All Topics
Hi, I have a dashboard with a number of panels. One of the panels needs to output all events for an index under certain conditions like certain src, port, sourcetype, etc. The other panels in the dashboard use base searches and output only counts. These panels work. However, the panel outputting the events uses a saved search and NEVER finishes, even when I change the time range to VERY small time ranges like 30 seconds. I need the panel's search to complete as the stakeholder wants to export the panel's results.

The following is the slow panel on the dashboard:

And here is the respective saved search:

Can you please help? Thank you, Patrick
Greetings. I am new to Splunk. I need to know if it is possible to draw a diagram using the below search results:

Sourceip | Destinationip | Destination Port | Count
1.1.1.1 | 10.10.10.10 | 443 | 200
2.2.2.2 | 10.10.10.10 | 80 | 100
1.1.1.1 | 20.20.20.20 | 1521 | 90
1.1.1.1 | 10.10.10.10 | 445 | 80

I found the application "Network Diagram Viz" that could do something similar. Kindly, do you have any advice regarding this? Please advise.
Hi Team, below is my query:

index=os sourcetype=linux_mpio Firmware_Version="----------------------- DISK INFORMATION --------------------------*" host IN (r3ddclxp00003*)
| dedup host
| rex max_match=0 "(?ms)^DISK\=\"(?<DISK>[^\"]+)\"\s+NAME\=\"(?<NAME>[^\"]+)\"\s+HCTL\=\"(?<HCTL>[^\"]+)\"\s+TYPE\=\"(?<TYPE>[^\"]+)\"\s+VENDOR\=\"(?<VENDOR>[^\"]+)\"\s+SIZE\=\"(?<SIZE>[^\"]+)\"\s+SCSIHOST\=\"(?<SCSIHOST>[^\"]+)\"\s+CHANNEL\=\"(?<CHANNEL>[^\"]+)\"\s+ID\=\"(?<ID>[^\"]+)\"\s+LUN\=\"(?<LUN>[^\"]+)\"\s+BOOTDISK\=\"(?<BOOTDISK>[^\"]+)\""
| stats values(_time) AS TIME, values(NAME) as "DISK NAME", list(SIZE) AS SIZE, list(VENDOR) AS VENDOR, list(LUN) AS LUN, list(BOOTDISK) as BOOTDISK by host
| appendcols
    [ search index=os sourcetype=linux_mpio host IN (r3ddclxp00003*) Firmware_Version="------------------------- MULTIPATH STATUS ----------------------------*"
    | dedup host
    | rex max_match=0 "^(?<lines>.+)\n+"
    | eval first_line=mvindex(lines,2,15)
    | rex field=first_line "^(?<name>\w+)\s+(?<uuid>[^ ]+)"
    | stats list(name) AS "MPATH", LIST(uuid) AS UUID BY host ]
| table host, "DISK NAME", VENDOR, SIZE, LUN, UUID, MPATH
| rename host as Host, SIZE AS Size, "DISK NAME" AS "Disk Name", VENDOR AS Vendor, LUN AS "LUN ID"

And below is my output:

Would it be possible to add a line break for UUID and MPATH? For example, can we use an if/else condition where, if VENDOR(1)=LSI, then add a line break for UUID so that the appropriate values will be mapped?

Thanks for the help, Ranjitha N
Running CIM 5.0, and I was looking to do some reporting on users/groups added to security groups (information provided by Windows Security Log event 4732), but when I look in the Change data model, I cannot see the target group of the add in any of the fields. We are using the out-of-the-box Splunk_TA_windows and Splunk Add-on for Microsoft Windows, and I would have hoped that the data model would have been automatically filled with the relevant fields. Am I missing something obvious, or is there something I need to set up myself to get this working? Thanks, Simon
query | bin _time span=30m | chart avg(throughput) by _time server

Hi, I want only the avg(throughput) by _time server values that exceed a certain number to be shown. I tried multiple different ways and came up with broken queries/queries that return empty results, like the following:

# broken query
| where avg(throughput) by _time server > 80

# no results found
| search avg(throughput) by _time server > 80

# broken query
| rename avg(throughput) by _time server as avgthroughput | where avgthroughput > 80

Would appreciate suggestions! Thank you. P.S. Splunk beginner
Hi folks, I'm looking for a variable which can be used to pass the business transaction name in an email or HTTP request template, similar to the one below. ${latestEvent.node.name} - for node name. Regards, Mohit
Hi, if I have the below sample message, how can I extract procedure names from it? I'm pretty new to Splunk; any help or guidance would be great. I would like to extract the highlighted message.

...lib.service.exc.ServiceHTTPError: service=svysvc_v2 url=http://x-vip/v2/sys/505019269 http_status=500 error={"code":500,"status":500,"error":{"service":null,"reason":"Unhandled exception","type":"unhandled-exception","error":"OperationalError: (pymssql._pymssql.OperationalError) (10316, b'The app domain with specified version id (84271) was unloaded due to memory pressure and could not be found.DB-Lib error message 20018, severity 16:\\nGeneral SQL Server error: Check messages from the SQL Server\\n')\n[SQL: \n \n \n EXEC Database01.dbo.Procedure01\n @ids=%(ids)s,@den(den)s,@Visible=(visible)s;\n ...

I'm trying to extract all the failed procedures from the error logs and get the counts by each procedure. Thank you
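As an added example (not code from the post or from Splunk), here is the extraction the question asks for, done in Python so it can be run on the spot: a regex that pulls the name after EXEC/EXECUTE out of the SQL text embedded in the error, then a count per procedure. The sample events are constructed to match the shape of the line above; in particular the SQL sits inside a JSON string, so its newlines arrive as the two characters backslash and n, and the pattern accepts either those or real whitespace. The pattern itself carries across to rex (with max_match=0 and a (?<procedure>...) named group), though the backslash escaping inside the SPL string should be checked separately.

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed sample events (not real log data), shaped like the
# ServiceHTTPError line in the post. The SQL text is inside a JSON string, so
# its line breaks appear as the two characters backslash + n.
SAMPLE_EVENTS = [
    'lib.service.exc.ServiceHTTPError: service=svysvc_v2 http_status=500 '
    'error={"error":"OperationalError: ... \\n[SQL: \\n \\n EXEC Database01.dbo.Procedure01\\n @ids=%(ids)s;"}',
    'lib.service.exc.ServiceHTTPError: service=svysvc_v2 http_status=500 '
    'error={"error":"OperationalError: ... [SQL: exec Database01.dbo.Procedure02 @id=%(id)s"}',
    'lib.service.exc.ServiceHTTPError: service=svysvc_v2 http_status=500 '
    'error={"error":"OperationalError: ... [SQL: \\n EXEC [Database01].[dbo].[Procedure01] @x=1"}',
    'lib.service.exc.ServiceHTTPError: service=svysvc_v2 http_status=502 error="upstream timeout"',
]

# EXEC or EXECUTE, then any mix of whitespace and literal "\n" sequences, then
# the procedure name: letters, digits, underscore, dots and optional [brackets].
PROC_RE = re.compile(
    r"\bEXEC(?:UTE)?(?:\s|\\n)+([A-Za-z0-9_.\[\]]+)",
    re.IGNORECASE,
)


def extract_procedures(event: str) -> list[str]:
    """Return every stored-procedure name invoked in one event, brackets removed."""
    return [m.group(1).replace("[", "").replace("]", "") for m in PROC_RE.finditer(event)]


def count_failed_procedures(events) -> Counter:
    """Count procedure names across events (the equivalent of `| stats count by procedure`)."""
    counts: Counter = Counter()
    for event in events:
        counts.update(extract_procedures(event))
    return counts


if __name__ == "__main__":
    for name, n in count_failed_procedures(SAMPLE_EVENTS).most_common():
        print(f"{n:4d}  {name}")
```

The bracket stripping folds `[dbo].[Procedure01]` and `dbo.Procedure01` into one key, which is what you want when the same procedure is called through different drivers; drop it if the distinction matters to you.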
The message format we chose uses a field called scope to control the level of aggregation you want (by request_type, site, zone, cluster). The scope is set with a dropdown and passed in as a token. I wanted to use multisearch to coalesce the results of 4 different searches, so that if the scope was site, only the results from the site search would be shown.

Actual search:

index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3
| spath input=message
| multisearch
    [search $request_type_token$ | where "$scope_token$" == "request_type"]
    [search $request_type_token$ $site_token$ | where "$scope_token$" == "site"]
    [search $request_type_token$ $site_token$ $zone_token$ | where "$scope_token$" == "zone"]
    [search scope=$scope_token$ $request_type_token$ $site_token$ $zone_token$ $cluster_token$ | where "$scope_token$" == "cluster"]
| timechart cont=FALSE span=$span_token$ sum(success) by request_type

Search after token substitution with literal values:

index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3
| spath input=message
| multisearch
    [search request_type="*" | where "site" == "request_type"]
    [search request_type="*" site="RTP" | where "site" == "site"]
    [search request_type="*" site="RTP" zone="*" | where "site" == "zone"]
    [search scope=site request_type="*" site="RTP" zone="*" cluster="*" | where "site" == "cluster"]
| timechart cont=FALSE span=hour sum(success) by request_type

BUT... the results of this query are equivalent to no search at all, and I basically do not filter anything.

index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3
| spath input=message
| timechart cont=FALSE span=hour sum(success) by request_type

This query and the one above give the same result. What am I missing here? When I execute each part of the multisearch separately, the results are correct: I get empty results for all but the 'where "site" == "site"' search. But when I run the whole query I get no filtering at all. Help!
Looking for some help with this one. I'm building a few charts that are meant to serve as vulnerability trending. Our data is uploaded to Splunk on a daily basis. However, what I did not account for is when a manual push occurs in the event of troubleshooting or rapidly changing data. What I was doing was set up a search that counts the number of times severity=critical appears in the uploaded data by _time. Because a manual push sometimes gives a day extra data, the table below shows 86 records when it should be 60.

index="foobar"
| where severity="Critical"
| bucket _time span=1d as day
| eventstats latest(_time) as Last
| stats count(severity) by day, Last
| eval First=strftime(First,"%H:%M:%S")
| eval Last=strftime(Last,"%Y/%m/%d:%H:%M:%S")
| eval day=strftime(day,"%Y/%m/%d")

day         Last                  count(severity)
2022/02/16  2022/03/18:05:34:27   57
2022/02/17  2022/03/18:05:34:27   60
2022/02/18  2022/03/18:05:34:27   86

How can I set my search to only count the number of entries once per day, restricted to the latest h:m:s?
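As an added illustration of what the post is after (example code, not the poster's search), the logic below treats every distinct upload timestamp within a day as one batch, keeps only the most recent batch of each day, and counts Critical findings in that batch alone. The rows are constructed: 02/18 gets a manual push at 01:15 on top of the scheduled 05:34 load, which reproduces the inflated 86 from the table above. Day boundaries are UTC, as with `bucket _time span=1d`.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timezone


def ts(s: str) -> int:
    """'2022-02-18 05:34:27' -> epoch seconds, treating the string as UTC."""
    return int(datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp())


# Constructed scan rows (not real data): (_time of the upload batch, severity).
# 02/18 has a manual push at 01:15 (26 Critical) before the scheduled 05:34
# load (60 Critical); a naive count therefore reports 86 for that day.
SAMPLE_ROWS = (
    [(ts("2022-02-16 05:34:27"), "Critical")] * 57
    + [(ts("2022-02-17 05:34:27"), "Critical")] * 60
    + [(ts("2022-02-17 05:34:27"), "High")] * 5
    + [(ts("2022-02-18 01:15:40"), "Critical")] * 26
    + [(ts("2022-02-18 05:34:27"), "Critical")] * 60
)


def day_of(epoch: int) -> int:
    """Start of the UTC day containing `epoch` (the `bucket _time span=1d` key)."""
    return epoch - epoch % 86400


def _by_day_label(counts: dict[int, int]) -> dict[str, int]:
    return {datetime.fromtimestamp(d, timezone.utc).strftime("%Y/%m/%d"): n
            for d, n in sorted(counts.items())}


def count_all(rows, severity: str = "Critical") -> dict[str, int]:
    """What the post's search does: every row of the day counts, batches included."""
    counts: dict[int, int] = defaultdict(int)
    for t, sev in rows:
        if sev == severity:
            counts[day_of(t)] += 1
    return _by_day_label(counts)


def latest_load_per_day(rows) -> dict[int, int]:
    """day -> the most recent upload timestamp seen on that day."""
    latest: dict[int, int] = {}
    for t, _ in rows:
        d = day_of(t)
        latest[d] = max(latest.get(d, t), t)
    return latest


def count_latest_load_only(rows, severity: str = "Critical") -> dict[str, int]:
    """Count `severity` per day using only the day's most recent upload batch."""
    latest = latest_load_per_day(rows)
    counts: dict[int, int] = defaultdict(int)
    for t, sev in rows:
        if sev == severity and t == latest[day_of(t)]:
            counts[day_of(t)] += 1
    return _by_day_label(counts)


if __name__ == "__main__":
    print("naive :", count_all(SAMPLE_ROWS))
    print("latest:", count_latest_load_only(SAMPLE_ROWS))
```

The two-pass shape (find each day's latest batch, then count only rows from it) is the same thing an `eventstats max(_time) by day` followed by a `where _time == that_max` does; the point is that the per-day maximum has to be computed per day, not over the whole result set.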
I have a table with some basic fields, where the events represent items that need to have an action taken. I would like to have a drop-down menu as the last item in the list with the desired action. The action to be taken could be a link to an external page, or even another Splunk search that just has to be executed but not displayed. For example: Action 1 or Action 2 would result in either a separate search being run or a separate link being "clicked". In both cases I'd like the drop-down to be replaced with a static image, like a checkmark (indicating which action had been taken). I realize this is pretty custom stuff that's going to require JavaScript or something else; I just have no idea where to start. Has anybody else tried to do anything like this? Thanks!
The documentation says that loggers that implement ILogger are supported, but nowhere does it describe how to capture those messages. Our on-prem controller is version 21.4 and our agents are all 22.1 or later. We have the .NET Microsoft.Extensions.Logging.Console logger set up and it is outputting messages. How do we configure AppD to capture those messages?
I had a situation where I wanted to know if the mstats p90(cpu) over 5 minutes of a host was above a certain value, but needed to extend it to 10 minutes for some hosts. I figured rather than make two searches I could use span=5m and search back 10 minutes:

(Search window: -10m@m to @m)
| mstats p90(_value) AS p90A WHERE metric_name="Processor.%_Processor_Time" AND instance="_Total" BY host span=5m

Except this was often producing 3 events per host, because, unless I'm mistaken, mstats span always aligns to UTC 0, so if I'm running the search on a minute not divisible by 5 (say every 3 minutes) I'll end up with 3 data points per host instead of 2. So I thought maybe using prestats + bin + stats will work; I can get 10 samples and use bin aligntime=earliest to force them into just 2 time bins. I think this works; a quick check says that the p90 values are the same up to 4 decimal places if the times are aligned:

(Search window: @h-10m to @h)
| mstats p90(_value) AS p90A WHERE metric_name="Processor.%_Processor_Time" AND instance="_Total" BY host span=5m
| join host, _time
    [| mstats p90(_value) prestats=true WHERE metric_name="Processor.%_Processor_Time" AND instance="_Total" BY host span=1m
    | bin _time span=5m aligntime=earliest
    | stats p90(_value) AS p90B BY host, _time ]
| where round(p90A,4) != round(p90B,4)

So this search should work for any two 5-minute intervals aligned to any minute of the day.

| mstats p90(_value) prestats=true WHERE metric_name="Processor.%_Processor_Time" AND instance="_Total" BY host span=1m
| bin _time span=5m aligntime=earliest
| stats p90(_value) AS p90 BY host, _time
| where p90 > 80
| stats list(p90), count by host
| where count == 2 OR match(host, "prod")

I ended up not needing it when I realized my alert was already locked to every 5 minutes. Has anyone else tried doing this? Know a better way without creating two searches?
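To make the alignment effect in the post concrete, here is an added example (not the poster's searches, and not Splunk code) that buckets ten constructed 1-minute CPU samples two ways: boundaries at multiples of 5 minutes since the epoch, which is the mstats span behaviour the post describes, versus boundaries starting at the window's earliest sample, which is what bin aligntime=earliest does. The window starts 3 minutes past a 5-minute boundary, so the epoch-aligned version yields three partial buckets while the earliest-aligned version yields exactly two full ones. The p90 here is a nearest-rank percentile, assumed close to but not necessarily identical to Splunk's perc90.

```python
from __future__ import annotations

import math
from collections import defaultdict

SPAN = 300  # 5 minutes, like span=5m

# Constructed 1-minute CPU samples for one host (not real metrics). The window
# starts at epoch 1699999980, which is 180 s past a 5-minute boundary, so the
# ten samples straddle three epoch-aligned buckets but fit two window-aligned ones.
START = 1_699_999_980
SAMPLES = [(START + 60 * i, v) for i, v in enumerate([70, 75, 90, 85, 95, 60, 65, 70, 88, 92])]


def bucket_epoch_aligned(t: int, span: int = SPAN) -> int:
    """mstats span=5m: bucket boundaries are multiples of span since the epoch."""
    return t - t % span


def bucket_earliest_aligned(t: int, earliest: int, span: int = SPAN) -> int:
    """bin span=5m aligntime=earliest: boundaries start at the window's earliest time."""
    return earliest + ((t - earliest) // span) * span


def p90(values) -> float:
    """Nearest-rank 90th percentile (simplification; assumed close to Splunk's perc90)."""
    s = sorted(values)
    idx = max(0, math.ceil(0.9 * len(s)) - 1)
    return s[idx]


def p90_by_bucket(samples, bucket_fn) -> dict[int, float]:
    """Group samples by bucket start and take p90 of each, like `stats p90(_value) by _time`."""
    groups = defaultdict(list)
    for t, v in samples:
        groups[bucket_fn(t)].append(v)
    return {b: p90(vals) for b, vals in sorted(groups.items())}


def breached(samples, threshold: float = 80.0, earliest: int = START) -> bool:
    """The post's final search for one host: p90 > threshold in both 5-minute bins."""
    per_bucket = p90_by_bucket(samples, lambda t: bucket_earliest_aligned(t, earliest))
    return sum(1 for v in per_bucket.values() if v > threshold) == 2


if __name__ == "__main__":
    print("epoch-aligned   :", p90_by_bucket(SAMPLES, bucket_epoch_aligned))
    print("earliest-aligned:", p90_by_bucket(SAMPLES, lambda t: bucket_earliest_aligned(t, START)))
    print("breached:", breached(SAMPLES))
```

Note the silent failure mode of the epoch-aligned version: the first and last buckets hold only two and three samples, so their p90 is effectively the maximum of a handful of points, which over-triggers a threshold alert.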
Hello, I am trying to find the list of elapsed times over a specific time using our OS process sourcetype. Looks something like this:

index=os sourcetype=ps host=* COMMAND=* | where ELAPSED > "12:59:59" | table COMMAND ELAPSED _time

But for some reason, the ELAPSED time is still displaying values under this time. If the ELAPSED time goes over a day, I am able to filter that out with the where command. Example:

| where ELAPSED > "60-12:59:59" | table COMMAND ELAPSED _time

-> Output will give me the results which are older than 60 days, 12:59:59 hours.
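The comparison in the post is between two strings, and a string comparison is lexicographic, so "15:30" (15 minutes) sorts above "12:59:59" and "1-00:00:01" (one day) sorts below it. The added example below (not the poster's search, not Splunk code) parses ps(1)'s ELAPSED format, which is [[dd-]hh:]mm:ss, into seconds and filters on the number; the constructed rows include one false positive and one false negative of the string comparison so both failure modes are visible. The same fix in SPL is to convert ELAPSED to seconds with eval before the where.

```python
from __future__ import annotations

import re

# ps(1) prints ELAPSED as [[dd-]hh:]mm:ss, so a value has 2, 3 or 4 fields.
ELAPSED_RE = re.compile(
    r"^(?:(?P<days>\d+)-)?(?:(?P<hours>\d+):)?(?P<minutes>\d{1,2}):(?P<seconds>\d{2})$"
)


def elapsed_to_seconds(value: str) -> int:
    """Convert a ps ELAPSED string to total seconds; raise on anything else."""
    m = ELAPSED_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a ps ELAPSED value: {value!r}")
    days = int(m["days"] or 0)
    hours = int(m["hours"] or 0)
    return ((days * 24 + hours) * 60 + int(m["minutes"])) * 60 + int(m["seconds"])


# Constructed (COMMAND, ELAPSED) rows (not real ps output), chosen so the
# string comparison gets two of them wrong.
SAMPLE_PS_ROWS = [
    ("sshd", "13:00:00"),       # 13 h       : over 12:59:59, both methods agree
    ("java", "15:30"),          # 15 min     : string compare wrongly says over
    ("postgres", "1-00:00:01"), # 1 day      : string compare wrongly says under
    ("cron", "05:30"),          # 5 min 30 s : under, both methods agree
    ("backup", "100-00:00:00"), # 100 days
]


def over_threshold(rows, threshold: str) -> list[str]:
    """Commands whose ELAPSED exceeds `threshold`, compared as durations."""
    limit = elapsed_to_seconds(threshold)
    return [cmd for cmd, elapsed in rows if elapsed_to_seconds(elapsed) > limit]


def over_threshold_by_string(rows, threshold: str) -> list[str]:
    """What the post's `where ELAPSED > "12:59:59"` does: lexicographic compare."""
    return [cmd for cmd, elapsed in rows if elapsed > threshold]


if __name__ == "__main__":
    print("numeric:", over_threshold(SAMPLE_PS_ROWS, "12:59:59"))
    print("string :", over_threshold_by_string(SAMPLE_PS_ROWS, "12:59:59"))
```

The "60-12:59:59" case in the post only appears to work because the leading digits happen to sort the right way for the values present; "100-00:00:00" against "60-12:59:59" goes wrong again, which the test below checks.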
Hi all, I have a JSON payload that contains a 'custom_fields' section that is made up of a set of title:keyname and value:value pairs. This is because the tool has varying formats of key/value pairs that it outputs. Per the screenshot, I'm trying to figure out a way to extract any values where the key is title:Mode but can't for the life of me work out how to do it. The Mode key will have 1 of 2 values (Monitored or Remediated) and I want to show this in a table that includes other values from the overall JSON packet (e.g. _time, description etc.). Any ideas would be greatly appreciated as I've spent several hours trying!
I have a dashboard with a timeframe dropdown created by a token called "query_time". I'm trying to create a panel to show the availability of a given service/process over whatever period of time is selected in the "query_time" dropdown (I have my ps.sh running every 1800 seconds btw, hence the 1800 shown). I thought it would be as simple as subtracting the two, as shown below, but I'm getting an error whenever I incorporate $query_time.earliest$ into the query. It seems to play nice if I use just $query_time.latest$ though. Is there any way to get this time difference in the query without it erroring out? Thanks in advance!

<panel>
  <chart>
    <title>rhnsd Availability</title>
    <search>
      <query>index=os host="mydb1" sourcetype=ps rhnsd | stats count | eval availability=count/(($query_time.latest$-$query_time.earliest$)/1800)*100) | fields availability</query>
      <earliest>$query_time.earliest$</earliest>
      <latest>$query_time.latest$</latest>
    </search>
    <option name="charting.axisY.maximumNumber">100</option>
    <option name="charting.chart">fillerGauge</option>
    <option name="charting.chart.rangeValues">[0,90,100]</option>
    <option name="charting.chart.stackMode">stacked</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.gaugeColors">["0xdc4e41","0x53a051"]</option>
    <option name="refresh.display">progressbar</option>
  </chart>
</panel>
Currently I have a search query that will show when an event happens with the device_id, count, and the device name. The search is set up to count when an event happens, but I also want to know when the event doesn't happen, so it counts devices with 0 count. Here is my search:

sourcetype="transactions" AND (additionalMessage.requestUrl="*/cashIn/initialize" OR additionalMessage.requestUrl="*/cashIn/update" OR additionalMessage.requestUrl="*/cashIn/updateStatus" OR additionalMessage.requestUrl="*/cashIn/finalize") AND message != "Token time nonce*" message="POST - http://transactions/cashIn/finalize  - RESPONSE_SENT"
| rename additionalMessage.requestBody.deviceId as device_id
| stats count(message) by device_id
| sort -count(message)
| lookup DeviceNamesAll.csv device_id OUTPUT device_name

Search will show this:

device_id                           count(message)   device_name
0297f12-e0ac-40d6-8ff5-2d2c2787b    45               Store12
37ca5c1-2c3f-41d-88d4-57f8b354c4    41               Store54

I can't figure out how to also count the device_ids that have a count of 0. If anyone could help it would be greatly appreciated!
Good afternoon,

TL;DR: Can a search query result that provides more than 1 field be output to a file with a command like outputlookup and have its multiple fields compared against for later usage? If so, how? How do I create an optimal dashboard that identifies new domains via DNS queries, whether utilizing the .csv file or another way?

I am attempting to make a dashboard that will display newly observed/newly registered domains. From what I believe to be the most efficient method (and please feel free to correct me or provide an alternate solution), I need to make a search query that will establish a baseline and output it to a .csv file, then create a second query that will actually create the dashboard that compares new results to that .csv file. Here's what I have so far:

Step 1 - Create the .csv file

index=nsm tag=dns query=* message_type=QUERY src_ip="10.20.30.*"
| dedup query
| stats earliest(_time) as FirstAppearance count by src_ip
| fieldformat FirstAppearance=strftime(FirstAppearance, "%x %X")

This current query produces this output:

src_ip        FirstAppearance   count
10.20.30.40   01/01/2001        782

What I want it to produce for the .csv file is the src_ip and the associated queries that go along with it. Example:

src_ip        query
10.20.30.40   www<.>google<.>com
              www<.>youtube<.>com
10.20.30.41   www<.>news<.>com

Step 2 - Create the dashboard that will compare new results searched to the .csv file

Once the dashboard is created, I know I'll have to include the command inputlookup, which will look into the .csv created. My question is how do I make that comparison, and how do I create the query in a way that will display accurately in the dashboard? Any information would be greatly appreciated.
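As an added example of the two-step design in the post (example code, not the poster's searches or Splunk code), the block below builds a first-seen baseline keyed by domain from a batch of constructed DNS events, round-trips it through CSV the way outputlookup and inputlookup would, and then reports the domains in a later batch that are absent from the baseline, with the time and client of their first appearance. Keying on the normalized query name rather than on src_ip is an assumption made here: a domain that one client already resolved last month is not "new" just because a second client asks for it today. Names are lowercased and stripped of a trailing dot; no public-suffix collapsing is attempted.

```python
from __future__ import annotations

import csv
import io

# Constructed DNS query events (not real traffic): (_time, src_ip, query).
# HISTORY is what the baseline is built from; LATER is a newer window that
# the dashboard search compares against that baseline.
HISTORY = [
    (1_700_000_000, "10.20.30.40", "www.example.com"),
    (1_700_000_060, "10.20.30.40", "static.example.net"),
    (1_700_000_120, "10.20.30.41", "www.example.org"),
    (1_700_000_180, "10.20.30.40", "WWW.EXAMPLE.COM."),  # same name, different case, trailing dot
]
LATER = [
    (1_700_086_400, "10.20.30.42", "www.example.org"),            # already in the baseline
    (1_700_086_460, "10.20.30.40", "updates.example-cdn.info"),   # never seen before
    (1_700_086_520, "10.20.30.41", "updates.example-cdn.info"),   # second client, same new name
    (1_700_086_580, "10.20.30.43", "login.examp1e.com"),          # never seen before
]

FIELDS = ["query", "first_seen", "first_src_ip"]


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; fold both away."""
    return name.lower().rstrip(".")


def build_baseline(events) -> dict[str, dict]:
    """First-seen time and requester per domain (what `stats earliest(...) by query` gives)."""
    baseline: dict[str, dict] = {}
    for t, src, q in sorted(events):
        baseline.setdefault(normalize(q), {"first_seen": t, "first_src_ip": src})
    return baseline


def baseline_to_csv(baseline) -> str:
    """Serialize like the lookup file `outputlookup` would write."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    for q, row in sorted(baseline.items()):
        writer.writerow({"query": q, **row})
    return buf.getvalue()


def baseline_from_csv(text: str) -> dict[str, dict]:
    """Read the lookup back (`inputlookup`); first_seen is restored as an int."""
    out: dict[str, dict] = {}
    for row in csv.DictReader(io.StringIO(text)):
        out[row["query"]] = {"first_seen": int(row["first_seen"]), "first_src_ip": row["first_src_ip"]}
    return out


def find_new_domains(events, baseline) -> dict[str, dict]:
    """Domains queried in `events` that are absent from the baseline: one row per
    domain with the time and client of its first appearance (the dashboard panel)."""
    new: dict[str, dict] = {}
    for t, src, q in sorted(events):
        q = normalize(q)
        if q not in baseline:
            new.setdefault(q, {"first_seen": t, "first_src_ip": src})
    return new


def update_baseline(baseline, new_domains) -> dict[str, dict]:
    """Fold newly observed domains in, so the next run reports only what is newer still."""
    merged = dict(baseline)
    merged.update(new_domains)
    return merged


if __name__ == "__main__":
    lookup_text = baseline_to_csv(build_baseline(HISTORY))
    for q, row in find_new_domains(LATER, baseline_from_csv(lookup_text)).items():
        print(row["first_seen"], row["first_src_ip"], q)
```

The update step is the part that is easy to forget in a dashboard: without it every run reports the same "new" domains again, and the panel becomes a list of everything seen since the baseline was cut rather than a list of what is newly observed.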
| chart count over date_month by seriesName

I have a search that displays counts over month by seriesName, but instead of this count I need to display the average of the count over month by series name.

date_month   seriesName 1   seriesName 2   seriesName 3
1 march      %              %              %
2 feb        %              %              %
Hi, I need to use eval count in a search like this:

| chart count(eval(web > 12))

But this count is right if I filter events previously from a string. What I would like to do is something like this:

| chart count(eval(web > 12 AND TOTO=a))

NB: I know I can filter before the chart command, but it's impossible here because my chart command stats a lot of different events. How to do this please? Rgds
Hi, how do I add an additional numeric value to the show source dropdown list in version 8.1.6? I would like to add 2000. By default the max is 1000. In version 7.3.5 it was just a matter of adding another line to the XML with 2000. But in 8.1.6 the XML looks like this:

<?xml version="1.0"?>
<view template="pages/app.html" type="html" isDashboard="False">
  <label>Show Source</label>
</view>

7.3.5 looked like this:

<view isVisible="false" template="search.html" isDashboard="False">
  <label>Show source</label>
  <module name="AccountBar" layoutPanel="appHeader">
    <param name="mode">popup</param>
  </module>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">True</param>
    <param name="maxSize">1</param>
    <module name="SoftWrap" layoutPanel="pageControls">
      <param name="enable">False</param>
      <module name="Count" layoutPanel="pageControls">
        <param name="options">
          <list>
            <param name="text">25</param>
            <param name="value">25</param>
          </list>
          <list>
            <param name="text">50</param>
            <param name="selected">True</param>
            <param name="value">50</param>
          </list>
          <list>
            <param name="text">100</param>
            <param name="value">100</param>
          </list>
          <list>
            <param name="text">200</param>
            <param name="value">200</param>
          </list>
          <list>
            <param name="text">500</param>
            <param name="value">500</param>
          </list>
          <list>
            <param name="text">1000</param>
            <param name="value">1000</param>
          </list>
          <list>
            <param name="text">2000</param>
            <param name="value">2000</param>
          </list>
        </param>
        <module name="ShowSource" layoutPanel="resultsAreaLeft">
        </module>
      </module>
    </module>
  </module>
</view>