I have a nested JSON element that gives back up to 8 field names. I table them like:

    | table "Config.DiskBrandSize.*"

which has child elements like:

    Barracuda: 100gb
    Seagate: 50gb
    Sandisk: 150gb

I then sum them up:

    | chart sum("Config.DiskBrandSize.*")

and I get a table with columns like "sum(Config.DiskBrandSize{}.Sandisk)". But I want to rename that to just something like "SandiskTotal", which is created from the column name + "Total", NOT by doing manual renames. I can't figure out how to do this with a foreach either.
Hi, I have a field in my log called ServerRespTime. I want to detect outliers of ServerRespTime. Here are the conditions:
1- under 0.05 is a normal ServerRespTime
2- above 0.05 (if it continues for a couple of seconds) is an abnormal ServerRespTime
Any idea? Thanks,
I'm counting up the hits to my website's specific URIs over each day. I'm using chart because I have to bucket by _time for other reasons related to how the data is dumped from a db into Splunk:

    | bucket span=1d _time
    | chart count(uri) as uris by _time domain

This works fine. But what I'd like to do now is be able to dynamically choose one of the URIs as a chart overlay and show its total percentage of the hits vs. the total for the day. I can't figure out how to do this. Is there a way to access the | addtotals "Total" field but for only one column/URI? Or what about using tokens in the search and rerunning the search as I pick different URIs to overlay? Or...? I got the idea from this: https://docs.splunk.com/Documentation/SplunkCloud/8.2.2107/SearchTutorial/Chartoverlays but I need to figure out how to calculate the percentages dynamically and against | addtotals "Total".
So, to preface this, I am very new to Splunk. The end game is to make a chart overlay, but that's not my main question here. I have two searches with very similar information being returned. I need to make a table with information from both searches and I just can't seem to manage it. I have tried append, appendcols, multisearch, etc. The problem is that I cannot use OR for the sourcetype because the two sourcetypes have extremely similar information in them and the queries to pull from them are exactly the same. Example:

First:
    index=indexa sourcetype=sourcetypeA | count X as "Result A" | other logic etc | table month_year "Result A"

Second:
    index=indexa sourcetype=sourcetypeB | count X as "Result B" | other logic etc | table month_year "Result B"

Ultimately I'd want the results to say:

    month_Year  Result B  Result A
    info        info      info

Right now when I attempt to do anything, it just skips "Result B" entirely. I know there must be some simple way I'm just missing. If anyone could help me out I'd really appreciate it; this is driving me crazy.
Hi, what is the rex for "No is invalid. Please ask to a admin"? Here is the log:

    21:32:26.729 customer modules: type="xsd:string"><response><result>ActionFail</result><errno>00000</errno><desc>No is invalid. Please ask to a admin</desc><jobid>000000</jobid><msgid>00000</msgid><cmd>info</cmd></response></return></ad1:

Thanks,
I have data in the following format, measured at an interval of an hour.

    Date            Restaurant id  Food Code  Average Order
    1/1/2017 0:00   101            1          0.004
    1/1/2017 1:00   101            1          0.004
    1/1/2017 2:00   101            1          0.004
    1/1/2017 3:00   101            1          0.004
    1/1/2017 4:00   101            1          0.003
    1/1/2017 5:00   101            1          0.003
    1/1/2017 6:00   101            1          0.003
    1/1/2017 7:00   101            1          0.003
    1/1/2017 8:00   101            1          0.004
    1/1/2017 9:00   101            1          0.003
    1/1/2017 10:00  101            1          0.004
    1/1/2017 11:00  101            1          0.004
    1/1/2017 12:00  101            1          0.004
    1/1/2017 13:00  101            1          0.005
    1/1/2017 14:00  101            1          0.006
    1/1/2017 15:00  101            1          0.006
    1/1/2017 16:00  101            1          0.006
    1/1/2017 17:00  101            1          0.005
    1/1/2017 18:00  101            1          0.005
    1/1/2017 19:00  101            1          0.005
    1/1/2017 20:00  101            1          0.004
    1/1/2017 21:00  101            1          0.004
    1/1/2017 22:00  101            1          0.004
    1/1/2017 23:00  101            1          0.004

I am trying to merge each 24-hour event into a single event and take an average of the average order. The output should be like this:

    Date      Restaurant id  Food Code  Average Order
    1/1/2017  101            1          0.003

I tried using timechart and bin; every time I get all 24 rows. Since I have data measured every hour, which is too specific, I want to turn it into a day interval instead and take the average of the average order. Help would be highly appreciated.
Can I get assistance on the command to update the mmdb in my environment for a particular state?
Hello, I need to open another panel from my main panel when I click on the field "web_url". So I need to display the events related to the field "web_url" in my second dashboard. Here is what I am doing, but it opens all the events and not only the events related to "web_url"... What is wrong, please?

