Hi All, I have enquired about this problem earlier as well in the Splunk community, so apologies for the duplicate query. However, I am unable to get a solution that gets my results 100% correct. Moreover, the previous threads are old, so I am not sure whether my comments will get visibility in those threads.

Resources in hand: I have a lookup table which has many fields. I am concerned with two fields: index and host. I have a custom index, which has many fields, but I need to use orig_index and orig_host.

Requirement: I need to fetch the list of those hosts for each index which are present in the lookup table but not in the custom index. I tried the following with a time range of the last 24 hours:

    | inputlookup table.csv
    | fields index, host
    | search NOT [search index="xxx" | rename orig_* AS * | table index, host | format]

But when I try to cross-check the last reported date/time of the host value against the index, I get results from the last hour. I tried the below SPL for the cross-check:

    | tstats max(indextime) AS lastTime where index="dummy" AND host="10.10.10.10" BY host
    | convert ctime(lastTime)

Thus, I need your help to resolve the issue. Thank you.

Hi community, I have a table like below:

    Client  Error_code  Error Results
    abc     1003        2
    abc     1003        3
    abc     1013        1
    abc     1027        3
    abc     1027        5
    abc     1013        2
    abc     Total       16

I am trying to have distinct error codes in the table, combining the error results as well. I tried stats and dedup; they didn't work.

I have a query that returns multi-row and multi-column results. I want to be able to take a specific 'cell' result and assign it as a token. I have done this with a single-row table, using <set token="foo">$result.TYPE1$</set>, but I can't get the syntax for a multi-row table. For example, given the below, I want to tokenize the value chevy.

    VEHICLE  TYPE1   TYPE2
    MOTO     harley  honda
    CAR      chevy   oldsmobile
    TRUCK    fire    garbage

I thought $result.CAR.TYPE1$ would do it, but nope. (To be fair, this problem has plagued my life for some time, but I have finally gotten to the point to ask.) This is not a drilldown or click.value, but a chart (results) from which I want to pull out the specific value returned.

Based on what I've studied, I should be able to show a new field named item with a search such as the one below:

    index=existing_index
    | eval item = "apple"
    | stats count by source
    | table source, item, count

I would expect output similar to the table below.

    source        item   count
    a/b/123.log   apple  5
    a/c/915.log   apple  6
    a/b/574.log   apple  1

Instead, this happens:

    source        item   count
    a/b/123.log          5
    a/c/915.log          6
    a/b/574.log          1

Why did I not get what I expected?

Hi All, we have events from different hosts with the same name. Is there any search query to add them into a single host field? Please suggest.

    dallvcrfix1p                  1913
    dallvcrfix1p.ops.invesco.net  20

Hi, On the latest version of Dashboard Examples (v 8.2.5) & Splunk (v9.0), I see a bug with the table cell highlight JS. When you go to the Table cell page in Dashboard Examples, you see the table with cell highlighting working correctly. But if you refresh this page with Ctrl + R, randomly, the highlighting disappears. I reproduce the same bug with a custom dashboard. Do you have the same bug?

I'm trying to make a punchcard to visualize incoming issues per hour in the previous week. This is the result I get with the following code:

    | eval issues="Issue Priority"
    | stats count(issues) by date_hour date_wday

I really want to get more bins like on the right side so that I can assign values with colors, e.g. 0<10 = green, 11<70 = yellow, 71<150 = red. Is there something I need to include?

Hello, I have two searches with the same index but different host names. Is it possible to have the results of both searches in a dropdown in a dashboard, so that the result appears in a table as per the selection of the host name? Both searches have different field names. Can someone guide me on this please? Thanks in advance. Arshi.

In the "Configure The OpenTelemetry Collector" documentation I see "Attribute Description":

    service.name       string  shoppingcart  Logical name of the service; equivalent to your AppDynamics tier name...
    service.namespace  string  Shop          A namespace for the service.name; equivalent to your AppDynamics application name...

Is this correct? "service.namespace" = "application name" and "service.name" = "tier name". Or should it be "service.namespace" = "tier name" and "service.name" = "application name", and this is just a mistake in documenting it?

I would like to create a dashboard that shows its output when the time is picked and the values of the time are equal to two fields in the index data itself. How can I make this?

