All Posts

Hello @Viral_G, you can have a token value set based on the selected field/column in the table. You can then create another panel to display the selected token and set a drilldown on the new panel.

Thanks, Tejas.

--- If the above solution helps, an upvote is appreciated!
Thank you @rohit1793, this spreadsheet is very helpful!
Event without issue (btoolTag = btool_validate_strptime):

[
  {
    "bad_strptime": "%d.%m.%Y %H:%M:%S,%3",
    "conf_file": "props.conf",
    "stanza": "lb:logs",
    "attribute": "TIME_FORMAT",
    "btoolTag": "btool_validate_strptime",
    "timestamp": "2024-08-29T06:00:04",
    "host": "blabla_hostname"
  },
  {
    "bad_strptime": "%y-%m-%d %H:%M:%S%",
    "conf_file": "props.conf",
    "stanza": "iislogs",
    "attribute": "TIME_FORMAT",
    "btoolTag": "btool_validate_strptime",
    "timestamp": "2024-08-29T06:00:04",
    "host": "blabla_hostname"
  }
]

Affected event (btoolTag = btool_validate_regex):

[
  {
    "bad_regex": "(?i)id_618_(?<eventfield_1>\\\\w*).*i_Media=MEDIA_(?<eventfield_2>\\\\w*).*i_Dnbits=(?<eventfield_3\\\\w*).*cs_PERString=(?<eventfield_4>\\\\w*)",
    "conf_file": "props.conf",
    "stanza": "fansfms:aaio",
    "attribute": "EXTRACT-AoIP_message1",
    "reason": "syntax error in subpattern name (missing terminator?)",
    "btoolTag": "btool_validate_regex",
    "timestamp": "2024-08-29T09:47:46",
    "host": "blabla_hostname"
  },
  {
    "bad_regex": "([\\i\\\\fr\\n]+---splunk-admon-end-of-event---\\r\\n[\\r\\n]*)",
    "conf_file": "props.conf",
    "stanza": "source::(....(config|conf|cfg|inii|cfg|emacs|ini|license|lng|plist|presets|properties|props|vim|wsdl))",
    "attribute": "LINE_BREAKER",
    "reason": "unrecognized character follows \\",
    "btoolTag": "btool_validate_regex",
    "timestamp": "2024-08-29T09:47:46",
    "host": "blabla_hostname"
  }
]
Please provide the config that you've implemented on HF for the described setup.
Please check out the following blog post for Dashboard Studio: Dashboard Studio: How to Configure Show/Hide and Token Eval in Dashboard Studio | Splunk
Please provide the affected event and an event that is parsed correctly.
Hi @jagan_vannala, use parentheses: NOT (sessionId=X groupID=Y), and the AND boolean operator isn't required. If you have these doubts, I suggest following the Splunk Search Tutorial, which explains how to create your searches: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial Ciao. Giuseppe
If I want to exclude multiple fields by using a NOT condition, how can I use the NOT query? NOT sessionId=X AND groupID=Y Does this work? Please suggest.
Please execute your original search without testmode=true and after the execution please click on Job --> Inspect Job. Check if you see any error message in the popup.    
Hi @jagan_vannala, sorry, but it still isn't clear: to exclude particular sessionIds, choose the ones to exclude and put them in a condition: | search NOT sessionId IN (cond1, cond2, cond3) Ciao. Giuseppe
Hi, I would like to exclude particular sessions under multiple session IDs.
Hello Splunkers, I have 7 files in JSON format (the JSON format is the same for each file), so I applied one parsing configuration for all of them.

On UF:

[source::/opt/splunk/etc/apps/app_name/result/*.json]
INDEXED_EXTRACTIONS=json
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)

On IDX:

[sourcetype_name]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
TIME_PREFIX=\"timestamp\"\:\s\"
MAX_TIMESTAMP_LOOKAHEAD=19
TIME_FORMAT=%Y-%m-%dT%H:%M:%S
TRUNCATE=999999

On Search Head:

[sourcetype_name]
KV_MODE=none

Parsing works for all files except one. Here is an excerpt, timestamp with none value. Can you help me on this?
If you only want to see events that do not contain the field sessionId, you must search as follows: host="*" NOT sessionId
Hi @jagan_vannala, maybe it's a typo, but in the solution with NOT you don't need to add !, in other words: host="*" NOT sessionId=X Anyway, your two searches have different results because with sessionId!=X you take all the logs where the field sessionId is present and doesn't have the value "X", whereas with NOT sessionId=X you get all the events except the ones with sessionId=X, even if the sessionId field isn't present. Ciao. Giuseppe
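The difference between sessionId!=X, NOT sessionId=X, NOT sessionId IN (...) and NOT (sessionId=X groupID=Y) discussed in the replies above, worked through on a handful of constructed events. This is an added illustration, not code from the thread or from Splunk: it models each search filter as a Python predicate over dict-shaped events (the sample events and their field values are made up) so the effect of a missing field is visible. Splunk's own search pipeline implements these semantics; the functions here only mirror the behaviour the replies describe.

```python
# Constructed sample events (not from the original thread).
# Note that e3 carries no sessionId field at all; that is the case the
# replies above are about.
EVENTS = [
    {"_id": "e1", "host": "web01", "sessionId": "X", "groupID": "Y"},
    {"_id": "e2", "host": "web01", "sessionId": "Z", "groupID": "Y"},
    {"_id": "e3", "host": "web02", "groupID": "Y"},
    {"_id": "e4", "host": "web02", "sessionId": "X", "groupID": "Q"},
]


def field_not_equal(events, field, value):
    """Mirror of sessionId!=X: the field must exist AND differ from value.
    Events that lack the field are dropped, which is what makes an
    exclusion written with != silently narrower than intended."""
    return [e["_id"] for e in events if field in e and e[field] != value]


def not_field_equal(events, field, value):
    """Mirror of NOT sessionId=X: everything except events where the field
    equals value. Events lacking the field are kept."""
    return [e["_id"] for e in events if not (field in e and e[field] == value)]


def not_field_in(events, field, values):
    """Mirror of NOT sessionId IN (a, b, c): exclude any listed value,
    keep events that have no such field."""
    return [e["_id"] for e in events if not (field in e and e[field] in values)]


def not_all_equal(events, conditions):
    """Mirror of NOT (sessionId=X groupID=Y): the implicit AND inside the
    parentheses means only events matching every pair are excluded."""
    return [
        e["_id"]
        for e in events
        if not all(f in e and e[f] == v for f, v in conditions.items())
    ]


def field_missing(events, field):
    """Mirror of host="*" NOT sessionId: events that do not carry the field."""
    return [e["_id"] for e in events if field not in e]


def dropped_by_bang_equals(events, field, value):
    """Events that NOT field=value keeps but field!=value loses: exactly the
    events without the field. Useful as a sanity check when converting a
    detection's exclusion list from one form to the other."""
    kept_by_not = set(not_field_equal(events, field, value))
    kept_by_bang = set(field_not_equal(events, field, value))
    return sorted(kept_by_not - kept_by_bang)


if __name__ == "__main__":
    print("sessionId!=X            ->", field_not_equal(EVENTS, "sessionId", "X"))
    print("NOT sessionId=X         ->", not_field_equal(EVENTS, "sessionId", "X"))
    print("NOT sessionId IN (X,Z)  ->", not_field_in(EVENTS, "sessionId", {"X", "Z"}))
    print("NOT (sessionId=X groupID=Y) ->",
          not_all_equal(EVENTS, {"sessionId": "X", "groupID": "Y"}))
    print("NOT sessionId (absent)  ->", field_missing(EVENTS, "sessionId"))
    print("lost when using != instead of NOT ->",
          dropped_by_bang_equals(EVENTS, "sessionId", "X"))
```

Running it shows e2 is the only event returned by the != form, while the NOT form also returns e3, the event with no sessionId. For a detection or audit search that is meant to exclude a known-good value and keep everything else, that gap matters: the != form quietly discards every event where the field failed to extract, so the NOT form is usually the safer default.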
Hi Team, when I am trying to exclude one field by inserting the condition sessionId!=X it's not working. Even though I used the "NOT" condition, the field which I am trying to exclude is still showing in the results. Could you please help with how I can exclude a particular field? host="*" sessionId!=X host="*" NOT sessionId!=X
Hi @user487596, Splunk is a search engine, so you can use it for this: you must know the rules (e.g. searching for the word "password") and then apply them to the indexes. At first I'd start by identifying the login and create-user actions for each environment in your infrastructure (e.g. in Windows these actions are identified with EventCode = 4624 and 4720), then you can run searches with those specific filters to see if there are clear-text passwords. Ciao. Giuseppe
Hi @gcusello, I need to find secrets (passwords, API tokens, etc.) in all data (events) in all indexes that are in Splunk; the question is about the approach: how to do this so as not to overload Splunk.
Hi @user487596, could you describe your requirement in more detail? In Splunk, access to data is managed at the index level; in other words, you can define for each role which indexes the users with that role can access. In addition, it's also possible to add some additional restrictions, but always at the role level, not the user level. Ciao. Giuseppe
Hello, I've created a dashboard that shows 4 teams in a dropdown menu. Now when I choose one of the teams, I want to see only the panels for that specific team. I've created the drop-down input and given it the label Team. I have created static options like Team 1, Team 2, Team 3, Team 4. So, my question is: how do I assign each panel chart to one of the teams in the drop-down? From some of the online searching I've done, it suggests using the tokenization concept. Could you please help me achieve this result?
Can you share the props or SEDCMD you are using right now?