All Posts
So I have an SPL search that searches an index and brings back over 1.8 million events. I have done some evals to get the Project, size of file and speed. What I want to do is just to list the top 10 speeds and their relevant Project (it could be that the same project is listed 10 times). I have done something with stats(sum) but I don't want the sum. Out of the 1.8 million I need to just show the top 10 events with their speed and project number. My fields from eval are ProjectID, MB is the size and SecTM is the speed. I seem to be stuck on Splunk doing a sum for the entire Project, and I guess that would be true since I am using sum.
I need to omit all events for a ptask that is now task_active=false, not just the latest event; this is why I need to do something before the stats latest. If I do stats values instead of stats latest, I want the green events but the red events are causing issues with my data as they were more recent. Not sure if you saw my previous post, but I was hoping there would be a way to put an out-of-scope marker throughout all the unwanted events.
@T_K_421 Based on what you are seeing, the likely issues are either network or permissions on the Azure side. If you followed the instructions then it should work. It may be worth either re-validating the existing config or starting again.
Please try:   (`servicenow` sourcetype="problem" latest=@mon) OR (`servicenow` sourcetype="problem_task" latest=@mon dv_u_review_type="On Hold") | eval problem=if(sourcetype="problem",number,dv_problem) | stats values(eval(if(sourcetype="problem_task",number,null()))) as number, latest(eval(if(sourcetype="problem_task",active,null()))) as task_active, latest(eval(if(sourcetype="problem_task", dv_u_review_type,null()))) as dv_u_review_type, latest(eval(if(sourcetype="problem_task",dv_due_date,null()))) as task_due, latest(eval(if(sourcetype="problem",dv_opened_at,null()))) as prb_opened, latest(eval(if(sourcetype="problem",dv_active,null()))) as prb_active by problem | fields problem, number, task_active, dv_u_review_type, task_due, prb_opened, prb_active | search problem!="" AND task_active!=false
Are the missing custom fields present on both the local and remote search heads?
I don't want any of the events for a ptask where there is a result of task_active=false. I can't just do a search for task_active=true because it just brings back events from when the ptasks that are now task_active=false were previously true. I was thinking of a solution of having a marker before I did the stats latest: | eval OutOfScope=if(task_active="false",1,0) and then I'd need something to say, for number, if one event is OutOfScope=1 then all events for that ptask number are OutOfScope=1.
@petsafe Please describe the steps that you executed for the upgrade. 
Does removing it from the serverclass cause it to be uninstalled on the forwarders in the class?
Update: While this works: | inputlookup servers | dedup host | sort host | table host host The issue I have here is I need to use the token to shrink the returned list. As noted above, this DOES NOT work: | inputlookup servers where environment = $token$ | dedup host | sort host | table host host ...this returns NOTHING and I've spent several hours going bald trying to figure this out. Then I found it. The issue is the WHERE clause. Apparently, you cannot do an inputlookup to return 1 field while doing the comparison on another field. Who knew? So if the query is returning both the host AND the environment... then it works. What I ended up with is: | inputlookup servers | table host, environment | where environment = "$token$" | fields - environment ...and now it's happy. Thanks to all, as I wouldn't have gotten this far w/o getting the answers to my stupid questions!
Sorry, it is still not clear to me how the expected outcome should look.
No luck. The Health and Status dashboards work, so it does see the lookups; we just can't access them in the main screen. We're currently on Splunk 9.2.2, so maybe it will clear up once we move to 9.3.
Thank you both for your replies. I was afraid of making a mess keeping a "cluster" with just one node. I have SF and RF=2; I'm aware that the searches will probably trigger a warning about a missing node in the cluster, but the searches will be performed only for historical reasons. Thank you again! This is a really good community, and Splunk is really an excellent product; I'm really sad that I had to let this go.
Could you please check your splunkd.log for any error events and share them?
Yes, so the results that are coming back are the latest events from the ptasks marked red. I'd want to omit all events related to these so the latest events from the green task are populated in my results.
Do you want to filter out some events based on the results that are produced by our shared search? It would be great if you could clarify the expected outcome. Furthermore, please provide some sample data.
Hi all. I am running into an issue with the Azure AD Graph asset in SOAR. I had an app created in Azure app registrations with the correct permissions based on the documentation. I configured the asset in SOAR with the corresponding tenant, app, and secret information. The redirect URI was entered into the Azure app registration page with /result per the instructions. When I test connectivity, the test will time out after about a minute. I may have missed something in the documentation, but the configuration all seems correct. Has anyone else run into this?
For feature enhancement requests you should visit https://ideas.splunk.com/ and if there is no existing idea matching with your request/idea you should raise a new idea.
The "query" (or in Splunk terminology - search) you're looking for will depend on what data you have indexed in your Splunk.
@prasireddy Sorry was on vacation the last two weeks. Are you still facing the issue?
It's the query to search those logs that I am looking for.