Please help me, I have 2 problems. The first problem is with sending alerts by email: when analysing index=_internal "sendmail" it notifies me that it has a bad password problem, but I am sure I am entering my password correctly. The second problem is with access to Splunkbase via the Splunk portal: I can't access Splunkbase via the Splunk Enterprise portal to download applications (bad password too); however, I can do that through the URL. Is there a workaround, because it is very important to send alert emails? For app installation I manage: I download from the site and then install it, but I must have a solution for the problem of alert emails.

Hello there, I'm trying Dashboard Studio for the first time and it's awesome, but I can't figure out why in the drilldown option I can see only what is in the screenshot. Any idea? Thanks in advance.

Hello Community. Can you please tell me how to fix this? I don't understand why this is happening. I have explored various topics but have not been able to find a solution. I have an application which is configured by Splunk_TA_nix on remote servers. But not all servers are getting the CPU=all field. I first encountered this when a team with their dashboard contacted me. They had 2 lonely servers. On one of them the CPU field was extracted and the dashboard worked. On the other one it didn't work any more. I have set up a new server to forward the logs. But there was no CPU field on that one either. I even installed the sysstat utility. But I can't figure it out yet. Thus I am asking for help. Regards to everyone.

Hi All, I am using 2 searches combined via an append to get data in the following format. Each row is a distinct event in the raw data.

    _time                Status        owner       rule_ID
    2022-08-03 23:00:00  <null>        unassigned  001
    2022-08-03 23:35:00  Acknowledged  John        001
    2022-08-03 23:40:00  Resolved      John        001

I need to calculate the time difference between each event, i.e. each row above. How can I get another column called "difference" added that shows the delta between these 3 different events?

Desired output:

    _time                Status        owner       rule_ID  Difference
    2022-08-03 23:00:00  <null>        unassigned  001      0
    2022-08-03 23:35:00  Acknowledged  John        001      0:35:00
    2022-08-03 23:40:00  Resolved      John        001      0:05:00

Note: Rule_ID is the only common field in all 3 events. I referred to other posts here where folks have recommended the transaction command. Unfortunately I don't have any specific field to use in startswith or endswith, so transaction won't work. Thank you in advance.

I have this query in Splunk which gets me the src_ip along with different fields for a particular UserId. But I want to exclude the logs having src_ip starting with either 10 or 172. Could someone please help?

    index=wineventlog $UserId sourcetype="WinEvt:ADFS" EventCode=120*
    | rex "IpAddress\W(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
    | rex "Activity\sID\W(?<Activity_ID>\s.*)"
    | table src_ip, Activity_ID, _time, UserAgent
    | sort _time
    | reverse

Hi, can you please help me write a query for calculating the difference in time between two simultaneous logs? I want to calculate the difference for multiple such logs simultaneously, and then view the differences in a tabular format.

Hello, I am trying to add annotations to a line chart, where the x-axis is a simple Id (1, 2, 3, ...), a field named "RunId". Each event label should then display (on mouse hover) the content of the field "Info", which is extracted in the annotation search. Both the primary and the annotation datasource include the field "RunId". But no event is displayed. Why?

    "viz_jcq0L1f3": {
        "type": "viz.column",
        "dataSources": {
            "primary": "ds_bNZHw3eE",
            "annotation": "ds_annotation"
        },
        "encoding": {
            "annotationX": "annotation.RunId"
        },
        ...
    }
    ...
    "ds_annotation": {
        "type": "ds.search",
        "options": {
            "query": "index=someTestIndex source=*runids.txt | rex field=_raw \" (?<RunId>\\d+)\" |rex field=_raw \"info=\\\"(?<Info>[^\\\"]+)\" | dedup RunId | table RunId, Info"
        },
        "name": "Annotation Search"
    },

