I have the following situation: queryA returns correlations AAA BBB CCC DDD; queryB returns correlations AAA CCC EEE. The expected result is the queryA events with correlations AAA and CCC. I need a query that compares the field correlation between them and, if they are equal, shows me the queryA events. Thanks
I am currently using a lookup to find matching IDs in my data. The lookup table is like 400k rows, and if I use inputlookup with a join or append there is a limit to the number of rows that is searched from the lookup table. I am now using just the command "lookup" to find the matching data and it works without any truncating warnings, but I'm wondering if there is a limit for this command similar to subsearches. I can't seem to find anything in the lookup documentation.

Sample search:

```
index=some_index | lookup users_list.csv ID OUTPUTNEW username
```

I output a new variable so that I can do `search username=*`, since username is a new field and that will give me only the matching IDs in my lookup table.
I need to modify the limits.conf for an index cluster. My question is: if I modify /$Splunk/etc/system/local/limits.conf, can this be done on the cluster manager and pushed out, or does this need to be modified on the individual indexers themselves?
First Event

```
INFO | 2021-10-18 05:17 AM | BUSINESS RULE | Payload for ID#: 40658606156551247672591634534230307 with status Approved is published
```

Second Event

```
msg:  INFO | 2021-10-14 10:38 PM |  Message consumed: {"InputAmountToCredit":"22.67","CurrencyCode":"AUD","Buid":"1401","OrderNumber":"877118406","ID":"58916"}
```

I want to have the sum of InputAmountToCredit based on status. The status can vary across different statuses, and ID is the common field for both events. What is the best way to sum the amount with the same status for a specified timeframe?

Thanks for all the support.
I need to index a file: /var/log/file.txt. This file runs every day, but sometimes the content doesn't change. This leaves me with no events on days that remain the same. I need it to index every time the timestamp changes on the file. I believe I need to add `crcSalt = <SOURCE>` to the inputs.conf in order to reindex it. However, my input monitors all files in /var/log. So if I add that to that input monitor, it would likely apply to all files in /var/log, reindexing them all every time, something I don't want. How can I reindex just this file daily while leaving the other files in the directory unchanged? Many thanks
I am trying to extract the messages of a commonly used error log:

```
Creating review recommendations service case activity with errorMessage:  example message one here
Creating review recommendations service case activity with errorMessage:  example message two over here
```

I want to do some graphing of the counts of the totals of each individual message, so I would like to extract the string and stats count by message. I'm having trouble extracting the string. How do I do this cleanly? The goal would be to have results like:

"example message one here": X number of results
"example message two over here": Y number of results
Hi All, We wanted to do a POC for our client and wanted to ingest OpenTelemetry data (logs and traces) into Splunk, and I have the following questions. Is it possible to do this with a Splunk Enterprise trial license, or do we need to buy the Splunk Observability module to monitor the OpenTelemetry data? Can we use the universal forwarder to collect the logs and traces, or do we need to have the Splunk OpenTelemetry Connector? Please share a link or document on ingesting OpenTelemetry logs into Splunk.
Hello, I am trying to extract the system IDs from a single event into multiple events, I mean that each SID is on a separate line. I tried to deploy a regex for this, without success. Could anyone perhaps help with the below? Kind Regards, Kamil

```
| makeresults
| eval SID="I32 DYR DZ1 MHW DYN I58 ICZ ICN I69 I8Y IAE I6J I71 SLG I9Z I7T I7Z I5Y I5U I5T I3I I3G TCX I5O DZX DZC DYQ DYO DYM OGO OJ8 OK8 OKQ OKX DXF DYE DYF SS4 QMW I24 R9H O67 OP0 SP9 I4I I4M"
| rex field=SID "^(?<SID2>[^\r\n].+)"
```
Hi Team, I've created a Splunk dashboard and I'm able to see the data; I have also created a few users and given them (admin) permissions to see the dashboard data. But somehow the users are able to see the dashboard but unable to see the data inside the dashboards. Other users are able to see the data coming from the index by searching manually, but are unable to see the data in the dashboard created by the admin user. Can you please guide me if I'm missing anything?
Hey Splunkers, I am quite new to Splunk and want to create a heat map that displays average values per hour grouped per day over a week. Below you can see what I got so far. My problem is that the columns and rows seem to be inverted and that the current y-axis shows values from 6 to other instead of 1 to 24 hours. Can anyone lend me a hand with this? Thanks in advance, Nico

