All Topics
Hi, I want to add an image inline with my title but I am getting it like this below. Any suggestions on how I can add it inline like below? This is my code: <row> <panel> <html> <h3><img src="/static/app/search/icons/info_icon.png" width="22" align="right" title="Details"/> </h3> </html> <table> <title>BW TR Exception View</title> <search>
I have a search similar to the following: (index=myindex) OR (index=otherindex) | eval user=coalesce(accountname, id) | mvexpand user | stats values(field1) as field1, values(field2) as field2 by user. This gives me the results that I want, but I now want to take the results of this to enrich information from the output by pulling other events from another index. This will then generate an alert, so it is not being done in a dashboard. I could schedule a report and then reference something like a lookup table; that would probably work, but I am trying to make it a bit more dynamic. I would like to maybe use the result from this and enrich it with an LDAP query, but I don't think I can do that. Join is out of the question (limitations etc.) and I can't coalesce any further with other fields as they are in no way similar or even available. Thoughts, and thanks in advance.
What are the differences between the two: ITSI and Splunk Infrastructure Monitoring?
Hello experts, I would like to split out the fourth part of the lines below. Please provide your suggestion if I can use REGEX for it. Projects/IMGSD-102/Data/abc-NNN/00000000001 Projects/IMGSD-102/Data/abc-NNN/00000000001 Projects/IMGSD-102/Data/abc-NNNN/00000000001 Projects/IMGSD-102/Data/abc-NN/00000000001 Projects/IMGSD-102/Data/abc-N/00000000001 Now I need to get the answer as below: abc-NNN abc-NNN abc-NNNN abc-NN abc-N. Kindly provide your suggestion for the same.
Hello All!! I have a deployer with 3 search heads. When I deleted all the apps that I don't need anymore, the deployer replicated fine. Also when I install a new one. But when I try to upgrade an app, it doesn't replicate to the search heads. Any suggestions? Thanks all!
I want to display the heading of my panel, which includes the time from the time picker field.
I have added some custom notable event statuses, say a, b, c. I have modified the transition rules for the "new" status such that the ess_analyst role should not be able to make a transition from new to the a, b and c statuses. But the issue is that while statuses a and b are hidden from the "Edit events" box, c is not, though the transition to status c is still disabled for the analyst. The id for a = 14, b = 15 and c is 10. Please help me understand why I see this behaviour.
Hello, when trying to execute a savedsearch from the UI, it throws an error: Error in 'savedsearch' command: Encountered the following error while building a search for saved search 'Incident Review - Main': Error while replacing variable name='type_filter'. Could not find variable in the argument map. There is no variable by this name (type_filter) in the query. We are on the latest version of Splunk Cloud 8.2.x. This search was working fine until yesterday and nothing has changed from our end. The Splunk Cloud team did perform a maintenance for updates last night. How do we resolve this? Any assistance appreciated.
I want to show the count for a host as zero if the process is not found; however, I am not able to get a 0 count, and the host disappears if the process is not found. index=oslogs sourcetype=ps COMMAND="process1" | stats count by host,COMMAND Result: host1 java 12 host2 java 3 host4 java 4 Expected result: host1 12 host2 3 host3 0 host4 4
After launching a search request, Splunk displays the progress bar with an EN message such as the one below: "<n> of <total> events matched". In the FR version, the translated message is: "sur <n>, <total> qui correspondent". This means the EXACT inverse: "<total> of <n> events matched"!! This has to be changed... thx, Hervé.
Hello, I am trying to create a dependency map without the external creation of tokens that are being fed to the append searches. Here is the motive: I have a list of Sources and Targets, where the Source of one Relation is the Target of many others, and so on. This is recursive, but I would stop at 4 iterations for now. The resulting table must only have the pairs of Source and Target Services as the basis for the visualization. The first search looks something like this: index=poc_analyze_something_rather Target_Service=$my_initial_token_from dashboard$ | table Source_Service Target_Service The initial token is being fed via drilldown from the dashboard. So far no issue at all. So the first search creates the list of Source_Services connected to the Target_Service (token). Now I actually have two issues... sorry... First is that I cannot create the table of the pairs and create a token at the same time. The creation of the token would look something like this: index=poc_analyze_something_rather Target_Service=$my_initial_token_from dashboard$ | stats values(Source_Service) as results | eval list_of_Source_Services_search_one = mvjoin(results, ",") So the first issue is how to team them up in one search, if possible. The second issue starts once I have the token. The second search would look something like this: | append [ | search index=poc_analyze_something_rather Target_Service IN($list_of_Source_Services_Search_one$) | table Source_Service Target_Service ] However, the first search does not seem to pass the token along into the append search.
