All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

All Topics

How to find single value based on result in a table?

by in Splunk Enterprise
‎05-19-2022 12:08 AM
‎05-19-2022 12:08 AM
Hi everyone, Please help me with this problem. After doing some search by Splunk, I have results in a table below: Id Average 1231 130 1234 540 1568 220 75... See more...
Hi everyone, Please help me with this problem. After doing some search by Splunk, I have results in a table below: Id Average 1231 130 1234 540 1568 220 7564 116 7894 273   No I need to calculate some values that based on the average in the table. For ex: result1= average of id 1231 / average of id 7894 result 2 = average of 1568 / average of 1234 How can I do it please? Thanks in advanced!
Labels

How to display a table with status reason and count of different status reasons like "NO_ID_UPLOADED", "FRAUD_ID"?

by in Splunk Search
‎05-19-2022 12:03 AM
‎05-19-2022 12:03 AM
Hi, This is splunk query and it returns nested JSON object  Query: sourcetype=_json_fluentd source="***" | search message="SQS Result Data" "FAIL" Response: { [-]    additional: { [-]    ... See more...
Hi, This is splunk query and it returns nested JSON object  Query: sourcetype=_json_fluentd source="***" | search message="SQS Result Data" "FAIL" Response: { [-]    additional: { [-]      Messages: [ [-]        { [-]          Body: { "clientName" : "mpc", "tenantId" : "assd", "mid" : "asd-bhn", "userId" : "112778", "transactionReferenceId" : "trans1223", "verificationResult" : "FAIL", "verificationResultTimestamp" : "2022-05-19T05:44:24.090Z", "statusReason" : "NO_ID_UPLOADED" }      ]    }    level: info    message: SQS Result Data } I want to display a table with status reason and count of different status reasons like "NO_ID_UPLOADED", "FRAUD_ID". Please share your answers.
Labels

How to show to line chart for failureCount, warningCounttimechart by time?

by in Splunk Search
‎05-18-2022 10:59 PM
‎05-18-2022 10:59 PM
Hi,   I am using below query in my Dashboard index="deng03-cis-dev-audit" | spath PATH=data.labels.verbose_message output=verbose_message | eval serviceName = mvindex(split(index, "-"), 1)."-".... See more...
Hi,   I am using below query in my Dashboard index="deng03-cis-dev-audit" | spath PATH=data.labels.verbose_message output=verbose_message | eval serviceName = mvindex(split(index, "-"), 1)."-".mvindex(split(host, "-"), 2) |search "data.labels.activity_type_name"="ViolationOpenEventv1" | where (verbose_message like "%Oldest unacked message age%evt%" or verbose_message like "%Oldest unacked message age%rec%") | eval error=case(like(verbose_message,"%above the threshold of 1800.000%"), "warning", like(verbose_message,"%above the threshold of 300.000%"), "failure") | stats values(serviceName) as serviceName count(eval(error=="failure")) as failureCount count(eval(error=="warning")) as warningCounttimechart I want to show to line chart for failureCount, warningCounttimechart by time, I tried appending  timechart span=1d count by failureCount, warningCounttimechart, but of no use
Labels

How to populate a dropdown using a search SPL query in Dashboard Studio?

by in Dashboards & Visualizations
‎05-18-2022 10:54 PM
‎05-18-2022 10:54 PM
I need to create a simple dropdown and populate it using search query in Dashboard Studio.  We can do this in Dashboard classic but how to do it in Dashboard Studio. Then once the user selects an... See more...
I need to create a simple dropdown and populate it using search query in Dashboard Studio.  We can do this in Dashboard classic but how to do it in Dashboard Studio. Then once the user selects any option, how to pass the option to another search query. Like a token
Labels

Error while posting to url=/servicesNS/nobody/TA_EMC-Isilon/isiloncustom/isilonendpoint/setupentity Dell Isilon addon2.6

by in All Apps and Add-ons
‎05-18-2022 08:14 PM
‎05-18-2022 08:14 PM
This dell isilon addon setup page is not working. I am using version 2.6 of Dell EMC Isilon Addon below is the error getting while configuring setup page. Any help on setup page is really a... See more...
This dell isilon addon setup page is not working. I am using version 2.6 of Dell EMC Isilon Addon below is the error getting while configuring setup page. Any help on setup page is really appreciated  what changes we need to make on 
Labels

