All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Yes, you can create searches using the REST API in Splunk Cloud. Here are the basic steps:
1. Get a Session Key: Authenticate with Splunk to get a session key.
2. Create a Search Job: Use the /services/search/jobs endpoint to create a search job. You’ll need to send a POST request with your search query in the body.
3. Check Search Status: Use the search ID (sid) returned from the previous step to check the status of your search job.
Here’s a simple example using curl:
    curl -k -u username:password https://<splunk-cloud-url>/services/search/jobs -d search="search index=_internal | head 10"
This command will create a search job that retrieves the first 10 events from the _internal index.
Yes, it is.
I am trying to remove the year from the time labels on the area chart without it messing up the chart's format. I've tried fieldformat, but that would mess up the chart when the new year happens. Any help would be great.
    | eval description=if('app'=="linux", host. "-" .alert_type',  'app'==windows, host. "-" .severity, "false")
You didn't nest the second IF statement
    | eval description=if('app'=="linux", host."-".alert_type, if('app'=="windows", host."-".severity, "false"))
I am trying to create a new field called "description" that contains values from two other existing fields. If field "app" is equal to linux then I want to combine existing fields "host" and "alert_type". If field "app" is equal to windows then I want to combine existing field values "host" and "severity". If app equals anything else, I want the value to be false. Below is the eval I have, but it's not working:
    | eval description=if('app'=="linux", host. "-" .alert_type', 'app'==windows, host. "-" .severity, "false")
Hi Ryan, Unfortunately, the uninstall-smart-agent instructions did not work.  I need to remove the dead/inactive Smart Agent from the controller Agent Management--->Agents--->Smart Agents section.  Thanks!
Hi can anybody help with this problem, please?
source1: lookup Tab (lookup.csv)
    att1  att2  att3
    F1    1100  12.09.2024
    F2    1100  23.04.2024
    F3    1100  15.06.2024
    F4    1100  16.03.2024
att1 is also in index=myindex
I want to have in a table for all att1 from lookup.csv count of all events from index=myindex att1=$att1$ AND earliest=strptime($att3$, "%d.%m.%Y")
output:
    att1  count(from myindex)  att2  att3
    F1    count                1100  12.09.2024
    F2    count                1100  23.04.2024
    F3    count                1100  15.06.2024
    F4    count                1100  16.03.2024
@shalomsuresh These solutions don't work if there are more than 3 with the same score, e.g. if "f" had a score of 73 as well.
Hello @Kathryn.Green, I was told you should be having a conversation soon with AppDynamics about your questions here, as they have reached out privately.
Is there a way to get Service Endpoint values (response time, load, errors) into Analytics so it can be queried? I have multiple custom service endpoints that are looking at the performance of api calls from a specific customer.  They are calls like createCart and placeOrder etc. Is there a way for me to get the values like load, response time, and error counts for these service endpoints, in Analytics? I know I can get those metrics for business transactions, but these service endpoints are subsets within the BTs.  I don't want to have to create a custom BT for each of these custom service endpoints if I can avoid that. Thanks, Greg
Hi @Huy.Nguyen, First off, cool profile pic! Second, I found this AppD Docs page that could be helpful on how to uninstall a Smart Agent with Command line. https://docs.appdynamics.com/appd/24.x/24.8/en/agent-management/smart-agent/uninstall-smart-agent
Hi, Is the Dnslookup available in Splunk cloud like enterprise?
If you want to avoid using 2 streamstats you shall try this way,
    | streamstats count as Rank
    | delta Score as Diff
    | eval Rank=if(Diff=0,Rank-1,Rank)
    | fields - Diff
And with 2 streamstats you shall try this so to avoid 1 extra filldown command,
    | streamstats count as Rank
    | streamstats window=2 range(Score) as range
    | eval Rank=if(Rank=1 OR range != 0, Rank, Rank-1)
Hi, What if we are unable to upgrade the controller (v24.4.1) to version 24.6 or higher at this time, is there a way to remove the inactive Smart Agent from the controller via the command line or from the database?  Thanks!
Have you tried the lookup command https://docs.splunk.com/Documentation/Splunk/9.3.1/SearchReference/Lookup  
I lessened the amount of fields in the csv and that solved the issue. 
Hi Team
Can you please help me to provide a solution to use a csv file with the external vs internal user id data in Splunk. Below is the current query and output that extracts the internal userid, and I need another column to add the corresponding external user id.
Csv file : ABC.csv
    usr_id,eml_add_ds
    internal user id 1 , external user id 1
    internal user id 2 , external user id 2
    internal user id 3 , external user id 3
    internal user id 4 , external user id 4
Query :
    (index=ABC) ("Start" OR "Finish") Properties.AspNetCoreEnvironment="*"
    | rex field=Message "Start:\s*(?<start_info>[^\s]+)"
    | rex field=Message "user\s(?<Userid>[^\took|.]+)"
    | search start_info=*
    | table Userid
    | sort time
Output :
It is difficult to tell without seeing your events and lookup file values but taking a clue from the field name "cidr", does your lookup file contain CIDR-style values, and if so, have you created a lookup definition with advanced setting for match type CIDR(cidr)?
@richgalloway @jawahir007 Thank you both for the nice explanation. As part of my migration activity, I want to clean up or remove all the unnecessary sourcetypes from Splunk so that we may use less disk space and move data more quickly from the old server to the new one. But as per your suggestion, the delete command will never reduce disk space, and in migration the entire data will have to be copied. Am I understanding it correctly?
Some more additions to my first ask:
1. All the sourcetypes come from one source.
2. All the sourcetypes belong to only one index.
3. We are using transforms and props to build the sourcetypes. When a particular pattern of events comes in, transforms create the sourcetype (as per the regex mentioned inside).
4. All the parsing and filtering is taken care of by a python script.
5. Both unnecessary and necessary sourcetypes are included in that one index.
Thanks