<panel>
  <title>URL Web</title>
  <table>
    <search>
      <query>index=mes sourcetype=web | stats sum(web_error_count) as "Total erreurs Http" by web_url | rename web_url as web_url | sort - "Total erreurs Http"</query>
      <earliest>-1d@d</earliest>
      <latest>@d</latest>
      <refresh>30s</refresh>
      <refreshType>delay</refreshType>
    </search>
    <option name="count">10</option>
    <option name="drilldown">cell</option>
    <option name="refresh.display">progressbar</option>
    <format type="number" field="Parameters"></format>
    <format type="number" field="ResponseTime">
      <option name="precision">1</option>
      <option name="unit">ms</option>
      <option name="useThousandSeparators">false</option>
    </format>
    <format type="color" field="Web Error Count">
      <colorPalette type="minMidMax" maxColor="#DC4E41" minColor="#FFFFFF"></colorPalette>
      <scale type="minMidMax"></scale>
    </format>
    <format type="color" field="Total erreurs Http">
      <colorPalette type="minMidMax" maxColor="#DC4E41" minColor="#FFFFFF"></colorPalette>
      <scale type="minMidMax"></scale>
    </format>
    <drilldown>
      <set token="web_url">$click.value$</set>
    </drilldown>
  </table>
</panel>
</row>
<row>
  <panel depends="$web_url$">
    <table>
      <title>Response= $web_url$</title>
      <search>
        <query>index=mes sourcetype=web | table "ID" "Nom" site type"</query>
Hi, I have ticketing system values in my SIEM, where different support people work on the ticket. I am trying to create a table of tickets with the last status only per ticket; for example, if 3 engineers worked on a ticket then this table should show only the last updated time and status. My problem is that the following query is grouping tickets correctly but showing all status values per ticket, and it also changed the _time format to integer values:

    | table _time status service user eventid tickets
    | stats values(status) values(service) values(user) values(eventid) by tickets
    | convert ctime(_time)
    | sort _time

Can you please advise? Regards
Hi Experts, I want to trigger an alert based on the scenario below:
1) Get license utilization in GB for yesterday and the day before yesterday.
2) Show the difference in GB, and if the difference has increased by 40GB then trigger an alert.
Something like below; I want to trigger the alert only for line 2, that is, for database:

    index_name   yesterday  day_before_yesterday  diff
    application  20GB       10GB                  10GB
    database     30GB       70GB                  40GB
    security     40GB       20GB                  20GB
Hello, our test environment uses the production LM and we never had any compatibility issue upgrading the test nodes first:
6.2.3 > 6.5.2
6.5.2 > 7.1.4
7.1.4 > 7.3.4
We plan to upgrade 7.3.4 to 8.2.2; are there any possible issues? In fact https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Configurealicensemaster looks more like a best practice than a requirement. Thanks
Hi, I am trying to install the ITSI Module for Kafka smart monitoring App and its related Kafka streaming platform logging management TA, but I received notification from my support case that the app/addon is incompatible for jQuery reasons. The TA came back with unspecified incompatibilities. Guilhem Marchand is the author of the work. Does anyone know if the TA/App combo is being maintained? Thanks in advance, Alex
Of the servers LM, CM, SHC or Deployment server, which needs to be put in maintenance mode before upgrading to 8.2.2.1, please? Thanks a million for your help.
If I am trying to execute the following code block and my total record count is greater than 50K, it limits me to 50K. Is there a modified example of this, through an offset or pagination technique, that someone can provide that will allow me to iterate through the full result set beyond 50K?

    oneshotSearchArgs.put("earliest_time", yesterday + "T05:00:00.000");
    oneshotSearchArgs.put("latest_time", today + "T05:00:00.000");
    oneshotSearchArgs.put("count", 0);
    String oneshotSearchQuery = "search " + searchString;