How to run a same search with multiple time ranges and append the value compare them?

by in Splunk Search
‎05-18-2022 06:41 PM
‎05-18-2022 06:41 PM
Here is the example of the search looks like : index=x* OR index=y* OR index=z* Iabcd 12_* ( earliest=05/09/2022:00:00:00 latest=05/09/2022:24:00:00 )| rex field=_raw "timerField:\d+:\d+:\d+:\d+ (?... See more...
Here is the example of the search looks like : index=x* OR index=y* OR index=z* Iabcd 12_* ( earliest=05/09/2022:00:00:00 latest=05/09/2022:24:00:00 )| rex field=_raw "timerField:\d+:\d+:\d+:\d+ (?<xyzApi>\w+)" | fields +xyzApi test_filed_1test_filed_1 index | top xyzApi test_filed_1test_filed_1 index limit=20 | appendcols [ searchindex=x* OR index=y* OR index=z* Iabcd 12_* ( earliest=05/16/2022:00:00:00 latest=05/16/2022:24:00:00 ) || rex field=_raw "timerField:\d+:\d+:\d+:\d+ (?<xyzApi>\w+)" | fields +xyzApi test_filed_1test_filed_1 index | top xyzApi test_filed_1test_filed_1 index limit=20 ] Ideally i want to run the search for 9th and 16 of this monday and get the count of each day and compare , I'm not able to divide the count for each day 
Labels

How to initialize a time token earliest during dashboard refresh?

by in Dashboards & Visualizations
‎05-18-2022 06:00 PM
‎05-18-2022 06:00 PM
hi , i did some modifications to the time token earliest and latest as per my requirement as shown below. <input type="time" token="time_picker" searchWhenChanged="true"> <label>Time Picker</lab... See more...
hi , i did some modifications to the time token earliest and latest as per my requirement as shown below. <input type="time" token="time_picker" searchWhenChanged="true"> <label>Time Picker</label> <change> <eval token="my_earliest">if(isnum($time_picker.earliest$),$time_picker.earliest$,relative_time(now(),$time_picker.earliest$))</eval> <eval token="my_latest">if(isnum($time_picker.latest$),$time_picker.latest$,relative_time(now(),$time_picker.latest$))</eval> <eval token="my_now">now()</eval> <eval token="final_earliest">strftime($my_earliest$,"%m/%d/%Y:%H:%M:%S")</eval> <eval token="modified_axs">if($my_latest$==$my_now$,$my_latest$-60,$my_latest$)</eval> <eval token="modified_prex">if($my_latest$==$my_now$,$my_latest$,$my_latest$+60)</eval> <eval token="final_latest_axs">strftime(modified_axs,"%m/%d/%Y:%H:%M:%S")</eval> <eval token="final_latest_prex">strftime(modified_prex,"%m/%d/%Y:%H:%M:%S")</eval> </change> <default> <earliest>-15m</earliest> <latest>now</latest> </default> </input> Now, when i refresh the dashboard i am getting  the error , it is not picking the default earliest. it is taking time_picker.earliest as now(). i want to set it for -15m during dashboard refresh  Error in 'search' command: Unable to parse the search: Invalid time bounds in search: start=1652905253 > end=1652905193. how can i solve this issue ? @niketn 
Labels

Help getting field extraction from information in field=source

by in Getting Data In
‎05-18-2022 05:55 PM
‎05-18-2022 05:55 PM
Hi All, I am ingesting some logs from Heavy Forwarder and then sending them to indexers. *Snippet from inputs.conf on the Universal Forwarder [monitor:///opt/splunk/etc/apps/nonprod_apicalls/lo... See more...
Hi All, I am ingesting some logs from Heavy Forwarder and then sending them to indexers. *Snippet from inputs.conf on the Universal Forwarder [monitor:///opt/splunk/etc/apps/nonprod_apicalls/local/ce_p2_srv_data2_env_getstats_port.txt] disabled = false sourcetype = my:api:ce2 index = internet I would like to extract "data2" text from the filename.  I did a rex field extraction on search head and it works giving me "instance" field name under interesting fields on Search UI. Below is the regex I used | rex field=source "\/(.+\/)(?:[^_]+_[^_]+_[^_]+_)(?<instance>[^_]+)"   So next step I did is created props.conf with below configuration [my:api:ce2] EXTRACT-instance = \/(.+\/)(?:[^_]+_[^_]+_[^_]+_)(?<instance>[^_]+) in source   Restarted the splunk service on Heavy Forwarder, but it doesn't work. Can someone advise me if I am doing something wrong here or what is the issue. Thankyou Harry
Labels

