Hi everyone, I would like to extract a table. For instance (SOH is a special character):

Input
id=1, message body= [35=DSOH45=CSOH]
id=2, message body= [35=FSOH53=ASOH45=CSOH]
+10k messages as such

Result
35  45  53
D   C
F   C   A

Create headers with all keys provided through all messages. If a key is not provided in a message then the cell should be empty. As you can see 53 is not always present; when that is the case its cell is empty.

Thanks in advance.
I have events which will all have an ID, stageID, stageDuration, as well as other information. In the past I've used `chart sum(stageDuration) over ID by stageID` to create stacked bar charts, but now I'm more interested in the table produced by that command. It has a column for ID, then columns for the durations of each of the stageIDs that had the same ID. I would like to create a similar table except I would like to include additional columns. For example, I would like to conditionally populate a column with event.startTime from the stage foo if the stageID foo exists for an ID. I don't need the visualization, just the way of forming the table. It seems like there might be a way to do this with transactions but I haven't been able to figure it out.
We are looking into upgrading the Juniper Add On application from 1.0.2 to 1.5.5 using the following link:  https://splunkbase.splunk.com/app/2847/#/details   We still are using the juniper:sslvpn which apparently has been deprecated after version 1.3.  The eventtypes in version 1.0.2 reference this juniper:sslvpn sourcetype but the new 1.5.5 application does not reference juniper:sslvpn in any of its eventtypes.    Our current configuration using SC4S, however, still sends new events to juniper:sslvpn.  Is there another SC4S upgrade that is necessary to send data to new juniper sourcetypes prior to upgrading to the latest 1.5.5 version of the Juniper application?   Any help would be appreciated. Thank you.   Tom
I currently have an Indexer/Multiple Search Head cluster, but due to some regional requirements we are looking at smaller replicas of the environment in other regions. We need to have certain configurations, such as saved searches and dashboards, copied over to the new regions. However, we need some stuff, like the contents of lookup files, to not replicate over. Is there a way to set up a multi-site Search Head cluster to prevent replication of KV and CSV to other sites, but allow replication within each site? Or prevent single search heads in a cluster from receiving updates to their lookups? I know there are ways to prevent copies of indexed data from leaving a site, but I'm not sure how exactly bundle replication processes these objects.
I'm trying to save the results of my search in a token so I can reference it in another visualization. I've read other posts and people are using the <done> tags to solve this issue. Below is my code:

<row>
  <panel>
    <single>
      <search>
        <query>index = * | stats count as c</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
        <done>
          <set token="results">$row.c$</set>
        </done>
      </search>
      <option name="drilldown">none</option>
    </single>
  </panel>
</row>

Ideally I would like to reference the "results" token in other searches. Any help is appreciated.

-Marco
Hello everyone, I have an issue with one field, let's say foo. These are the scenarios:

1. If I run a search just with the index that contains the logs I can see the field foo in the fields bar perfectly and I can also see the values.
2. If I select the field and it is added to the search, for example index=bar foo="hello", the results are ZERO even though I selected that value from the previous search (where I saw the field and the values in the fields bar).
3. If I add the sourcetype to the search, for example index=bar sourcetype=net foo="hello", I can see results but not the expected results; usually I get less than the real number and the number of results is random in the same interval of time.

Configuration: I am using the automatic key-value field extraction KV_MODE=json to try to extract the fields of a source. The source is sending the logs in JSON format.

#props.conf - SH configuration and indexers
[net]
CHARSET=UTF-8
KV_MODE=json
TRUNCATE = 99999
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true

#inputs.conf - forwarder
[monitor:///pat/*.json]
sourcetype= net
index = bar
disabled = false
crcSalt = <SOURCE>
ignoreOlderThan = 1d

Version 8.2.2, cluster environment.

Notes: I also tried with another sourcetype and data, not using KV_MODE but EXTRACT-foo instead, and I had the same results: the field doesn't show results when it is added to the search. All the rest of the fields are not having this issue; they work perfectly. Thank you for the help.
I have an issue where the link in the email alert does not function properly. I see the following message instead: "The search you requested could not be found." I am on version 7.2.0 Enterprise edition. I have power user access and the alert permissions are set to "Shared in App". I have seen other discussions for known issues that appear related, but those issues do not show up under my version of Splunk in the known issues list.
Search items NOT present in the index. For example:

if day = Mon,tues,wed output query1 and query3 (as two separate tables)
if day = thur,friday output query4 and query5 (as two separate tables)
if day = Mon,friday output query1 (as one separate table)
if day = Mon,wed,friday output query2, query3 and query5 (as three separate tables)
If statement to output multiple tables in Splunk? For example, I have 3 tables that have the following data:

Table 1
AA 1.1
AA 1.5
BB 2.1
CC 3.1
AA 1.3
AA 1.4

Table 2
AA 1.1
AA 1.8
BB 2.1
CC 3.1
AA 1.3
AA 1.7

Table 3
AA 1.4
AA 1.5
BB 2.6
CC 3.7
AA 1.4
AA 1.5

How can I search for AA so I get the output in the form of 3/2/1 different tables depending on what the query is? Also, is there a way to call for a specific set of queries if one of the fields matches? For example, I want to create a search query so that if today is Monday it searches for AA, and if today is Tuesday it searches for BB. Can I have an if statement call multiple table IDs for a multiselect option?