EDIT: What I am looking for should look somewhat like this:
Hi All, We have configured multiple inputs in our Splunk IDM layer, and a few of them are Microsoft add-ons. Each of these add-ons has multiple inputs with varied time frequencies to pull data from Azure resources. Hence, we would like to know the limit on configuring inputs, or the limit on apps & add-ons that can be installed in the Splunk IDM layer. Also, we would like to know if the performance can be monitored by us through some means. Thanks!
Good Morning, I am using the http_poller Logstash input filter to connect to the AppDynamics OAuth API, which I will then use to pass to the http filter plugin to retrieve AppDynamics REST API metric data to insert into Elasticsearch. My Logstash http_poller configuration is:

```
input {
  http_poller {
    urls => {
      AppDynamics => {
        method => post
        url => "https://*appdynamics-test-account*/controller/api/oauth/access_token"
        headers => {
          "Accept" => "application/json"
          "Content-Type" => "application/vnd.appd.cntrl+protobuf;v=1"
          "Authorizations" => "*AppDynamics bearer token*"
          "grant_type" => "client_credentials"
          "client_id" => "Stage-CurlTest"
          "client_secret" => "*AppDynamics Client Secret*"
        }
      }
    }
    request_timeout => 60
    schedule => { every => "1h" }
    codec => "json"
    metadata_target => "appd-token"
    type => "AppDynamics"
  }
}
```

I am getting the following error response when the poller tries to connect to AppDynamics:

```
{
  "type": "AppDynamics",
  "@timestamp": "2021-10-18T14:02:11.191Z",
  "appd-token": {
    "request": {
      "method": "post",
      "url": "https://*appdynamics-test-account*/controller/api/oauth/access_token",
      "headers": {
        "Authorizations": "AppDynamics Bearer Token",
        "grant_type": "client_credentials",
        "client_secret": "`AppDynamics Client Secret`",
        "client_id": "Stage-CurlTest",
        "Content-Type": "application/vnd.appd.cntrl+protobuf;v=1",
        "Accept": "application/json"
      }
    },
    "response_headers": {
      "x-content-type-options": "nosniff",
      "x-frame-options": "SAMEORIGIN",
      "x-xss-protection": "1; mode=block",
      "connection": "keep-alive",
      "server": "AppDynamics",
      "date": "Mon, 18 Oct 2021 14:02:10 GMT"
    },
    "runtime_seconds": 0.36,
    "host": "SAPPLOG03",
    "name": "AppDynamics",
    "response_message": "Not Acceptable",
    "code": 406,
    "times_retried": 0
  },
  "@version": "1",
  "tags": [
    "_httprequestfailure"
  ]
}
```

I am new to both the http_poller filter and the AppDynamics Metric REST API, so I am not sure what I have configured wrong. I have also posted to the Elastic Community forum.
I have removed any account-specific information for security reasons so any additional information that would be helpful let me know and I'll get it for this post. Thanks, Bill
Hi, I created an app using the Add-on Builder v4.0.0 to use custom alert actions on Splunk. I created two Add-on Setup parameters: username and password. When I enter the information in these fields and click on the "Save" button, it seems that this information was not saved (no UI changes), and if I close and re-open the UI some fields are not filled. This same app was working on the previous version of the Add-on Builder and the fields were being filled. However, it seems that this info is being saved in the .conf files. In the attachment there is a screenshot with the "password" field not being filled when I re-opened the UI screen. Could someone help me? I am using Splunk version 8.2.1 and tried with different web browsers. Thanks.
On the output I get the result with users. The username is similar to the name of the mail. How do I call the username variable in the sendemail command?

```
username  abc  abc1  abc2
John      1    2     3
Smith     3    1     2
Georgy    2    3     1
```

```
| sendemail to="$username$@gmail.com" sendresults=true subject="Test sub" message="message"
```