Why are multiple base queries in Splunk dashboard giving improper visualizations?

by in Dashboards & Visualizations
‎05-18-2022 02:41 PM
‎05-18-2022 02:41 PM
Hello, I have 3 base queries in my splunk dashboard. But when the dashboard loads, only 1 or 2 base queries run displaying the data and visualization. Request you to please help me on this. PFB the... See more...
Hello, I have 3 base queries in my splunk dashboard. But when the dashboard loads, only 1 or 2 base queries run displaying the data and visualization. Request you to please help me on this. PFB the xml data:   <form> <label>All Errors</label> <description>Errors</description> <fieldset submitButton="false"> <input type="time" token="Time" searchWhenChanged="true"> <label>Time</label> <default> <earliest>-24h</earliest> <latest>now</latest> </default> </input> </fieldset> <search id="search_urls"> <query> index=abc sourcetype=abc cf_org_name=abc cf_space_name=PROD cf_app_name=* | rex field=_raw "POST\s|GET\s(?&lt;URL&gt;[a-zA-Z0-9\W].+)\?|\s\HTTP" | rex field=_raw "x_b3_traceid\:\"(?&lt;TRACE_ID&gt;[a-zA-Z0-9]+)\"" | rex field=_raw "(?&lt;METHOD&gt;POST|GET)" | rex field=_raw "HTTP\/1.1\"\s+(?&lt;STATUS&gt;\d\d\d)\s" | join TRACE_ID [search index=abc sourcetype=abc cf_org_name=abc cf_space_name=PROD cf_app_name=* cf_instance_index="*APP/PROC/WEB*" (severity!=INFO OR tag=error) | rex field=_raw "(?&lt;ERROR_MESSAGE&gt;com.tmobile[a-zA-Z0-9\W].+)$" | rex field=_raw "\,(?&lt;TRACE_ID&gt;[0-9a-zA-Z]+)\,"] </query> <earliest>$Time.earliest$</earliest> <latest>$Time.latest$</latest> </search> <search id="performance_urls"> <query> index=abc sourcetype=abc cf_org_name=abc cf_space_name=PROD cf_app_name=* | rex field=_raw "POST\s|GET\s(?&lt;URL&gt;[a-zA-Z0-9\W].+)\?|\s\HTTP" | rex field=_raw "x_b3_traceid\:\"(?&lt;TRACE_ID&gt;[a-zA-Z0-9]+)\"" | rex field=_raw "(?&lt;METHOD&gt;POST|GET)" | rex field=_raw "response_time\:(?&lt;RESPONSE_TIME&gt;[\d\.\d]+)" | rex field=_raw "HTTP\/1.1\"\s+(?&lt;STATUS&gt;\d\d\d)\s" </query> <earliest>$Time.earliest$</earliest> <latest>$Time.latest$</latest> </search> <search id="errors"> <query>index=abc sourcetype=abc cf_org_name=abc cf_instance_index="*APP/PROC/WEB*" cf_app_name=* | rex field=_raw "(?&lt;ORA_ERROR&gt;ORA\-.+)$" | rex field=_raw "(?&lt;KAFKA_ERROR&gt;org.apache.kafka[a-zA-Z0-9\W].+)$" | rex field=_raw "(?&lt;ERROR_MESSAGE&gt;com.tmobile[0-9a-zA-Z\W].+)$" | rex field=_raw "message\:\s+(?&lt;errorMessage&gt;[0-9a-zA-Z\W].+)$" </query> <earliest>$Time.earliest$</earliest> <latest>$Time.latest$</latest> </search> <row> <panel> <title>Timechart based on URLs (only 4xx/5xx)</title> <chart> <search base="search_urls"> <query> search STATUS&gt;=400 AND URL!="/" | timechart span=1h count by URL usenull=f useother=f</query> </search> <option name="charting.chart">line</option> <option name="charting.drilldown">none</option> <option name="charting.legend.placement">bottom</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <title>Timechart based on URLs (only 4xx/5xx - Unique Trace IDs)</title> <chart> <search base="search_urls"> <query> search STATUS&gt;=400 AND URL!="/" | dedup TRACE_ID | timechart span=1h count by URL usenull=f useother=f</query> </search> <option name="charting.chart">line</option> <option name="charting.drilldown">none</option> <option name="charting.legend.placement">bottom</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <title>Statistics based on URL, STATUS, METHOD, cf_app_name, ERROR_MESSAGE (Sorted by maximum counts)</title> <table> <search base="search_urls"> <query> search STATUS&gt;=400 AND URL!="/" | stats count by URL, STATUS, METHOD, cf_app_name, ERROR_MESSAGE | sort - count | head 6</query> </search> <option name="drilldown">row</option> <option name="percentagesRow">false</option> <option name="totalsRow">false</option> <option name="wrap">false</option> </table> </panel> </row> <row> <panel> <title>Timechart based on URLs (including 2xx/3xx)</title> <chart> <search base="search_urls"> <query> | timechart span=1h count by URL useother=f usenull=f</query> </search> <option name="charting.chart">line</option> <option name="charting.drilldown">none</option> <option name="charting.legend.placement">bottom</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <title>Timechart based on URLs (including 2xx/3xx - Unique Trace IDs)</title> <chart> <search base="search_urls"> <query> | dedup TRACE_ID | timechart span=1h count by URL useother=f usenull=f</query> </search> <option name="charting.chart">line</option> <option name="charting.drilldown">none</option> <option name="charting.legend.placement">bottom</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <title>Statistics based on URL, STATUS, METHOD, cf_app_name, ERROR_MESSAGE (including 2xx/3xx)</title> <table> <search base="search_urls"> <query> | stats count by URL, STATUS, METHOD, cf_app_name, ERROR_MESSAGE | sort - count | head 6</query> </search> <option name="drilldown">row</option> <option name="totalsRow">false</option> <option name="wrap">false</option> </table> </panel> </row> <row> <panel> <title>Database Errors (Timechart)</title> <chart> <search base="errors"> <query> search tag=error | timechart span=1h count by ORA_ERROR usenull=f useother=f</query> </search> <option name="charting.chart">line</option> <option name="charting.drilldown">none</option> <option name="charting.legend.placement">bottom</option> </chart> </panel> <panel> <title>Database Errors by cf_app_name, Error Message (sorted by maximum counts)</title> <table> <search base="errors"> <query> search tag=error | stats count by cf_app_name, ORA_ERROR | sort - count | head 6</query> </search> <option name="drilldown">row</option> <option name="wrap">false</option> </table> </panel> </row> <row> <panel> <title>Timechart of generic messages</title> <chart> <search base="errors"> <query> search errorMessage!