PS. I have the data in an Excel sheet that I cannot deploy to Splunk.
I created a table visualization in Dashboard Studio. The search query has large numbers. How do I format that number to display millions as 1.28M, i.e. with the letter M? Not a mini-program with eval please. I need a good function or format specifier.
Hello all, I have a field that contains hyphens in the value. For example, 20.0--(1259). I am simply trying to replace it with a space, but it does not work. Could you tell me what I am doing wrong?

index=main | eval version_name = replace(version, "-", "  ")
I'm an intermediate Splunk user. I have a query that has 3 fields I want to turn into a chart:

1. mySearchTerm (string)
2. geoID (10 values, each is a unique 5 digit number: 10010, 20020, etc.)
3. the count of searchTerms that appear per geoID

I am able to get a table going using:

<main query> | stats count(mySearchTerm) as myCount BY geoID, mySearchTerm | table geoID myCount mySearchTerm

But when I go to build a visualization of any kind (bubble, scatter, etc.) the layout looks wrong. I'd like to create a visualization of the count of mySearchTerm broken down by geoID. 2 part question:

1. Does my query seem appropriate for my intended use?
2. Is there a specific chart type that is more suited for this information?
Hello there. I have this stanza configured for event logs on the Domain Controllers:

[WinEventLog://Security]
disabled = 0
index=winos_i
blacklist1 = EventCode="4662" Message="Object Name:\s+CN=(?!mycn-1|mycn-2)"
blacklist2 = 538,565,566,576,835,836,837,4931,4932,4933

Basically, I want only the 4662 events related to the CNs above. Well... I push the configuration to the DCs... and suddenly I get ALL 4662 events. What is wrong with that configuration? I can't figure this out. Thank you...
Hello World, I am attempting to create a search in Splunk that will provide me with any and all changes an admin made to our firewalls. This is part of a "governance" task and we have logs coming from the FWs. Any pointers will be appreciated.

Best, AD
Documenting a solution built while working with ITSI 4.13 and CP for Monitoring and Alerting 1.5 on a Splunk 8.2.4 platform.

The content pack for monitoring and alerting creates the itsi_entity_name_normalizer import job to ensure that every entity will get an alias called entity_name. They use this alias for other searches in the logic created from the content pack, so it is important that it runs as intended. When the number of entities grows, the likelihood of this job failing increases. Attempts to run the out-of-the-box SPL on a larger entity pool will highlight a 414 error that the URI is too long, since it looks at the entire pool every run.

To fix this issue we need to change the logic in the 'ITSI Import Objects - itsi_entity_name_normalizer' job so it will not run against entities which already have the entity_name alias.

Original SPL:
| inputlookup itsi_entities
| eval entity_name=title

Updated SPL:
| inputlookup itsi_entities where NOT _itsi_identifier_lookups=entity_name*
| search retirable!=1
| eval entity_name=title
| eval entity_title=title
| head 5000

While the eval for entity_title is redundant, it is useful when using the search for ad-hoc entity import cases, as the UI will restrict us from mapping title to title. Doesn't hurt to have it. If others disagree please update as needed.

Additionally, since we need to control the volume in each batch, the head function gives us that flexibility. We are protected in case we get a large influx of new entities. This assumes you do not need the entity_name field continually overwritten every cycle. I could not find a reason why it matters to be updated after reviewing the other knowledge items the content pack creates.

Lastly, with the introduction of Entity Management Policies in ITSI 4.x we added an extra filter for entities without the retirable flag set. If an entity is flagged to be retired we concluded it should be excluded from this job. The likelihood that an entity would qualify is rare, as that function represents the end of an entity lifecycle, but there is no harm in having the extra check.
Need to compare the date that the user was entered in the lookup table to the revisit month selected.

add panel:

<panel depends="$add$">
  <title>Add User</title>
  <table>
    <search>
      <query> | inputlookup USB.csv | append [ | makeresults | eval user="$user_tok$", description="$description_tok$", revisit="$revisit_tok$", Action="$dropdown_tok$"] | eval today=strftime( | table _time, user, category, department, description, revisit | lookup lookup_im user as user OUTPUT category department | outputlookup USB.csv</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
      <done>
        <unset token="add"></unset>
      </done>
    </search>
    <option name="drilldown">none</option>
    <option name="refresh.display">progressbar</option>
  </table>
</panel>

reauthorize panel:

<panel depends="$reauthorize$">
  <title>Reauthorize User</title>
  <table>
    <search>
      <query> | inputlookup USB.csv </query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
    <option name="drilldown">none</option>
    <option name="refresh.display">progressbar</option>
  </table>
</panel>
I have some events coming in that use a lookup to resolve to an action, e.g.:

Block, block, not sent = blocked
tagged, delivered, logged = delivered

Occasionally a multivalue field appears such as:

Tagged
Logged

OR

Tagged
Block

The logic should be:

Tagged Logged = delivered
Tagged Block = Block

Trying to figure out how to add this logic to utilise the lookup. I played around with nomv, which creates a single value field but adds a \n so the value becomes Tagged\nLogged. But then I need to do a sedcmd to remove the \n and then add the result to the lookup to resolve the desired action. Is there a better approach in this scenario? thx
Splunk table not giving the accurate sum of the fields in addtotals. Even when I use the stats sum function, once the numbers exceed 100000 it will not sum them; I get an inaccurate result in the addtotals.
Hi, I have two fields Field1 and Field2. Field1 is the procedure call and Field2 is the arguments. I want to make a proper procedure call out of it by replacing "?" with the actual values from the arguments. E.g.:

Field1: exec procedureABC arg1 = ?, arg2 = ?, arg3 = ?
Field2: arg1=EXEC, arg2=472.59, arg3=ABC

I want to make a string like this: "exec proc1 arg1 = EXEC, arg2 = 472.59, arg3 = ABC". How can I do this?
Hi, suppose I have the following entries in a table:

A - 1
A - 2
A - 3
B - 1
B - 2

I want to average the values of the same key. Something like this:

A - 3.5
B - 1.5

Help me out on this.