All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

It is not clear what the dedup is doing, nor what the search XXX is for, but let's assume it is for the product you are interested in. Next, it isn't clear what the single would show. Is it how many users have used the product multiple times? | bin _time span=1mon | stats count by _time user_id | where count > 1 | timechart count span=1mon
Thanks Giuseppe for your advice.  The second one works. The first one somehow only returns 4 lines of results.  
Okay, well noted. I will consider both options. Thank you for the discussion.
Hi @rsAU  The above reply should work fine for your situation. If there are still any issues, please update us with 1) your full search query (remove any confidential info) 2) maybe a screenshot is better
Hi @spisiakmi , let me understand: do you want to put in an input both the att1 and att3 tokens or do you want to pass all the att1 and att3 values of the lookup? In the first case, you have at first to create in a dashboard a dropdown using a search like the following: | inputlookup lookup.csv | eval token=att1.",".att3 | dedup token | sort token | table token passing by value the token to the following search. Then run this search (in the same dashboard) index=myindex [ | makeresults | rex field=$token$ "^(?<att1>[^,]+),(?<att3>.*)" | eval earliest=strptime(att3, "%d.%m.%Y") | fields att1 att3 ] | ... Ciao. Giuseppe
Hi @cdevoe57 , you have to create a new appLogo.png (160x40 pixels) and appLogo_2x.png (320x80 pixels) file, containing the image to show (both logo and name) and save it in $SPLUNK_HOME/etc/apps/<your_app>/static replacing the existing files. In this way you'll have the app icon you like, with both logo and name. Ciao. Giuseppe
That's not something I have come across - you could submit it as an idea https://ideas.splunk.com/  
Hi @rsAU , let me understand: you want to count the users that accessed the system more than one time, is this correct? You can use a simple search: <your_search> | stats count by user_id | where count>1 Ciao. Giuseppe
Hi @Iris_Pi , supposing that the _time of your events is the Timestamp field, you have two solutions: 1) using stats (supposing a span of 1 hour): <your_search> | bin span=1h _time | stats sum(rxbytes) AS rxbytes BY fwname interface 2) using timechart (supposing a span of 1 hour): <your_search> | eval col=fwname.", ".interface | timechart span=1h sum(rxbytes) AS rxbytes BY col I prefer the first one. Ciao. Giuseppe
Trying to fix a corruption issue with a _metrics bucket, using the "./splunk rebuild <path>" command. Doing this, I receive the following WARN "Fsck - Rebuilding entire bucket is not supported for "metric" bucket that has a "stubbed-out" rawdata journal. Only bloomfilter will be build" How would I rebuild the metrics bucket to fix the error?
Hi @tungpx , let me understand: you have a Splunk instance accessible without login (also by API)? Is it maybe a free Splunk instance? In this case the only solution is to buy a license. Could you better describe your situation? Ciao. Giuseppe
Hi @Cleanhearty , I suppose that you already ingested the csv file in a lookup or in an index. If in a lookup you can define what you mean with "gender that performed the most fraudulent activities and in what category", I suppose that you mean most fraudulent by amount, so you could try something like this: | inputlookup fraud_report.csv | stats max(amount) AS amount BY gender category | sort -amount | head 10 In this way, you have the top 10 categories by gender that have the greatest amount. My hint is also to follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial) to learn how to run similar searches. Ciao. Giuseppe
Lookup is just one type of knowledge object.  Field extractions, transforms, calculated fields, event types, tags, etc., etc., can all have limited permissions if any of your subsearches use those.  For example, you think a field is available to you, and it appears to be available to you in search window because you are the owner of that private extraction.  But the field may not be available when another user runs the dashboard.  Again, this is just another example.
Many thanks! Yes, it is what I want, your answer is very helpful! Many thanks!
As a newbie I am currently working on a mini internship project which requires me to analyse a dataset using Splunk. I have completed almost all but the last part of it, which reads "gender that performed the most fraudulent activities and in what category". Basically I'm supposed to get the gender (F or M) that performed the most fraud and specifically in what category. The dataset consists of the columns steps, customer, age, gender, Postcodeorigin, merchant, category, amount and fround from a file named fraud_report.csv. The file has already been uploaded to Splunk. I am just stuck at the query part.
Hi, @yuanliu , the macro is shared in the app, and I don't use any lookup files in the macro. I use join in the macro to get the data from 3 different source types. Is the join causing the issue?
When you define lookup, did you set match type to CIDR? This is in Advanced options.    
By "make the result has 3 columns," do you mean that when logs only come from less than 3 servers, you still want to display the one with no logs (with value 0)? In that case, you must know the exact name of the three servers.  Then, use foreach to fill the values. index=* AND appid=127881 AND message="*|NGINX|*" AND cluster != null AND namespace != null | eval server = (namespace + "@" + cluster) | timechart span=1d count by server | foreach "127881-p@23p", "127881-p@24p", "127881-p@25p" [eval <<FIELD>> = if(isnull('<<FIELD>>'), 0, '<<FIELD>>')]  
The subject is too generic without knowing what the macro consists of. But if there are no obvious error messages, the problem could be in permissions of knowledge objects (lookups, extractions/transforms, calculated fields, etc.) used in the macro. First, of course, check if the macro itself is shared in the app where the dashboard runs. Then, is there any lookup used in the macro that is not shared with this app? And so on, and so forth.
You can go into token management to find out which this token belongs to, then go into permissions and find out what permissions the user has. To think, every user who can launch a search should be allowed to use /services/search/jobs endpoint.  So, that is highly abnormal.  Maybe first test that user in UI to see if it can launch job manager menu.  Meanwhile, a trivial user should not be allowed to see another user's search, so denying /services/search/jobs/<searchid> can be the result of "otherness". Also, it is not clear what exactly context defines "sometimes".  If the behavior is inconsistent over time using the same token on the same endpoint, maybe it's time to call support.