Hi All, We have turned on the Use Case - ESCU O365 Authentication Failures Alert. We need this turned on in order to assess risky logins; however, due to the nature of the company (being a University) we have a lot of old unused Alumni accounts that we cannot get rid of. The issue we are running into is that the risk scores of some of these accounts are consistently rising, causing a consistent volume of Highs. We have found that the accounts are trying to log in via the user agent BAV2ROPC, which is the Azure User Agent for Legacy Authentication (IMAP, POP3 etc.). We have tried adding these users to a conditional access policy in Azure to prevent these authentication attempts, but that has not worked. The question I am asking is: is there any possible way in the Use Case search to specifically filter out BAV2ROPC so we do not constantly get these alerts? They are causing a lot of noise within our search and it is making it difficult to find actual attempts to access users' accounts. This is our Correlation Search for this use case:

    index=appext_o365 `o365_management_activity` Workload=AzureActiveDirectory UserAuthenticationMethod=* status=failure
    | stats count earliest(_time) AS firstTime latest(_time) AS lastTime values(UserAuthenticationMethod) AS UserAuthenticationMethod values(UserAgent) AS UserAgent values(status) AS status values(src_ip) AS src_ip by user
    | where count > 10
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `o365_excessive_authentication_failures_alert_filter`

I have a field user-agent like this:

    user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36\r\nHost: domain.com\r\nConnection: Keep-Alive\r\n"

What is the SPL query if I just want to get "domain.com"? Thanks.

1st Query:

    StoreManagementAPI index=b2cforce sourcetype="sfdc:transaction_log__c" HasError__c=false Transaction_Log__c="*"
    | eval message = "200andNo matching records were found"
    | where like(_raw,"%".message."%")
    | append [search StoreManagementAPI index=b2cforce sourcetype="sfdc:transaction_log__c" Transaction_Log__c="*" | eval message = "400andDealer Code provided is invalid" | where like(_raw,"%".message."%")]
    | append [search StoreManagementAPI index=b2cforce sourcetype="sfdc:transaction_log__c" Transaction_Log__c="*" | eval message = "400andDealer Type provided is invalid" | where like(_raw,"%".message."%")]
    | append [search StoreManagementAPI index=b2cforce sourcetype="sfdc:transaction_log__c" Transaction_Log__c="*" | eval message = "400andNo Dealer Code was provided" | where like(_raw,"%".message."%")]
    | append [search StoreManagementAPI index=b2cforce sourcetype="sfdc:transaction_log__c" Transaction_Log__c="*" | eval message = "400andNo Dealer Type was provided" | where like(_raw,"%".message."%")]
    | append [search StoreManagementAPI index=b2cforce sourcetype="sfdc:transaction_log__c" Transaction_Log__c="*" | eval message = "400andInvalid input data" | where like(_raw,"%".message."%")]
    | append [search StoreManagementAPI index=b2cforce sourcetype="sfdc:transaction_log__c" Transaction_Log__c="*" | eval message = "500andCannot deserialize request body" | where like(_raw,"%".message."%")]
    | append [search StoreManagementAPI index=b2cforce sourcetype="sfdc:exception_log__c" ErrorCode__c=500 Interface_Name__c=StoreManagementAPI | eval message = "Unexpected character" | where like(_raw,"%".message."%")]
    | append [search StoreManagementAPI index=b2cforce sourcetype="sfdc:exception_log__c" ErrorCode__c=500 Interface_Name__c=StoreManagementAPI | where Error_Description__c != "Unexpected character ('}' (code 125)): was expecting double-quote to start field name at [line:4, column:6]" | table _time,Error_Description__c | rename Error_Description__c as message]
    | timechart span=30m count by message
    | eval threshold = 25

2nd query:

    StoreManagementAPI index=b2cforce sourcetype="*" "attributes.type"="*"
    | stats count(sourcetype) as total_events
    | where total_events > 480

3rd query:

    StoreManagementAPI index=b2cforce sourcetype="sfdc:transaction_log__c" Transaction_Log__c="*"
    | eval _raw= Transaction_Log__c
    | rex max_match=0 "timestamp[[:punct:]]+(?<timestamp>[^\\\"]+)"
    | eval first_timestamp=mvindex(timestamp,0), last_timestamp=mvindex(timestamp, -1)
    | eval first_ts = strptime(first_timestamp, "%Y-%m-%dT%H:%M:%S.%3N%Z"), last_ts = strptime(last_timestamp, "%Y-%m-%dT%H:%M:%S.%3N%Z")
    | eval diff = last_ts - first_ts
    | stats avg(diff) as average