All Posts

Could you please give me an example?
SPL 101 - each search needs a set of events to work with. inputlookup is one way of getting them; replacing this with an index search is another. So, yes, there are a number of ways to do the same thing without inputlookup!
Your data looks like JSON so perhaps you should start by extracting the value collection into a multivalue field. You can then use mvexpand to split it into separate events, and use rex to extract the fields. Note that you can't have two columns / fields with the same name as you have shown.

| spath value{} output=value
| mvexpand value
| rex field=value "(?<repos>[^:]+):\s*(?<count>\d+):\s*(?<active>\w+):\s*(?<othercount>\d+)"
| table repos count active othercount
If there were a way to update a macro, it would likely have a REST endpoint, but there doesn't appear to be one. Having said that, even if there were, this sounds like a risky thing to be doing anyway. Perhaps a better way would be to update a lookup or KV store with the results from your search so that the macro can use those, i.e. keep the processing (defined by the macro) separate from the data (found by the search). What you seem to be asking for smacks of self-modifying code, which, while it may sound like a cool thing to do, is generally not a safe practice.
https://docs.splunk.com/Documentation/Splunk/9.3.1/Alert/EmailNotificationTokens  
Hi, I have a case where I want to update/append the macro with the results from a lookup. I don't want to do this manually each time. So is there any way I could use a scheduled search and update the macro if the lookup has any new values?
The search can return anything between 0 and something, but that is not my question. I cannot judge the quality of the received data by its quantity. It is just important that I receive all the data I'm asking for. Again, my question is: is there a way to detect if a search is dealing with partial results? As a user you are notified when you run the search manually. This I want to detect in the search itself. I will experiment with appendpipe.
Hi @JoseQuintero, you have to ingest the logs from your access points, parse them and search for the username of your user. What technology are you using? Could you share some samples of your access point logs? Ciao. Giuseppe
Hi @iamtheclient20, let me understand: you want to find the matches between the index and the lookup, in other words the values present both in the lookup and in the events. So, why doesn't my first solution match your requisite? It extracts the events from the main search that match the values in the lookup and also the reverse (values in the lookup that match the events in the search). There could be an issue if you want the NOT match condition, but the match condition is reversible. Ciao. Giuseppe
Hi, I need to do a heat map visualization. I have checked the dashboard examples add-on, and in this example a lookup is used:

| inputlookup sample-data.csv

Is it possible to do the same thing without a lookup, please? I mean by using an index and an eval command, for example: if the field "Value" is < 50 the color is green, < 30 the color is orange and < 10 the color is red in my heat map. Regards
Hi Team, I am sending JSON data to the Splunk server and I want to create a dashboard out of it. My data is in the below format and I need help in creating the dashboard out of it.

example:
{"value": ["new-repo-1: 2: yes: 17", "new-repo-2: 30:no:10", "new-one-3:15:yes:0", "old-repo: 10:yes:23", "my-repo: 10:no:15"]}
and many more similar entries.

My dashboard should look like:

repos       count  active  count
new-repo    2      yes     17
new-repo-2  30     no      10
new-one-3   15     yes     0
old-repo    10     yes     23
my-repo     10     no      15

I am able to write the rex for a single field using extract pairdelim="\"{,}" kvdelim=":" but not able to do it for the complete dashboard. Can someone help?

Thanks, Veeresh Shenoy
Hi gcusello, I cannot use this approach because of the limit. Thank you.
I see this "extracted_eventtype" field in many saved searches and dashboard inline searches. However, I cannot find where it is generated. In the DUO events I do see "event_type" and "eventtype" fields. But not "extracted_eventtype". Dashboards with that field show "No results found." because that field is nowhere to be found in DUO events. Any thoughts / pointers would be very much appreciated!
I finally figured out the issue. We have Splunk Observability Cloud. I had set up Log Observer to connect to the Enterprise instance. Part of the setup is to add indexes_list_all to the authorize.conf file and make sure it's not checked for the new role you create for LO. I didn't realize that without that entry in authorize.conf it was enabled for all roles. Once I added the capability in the file it became disabled for all roles. I added that to the admin role and now all the stats are displaying on the indexes page.
Can you please help to share a documentation or some reference?
How can I monitor whether a user is using the wireless in the company? Thank you!
Hi @PickleRick, I don't see any API GET that shows Pod or Status. Any help/guidance would be appreciated.
My template consists of:

app_directory_name
  local
    app.conf
  metadata
    local.meta

app.conf:
[install]
state = enabled

[ui]
is_visible = 0
label = # I usually use the exact app directory name here

[package]
check_for_updates = 0

local.meta:
[]
access = read : [ * ], write : [ admin ]
export = system
Adding this attribute to web.conf:

enableCertBasedUserAuth = true

generates the below proxy error:

The proxy server received an invalid response from an upstream server. The proxy server could not handle the request Reason: Error reading from remote server
Hi @Khalid.Rehan, I found this AppDynamics Docs page that I think would be helpful. Please have a read and let me know if it helped. https://docs.appdynamics.com/appd/22.x/latest/en/end-user-monitoring/browser-monitoring/browser-real-user-monitoring/enable-the-content-security-policy-csp