It is no issue at all if I make a search in the dashboard (no visualization) like this to create the token: <search> <query> index=poc_analyze_something_rather Target_Service=$my_initial_token_from dashboard$ | stats values(Source_Service) as results | eval source_list= mvjoin(results, ",") </query> <earliest>-15m</earliest> <latest>now</latest> <done> <set token="list_of_Source_Services_Search_one">$result.source_list$</set> </done> </search> The append search has no issues at all with this token. However, there must be a way to create the list of Sources and Targets without resorting to a dashboard with XML-coded searches. Any idea? Thanks, Mike
Hi Experts, I am running two searches by combining them with appendcols. But the final result is the common fields of both searches. I want the entire search result of both the main search and the subsearch. I am using stats as well. Please advise. Thank you.
Hi, my requirement is to take each week's Monday data alone for a month in a trending chart. This needs to be shown for the status field, which will have (pass, fail, error, deleted) values in it. The individual count of each status is to be shown for each week's Monday for a month. Please let me know how to do this.
How to install Splunk services in CentOS
Lookup not working. On a local server on my computer, I got the result. But when I did exactly the same actions on the production server, one to one, there is no result. Examples are in the photo, one user at a time; no result for anyone. Where could I have gone wrong? Thanks! Splunk Version 7. Both files have global mode.
Hello Team, what could be the best possible solution to integrate the Imperva cloud solution with Splunk? Is there any app/add-on available for Imperva to onboard the logs through the API into Splunk?
Hi, our systems have multiple order records as XML transactions, and each order can have multiple events on different dates. I want to search for orders that have had specific event codes and display a table to show the dates when each event code happened for that individual order. The index name is "xmlogs". Each XML has 'order ref', 'event date' and 'event code'. My search needs to be limited to an event_code of 1001 or 1002 or 1003. Input XML looks like: <orderref>123456</orderref> <eventdate>2021-10-01T10:31:13</eventdate> <eventcode>1001</eventcode> Similar XML will exist for event 1002 etc. I want the output to look like: orderref 1001 1002 1003 123456 01/10/2021   04/10/2021 789123 05/10/2021 08/10/2021 13/10/2021 Any help will be much appreciated.
Hi, I am working on a system which looks for DFS (Dynamic Frequency Selection) channels. The search starts with the following event: CAC_STARTED. If it finds a DFS channel, then the search ends with CAC_COMPLETED and stays on the DFS channel. If a radar is detected, then the search ends with CAC_STOPPED and the system switches to a non-DFS channel. Later the system again searches for a DFS channel with CAC_STARTED and the pattern repeats. I am trying to calculate the time spent on DFS and non-DFS channels in a day. Can someone please help me with the queries? I tried the following: index=* mac="0cf9c0fef6fe" ("ACI_CAC_COMPLETED") | sort _time | stats max(_time) as maxtime min(_time) as mintime | eval maxt=strftime(maxtime,"%d:%H:%M:%S") | eval mint=strftime(mintime,"%d:%H:%M:%S") This gives me the total time spent on the DFS channel BUT only if the system has never switched to a non-DFS channel, i.e., the ACI_CAC_STOPPED event never appeared in the whole span. How do I check if there was an ACI_CAC_STOPPED event in between and calculate the DFS and non-DFS time spent durations? Please advise.
Admission rules are cool, but it would be great to know which ones people are using. It would also be great if the platform had a set of known bad SPL which could be toggled on. Here are a couple of obvious ones we've started with: Prevent users searching all indexes: search_type=adhoc AND index=* Prevent users using all-time searches: search_type=adhoc AND search_time_range=alltime
How to add SSO in the Splunk Helm chart through a config map #helm #kubernetes #splunkhelm