    // The search results are returned directly
    InputStream results_oneshot = service.oneshotSearch(oneshotSearchQuery, oneshotSearchArgs);

    // Get the search results and use the built-in XML parser to display them
    ResultsReaderXml resultsReader = new ResultsReaderXml(results_oneshot);
    HashMap<String, String> event;
    int eventsMatched = 0;
    String log = null;
    ArrayList<String> list = new ArrayList<>();
    while ((event = resultsReader.getNextEvent()) != null) {
    }
Hello, I need to display 0 in a single panel if there are no results. I tried the 2 solutions below but they don't work. How do I do this, please?

    | stats avg(Response) | eval Response=if(Response="0","0",Response)

    | stats avg(Response) | eval Response=if(Response="","0",Response)
I have my Splunk JSON in the format below:

    {
      delete_me: True
      vendor: Dbruzy
      name: Rahul
      date: [
        10-jan-2022
        30-dec-2022
      ]
      count_target: [
        1700
        300
      ]
      site: India
      type: Sales
    }

I am looking for a query to get output like this:

    Vendor  Name   Date         Count_Target  Site   Type
    Dbruzy  Rahul  10-jan-2022  1700          India  Sales
    Dbruzy  Rahul  30-dec-2022  300           India  Sales

But I am getting this:

    Vendor  Name   Date                     Count_Target  Site   Type
    Dbruzy  Rahul  10-jan-2022 30-dec-2022  1700 300      India  Sales
    Dbruzy  Rahul  10-jan-2022 30-dec-2022  1700 300      India  Sales

Query I am using:

    my index
    | rename count_target{} as target
    | rename Date{} as voltage
    | spath input=voltage path=voltage output=someOtherField
    | spath input=someOtherField
    | foreach voltage* [ eval voltage=mvappend(voltage, '<<FIELD>>') ]
    | spath input=target path=target output=someOtherField1
    | spath input=someOtherField1
    | foreach target* [ eval target=mvappend(target, '<<FIELD>>') ]
    | mvexpand target
    | mvexpand voltage
    | stats values(voltage) as Date values(target) as Count_Target by Vendor, Name, Site, Type

Can you please help?
Hi All, I have installed a machine agent on the server and the extension on Redis, and I have given the application name, tier name, and node name, and it was working fine. Now I plan to install the NodeJS agent on the NodeJS application and have configured the controller information the same as the controller provided. But it was not connecting; as checked with the document, the machine agent controller-info.xml file should be removed with the application name, node name, and tier name. I restarted the application but it was not connected. So I stopped the machine agent, renamed the folder, and restarted the application, and it is still the same. Does anyone face the same issue? Kindly help. Thanks
Newbie here...! I have a list of IPs in a CSV from which I need to exclude a few IPs (IP1, IP2, IP3, etc.) from the results of a query. Here's how my search looks. Example search:

    base search | join type=left ip [| inputlookup iplist.csv | fields ip] | fields

Any help would be appreciated. Thanks
Hi, I am trying to change/control many multi-select dropdowns by one Master multi-select dropdown value/checks. So I am trying to use more than one value in the set-token tag. But it is not working: if I give 2 values in the set-token tag then they get merged, but if I give a single value then it works fine. I tried multiple ways like double quotes, single quotes, etc., but I could not find the solution. Please find the example below and help me find a solution.

    <set token="form.Filter1"> "new", "rejected" </set>

The output will be like below. But the expectation is like below.

Example in multiselect:

    <input type="dropdown" token="MasterFilter_Token">
      <label>MasterFilter</label>
      ...,
      <change>
        <condition>
          <set token="form.Filter1"> "new", "rejected", "closed" </set>
          ...,
        </condition>
      </change>
    ...,

Thanks in advance!!!
Hello Team! I have a problem I need to solve, but I couldn't find a way to do it. I have some servers that have the Universal Forwarder installed and Windows services are being monitored through it. What happens is that sometimes some of these services are unavailable and there is a need to restart the service. I would like to know if, somehow, as soon as Splunk identifies that one of these services is down, it can run a script on the local server that restarts that service. That is, I need to know if there is any way to run a script that is on the universal forwarder through the Splunk server. Thanks in advance!