stats count as totalAssets, count(eval(like(tssStatus, "Compliant"))) AS Compliant by appCode
    | eval compliancePerc=round(((Compliant/totalAssets)*100),2)
    | sort appCode
    | streamstats count
    | where count=1
    | fields appCode compliancePerc
Please share some sample anonymised events in a code block so we can see what you are dealing with?
How do you measure this? Do you count how many places each field is shown on the dashboard? Do you multiply this by the number of rows in the table? Do you multiply this by the number of times the dashboard has been viewed? What is the value of this metric? What are you actually trying to determine, and how will you use this information?
Hello team, I need a query to extract the most commonly used fields by the users in a particular dashboard. Please help me. Thanks! Renuka O
Chart is also not giving the results.
No. It does not work this way. As I quoted earlier in this thread, the settings are applied in order of stanza precedence (after the final config is decided from separate files according to the configuration files precedence). So [source::something] settings have highest precedence, then [host::something] and finally just [sourcetype] settings. You can't do logical conditions between those stanzas.