All Posts

I have a search that links problem and problem task tables with a scenario that gives unexpected results. My search brings back the latest ptasks against the problem, but I have identified some tasks that were closed as duplicate after the last update on the active tasks: (`servicenow` sourcetype="problem" latest=@mon) OR (`servicenow` sourcetype="problem_task" latest=@mon dv_u_review_type="On Hold") | eval problem=if(sourcetype="problem",number,dv_problem) | stats values(eval(if(sourcetype="problem_task",number,null()))) as number, latest(eval(if(sourcetype="problem_task",active,null()))) as task_active, latest(eval(if(sourcetype="problem_task", dv_u_review_type,null()))) as dv_u_review_type, latest(eval(if(sourcetype="problem_task",dv_due_date,null()))) as task_due, latest(eval(if(sourcetype="problem",dv_opened_at,null()))) as prb_opened, latest(eval(if(sourcetype="problem",dv_active,null()))) as prb_active by problem | fields problem, number, task_active, dv_u_review_type, task_due, prb_opened, prb_active | where problem!="" Is it possible to mark an event that is closed as out of scope and then exclude all the events of the same number?
Hi, I know the post was in 2019, but for the next one who falls on this topic, I share some tips about that. Use double stats to avoid mvexpand: index=index1 | some crazy stuff | fields source1 host | append [search index=index2 | some more crazy stuff | fields source2 host] | stats values(source1) as source1, values(source2) as source2 by host ```add this next line if you want source1 or source2 when they are null: |fillnull value="N/A" source1 source2 ``` |stats c by host source1 source2  Hope this will be helpful
Hi @hazem , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi @rvany , I don't know if this can solve your issue, but I found that using XML rendering not all the fields are correctly displayed, try using xmlRender=0 in inputs.conf. Ciao. Giuseppe
Morning All  I am trying to work out how to use Splunk SPL to pick random names from a list. I have 1 field called 'displayName'. There are over 200 entries and I'd like to use Splunk to pick 5 random names.    Appreciate help in this. Paula
Splunk Enterprise: 9.0.3 (Linux) Splunk Add-on for Microsoft Windows: 8.9.0 Data source: Windows Server 2016 Data format: XML When extracting EventIDs from XML data the EventID is _not_ extracted if there's a "Qualifiers" attribute. Only the "Qualifiers" field is then extracted - see screenshot. Is this intentional?
| rex max_match=0 ": \[(?<id>\w+)\]"
| rex max_match=0 "\[KOREASBC1\](?<message>[^;]+)"
Hi I want to extract the highlighted part RAISE-ALARM:acIpGroupNoRouteAlarm: [KOREASBC1] IP Group is temporarily blocked. IP Group (IPG_ITSP) Blocked Reason: No Working Proxy; Severity:major; Source:Board#1/IPGroup#2; local0.warning [S=2952580] [BID=d57afa:30] RAISE-ALARM:acIpGroupNoRouteAlarm: [KOREASBC1] IP Group is temporarily blocked. IP Group (IPG_ITSP) Blocked Reason: No Working Proxy; Severity:major; Source:Board#1/IPGroup#2; Unique ID:209; Additional Info1:; [Time:29-08@17:53:05.656] 17:53:05.655 10.82.10.245 local0.warning [S=2952579] [BID=d57afa:30] RAISE-ALARM:acProxyConnectionLost: [KOREASBC1] Proxy Set Alarm Proxy Set 1 (PS_ITSP): Proxy lost. looking for another proxy; Severity:major; Source:Board#1/ProxyConnection#1; Unique ID:208; Additional Info1:; [Time:29-08@17:53:05.655]
Hi , I want to extract the color part. RAISE-ALARM:acIpGroupNoRouteAlarm: [KOREASBC1] IP Group is temporarily blocked. IP Group (IPG_ITSP) Blocked Reason: No Working Proxy; Severity:major; Source:Board#1/IPGroup#2; local0.warning [S=2952580] [BID=d57afa:30] RAISE-ALARM:acIpGroupNoRouteAlarm: [KOREASBC1] IP Group is temporarily blocked. IP Group (IPG_ITSP) Blocked Reason: No Working Proxy; Severity:major; Source:Board#1/IPGroup#2; Unique ID:209; Additional Info1:; [Time:29-08@17:53:05.656] 17:53:05.655 10.82.10.245 local0.warning [S=2952579] [BID=d57afa:30] RAISE-ALARM:acProxyConnectionLost: [KOREASBC1] Proxy Set Alarm Proxy Set 1 (PS_ITSP): Proxy lost. looking for another proxy; Severity:major; Source:Board#1/ProxyConnection#1; Unique ID:208; Additional Info1:; [Time:29-08@17:53:05.655]
