I'm curious about this value. "reason": "unrecognized character follows \\", Since the \\ is a literal escape, is it reading the remainder of the message as text until the next naturally occurring " on its own? Can you try changing the "\\" in the text portion of the message to "escape character set".
As I am learning with Write-Once-Read-Many (WORM), there are situations where the buckets/tsidx files are re-uploaded when the indexers have hiccups during an upload. https://community.splunk.com/t5/Deployment-Architecture/smartstore-splunk-smartstore-and-Data-integrity/m-p/506769
Try this inside the quotes:
Crestron Package Firmware version :(?<CCSFirmware>[^\s]+)
Once the base search runs with the filtered status, the results are all that is left over. You need to isolate your inputs source from your results query. In this case 2 or more base searches are needed. Things I have done/learned while doing this:
- tstats search commands are much faster, especially pulling single fields; use this if you can
- inputs have limits on displaying unique values; enable search and wildcard options for long lists, never over 1,000 unique values if I recall correctly
Hello, I am currently working on a project that involves integrating Splunk with Azure Virtual Desktop (AVD). Could you please provide me with any available documentation or resources that detail the process or best practices for this integration? Any guidance or links to relevant materials would be greatly appreciated. Thank you in advance for your assistance. Best regards,
Hi! I am working as an IAM Specialist but I am looking to pivot to Splunk. I would like to set up a Splunk Enterprise environment using VMware where I can practice the basics and move to more advanced functions, including getting a solid base and understanding of networking. After seeing many videos for all kinds of setups, I am not sure which would be best for me setup-wise, and I was wondering if anyone can help give me a setup that works best based off my laptop configuration. I would like to practice on VMs for both Windows/Linux.
Laptop Config: Lenovo IdeaPad touchscreen - AMD Ryzen 7 7730U - WUXGA - 16GB - 1TB SSD - OS Windows 11
Any information would be highly appreciated.
I want to create one static field by looking at status value = Issue.

host  m_nname  status
A     cpu      Ok
B     disk     Ok
C     memory   Issue
D     netwok   Ok
E     storage  Issue

Issue is found in the status column, so a field Health is created with the value Bad, like below.

host  m_nname  status  Health
A     cpu      Ok      Bad
B     disk     Ok      Bad
C     memory   Issue   Bad
D     netwok   Ok      Bad
E     storage  Issue   Bad
You should be able to do that using eventstats.
... | eval FinalStatus = if(Status="Yes", 1, 0) | eventstats min(FinalStatus) as FinalStatus by ServerName | eval FinalStatus = if(FinalStatus=1, "Yes", "No") | table ServerName, FinalStatus
Things like "EventID" are in every event and that isn't showing up. I'll poke around the other conf more.
Anyone interested: this solution worked just fine, however I ended up using the Addon builder instead since it was clean with less effort. There is an option in Addon builder called "event extraction settings"; here I simply used the following setting: $.User This setting will break the events and also field/value pairs. Cheers!
@johnlee2327 Firstly I would not recommend you use this in email as you will need to embed the username & password into the link you give. External prompts are coming in the next release AFAIK so you may not want to expend a lot of energy on this to then have it natively available. For your question I think you just need to put "deny" as a string not a list object.
-- Hope this helps. Happy SOARing --
So I am using multiselect to take dynamic input from the user, and it is working fine when I have individual searches running to populate the dynamic list for each input. But since for all those inputs my base search is the same, I had thought to use Splunk's base search feature to populate the list, which works fine at first submit, but now when the panels are loaded and the user wants to change the value in the multiselect input, it does not list all the values which were available at first. So I wanted to know if there is something we can do to have this working in the same fashion as it works for individual dynamic searches, meaning the underlying values which were returned at first should remain intact, or at least when the user selects the "All" option it should repopulate that list. I had tried using token set/unset and stuff but no luck. I also tried having different base searches for the multiselect dropdown and panel but that too didn't work. Following is the XML with base search which has the issue of reselecting multiselect dropdown values after submission:

<form version="1.1" theme="light">
  <label>testing Clone</label>
  <search id="base_dropdown">
    <query>index=main sourcetype=access_combined_wcookie status IN ($status_tok$) file IN ($file_tok$) itemId IN ($itemId_tok$)</query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>
  <search id="base_panel">
    <query>index=main sourcetype=access_combined_wcookie status IN ($status_tok$) file IN ($file_tok$) itemId IN ($itemId_tok$)</query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time_tok">
      <label>Time</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="status_tok">
      <label>status</label>
      <choice value="*">All</choice>
      <default>*</default>
      <delimiter>,</delimiter>
      <fieldForLabel>status</fieldForLabel>
      <fieldForValue>status</fieldForValue>
      <search base="base_dropdown">
        <query>|stats count by status|sort 0 + status</query>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
    <input type="multiselect" token="file_tok">
      <label>file</label>
      <choice value="*">All</choice>
      <default>*</default>
      <delimiter>,</delimiter>
      <fieldForLabel>file</fieldForLabel>
      <fieldForValue>file</fieldForValue>
      <search base="base_dropdown">
        <query>|stats count by file|sort 0 + file</query>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
    <input type="multiselect" token="itemId_tok">
      <label>itemId</label>
      <choice value="*">All</choice>
      <default>*</default>
      <delimiter>,</delimiter>
      <fieldForLabel>itemId</fieldForLabel>
      <fieldForValue>itemId</fieldForValue>
      <search base="base_dropdown">
        <query>|stats count by itemId|sort 0 + itemId</query>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Count </title>
        <search base="base_panel">
          <query>| stats count</query>
          <!--- <earliest>$time_tok.earliest$</earliest> <latest>$time_tok.latest$</latest>-->
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Following is without base search for the multiselect dropdown, which works as expected:

