Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
After issuing a transpose command on my bar chart visualization I can't configure conditional drilldowns. I tried using the untable command followed by the xyseries command and no luck. This is the query:

search * | eval CATI = if(SEVCAT=="I", 1,0) | eval CATII = if(SEVCAT=="II", 1,0) | eval CATIII = if(SEVCAT=="III", 1,0) | chart sum(CATI) as I sum(CATII) as II sum(CATIII) as III | transpose | sort - "row 1"

The drilldown XML:

<drilldown>
  <condition field="I"> <link target="blank"></link> </condition>
  <condition field="II"> <link target="blank"></link> </condition>
  <condition field="III"> <link target="blank"></link> </condition>
</drilldown>

Any help is appreciated. Thank you,
Marco
I have the following log in Splunk:

{
  "tags": { "app": "foobar", "ou": "internal" },
  "log": "{\"key1\":\"value1\",\"key2\":\"value2\",\"key3\":\"value3\"}",
  "timestamp": "2022-04-21T17:00:00.000Z"
}

I know I can parse the string JSON into actual JSON and replace the _raw like this:

index=my_index_name | eval _raw=log

But if I use the SPL above, the timestamp and tags keys are deleted from _raw, which is not what I want.

I want to use SPL to parse it in a way where _raw equals:

{
  "tags": { "app": "foobar", "ou": "internal" },
  "log": { "key1": "value1", "key2": "value2", "key3": "value3" },
  "timestamp": "2022-04-21T17:00:00.000Z"
}
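Re-parsing the stringified "log" value in place, as an added example (Python rather than SPL, and not code from the post). It keeps the sibling keys that `eval _raw=log` discards, walks the whole document so JSON-in-a-string at any depth is expanded, leaves strings that merely look like JSON untouched, and bounds the recursion depth. The sample event is constructed to match the one above.

```python
"""Expand JSON-in-a-string values in place (added example, Python rather than SPL).

`eval _raw=log` keeps only the payload; this walks the parsed event and replaces
any string that is itself a JSON object or array with its parsed form, leaving
the sibling keys ("tags", "timestamp") intact."""
import json
from typing import Any, Dict

# Constructed sample, matching the shape of the event in the post.
SAMPLE_RAW = (
    '{"tags":{"app":"foobar","ou":"internal"},'
    '"log":"{\\"key1\\":\\"value1\\",\\"key2\\":\\"value2\\",\\"key3\\":\\"value3\\"}",'
    '"timestamp":"2022-04-21T17:00:00.000Z"}'
)


def _try_parse(value: str) -> Any:
    """Return the parsed container if `value` is a JSON object/array, else `value` itself."""
    stripped = value.strip()
    if not stripped.startswith(("{", "[")):
        return value                      # plain strings (timestamps, names) are left alone
    try:
        parsed = json.loads(stripped)
    except json.JSONDecodeError:
        return value                      # looks like JSON but is not: keep the original text
    return parsed if isinstance(parsed, (dict, list)) else value


def expand_embedded_json(node: Any, max_depth: int = 8) -> Any:
    """Recursively replace stringified JSON with its parsed form.

    max_depth bounds the recursion so a hostile, deeply nested payload cannot
    exhaust the stack; past the limit values are returned unchanged."""
    if max_depth <= 0:
        return node
    if isinstance(node, dict):
        return {k: expand_embedded_json(v, max_depth - 1) for k, v in node.items()}
    if isinstance(node, list):
        return [expand_embedded_json(v, max_depth - 1) for v in node]
    if isinstance(node, str):
        parsed = _try_parse(node)
        if parsed is node:
            return node
        return expand_embedded_json(parsed, max_depth - 1)   # the payload may nest further
    return node


def expanded_event(raw: str) -> Dict[str, Any]:
    """Parse one raw event and expand every embedded JSON string."""
    return expand_embedded_json(json.loads(raw))


def rewrite_raw(raw: str) -> str:
    """The `_raw` the post asks for: same keys, with "log" as a real object."""
    return json.dumps(expanded_event(raw), separators=(",", ":"))


if __name__ == "__main__":
    print(rewrite_raw(SAMPLE_RAW))
```

The depth limit matters when the "log" payload comes from an untrusted producer: without it, a string that unpacks into a string that unpacks into a string would recurse until the stack gives out.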
Hello Community,

I'm currently having trouble with a dashboard panel I'm making. The dashboard panel is supposed to display the time to triage per analyst, but for every notable. The results are supposed to be derived from notables with the status_label "Ready for Review" OR "Closed: False Positive" OR "Pending" OR "Closed: Valid - Remediated". The TriageTime field doesn't populate anything; I suspect the problem to be within the join.

Search is below:

`notable`
| where owner="User1" OR owner="User2" OR owner="User3" OR owner="User4" OR owner="User5" OR owner="User6"
| where status_label="Ready for Review" OR status_label="Closed: False Positive" OR status_label="Pending" OR status_label="Closed: Valid - Remediated"
| rename status_label as status
| rename rule_id as "Notable ID"
| rename rule_name as Notable
| rename owner as Analyst
| join type=left rule_id [ search notable | eval review_time=if(status_label="Ready for Review",_time,null()) | eval inprogresstime=if(status_label="In Progress",_time,null()) | eval TriageTime=reviewtime-inprogresstime | eval TriageTime=tostring(TriageTime,"duration") | convert timeformat="%H:%M:%S" ctime(TriageTime) | stats min(review_time) as reviewtime min(inprogress_time) as inprogresstime values(rule_name) as rule_name values(owner) as real_name by rule_id]
| table TriageTime, Notable, Analyst
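The intended calculation, spelled out as an added example in Python (not the poster's SPL). Two things are visible in the posted search: the subsearch evaluates TriageTime from reviewtime and inprogresstime before the stats that create those fields, and the outer search renames rule_id to "Notable ID" before joining on rule_id, so the join key no longer exists. The function below does what the search intends over a constructed status history; it assumes one record per status change of each notable (hypothetical input you would substitute), and generalises slightly in that any of the four listed statuses ends triage, not only "Ready for Review".

```python
"""Time-to-triage per notable from status-change history. Added example in
Python, not the poster's SPL. Records are constructed; in practice feed the
function one record per status change of each notable."""
from datetime import timedelta
from typing import Dict, Iterable, List, Optional, Tuple

TRIAGED_STATUSES = {"Ready for Review", "Closed: False Positive", "Pending",
                    "Closed: Valid - Remediated"}
ANALYSTS = {"User1", "User2", "User3"}

# Constructed history: (epoch seconds, rule_id, rule_name, owner, status_label).
EVENTS: List[Tuple[int, str, str, str, str]] = [
    (1000, "n1", "Brute Force", "User1", "New"),
    (1300, "n1", "Brute Force", "User1", "In Progress"),
    (2200, "n1", "Brute Force", "User1", "Ready for Review"),
    (2500, "n1", "Brute Force", "User1", "Closed: Valid - Remediated"),
    (1000, "n2", "Malware", "User2", "In Progress"),
    (1060, "n2", "Malware", "User2", "Pending"),             # parked before review
    (1000, "n3", "Phishing", "User9", "In Progress"),
    (4600, "n3", "Phishing", "User9", "Ready for Review"),   # owner out of scope
    (5000, "n4", "Beaconing", "User3", "Ready for Review"),  # never set In Progress
]


def fmt_duration(seconds: int) -> str:
    """Render seconds as H:MM:SS (sub-day), like tostring(x, "duration")."""
    return str(timedelta(seconds=seconds))


def triage_times(events: Iterable[Tuple[int, str, str, str, str]],
                 analysts: Iterable[str],
                 triaged: Iterable[str] = TRIAGED_STATUSES) -> List[Dict[str, Optional[str]]]:
    """One row per notable: time from first 'In Progress' to first triaged status.

    Notables never marked In Progress, or triaged before being picked up, get
    TriageTime=None rather than a negative or bogus duration."""
    analysts = set(analysts)
    triaged = set(triaged)
    first_in_progress: Dict[str, int] = {}
    first_triaged: Dict[str, int] = {}
    meta: Dict[str, Tuple[str, str]] = {}
    for ts, rule_id, rule_name, owner, status in sorted(events):
        meta[rule_id] = (rule_name, owner)       # latest owner/name wins
        if status == "In Progress":
            first_in_progress.setdefault(rule_id, ts)
        elif status in triaged:
            first_triaged.setdefault(rule_id, ts)
    rows: List[Dict[str, Optional[str]]] = []
    for rule_id, (rule_name, owner) in sorted(meta.items()):
        if owner not in analysts or rule_id not in first_triaged:
            continue
        start = first_in_progress.get(rule_id)
        end = first_triaged[rule_id]
        triage = fmt_duration(end - start) if start is not None and end >= start else None
        rows.append({"Notable ID": rule_id, "Notable": rule_name,
                     "Analyst": owner, "TriageTime": triage})
    return rows


if __name__ == "__main__":
    for row in triage_times(EVENTS, ANALYSTS):
        print(row)
```

The min-of-each-status step is done once per notable before the subtraction, which is the ordering the posted subsearch needs (stats first, then the eval), and the row key is the original rule_id, never a renamed copy.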
tl;dr I want to take a list of events, separately sum the fields "message_accounts" (accounts processed in the event) and "message_processing" (time it takes to process) by "transaction_id" (so, in essence, two composite values related to the transaction_id across however many chunks it was split into), so that I can bucket/bin the sum of the message_accounts by the corresponding average of the message_processing value across all of these families of events.

I have messages that show sub-totals of processing time for split-off chunks of a larger message, identified by a field called "transaction_id". For example, our service accepts consolidated messages from another service (from 1 unit to thousands of combined message units) and splits them into chunks no larger than 100, where each chunk retains the "transaction_id" of the message source, so it's unique to the original message, which we then split into more manageable pieces to be processed in parallel.
I use Splunk Enterprise 8.0.4.1. In indexes.conf I have changed the maxTotalDataSizeMB value. According to https://docs.splunk.com/Documentation/Splunk/8.0.4/Indexer/Determinerestart that kind of change should not require a Splunk restart. Anyway, I can't see the change in the GUI at https://my_splunk/en-US/manager/launcher/data/indexes without doing a Splunk restart. Any clue why that is?
I am trying to create a pie chart that would show different error codes by category. Here is my current query:

index=my_index | stats last(_time) as _time last(Message) as Message by Type | stats count by Type | eval ErrorCode=443 | eval ErrorrCode=503

I'd like to pull in all errors without specifying the ErrorCodes as I have in my query.
I have a time selector with custom tokens that control various aspects of the dashboard. Changing the value of the time selector changes the values of the custom tokens. I also have a separate input dropdown with a list of times taken from when our alerts fired. I need to update the time selector when the alert dates/times are chosen so the panels below update with a timeframe showing what happened with the alert. When changing the value of the separate input dropdown to a new date, the 'earliest' and 'latest' update on the time selector, but none of its custom tokens do. They only change when I change the time selector. When I update input dropdowns from other input dropdowns dynamically, they work, just not when I attempt to update the time selector from another input dropdown. How can I update "all" tokens on the time selector, not just 'earliest' and 'latest', from the other dropdown?

<form theme="dark"> <label>Time Issue</label> <description></description> <fieldset submitButton="false" autoRun="false"> <input type="time" token="time" searchWhenChanged="true"> <label>Time Frame</label> <default> <earliest>@d-1d</earliest> <latest>now</latest> </default> <change> <eval token="time.earliest">if(len('earliest')=0 OR 'earliest="" OR isnull('earliest') OR 'earliest'="null" OR 'earliest'="0", "@d-90d", 'earliest')</eval> <eval token="time.latest">if('latest'="now" OR len('latest')=0 OR isnull('latest') OR 'latest'="null","@m",'latest')</eval> <eval token="time.earliest_type">if(match('earliest', ".*[@smhdwy].*"), "rel", "abs")</eval> <eval token="time.latest_type">if(match('latest', ".*[@smhdwy].*"), "rel", "abs")</eval> <eval token="time.earliest_epoch">if($time.earliest_type$="rel", relative_time(now(), 'earliest'), 'earliest')</eval> <eval token="time.latest_epoch">if($time.latest_type$="rel", relative_time(now(), 'latest'), 'latest')</eval> <eval token="time.difference">$time.latest_epoch$-$time.earliest_epoch$</eval> <eval 
token="form.panel">if($time.difference$&lt;=604801,"compare","single")</eval> <eval token="form.span">if($time.difference$&gt;2592000,"1d",if($time.difference$&gt;604800,"1h",if($time.difference$&gt;172800,"15m",if($time.difference$&gt;86400,"3m","1m"))))</eval> <eval token="time.earliest_day1">if($time.earliest_type$="rel", 'earliest' . "-1d", 'earliest'-86400)</eval> <eval token="time.earliest_day1_epoch">'earliest'-86400</eval> <eval token="time.latest_day1">if($time.latest_type$="rel", 'latest' . "-1d", 'latest'-86400)</eval> <eval token="time.latest_day1_epoch">'latest'-86400</eval> <eval token="time.earliest_week1">if($time.earliest_type$="rel", 'earliest' . "-1w", 'earliest'-604800)</eval> <eval token="time.earliest_week1_epoch">'earliest'-604800</eval> <eval token="time.latest_week1">if($time.latest_type$="rel", 'latest' . "-1w", 'latest'-604800)</eval> <eval token="time.latest_week1_epoch">'latest'-604800</eval> </change> </input> <input type="dropdown" token="span" searchWhenChanged="true"> <label>Span</label> <choice value="1m">1 Minute</choice> <choice value="3m">3 Minute</choice> <choice value="5m">5 Minutes</choice> <choice value="10m">10 Minutes</choice> <choice value="15m">15 Minutes</choice> <choice value="30m">30 Minutes</choice> <choice value="1h">1 Hour</choice> <choice value="3h">3 Hours</choice> <choice value="6h">6 Hours</choice> <choice value="12h">12 Hours</choice> <choice value="1d">1 Day</choice> <change> <eval token="span.seconds">case($span$="1m", 60, $span$="3m", 180, $span$="5m", 300, $span$="10m", 600, $span$="15m", 900, $span$="30m", 1800, $span$="1h", 3600, $span$="3h", 10800, $span$="6h", 21600, $span$="12h", 43200, $span$="1d", 86400)</eval> <eval token="time.earliest_snap">(int($time.earliest_epoch$/$span.seconds$)*$span.seconds$)+$span.seconds$</eval> <eval token="time.latest_snap">int($time.latest_epoch$/$span.seconds$)*$span.seconds$</eval> <eval 
token="time.earliest_week1_snap">(int($time.earliest_week1_epoch$/$span.seconds$)*$span.seconds$)+$span.seconds$</eval> <eval token="time.latest_week1_snap">int($time.latest_week1_epoch$/$span.seconds$)*$span.seconds$</eval> <eval token="time.difference_snap">$time.latest_snap$-$time.earliest_snap$</eval> <eval token="span.intervals">ceil($time.difference$/$span.seconds$)</eval> <eval token="span.intervals_snap">$time.difference_snap$/$span.seconds$</eval> </change> <default>5m</default> <initialValue>5m</initialValue> </input> <input type="dropdown" token="panel" searchWhenChanged="true"> <label>Panel</label> <choice value="single">Single</choice> <choice value="compare">Compare</choice> <change> <condition value="compare"> <unset token="showPanelSingle"></unset> <set token="showPanelCompare">true</set> </condition> <condition value="single"> <unset token="showPanelCompare"></unset> <set token="showPanelSingle">true</set> </condition> </change> <default>compare</default> <initialValue>compare</initialValue> </input> <input type="dropdown" token="timeOption" searchWhenChanged="true"> <label>Choose a Time</label> <fieldForLabel>timeLabel</fieldForLabel> <fieldForValue>time</fieldForValue> <search> <done> <condition match="len('timeOption') != &quot;0&quot;"> <unset token="form.time.earliest"></unset> <unset token="form.time.latest"></unset> <eval token="form.time.earliest">if($timeOption$ &gt; relative_time(now(), "@d-1d"), "@d-1d", relative_time($timeOption$, "@d-2h"))</eval> <eval token="form.time.latest">if($timeOption$ &gt; relative_time(now(), "@d-1d"), "@m", relative_time($timeOption$, "@d+1d+2h"))</eval> </condition> </done> <query>| makeresults count=5 | eval _time = floor((relative_time(_time, "@d") / 86400) * 86400) | streamstats current=false count as _row | eval time = _time - (_row * 86400) | eval timeLabel = strftime(time, "%Y-%m-%d")</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <change> <condition match="len('timeOption') != 
&quot;0&quot;"> <unset token="form.time.earliest"></unset> <unset token="form.time.latest"></unset> <eval token="form.time.earliest">if($timeOption$ &gt; relative_time(now(), "@d-1d"), "@d-1d", relative_time($timeOption$, "@d-2h"))</eval> <eval token="form.time.latest">if($timeOption$ &gt; relative_time(now(), "@d-1d"), "@m", relative_time($timeOption$, "@d+1d+2h"))</eval> </condition> </change> </input> </fieldset> <row> <panel> <html> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>timeOption</span></div> <div style="width: 300px; float: left;"><span>$timeOption$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.earliest</span></div> <div style="width: 300px; float: left;"><span>$time.earliest$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.latest</span></div> <div style="width: 300px; float: left;"><span>$time.latest$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.earliest_epoch</span></div> <div style="width: 300px; float: left;"><span>$time.earliest_epoch$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.latest_epoch</span></div> <div style="width: 300px; float: left;"><span>$time.latest_epoch$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.earliest_type</span></div> <div style="width: 300px; float: left;"><span>$time.earliest_type$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.latest_type</span></div> <div style="width: 300px; float: left;"><span>$time.latest_type$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.difference</span></div> <div style="width: 300px; float: 
left;"><span>$time.difference$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.earliest_day1</span></div> <div style="width: 300px; float: left;"><span>$time.earliest_day1$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.latest_day1</span></div> <div style="width: 300px; float: left;"><span>$time.latest_day1$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.earliest_day1_epoch</span></div> <div style="width: 300px; float: left;"><span>$time.earliest_day1_epoch$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.latest_day1_epoch</span></div> <div style="width: 300px; float: left;"><span>$time.latest_day1_epoch$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.earliest_week1</span></div> <div style="width: 300px; float: left;"><span>$time.earliest_week1$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.latest_week1</span></div> <div style="width: 300px; float: left;"><span>$time.latest_week1$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.earliest_week1_epoch</span></div> <div style="width: 300px; float: left;"><span>$time.earliest_week1_epoch$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>time.latest_week1_epoch</span></div> <div style="width: 300px; float: left;"><span>$time.latest_week1_epoch$</span></div> </div> <div style="width: 100%; clear: both;"> <div style="width: 300px; float: left;"><span>panel</span></div> <div style="width: 300px; float: left;"><span>$panel$</span></div> </div> </html> </panel> </row> </form>    
Hi all, I need your help with a query to extract the values of fields with multiple values. The problem I'm facing is that not every JSON structure has the two values that I need to extract (Name and Value). Below is an example of the log:

"OperationProperties": [
  { "Name": "Actions", "Value": "XX" },
  { "Name": "Conditions", "Value": "XX" },
  { "Name": "Provider", "Value": "XX" },
  { "Name": "RemoveOutlookRuleBlob" },
  { "Name": "Name", "Value": "XX" },
  { "Name": "IsNew" },
  { "Name": "IsDirty", "Value": "XX" },
  { "Name": "RuleOperation", "Value": "XX" },
  { "Name": "ServerRule", "Value": "XX" }
],

The entries 'Name: IsNew' and 'Name: RemoveOutlookRuleBlob' do not have the corresponding 'Value' field. I tried the following search, but I noticed that when the 'Value' field doesn't exist, it aggregates with the next available 'Value' field.

base search... | spath path=OperationProperties{}.Name output=Name | spath path=OperationProperties{}.Value output=Value | eval temp=mvzip(Name, Value) | table Name Value, temp

temp
Actions,ForwardToRecipientsAction
Conditions,SentToRecipientsCondition,FromRecipientsCondition
Provider,RuleOrganizer
RemoveOutlookRuleBlob,XXX
Name,True
IsNew,Delete
IsDirty, XX

*The 'IsNew' field does not have the 'True' value, as you can see in the first image.

My final search will look like this after I correct the Name=Value:

base search... | spath path=OperationProperties{}.Name output=Name | spath path=OperationProperties{}.Value output=Value | eval temp=mvzip(Name, Value) | mvexpand temp | eval Name=mvindex(split(temp,","),0), Value=mvindex(split(temp,","),1), Value=mvindex(split(temp,","),2) | eval {Name}=Value | stats values(*) as * by _time Id

Can anyone suggest a solution here? Thank you.
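Why the pairs drift, and how to keep each Name with its own Value, as an added example in Python (not SPL, and not the poster's search). Two independent array extractions give lists of different length as soon as one object lacks a Value, and zipping them positionally shifts every later Value one slot up, which is exactly the pattern in the posted table (RemoveOutlookRuleBlob picking up XXX, IsNew picking up Delete). Walking each object instead keeps the pairing, and also preserves a Value that itself contains commas (the Conditions entry), which a split on "," would break. The event is constructed from the shape shown above; the real Values are assumed from the posted output.

```python
"""Keep each Name with its own Value when some objects lack a Value. Added
example in Python, not SPL. The event is constructed from the shape in the post."""
import json
from typing import Dict, List, Optional, Tuple

SAMPLE_EVENT = json.loads("""{
  "Id": "evt-1",
  "OperationProperties": [
    {"Name": "Actions", "Value": "ForwardToRecipientsAction"},
    {"Name": "Conditions", "Value": "SentToRecipientsCondition,FromRecipientsCondition"},
    {"Name": "Provider", "Value": "RuleOrganizer"},
    {"Name": "RemoveOutlookRuleBlob"},
    {"Name": "Name", "Value": "XXX"},
    {"Name": "IsNew"},
    {"Name": "IsDirty", "Value": "True"},
    {"Name": "RuleOperation", "Value": "Delete"},
    {"Name": "ServerRule", "Value": "XX"}
  ]
}""")


def misaligned_pairs(event: Dict) -> List[Tuple[str, str]]:
    """Reproduce the posted approach: extract Names and Values separately, then zip."""
    props = event["OperationProperties"]
    names = [p["Name"] for p in props]
    values = [p["Value"] for p in props if "Value" in p]   # two entries vanish here
    return list(zip(names, values))   # 7 pairs for 9 names; everything after the first gap shifts


def aligned_pairs(event: Dict) -> Dict[str, Optional[str]]:
    """Walk each object, so a missing Value stays with its own Name (as None)."""
    return {p["Name"]: p.get("Value") for p in event["OperationProperties"]}


def widen(event: Dict) -> Dict[str, Optional[str]]:
    """Turn the pairs into top-level fields (the eval {Name}=Value step), keeping Id.
    A Value containing commas (Conditions here) survives intact, which a
    split(temp, ",") on a zipped string would not."""
    row: Dict[str, Optional[str]] = {"Id": event.get("Id")}
    row.update(aligned_pairs(event))
    return row


if __name__ == "__main__":
    print("misaligned:", dict(misaligned_pairs(SAMPLE_EVENT)))
    print("aligned:   ", widen(SAMPLE_EVENT))
```

The drift is not cosmetic: anything keyed on a specific property (Actions, RuleOperation) reads a neighbour's value once one entry is missing, so a per-object walk is the only safe way to flatten this structure.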
I have a situation where I want to launch the lookup editor in a new window, load a particular lookup and have a pre-determined filter that is set by a token on the dashboard I'm coming from. All of it works but the filter portion, because it appears that the filtering takes place in jQuery and therefore I don't have a way to pass the string. Is there a way to pass the string in the URL with an undocumented property so that I can get the dashboard link to launch completely?
Hi all, I want to hide / delete / exclude some keywords like "supersaiyan", "leave" from the below event using mvfilter. Can anyone please tell me how to do it?

| makeresults | eval target_text="My name is supersaiyan, leave this to me"

Thanks
Hello there,

Recently I restarted Splunk, and since then Splunk has been showing an error message regarding the Palo Alto Networks add-on. If I remove that add-on, the problem is resolved. But my question is: how can I check whether the add-on is working in the background for any purpose or not? We are using a Palo Alto firewall; is this add-on useful to collect the data from the Palo Alto firewall? If I remove this add-on, will the logs no longer be displayed in Splunk? Please help me with this query. Thanks in advance.
We operate a rather large M$ tenant and I am running into issues with this add-on not consuming all of our user objects with the AAD user input. It dies around 550,000 users; I am assuming due to the bearer token coming from the Graph API timing out at the 1 hour mark; all of the ingestion appears to start and stop at the 1 hour mark. Anyone have any ideas how to get around this? I really want to use Splunk to version control and audit my user configurations offline and leverage this data for lookups coming from the Azure related logs. I can't, however, unless I get all of the user objects. Second, I would love to see group memberships supported in this add-on! This would be super helpful to target reports and audits against accounts.
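The behaviour the post hypothesises (a long paginated pull dying when the bearer token's lifetime runs out) and the collector-side fix, as an added example in Python. This is not the add-on's code: it is a generic @odata.nextLink walker that checks the token's remaining lifetime before every page request and re-acquires it inside a safety margin, resuming from the same cursor. The token endpoint and the paged listing are stand-in callables so it runs offline (hypothetical; the real Graph API paginates with an opaque $skiptoken and returns expires_in from the token endpoint, which is what `get_token` mimics), and the simulated page timings are constructed.

```python
"""Page through a Graph-style user listing while refreshing the bearer token
before it expires. Added example in Python; not the add-on's code. The token
endpoint and the paged listing are stand-in callables so it runs offline."""
import time
from typing import Callable, Dict, List, Optional, Tuple


class AuthError(Exception):
    """Raised by the page fetcher when the server rejects the bearer token (HTTP 401)."""


class Collector:
    """Walk @odata.nextLink pages, re-acquiring the token when it is about to expire."""

    def __init__(self, get_token: Callable[[], Tuple[str, int]],
                 fetch_page: Callable[[str, str], Dict],
                 clock: Callable[[], float] = time.time,
                 refresh_margin_s: Optional[int] = 300) -> None:
        self.get_token = get_token            # returns (access_token, expires_in seconds)
        self.fetch_page = fetch_page          # (url, bearer) -> page dict
        self.clock = clock
        self.refresh_margin_s = refresh_margin_s   # None: acquire once and never refresh
        self.token: Optional[str] = None
        self.expires_at = 0.0
        self.acquisitions = 0

    def _ensure_token(self) -> None:
        now = self.clock()
        needs_new = self.token is None or (
            self.refresh_margin_s is not None
            and self.expires_at - now < self.refresh_margin_s)
        if needs_new:
            self.token, lifetime = self.get_token()
            self.expires_at = now + lifetime
            self.acquisitions += 1

    def collect(self, first_url: str) -> List[Dict]:
        items: List[Dict] = []
        url: Optional[str] = first_url
        while url:
            self._ensure_token()              # check remaining lifetime before every page
            page = self.fetch_page(url, self.token)
            items.extend(page.get("value", []))
            url = page.get("@odata.nextLink")  # resume from the same cursor after a refresh
        return items


class FakeClock:
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class FakeGraph:
    """Constructed stand-in for the token endpoint and a paged /users listing.
    A numeric skip replaces Graph's opaque $skiptoken to keep the simulation readable."""

    def __init__(self, clock: FakeClock, total_users: int, page_size: int,
                 token_lifetime_s: int, seconds_per_page: int) -> None:
        self.clock = clock
        self.users = [f"user{i}@example.invalid" for i in range(total_users)]
        self.page_size = page_size
        self.token_lifetime_s = token_lifetime_s
        self.seconds_per_page = seconds_per_page
        self.issued: Dict[str, float] = {}

    def get_token(self) -> Tuple[str, int]:
        value = f"tok{len(self.issued)}"
        self.issued[value] = self.clock() + self.token_lifetime_s
        return value, self.token_lifetime_s

    def fetch_page(self, url: str, bearer: str) -> Dict:
        self.clock.now += self.seconds_per_page        # each page request takes time
        if self.issued.get(bearer, -1.0) < self.clock():
            raise AuthError("401 InvalidAuthenticationToken: token expired")
        skip = int(url.rsplit("skip=", 1)[1]) if "skip=" in url else 0
        chunk = self.users[skip:skip + self.page_size]
        page: Dict = {"value": [{"userPrincipalName": u} for u in chunk]}
        if skip + self.page_size < len(self.users):
            page["@odata.nextLink"] = f"https://graph.example/users?skip={skip + self.page_size}"
        return page


def simulate(refresh_margin_s: Optional[int], total_users: int = 300) -> Tuple[int, int]:
    """Run one collection: 10 users per page, 10 s per page, 100 s token lifetime.
    Returns (users_collected, tokens_acquired); raises AuthError if the run dies."""
    clock = FakeClock()
    graph = FakeGraph(clock, total_users, page_size=10, token_lifetime_s=100, seconds_per_page=10)
    collector = Collector(graph.get_token, graph.fetch_page, clock=clock,
                          refresh_margin_s=refresh_margin_s)
    users = collector.collect("https://graph.example/users")
    return len(users), collector.acquisitions


if __name__ == "__main__":
    print("with refresh:", simulate(15))
    try:
        simulate(None)
    except AuthError as err:
        print("without refresh:", err)
```

With a single token the simulated run stops after the tenth page, which is the shape described in the post (ingestion that halts at the token lifetime); with a refresh margin the same run completes and the cursor is never restarted from the beginning. The equivalent production check is to compare the token's expiry against the clock before each request rather than only catching the 401 afterwards, since a 401 mid-listing loses the page in flight.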
How to check the odd one out (field < 1) for a field with 2 or more values?

Ex:

field          output
true           field1 = true, false
false          false, true
true, false
false, true
Hi All, One of my scheduled reports is quite expensive. It runs every day from Monday to Friday and returns 30 days' worth of data.

Search query:

index=abc_* | stats count by index,host

How can I improve its search efficiency? Please suggest.
Hello All, I have configured the inputs and props but am unable to see the data in Splunk. I have around 20 monitor stanzas and all of them have the same sourcetype. Below is my monitor stanza.

File to be monitored:

archive.log.DYYYYMMDD.Tnnnnnn

[monitor:///opt/sw/ss/splunklogs/archive.log.*.*]
index=abc
disabled = 0
sourcetype=es:test:sd:logs

Sample log file is below, where YYYYMMDD is the date (ex. 20220412) and nnnnnn is a 6-digit timestamp (ex. 171300).

Below is props.conf:

[es:test:sd:logs]
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE= ^[\d+\-\d+\-\d+\s+\d+\d:+\d+:\d+.\d+\d+]
MAX_TIMESTAMP_LOOKAHEAD=28
TIME_FORMAT=%d-%m-%y %H:%M:%S.%N
TIME_PREFIX=^\w

Below is the data on which the REGEX was done:

[2022-04-04 23:10:30.643]

Please let me know if there is anything wrong in my configuration. In the internal logs, at log level error, it shows the error below:

StreamId:123456 had parsing error:unexpected character while expecting ' : ' :  ' , '
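A dry run of the posted line-breaking and timestamp settings against the sample line, as an added example in Python (not Splunk's parser; it emulates BREAK_ONLY_BEFORE, TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD closely enough to show the defects). Three things are visible in the posted stanza: the BREAK_ONLY_BEFORE pattern is wrapped in unescaped square brackets, so the regex engine reads the whole thing as one character class that can match a digit or a space but never a line starting with "["; TIME_FORMAT uses %d-%m-%y while the sample is year-first with a four-digit year; and TIME_PREFIX=^\w cannot match a line whose first character is "[". The corrected stanza in the comments is the assumed fix (a LINE_BREAKER with SHOULD_LINEMERGE=false is the usual cheaper alternative, but the check stays with the posted approach); the second and third sample lines are constructed.

```python
"""Dry-run props.conf line breaking and timestamp parsing against sample lines.
Added example in Python, not Splunk's own parser. Sample lines are constructed
from the one shown in the post."""
import re
from datetime import datetime
from typing import List, Optional

# Constructed input: two events, the first spanning two lines.
SAMPLE_LINES = [
    "[2022-04-04 23:10:30.643] first event line",
    "  continuation of the first event",
    "[2022-04-04 23:10:31.001] second event",
]

# As posted. The unescaped [ ] turn the pattern into one character class that
# matches a line starting with a digit, whitespace, '+', '-', ':' or '.', never '['.
POSTED_BREAK = r"^[\d+\-\d+\-\d+\s+\d+\d:+\d+:\d+.\d+\d+]"
POSTED_TIME_PREFIX = r"^\w"                      # '[' is not a word character
POSTED_TIME_FORMAT = "%d-%m-%y %H:%M:%S.%N"      # sample is year-first, four-digit year

# Corrected stanza (assumed fix, not from the post):
#   [es:test:sd:logs]
#   SHOULD_LINEMERGE = true
#   BREAK_ONLY_BEFORE = ^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}\]
#   TIME_PREFIX = ^\[
#   TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
#   MAX_TIMESTAMP_LOOKAHEAD = 28
FIXED_BREAK = r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}\]"
FIXED_TIME_PREFIX = r"^\["
FIXED_TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%3N"


def split_events(lines: List[str], break_regex: str) -> List[str]:
    """Emulate SHOULD_LINEMERGE=true with BREAK_ONLY_BEFORE: a new event starts at
    every line matching the regex; all other lines join the current event."""
    pattern = re.compile(break_regex)
    events: List[str] = []
    current: List[str] = []
    for line in lines:
        if pattern.match(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def parse_timestamp(line: str, time_prefix: str, time_format: str,
                    lookahead: int = 28) -> Optional[datetime]:
    """Find the timestamp after TIME_PREFIX within MAX_TIMESTAMP_LOOKAHEAD characters.
    Splunk's %N/%3N (subseconds) is mapped to Python's %f, and shorter prefixes of
    the window are tried so trailing message text does not matter."""
    anchor = re.search(time_prefix, line)
    if not anchor:
        return None
    window = line[anchor.end():anchor.end() + lookahead]
    fmt = re.sub(r"%\d?N", "%f", time_format)
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], fmt)
        except ValueError:
            continue
    return None


def check(lines: List[str], break_regex: str, time_prefix: str,
          time_format: str) -> List[Optional[str]]:
    """Split then parse: one ISO timestamp (or None) per resulting event."""
    results: List[Optional[str]] = []
    for event in split_events(lines, break_regex):
        ts = parse_timestamp(event.split("\n", 1)[0], time_prefix, time_format)
        results.append(ts.isoformat() if ts else None)
    return results


if __name__ == "__main__":
    print("posted:", check(SAMPLE_LINES, POSTED_BREAK, POSTED_TIME_PREFIX, POSTED_TIME_FORMAT))
    print("fixed: ", check(SAMPLE_LINES, FIXED_BREAK, FIXED_TIME_PREFIX, FIXED_TIME_FORMAT))
```

With the posted settings the continuation line starts a new event and neither event gets a timestamp; with the corrected ones the two-line event stays together and both timestamps parse. Running a check like this before pushing props.conf is cheaper than discovering mis-broken events after they have been indexed.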
Hi, I am trying to use this visualization but I am getting the following error:   Can you please help? Many thanks, Patrick
Hi all, I am trying to capture multiple lines between two strings in my log data, but so far have not been able to figure out a solution. The log data is as follows:

'calls': 'apfsae.providers.economic.china_jobs_data_provider.ChinaJobsProvider', 'db_connection': 'providers/database_connection :: qtrewd_iq', 'db_view_name': 'adweh.V_datayes_china_recruitment', 'calls': 'apfsae.providers.mappings.company_id_to_barra_mapper.BbToBarraMapper',

I want to capture the lines starting from ChinaJobsProvider up to the next 'calls':. Thank you!
Hey, I need to use the Network Diagram Viz as one of my panels for my dashboard: https://splunkbase.splunk.com/app/4438/#/details However, it appears I am using the app incorrectly. Can you please help? Thanks, Patrick
Hello, could someone help me with a query? I have this default report, Top Notable Event Sources, which returns IPs (count, sparkline, etc.). How can I add an extra column with the hostname of those IPs?
Hi peeps, I need help to fine-tune this query:

index=network sourcetype=ping | eval pingsuccess=case(match(ping_status, "succeeded"), Number)

Basically, I want to create a new field for ping success that will show the event count as its values. Please help.