="null" | timechart span=1h count by errorMessage useother=f usenull=f</query> </search> <option name="charting.chart">line</option> <option name="charting.drilldown">none</option> <option name="charting.legend.placement">bottom</option> </chart> </panel> <panel> <title>Statistics of generic messages based on cf_app_name</title> <table> <search base="errors"> <query> search errorMessage!="null" | stats count by cf_app_name, errorMessage | sort - count | head 6</query> </search> <option name="drilldown">row</option> <option name="wrap">false</option> </table> </panel> </row> <row> <panel> <title>Timechart of Kafka Errors</title> <chart> <search base="errors"> <query> search severity!=INFO OR tag=error | timechart span=1h count by KAFKA_ERROR usenull=f useother=f</query> </search> <option name="charting.chart">line</option> <option name="charting.drilldown">none</option> <option name="charting.legend.placement">bottom</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <title>Statistics of Kafka Errors based on cf_app_name</title> <table> <search base="errors"> <query> search severity!=INFO OR tag=error | stats count by cf_app_name, KAFKA_ERROR | sort - count | head 6</query> </search> <option name="drilldown">row</option> <option name="wrap">false</option> </table> </panel> </row> <row> <panel> <title>RMQ Errors (Timechart)</title> <chart> <search base="errors"> <query> search ERROR_MESSAGE="*RMQ*" AND (severity!=INFO OR tag=error) | timechart span=1h count by ERROR_MESSAGE usenull=f useother=f</query> </search> <option name="charting.chart">line</option> <option name="charting.drilldown">none</option> <option name="charting.legend.placement">bottom</option> </chart> </panel> <panel> <title>Statistics of RMQ Errors based on cf_app_name</title> <table> <search base="errors"> <query> search ERROR_MESSAGE="*RMQ*" AND (severity!=INFO OR tag=error) | stats count by cf_app_name, ERROR_MESSAGE | sort - count | head 6</query> </search> <option name="drilldown">row</option> <option name="refresh.display">progressbar</option> <option name="wrap">false</option> </table> </panel> </row> <row> <panel> <title>Deep Errors (Timechart)</title> <chart> <search base="errors"> <query> search ERROR_MESSAGE="*deep*" AND (severity!=INFO OR tag=error) | timechart span=1h count by ERROR_MESSAGE usenull=f useother=f</query> </search> <option name="charting.chart">line</option> <option name="charting.drilldown">none</option> <option name="charting.legend.placement">bottom</option> </chart> </panel> <panel> <title>Statistics of Deep Errors based on cf_app_name</title> <table> <search base="errors"> <query> search ERROR_MESSAGE="*deep*" AND (severity!=INFO OR tag=error) | stats count by cf_app_name, ERROR_MESSAGE | sort - count | head 6</query> </search> <option name="drilldown">row</option> <option name="wrap">false</option> </table> </panel> </row> <row> <panel> <title>Performance of 4xx/5xx URLs - Response &gt; 10 sec (Timechart)</title> <chart> <search base="performance_urls"> <query> search STATUS&gt;=400 AND URL!="/" AND RESPONSE_TIME&gt;10 | timechart span=1h count by URL usenull=f useother=f</query> </search> <option name="charting.chart">line</option> <option name="charting.drilldown">none</option> <option name="charting.legend.placement">bottom</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <title>Statistics of response time &gt; 10 sec for 4xx/5xx URLs</title> <table> <search base="performance_urls"> <query> search STATUS&gt;=400 AND URL!="/" AND RESPONSE_TIME&gt;10 | stats count by URL, cf_app_name, STATUS, METHOD | sort - count | head 6</query> </search> <option name="drilldown">row</option> <option name="wrap">false</option> </table> </panel> </row> <row> <panel> <title>Performance of URLs 2xx/3xx/4xx/5xx - Response &gt; 10 sec (Timechart)</title> <chart> <search base="performance_urls"> <query> search URL!="/" AND RESPONSE_TIME&gt;10 | timechart span=1h count by URL useother=f usenull=f</query> </search> <option name="charting.chart">line</option> <option name="charting.drilldown">none</option> <option name="charting.legend.placement">bottom</option> </chart> </panel> <panel> <title>Statistics of response time &gt; 10 sec for 2xx/3xx/4xx/5xx URLs</title> <table> <search base="performance_urls"> <query> search URL!="/" AND RESPONSE_TIME&gt;10 | stats count by URL, cf_app_name, STATUS, METHOD | sort - count | head 6</query> </search> <option name="drilldown">row</option> <option name="refresh.display">progressbar</option> <option name="wrap">false</option> </table> </panel> </row> </form>