error:

```
command="sendemail", {u'@gmail.com': (501, '5.1.3 Invalid address')} while sending mail to: @gmail.com
```

In the output, the variable should take the username, get everyone's name and send a message to everyone. And is it possible to make everyone get only their own line of output? Thanks!!!
Hello, I don't succeed in rounding the field ResponseTime, which is a decimal field with a point instead of a comma.

```
index=tutu
| eval web_duration_ms=round('web_duration_ms', 0)
| timechart avg(web_duration_ms) as ResponseTime by Url
```

What is wrong please?
I would appreciate any help in preventing license usage warnings. One item I thought of was to create a dashboard of index data & license utilization. What other items do I need to watch to prevent license usage warnings, please? Thank you in advance.
I have a field named Sec_field. I want to know the list of dashboards that are using this field <Sec_field>. Is it possible to get this using SPL?
Hello, The query below calculates some fields for a period of time as set in the time picker. Also, we have an alert which every 6 minutes computes the values for 2 minutes. I want to save the results of the alert and at the end calculate the results of a whole week. I saw that there is an option to use a table dataset. My question is whether a table dataset is the right option; if yes, how can I do it, and if not, what is the best way to achieve my goal?

```
| stats count as Total_Requests
    count(eval(Request_Status=500 OR Request_Status=501 OR Request_Status=502 OR Request_Status=503 OR Request_Status=599 OR F5_statusCode=0 OR F5_statusCode="connection limit")) as Requests_Returned_Errors
    count(eval(Request_Status=504 OR F5_serverTime>20000)) as Requests_Returned_Timeouts
    by API
| fields API Total_Requests Requests_Returned_Errors Requests_Returned_Timeouts
| lookup APIs_Owners.csv API OUTPUT Owner
| eval TotalErrors=Requests_Returned_Errors+Requests_Returned_Timeouts,
    SLOTotal=round((Total_Requests-TotalErrors)/Total_Requests*100,2),
    Owner = if(isnotnull(Owner), Owner, "null - edit lookup")
| fields API Total_Requests TotalErrors Requests_Returned_Errors Requests_Returned_Timeouts SLO* Owner
```

thanks
Hi, I'd really appreciate some advice on this. I have a data set looking at users and the apps they have access to. There are 3 apps in total. I want to be able to produce a pie chart or visualisation showing the combinations of apps that users have access to. Can anyone give any suggestions on the type of query I need to write? Sample data attached:

```
UserID App1 App2 App3
1      0    1    0
2      0    1    0
3      0    1    0
4      0    1    0
5      0    0    0
6      0    0    0
7      0    0    0
8      0    0    0
9      1    1    1
10     1    1    1
11     1    1    1
12     1    1    0
13     1    1    0
14     1    1    0
15     0    0    0
16     0    0    0
```

Many thanks, Tim
Dear Splunk community, how do I use a variable inside a colorPalette expression using Simple XML? I have the following:

```
mySearch | eval myField = 100
```

If I have a table that returns rows with numbers in them, I can change the color of that row like so:

```
<format type="color" field="sourceField">
  <colorPalette type="expression">if (value > myField ,"#df5065","#00FF00")</colorPalette>
</format>
```

Expectation: any row above 100 is red (df5065) and all other fields are green (00FF00). Result: all rows are green. I need to use myField to calculate with. How do I do that? I have tried:

```
$myField$
'myField'
(myField)
```

None work. Thanks in advance.