<form version="1.1" theme="light">
  <label>testing</label>
  <!--<search id="base_dropdown">
    <query>index=main sourcetype=access_combined_wcookie status IN ($status_tok$) file IN ($file_tok$) itemId IN ($itemId_tok$)</query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>-->
  <search id="base_panel">
    <query>index=main sourcetype=access_combined_wcookie status IN ($status_tok$) file IN ($file_tok$) itemId IN ($itemId_tok$)</query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time_tok">
      <label>Time</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="status_tok">
      <label>status</label>
      <choice value="*">All</choice>
      <default>*</default>
      <delimiter>,</delimiter>
      <fieldForLabel>status</fieldForLabel>
      <fieldForValue>status</fieldForValue>
      <search>
        <query>index=main sourcetype=access_combined_wcookie earliest="$time_tok.earliest$" latest="$time_tok.latest$" |stats count by status|sort 0 + status</query>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
    <input type="multiselect" token="file_tok">
      <label>file</label>
      <choice value="*">All</choice>
      <default>*</default>
      <delimiter>,</delimiter>
      <fieldForLabel>file</fieldForLabel>
      <fieldForValue>file</fieldForValue>
      <search>
        <query>index=main sourcetype=access_combined_wcookie earliest=$time_tok.earliest$ latest="$time_tok.latest$"|stats count by file|sort 0 + file</query>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
    <input type="multiselect" token="itemId_tok">
      <label>itemId</label>
      <choice value="*">All</choice>
      <default>*</default>
      <delimiter>,</delimiter>
      <fieldForLabel>itemId</fieldForLabel>
      <fieldForValue>itemId</fieldForValue>
      <search>
        <query>index=main sourcetype=access_combined_wcookie earliest=$time_tok.earliest$ latest="$time_tok.latest$"|stats count by itemId|sort 0 + itemId</query>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Count</title>
        <search base="base_panel">
          <query>| stats count</query>
          <!--- <earliest>$time_tok.earliest$</earliest> <latest>$time_tok.latest$</latest>-->
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
No luck.
Update. I have found I can use this API to approve. But it still needs username/password or token T^T.
curl -X POST -k -u "username:password" https://10.250.74.118:8443//rest/approval/15/responses -d "{\"responses\": [\"deny\"]}"
But it is showing this error:
{"failed": true, "message": "Invalid resolution. must be one of approve, deny, delegate"}
Anyone know why?
Sure, it seems it was only needed for a particular eventhub, and there I am running:
SEDCMD-remove_quot_infront = s/^\"{/{/g
SEDCMD-remove_quot_behind = s/}\"$/}/g
SEDCMD-remove_slash = s/\\"/"/g
I have sample data pushed to Splunk as below. Help me with a Splunk query where I want only unique server names with the final status as the second column. Compare both horizontally and vertically for each server's second column status: if any of the second column values is No for that server, then consider No as the final status for that server; if all the second column values are Yes for a server, then consider that server's final status as Yes.

sample.csv:
ServerName,Status
Server1,Yes
Server1,No
Server1,Yes
Server2,No
Server2,No
Server3,Yes
Server3,Yes
Server4,Yes
Server5,No
Server6,Yes
Server6,No
Server6,Yes
Server6,No
Server7,Yes
Server7,Yes
Server7,Yes
Server7,Yes
Server8,No
Server8,No
Server8,No
Server8,No

Output should look similar to below:
ServerName,FinalStatus
Server1,No
Server2,No
Server3,Yes
Server4,Yes
Server5,No
Server6,No
Server7,Yes
Server8,No
All I am learning for prompt is that I need to open a browser and answer the prompt with the SOAR GUI. Is any REST API or link available to answer a prompt? I want to pass some variable in the mail. If somebody clicks a certain link, it will accept or reject the prompt for event "4" based on the API automatically. It will reduce IT's workload!
Hmm, after further investigation it appears that it might not be anything to do with the throughput settings on either server. Digging into the logs, this problem always begins when the Heavy Forwarder patches. At this point the Windows server stops being able to send logs and never recovers even when the HF is available again. I wonder if this is related to v9.3.0 of the agent, because we didn't see any issues before this was upgraded. 
can you check your direct messages
Hello @MatthewWolf, If you need the number of event counts for a particular category, you can use the following search:
index=<<index_name>> sourcetype="fraud_detection.csv" | stats count by category | sort - count
This will give you output of all the categories present with their event count in decreasing order (i.e. highest count first).
Thanks, Tejas.
--- If the above solution helps, an upvote is appreciated!