How to Use the Time Token Date Range as the Earliest / Latest Options?

by in Dashboards & Visualizations
‎05-18-2022 02:25 PM
‎05-18-2022 02:25 PM
Is there a way to use the time range set by the Preset Time Token as earliest and latest values in a string.  For example, if I my time token name is token_time and I set the range on a Dashboard to ... See more...
Is there a way to use the time range set by the Preset Time Token as earliest and latest values in a string.  For example, if I my time token name is token_time and I set the range on a Dashboard to "Year to date" is there some name or field name I can then use in the search earliest and latest option of token_time to reflect those dates so that I can use them in another search? earliest = the value for 1/01/2022 latest = now   Thanks in advance.
Labels

How to create two multi value fields to produce a json object of name value pairs?

by in Splunk Search
‎05-18-2022 02:11 PM
‎05-18-2022 02:11 PM
I have this Query that produces two multi value fields, keys and values.  What i need to do is pair each entry in the keys multivalue field with it's matching value in the values multivalue field to ... See more...
I have this Query that produces two multi value fields, keys and values.  What i need to do is pair each entry in the keys multivalue field with it's matching value in the values multivalue field to create a json object that looks like this. { key1:val1, key2:val2, key3:val3 } index=test5 earliest=@s-24h apicall IN (aws_es_listDomainNames aws_es_listTags) NOT err | eval resourceid=coalesce(resourceid, DomainName) | eval uid=resourceid+accountid+region | rename "TagList{}.Key" AS keys | rename "TagList{}.Value" AS values | eval tags=mvzip('keys','values'," = ") | nomv tags.    //  this matches up the key and value pairs but isn't useful with json_object.   I've tried using json_object but json_object only accepts arguments and not a string of key value pairs.  Is there a way to produce a json object from the two multivalue fields above?   Thanks.    
Labels