| makeresults | eval _raw="{ \"time\": \"2024-09-19T08:03:02.234663252Z\", \"json\": { \"ts\": \"2024-09-19T15:03:02.234462341+07:00\", \"logger\": \"<anonymized>\", \"level\": \"WARN\", \"class\": \"net.ttddyy.dsproxy.support.SLF4JLogUtils\", \"method\": \"writeLog\", \"file\": \"<anonymized>\", \"line\": 26, \"thread\": \"pool-1-thread-1\", \"arguments\": {}, \"msg\": \"{\\\"name\\\":\\\"\\\", \\\"connection\\\":22234743, \\\"time\\\":20000, \\\"success\\\":false, \\\"type\\\":\\\"Prepared\\\", \\\"batch\\\":false, \\\"querySize\\\":1, \\\"batchSize\\\":0, \\\"query\\\":[\\\"select * from whatever.whatever w where w.whatever in (?,?,?) \\\"], \\\"params\\\":[[\\\"1\\\",\\\"2\\\",\\\"3\\\"]]}\", \"scope\": \"APP\" }, \"kubernetes\": { \"pod_name\": \"<anonymized>\", \"namespace_name\": \"<anonymized>\", \"labels\": { \"whatever\": \"whatever\" }, \"container_image\": \"<anonymized>\" } }" | spath json.msg output=msg | spath input=msg query{}
When running a search on the Incident Review dashboard where the search term is the <event_id> value or event_id="<event_id>", there are no results. It used to work in the past, and in one of the last updates it stopped working. I am using Enterprise Security version 7.3.2
Yep you are right, I wasn't thinking about that. We can still use the following, | streamstats count as Rank | delta Score as Diff | eval Rank=if(Diff=0,null,Rank) | filldown | fields - Diff
{ "time": "2024-09-19T08:03:02.234663252Z", "json": { "ts": "2024-09-19T15:03:02.234462341+07:00", "logger": "<anonymized>", "level": "WARN", "class": "net.ttddyy.dsproxy.support.SLF4JLogUtils", "method": "writeLog", "file": "<anonymized>", "line": 26, "thread": "pool-1-thread-1", "arguments": {}, "msg": "{\"name\":\"\", \"connection\":22234743, \"time\":20000, \"success\":false, \"type\":\"Prepared\", \"batch\":false, \"querySize\":1, \"batchSize\":0, \"query\":[\"select * from whatever.whatever w where w.whatever in (?,?,?) \"], \"params\":[[\"1\",\"2\",\"3\"]]}", "scope": "APP" }, "kubernetes": { "pod_name": "<anonymized>", "namespace_name": "<anonymized>", "labels": { "whatever": "whatever" }, "container_image": "<anonymized>" } }     To begin with, I'd like to do the equivalent of `jq '.json.msg|fromjson|.query[0]'`. After that, eventually, do the actual parameter substitutions, deduplication, counting, min/max time, but that's way beyond the scope of this question.
I am testing the SmartStore setup on S3 with Splunk Enterprise running on an EC2 instance. I am attempting this with an IAM role that has full S3 access. When I included the access keys in indexes.conf and started the instance, SmartStore successfully started. However, when I assigned the IAM role permissions to the EC2 instance and removed the key information from indexes.conf, Splunk froze at the loading screen with indexes.conf.... Running AWS commands shows that various files from S3 are listed. Below is the indexes.conf. During the loading process, Splunk freezes and does not start. The splunkd.log shows a shutdown message at the end. If I re-enter the key information in indexes.conf, it works again. I want to operate this using the IAM role.   [default] remotePath = volume:rstore/$_index_name [volume:rstore] storageType = remote path = s3://S3バケット名 remote.s3.endpoint = https://s3.ap-northeast-1.amazonaws.com
This is based on your local time format so you might have to change that to not include the year (do you really want to do that?)
Actually, UDP is _not_ a stream. UDP is a connectionless protocol and every datagram is independent from all other ones.
Please share the raw event that you are working on, anonymised and in a code block to preserve formatting.
I'm new to Splunk and really struggle very hard with its documentation. Every time I try to do something, it does not work as documented. I'm pretty fluent with the free tool named jq, but it requires downloading the data from Splunk to process it, which is very inconvenient to do across the globe. I have some query producing JSONs. I'd like to do this trivial thing: extract data from field json.msg (trivial projection), parse it as JSON, then proceed further. In jq this is as hard as: '.json.msg | fromjson '  Done. Can someone advise how to do this in Splunk? I tried: … | spath input=json.msg output=msg_raw path=json.msg and multiple variants of that, but it either does not compile (say if path is missing) or does nothing. … spath input=json.msg output=msg_raw path=json.msg | table msg_raw prints empty lines.  I need to do much more complex things with it (reductions/aggregations/deduplications), all trivial in jq, but even this is not doable in a Splunk query. How to do it? Or where is valid documentation showing things which work?
Hi @hazem , ok, now it's clear. Anyway, let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors