All Posts


Try this (index="wpg" host=*pz-pay*) (OrderSummary OR (OrderSummary AND "Address is invalid, it might contain a card number")) | eval is_invalid=if(searchmatch("Address is invalid, it might contain a card number"), 1, 0) | stats count AS "Total", count(eval(is_invalid=1)) as Failure | eval result = (Failure * 100)/Total
Try something like this index="wpg" host=*pz-pay* OrderSummary | eventstats count AS "Total" | search "Address is invalid, it might contain a card number" | stats count AS "Failure" values(Total) as Total | eval result = (Total/Failure)*100
I'm sure you are stuck, as expected. The current tstats command produces only one field: count. You can get some (and maybe all) of them using the list or values function, but any association between the fields will be lost. For example: | tstats count, values(analysis.threat_score) as ats, values(analysis.metadata.sandcastle_env.analysis_start) as start, ... from datamodel=Cisco_Security.Secure_Malware_Analytics_Dataset where nodename=Secure_Malware_Analytics_Dataset index=* status IN ("*") sourcetype="cisco:sma:submissions"
Is the Endpoint DM accelerated?  If not, then setting indexes won't accomplish anything.  Also, the data in the wineventlog index must be CIM-compliant.  See the CIM Manual for the field names expected by the DM.  Use field aliases and EVALs in props.conf to create the fields.
Hi - We have a requirement to join the below eval statement searches; would it be possible for someone to assist with the solution please? eval search 1 = index="wpg" host=*pz-pay* OrderSummary | stats count AS "Total" eval search 2 = index="wpg" host=*pz-pay* OrderSummary AND "Address is invalid, it might contain a card number" | stats count AS "Failure" eval result = (search 1/search 2)*100 Thanks, Tom
Hi All, I did a look around for a syntax definition for SPL in Notepad++ and didn't find one. Attached is my attempt. Feel free to use it. If you have any suggestions, changes etc. then post a reply. Thanks everyone
I found a similar post that did not quite fit the bill of what I am trying to do. I want to be able to create a link graph that shows a logical flow of all of our data from index>sourcetype>fields. Issues I am running into: | fieldsummary does not work with metadata and thus does not include the index or sourcetype. |tstats search is only able to show index and sourcetype. I figure there is a base search I need to set up to pull the initial sourcetypes to run fieldsummaries on, but I'm not sure how to string these techniques together or if something like this is even feasible without leaving a very heavy burden on the cluster. I would like to make this a report that updates a lookup weekly so that the dashboard is referencing the lookup instead of running this search. Thanks in advance for your time!
Hi @psla, I'm a Community Moderator in the Splunk Community. This question was posted 2 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
What do you mean by "HF is forwarding clients to MC"? A DC is issuing a POST to server's 8089 port for a /services/broker/phonehome/<client_info> endpoint. A server either responds if it's a DS or sends 404 if it isn't if I remember correctly. I don't recall any "relaying". What do you mean by "forwarding client info to MC"? Do you see POST /services/broker/phonehome/connection/... entries in splunkd_access.log on the MC? What is the deploymentclient.conf on your UFs? (effective config - from the btool output)
Hi @user487596 , sorry but I don't understand: what do you mean with "in all indexes without loading splunk"? You could use APIs to access Splunk from your application without using the Splunk GUI. Ciao. Giuseppe
Hello @vigneshnarendra, so I'm curious about why maps are dangerous. In some cases system data may be lost. I would like to know the detailed reason why it is possible.
@gcusello , It's pretty clear what to look for, the question is how to do it in all indexes without loading splunk
| rex "^RAISE-ALARM(?<line>.*proxy)"
Have you included search head captain in your search? I believe only the scheduler node will get the failed logs. If you have included them, follow my next steps. Do you find them in your logs and they aren't extracted? Append the below SPL to extract them. | rex field=_raw "status=(?<status>\w+)" Do you get them when you do stats count on status?  If not then you have 100% success rate on the searches. 
Hi Team, We are using an add-on to collect the Azure metrics through the REST API. Data is getting ingested into Splunk Cloud. However, we are seeing a lag of exactly 4 hours. Splunk Cloud is in the UTC time zone. We have set TZ=UTC in the HF apps/local/props.conf as the application is writing in UTC time. However, there is a lag in Splunk Cloud. https://splunkbase.splunk.com/app/3110 Any help is highly appreciated.
Hi @munang. The risky command warning is only a safeguard for many commands which could be a potential risk if users run them without knowing what they are doing. https://docs.splunk.com/Documentation/Splunk/9.3.0/Security/SPLsafeguards You could set commands.conf as below and restart Splunk to remove the warning. [<your_command_name>] is_risky = false
Any ideas how it can be achieved?
Other than poor speed and performance, is there a reason why the map command is considered dangerous? The official documentation says that the map command can result in data loss or potential security risks. But I don't see any details. Why? https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Map
Hi All, I am able to see only 4 statuses; why am I not able to see status=skipped and status=continued?
As you mentioned, you can only manually link it if it's within the same app. That said, you should fix the actual correlation issue, which will correctly link it to the other application. This might just be due to the correlation not being picked up on the downstream application. Should be a quick fix