How to create a table from key value pairs which are not always present?

by in Getting Data In
‎05-18-2022 02:00 PM
‎05-18-2022 02:00 PM
Hi everyone, I would like to extract a table. For instance: SOH is a special character Input id=1, message body= [35=DSOH45=CSOH] id= 2, message body= [35=FSOH53=ASOH45=CSOH] +10k message... See more...
Hi everyone, I would like to extract a table. For instance: SOH is a special character Input id=1, message body= [35=DSOH45=CSOH] id= 2, message body= [35=FSOH53=ASOH45=CSOH] +10k messages as such Result 35  45 53 D    C     F     C   A   Create headers with all keys provided through all messages. If key is not provided on message then cell should be empty. As you can see 53 is not always present, when that is the case its cell is empty.   Thanks in advance.  
Labels

How can I aggregate information into rows based on a transaction ID?

by in Splunk Search
‎05-18-2022 12:51 PM
‎05-18-2022 12:51 PM
I have events which will all have an ID, stageID, stageDuration, as well as other information. In the past I've used `chart sum(stageDuration) over ID by stageID` to create stacked bar charts, but n... See more...
I have events which will all have an ID, stageID, stageDuration, as well as other information. In the past I've used `chart sum(stageDuration) over ID by stageID` to create stacked bar charts, but now I’m more interested in the table produced by that command. It has a column for ID, then columns for the durations of each of the stageIDs that had the same ID. I would like to create a similar table except I would like to include additional columns. For example, I would like to conditionally populate a column with event.startTime from the stage foo if the stageID foo exists for an ID. I don't need to visualization, just the way of forming the table. It seems like there might be a way to do this with transactions but I haven't been able to figure it out.
Labels

How to send data to new juniper sourcetypes prior to upgrading to the latest 1.5.5 version of the Juniper application?

by in All Apps and Add-ons
‎05-18-2022 12:32 PM
‎05-18-2022 12:32 PM
We are looking into upgrading the Juniper Add On application from 1.0.2 to 1.5.5 using the following link:  https://splunkbase.splunk.com/app/2847/#/details   We still are using the juniper:ssl... See more...
We are looking into upgrading the Juniper Add On application from 1.0.2 to 1.5.5 using the following link:  https://splunkbase.splunk.com/app/2847/#/details   We still are using the juniper:sslvpn which apparently has been deprecated after version 1.3.  The eventtypes in version 1.0.2 reference this juniper:sslvpn sourcetype but the new 1.5.5 application does not reference juniper:sslvpn in any of its eventtypes.    Our current configuration using SC4S, however, still sends new events to juniper:sslvpn.  Is there another SC4S upgrade that is necessary to send data to new juniper sourcetypes prior to upgrading to the latest 1.5.5 version of the Juniper application?   Any help would be appreciated. Thank you.   Tom
Labels

Is there a way to setup a multi-site Search Head cluster to prevent replication of KV and CSV to other sites?

by in Splunk Enterprise
‎05-18-2022 12:15 PM
‎05-18-2022 12:15 PM
I currently have an Indexer/Multiple Search Head cluster, but due to some regional requirements we are looking at smaller replicas of the environment in other regions. We need to have certain confi... See more...
I currently have an Indexer/Multiple Search Head cluster, but due to some regional requirements we are looking at smaller replicas of the environment in other regions. We need to have certain configurations, such as saved searches and dashboards, copied over to the new regions. However, we need some stuff, like the contents of lookup files, to not replicate over. Is there a way to setup a multi-site Search Head cluster to prevent replication of KV and CSV to other sites, but allow replication within each site? Or prevent single search heads in a cluster from receiving updates to their lookups? I know there are ways to prevent copies of indexed data from leaving a site, but not sure on bundle replication objects how exactly it processes.
Labels

How to save the results of a search into a token?

