All Posts

Hi @AndySplunks, I'm a Community Moderator in the Splunk Community. This question was posted 9 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
Instead of inputlookup, you could use your metadata search to retrieve the sourcetype names. Obviously, this will only include the sourcetypes for which there have been events, and not all configured sourcetypes.
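The reply above points out that `metadata` only returns sourcetypes that actually have events. The following search is an added illustration (not code from the thread) that makes the gap visible: it lists the sourcetypes seen in the data for the search time range and appends the sourcetype stanzas configured in props.conf on the search head (read through the `configs/conf-props` REST endpoint), then flags which are in one list but not the other. The `splunk_server=local` restriction and the `status` labels are this example's own choices.

```spl
| metadata type=sourcetypes index=*
| fields sourcetype totalCount firstTime lastTime
| eval seen_in_data=1
| append
    [| rest /services/configs/conf-props splunk_server=local
     | fields title
     | where NOT match(title, "^(source|host|rule|delayedrule)::") AND title!="default"
     | rename title as sourcetype
     | eval configured=1]
| stats max(seen_in_data) as seen_in_data max(configured) as configured
        max(totalCount) as totalCount max(lastTime) as lastTime by sourcetype
| fillnull value=0 seen_in_data configured
| eval status=case(seen_in_data=1 AND configured=1, "configured, has events",
                   seen_in_data=1, "has events, no props.conf stanza on this search head",
                   configured=1, "configured, no events in search window")
| convert ctime(lastTime)
| sort status sourcetype
```

Two caveats when using this: `metadata` honours the time picker, so a sourcetype that only sends data occasionally will show up as "configured, no events" if the window is too short, and the REST call reads props.conf on the node that runs the search, so stanzas that exist only on indexers or heavy forwarders will not be in the "configured" set.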
Is there no way to do this with a variable from the app name column to be used in the others? I'd rather not merge all the queries into one as they are not the same sourcetype at the end of the day.
In order to line up the app name / code and the metrics, the format for the app code should be the same in all three searches (which currently it is not - you have three different ways of representing this). Also, on two of your searches, you have used

| streamstats count
| where count=1

This is the same as

| head 1

That is, you will only get one event (possibly not what you were after?)

One way to get the results to line up is to append the three searches and then gather the results with a stats command

| stats values(metric1) as metric1 values(metric2) as metric2 by appcode
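As an added example of the append-then-stats approach described in the reply above (this is not code from the thread, and the two metric subsearches are shortened stand-ins for the poster's own queries): every branch is reduced to a bare `appCode` key plus its metric, the `streamstats count | where count=1` is dropped so that all applications survive, and the "code (name)" display label is built only after the `stats ... by appCode` has lined the rows up. The macros `SmtOverride` and `cce_container_summary_ds` and the field names are taken from the thread; the exact metric arithmetic inside the subsearches is assumed.

```spl
| inputlookup `SmtOverride("")`
| search type=Platform
| stats first(appName) as appName by appCode
| append
    [search `cce_container_summary_ds` type="platform" environment="*-prod" environment!="*-non-prod" scanner=*-prod
     | eventstats max(run) as max_run by imageName registry appCode environment scanner type day
     | where run=max_run
     | eval p1p2=if(p1s>0 OR p2s>0, 1, 0)
     | stats max(p1p2) as image_fails by appCode imageName
     | stats sum(image_fails) as failing_images dc(imageName) as total_image_count by appCode
     | eval overall_perc=100-round(failing_images*100/total_image_count, 2)
     | fields appCode overall_perc]
| append
    [search `cce_container_summary_ds` type="platform" environment="*-prod" environment!="*-non-prod" scanner=*-prod
     | eventstats max(run) as max_run by imageName registry appCode environment scanner type day
     | where run=max_run
     | stats count as totalAssets count(eval(like(tssStatus, "Compliant"))) as Compliant by appCode
     | eval compliancePerc=round(Compliant*100/totalAssets, 2)
     | fields appCode compliancePerc]
| stats values(appName) as appName values(overall_perc) as metric1 values(compliancePerc) as metric2 by appCode
| fillnull value="n/a" metric1 metric2
| eval app=appCode." (".appName.")"
| table app metric1 metric2
| sort app
```

Because the join key is the bare `appCode`, adding an application to the lookup or to the scan data can no longer shift rows out of alignment; an application with no metric simply gets "n/a". Note that `append` runs each branch as a subsearch, which is subject to the subsearch result and runtime limits (50,000 results and 60 seconds by default), so check the job inspector for truncation warnings if the scan data is large.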
KLK Same issue 9.1.2.
Thank you for your reply. Can you suggest any method apart from the lookup one?
Query for Application Names

| inputlookup `SmtOverride("")`
| search type=Platform
| eval app=appCode." (".appName.")"
| stats count by app
| sort app
| streamstats count
| where count=1
| fields app

Query for Compliance Metric 1

`cce_container_summary_ds` type="platform" environment="*-prod" environment!="*-non-prod" scanner=*-prod
| stats values(temp) as temp by _time imageName registry appCode appCustodian l5 l4 l3ItHead environment scanner type assetType run day p1s p2s p3s p4s p5s
| eventstats max(run) as max_run by imageName registry appCode environment scanner type day
| where run=max_run
| eval temp=split(temp,"@#@#")
| eval due=mvmap(temp, mvindex(split(temp,"::"),4))
| where isnotnull(mvfilter(due>0)) OR isnull(due)
| lookup `SmtOverride("appCode OUTPUT appName")`
| eval p1p2=if(p1s>0 OR p2s>0, 1, 0)
| eval p3p4p5=if(p3s>0 OR p4s>0 OR p5s>0, 1, 0)
| stats sum(p1p2) as p1p2 sum(p3p4p5) as p3p4p5 by imageName registry appCode appCustodian type l5 appName
| eventstats dc(imageName) as total_image_count by appCode
| stats dc(eval(p1p2==1)) as p1p2 values(appCode) as appCode by imageName total_image_count appName
| stats sum(p1p2) as p1p2 by total_image_count appCode appName
| eval appCode=appCode." - ".appName
| eval overall_perc=100-round((p1p2)*100/total_image_count,2)
| fields overall_perc appCode
| sort appCode
| streamstats count

Query for Compliance Metric 2

`cce_container_summary_ds` type="platform" environment="*-prod" environment!="*-non-prod" scanner=*-prod
| stats values(temp) as temp values(failingControls) as tss values(p1s) as p1s values(p2s) as p2s values(p3s) as p3s values(p4s) as p4s values(p5s) as p5s by _time imageName registry appCode type l5 environment scanner run day
| eventstats max(run) as max_run by imageName registry appCode environment scanner type day
| where run=max_run
| eval temp=split(temp,"@#@#")
| eval vSeverity=mvmap(temp, mvindex(split(temp,"::"),4))
| eval critical=mvcount(mvfilter(match(vSeverity,"critical")))
| eval high=mvcount(mvfilter(match(vSeverity,"high")))
| fillnull value="0" critical high
| eval tssStatus=if(critical=0 AND high=0, tssStatus, "Non-Compliant")
| stats count as totalAssets, count(eval(like(tssStatus, "Compliant"))) AS Compliant by appCode
| eval compliancePerc=round(((Compliant/totalAssets)*100),2)
| sort appCode
| streamstats count
| where count=1
| fields appCode compliancePerc
Please share some sample anonymised events in a code block so we can see what you are dealing with?
How do you measure this? Do you count how many places each field is shown on the dashboard? Do you multiply this by the number of rows in the table? Do you multiply this by the number of times the dashboard has been viewed? What is the value of this metric? What are you actually trying to determine, and how will you use this information?
Hello team, I need a query to extract the most commonly used fields by the users in a particular dashboard. Please help me. Thanks! Renuka O
Chart is also not giving the results.
No. It does not work this way. As I quoted earlier in this thread, the settings are applied in order of stanza precedence (after the final config is decided from separate files according to the configuration files precedence). So [source::something] settings have the highest precedence, then [host::something] and finally just [sourcetype] settings. You can't do logical conditions between those stanzas.
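To make the precedence described in the reply above concrete, here is an added props.conf fragment (an illustration written for this page, not configuration from the thread). The sourcetype `proxy`, host `proxy01` and source path `/var/log/proxy/audit.log` are hypothetical, chosen so that all three stanzas match the same event; the comments state which copy of each same-named setting wins.

```conf
# props.conf, illustrative only. Assume an event with sourcetype=proxy,
# host=proxy01 and source=/var/log/proxy/audit.log, so that all three
# stanzas below match it. Same-named settings are resolved source > host >
# sourcetype; the stanzas are never combined with AND/OR logic.

[proxy]
# Lowest precedence of the three. Both settings here are shadowed below.
SEDCMD-mask = s/password=\S+/password=***/
TZ = UTC

[host::proxy01]
# Beats [proxy] for any setting it redefines: this TZ applies to the
# event, the UTC value in [proxy] does not.
TZ = Europe/Rome

[source::/var/log/proxy/audit.log]
# Highest precedence: this SEDCMD-mask replaces the one in [proxy].
# TZ is not set here, so the [host::proxy01] value still wins for TZ.
SEDCMD-mask = s/(password|token)=\S+/\1=***/
```

Before relying on the result, confirm the merged stanzas on the instance that parses the data (indexer or heavy forwarder, not just the search head) with `splunk btool props list --debug`, which shows every matching stanza and the file it came from; the `priority` setting in props.conf can change the default ordering between matching stanzas, so check for it when the effective value is not the one you expect.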
Where does the data for columns 2 and 3 come from? Please share your search(es)
The xyseries command doesn't work like that https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Xyseries

Try replacing it with the chart command

| chart avg(fusionapiLatency) as avg_fusionapiLatency over _time by useragent
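As an added example of the point made in the reply above (not code from the thread): `xyseries` takes three existing field names (x-axis field, series field, value field) and does no aggregation of its own, whereas `chart` aggregates and pivots in one step. The two searches below produce the same table. The `rex` pattern assumes AWS Lambda style `REPORT RequestId:` lines that carry a `Duration: <n> ms` field, and the `useragent` field is assumed to be already extracted; both are assumptions for the sake of the example.

```spl
index="test" source="test2" "REPORT RequestId: "
| rex "Duration:\s+(?<Latency>[\d.]+)\s+ms"
| chart avg(Latency) as avg_Latency over _time span=5m by useragent

index="test" source="test2" "REPORT RequestId: "
| rex "Duration:\s+(?<Latency>[\d.]+)\s+ms"
| bin _time span=5m
| stats avg(Latency) as avg_Latency by _time useragent
| xyseries _time useragent avg_Latency
```

The second form is what `xyseries` is for: you already have one row per (_time, useragent) from `stats`, and `xyseries` only pivots `useragent` into columns. Writing `xyseries avg(Latency) ... over _time` fails because `avg(Latency)` is not a field. When the x-axis is `_time`, `timechart avg(Latency) by useragent span=5m` is the idiomatic one-liner and handles the time bucketing for you.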
Hello, is it possible to send alerts using our SMS provider? If not, how can I send SMS for alerts? Thanks.
Hi @PiotrAp, it's always better to use the latest possible version, with the following rules:

UF version must be the same or lower than the one on the Indexer or HF that receives data.
UF version must be compatible with the operating system you have on the server.

If you cannot use the latest version because your OS is old, search for the latest certified version; if you don't find it, ask Splunk Support.

How often to upgrade it: at least when the installed version is out of support, but good planning could be once a year.

Ciao. Giuseppe
Hi all, I have a monitor stanza in inputs.conf that monitors our organization's proxy; the logs are sent by syslog-ng. I have only one stanza that monitors 4 different source IPs from that proxy. I want to configure a different "source" for each source IP without seeing the name of the log in the value (under the source field). Let's say the monitor path is (in the deployment server): $SPLUNK_HOME/syslog/proxy/*/*.log

In the source field I will see: $SPLUNK_HOME/syslog/proxy/<proxy_source_a|b|c|d>/<proxy_date_and_time>.log

I want the source to stop at proxy_source_a|b|c|d, for example: $SPLUNK_HOME/syslog/proxy/<proxy_source_a|b|c|d>/

Is that possible?
@ITWhisperer fair enough. The goal here is to have 3 queries:

Gather a list of all application names (Column 1)
Gather a list of compliance metric 1 for all applications (Column 2)
Gather a list of compliance metric 2 for all applications (Column 3)

For Column 1 I've been able to use a search for the first field to the 20th field for all rows. My issue is that I need the application name to line up with compliance metric one and two. In other words, I can't select the first row and second and then so on, as if an application name gets added it will be out of order. What I'd like to do is take a variable that holds the result from column one and search for that exact application name in the compliance metrics to ensure I always have the right one.
index="test" source="test2"  "REPORT RequestId: "| eval Latency = rex(***) |xyseries avg(Latency) as avg_Latency over _time by useragent