by in Dashboards & Visualizations
‎05-18-2022 12:00 PM
‎05-18-2022 12:00 PM
I'm trying to save the results of my search in a token so I can reference it in another visualization.  I've read other post and people are using the <done> tags to solve this issue.   Below is m... See more...
I'm trying to save the results of my search in a token so I can reference it in another visualization.  I've read other post and people are using the <done> tags to solve this issue.   Below is my code     <row> <panel> <single> <search> <query>index = * | stats count as c</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> <done> <set token="results" >$row.c$</set> </done> </search> <option name="drilldown">none</option> </single> </panel> </row>       ideally I would like to reference the "Results" token in other searches. Any help is appreciated.  -Marco 
Labels

Why is one field not been extracted as expected?

by in Splunk Search
‎05-18-2022 11:08 AM
‎05-18-2022 11:08 AM
Hello everyone, I have an issue with one field let say foo These are the scenarios: 1. If I run a search just with the index that contains the logs I can see the field foo at the fields bar pe... See more...
Hello everyone, I have an issue with one field let say foo These are the scenarios: 1. If I run a search just with the index that contains the logs I can see the field foo at the fields bar perfectly and also I can see the values. 2. If I select the field and is added to the search for example index=bar foo="hello" the results are ZERO even though I select that value from the previous search (where I saw the field and the values at the field bar). 3. If I add the sourcetype at the search example index=bar sourcetype=net foo="hello" I can see results but not the expected results, usually I get less than the real number and the number of results are random in the same interval of time. Configuration: I am using the automatic key-value field extraction KV_MODE=json to try to extract the fields of a source. The sources is sending the logs in JSON format.   #props.conf - SH configuration and indexers [net] CHARSET=UTF-8 KV_MODE=json TRUNCATE = 99999 LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true SHOULD_LINEMERGE=true #inputs.conf - forwarder [monitor:///pat/*.json] sourcetype= net index = bar disabled = false crcSalt = <SOURCE> ignoreOlderThan = 1d   Version 8.2.2 Cluster enviroment.   Notes: Also I tried with another sourcetype and data not using the KV_MODE instead I used the EXTRACT-foo and I had the same results, the field doesn't show results when is added to the search. The rest all the fields are not having this issue, they work perfectly. Thank you for the help.
Labels

Why is there a bad link in email alerts?

by in Reporting
‎05-18-2022 11:05 AM
‎05-18-2022 11:05 AM
I have an issue where the link in the email alert does not function properly. I see the following message instead: "The search you requested could not be found." I am on version 7.2.0 Enterpr... See more...
I have an issue where the link in the email alert does not function properly. I see the following message instead: "The search you requested could not be found." I am on version 7.2.0 Enterprise edition.  I have power user access and the alert permissions are set to "Shared in App".  I have seen other discussions for known issues that appear related, but those issues do not show up under my version of Splunk in the known issues list
Labels

Why are search Items not present in Index?

by in Splunk Search
‎05-18-2022 10:35 AM
‎05-18-2022 10:35 AM
search Items NOT present in Index for example if day = Mon,tues,wed output query1 and query3 (as two separate  tables) if day = thur,friday output query4 and query5 (as two separate  tables) if... See more...
search Items NOT present in Index for example if day = Mon,tues,wed output query1 and query3 (as two separate  tables) if day = thur,friday output query4 and query5 (as two separate  tables) if day = Mon,friday output query1 (as one separate  table) if day = Mon,wed,friday output query2, query3 and query5 (as three separate  tables)

if statement to output multiple tables in splunk?

by in Splunk Search
‎05-18-2022 10:24 AM
‎05-18-2022 10:24 AM
if statement to output multiple tables in splunk? For example I have 3 tables that have the following data Table 1  AA 1.1  AA1.5 BB 2.1 CC 3.1 AA 1.3 AA 1.4 Table 2 AA 1.1  AA1.8 B... See more...
if statement to output multiple tables in splunk? For example I have 3 tables that have the following data Table 1  AA 1.1  AA1.5 BB 2.1 CC 3.1 AA 1.3 AA 1.4 Table 2 AA 1.1  AA1.8 BB 2.1 CC 3.1 AA 1.3 AA 1.7 Table 3 AA 1.4 AA1.5 BB 2.6 CC 3.7 AA 1.4 AA 1.5 How can i search for AA so i get the output in the form of 3/2/1 different tables depending on what the query is? Also is there a way to call for a specific set of queries if one of the fields match for example i want to create a search query that if today is monday please search for aa if today is tuesday please search for bb Can i have an if statement call multiple table IDs for multiselect option? PS. I have the data in an excel sheet that i cannot deploy to splunk