I'm watching the Fundamentals 2 course (finally XD) and I've come across a search ending with something like:
| sort -field | rename field2 as something_else | fields - field3
And the question is whether it would be a bit faster to first remove the field and then sort, or is it the other way around? On the one hand, removing fields should give you less data to manipulate when sorting. On the other hand, I don't expect Splunk to physically rewrite each and every event on each pipe, so it might not really matter at all. Side question: let's assume we rewrite it into
| search field2=something | fields - field3
In this case, is it better to first trim the event set and then remove the field, or first remove the field and then trim? Of course I know that it's probably completely insignificant compared to the time it takes to get the data from the indexes. But that's just me digging into the internals.
I want time values from a subsearch to come to the main search for every record. For example, my VPN session table has a start and end time. I want to use this start and end time for traffic logs. I want to use the vpn_start and vpn_end fields for the time filter, but no result has been returned. I want to find traffic logs within the specified time range on the records. Thank you for your help. Happy splunking.
Hi, I have two tables. The first has a few IPs which I converted to dotdecimal:
splunk_server="xyserver" index=main source="/var/log/ids.log" earliest=-24h | stats count by name, dest_ip, src_ip | sort -count | eval ip_dot_decimal_split=split(src_ip,".") | eval first=mvindex(ip_dot_decimal_split,0),second=mvindex(ip_dot_decimal_split,1),third=mvindex(ip_dot_decimal_split,2),fourth=mvindex(ip_dot_decimal_split,3) | fields - ip_dot_decimal_split | eval first=first*pow(256,3),second=second*pow(256,2),third=third*256 | eval ip_address_integer=first+second+third+fourth | fields - first,second,third,fourth
The second table is a GeoIP database (this is a static DB):
index=main host="xy2server" sourcetype="geo_ip_locations" earliest="08/24/2021:00:00:00" latest="08/24/2021:00:01:00" | table start_off finish_off "Alpha_2 code" Country
The start_off and finish_off are dotdecimal too. I want to search for the ip_address_integer (created dotdecimal) between predefined IP ranges (start_off / finish_off) and get back the Country and Alpha_2 values as new columns of the first table. Thanks!
Hi, the Access control page is throwing a 404 error on the search head. I am not able to access it. It is working fine on the HF, so version 8.0.5 is not the problem. How do I access the code of this page through the back end? How do I fix this error?
Would you know how I can display an overlay of two charts that have different time ranges on the X-axis? For example, I would like to compare CPU utilization yesterday with the CPU utilization a week ago. Is it possible to combine the results of the two searches below into one chart?
| mstats avg(cpu.pctIdle) AS cpu_idle_pct WHERE index=mymetrics host=myserver span=5min earliest=-2days latest=-1days | timechart min(cpu_idle_pct) span=1hour
| mstats avg(cpu.pctIdle) AS cpu_idle_pct WHERE index=mymetrics host=myserver span=5min earliest=-9days latest=-8days | timechart min(cpu_idle_pct) span=1hour
Thanks!
Hi, we are using the Splunk RPM package for installing Splunk, but before installing it we want to add some files to that package, repack it as an RPM and then use it to install on other machines. Could anybody please help me with that? Thanks in advance.
I have a dashboard with around 10 panels in it. There are two filters (inputs) on top of my dashboard: 'Index' and 'Source'. The 'Index' dropdown populates all the indices, and then the corresponding sources are populated in the 'Source' dropdown input. Based on these selections the 10 panels are loaded.
Current scenario: Right now, when anyone opens the dashboard, the 'Index' and 'Source' dropdown values default to the value "ALL" and all the panels immediately start to load.
What I need help with:
1. I need a "Submit" button in my dashboard, so that when the dashboard is opened, it shouldn't automatically start loading the panels. It should wait until the user presses the "Submit" button. Sometimes the user may want to change the value from ALL to other values. In that case also (after the user changes the input), the dashboard should still wait until "Submit" is pressed to start searching with the new filter. What code do I have to write in the backend XML to achieve this?
2. Also, is it possible to have another button, say "Stop", which when pressed should stop the loading of the dashboard?
In my logs I have different URLs and I need to find a smart way to get the base_url. The URLs are:
/gw/api/request/assets?AccountId=710534357902&reportDate=2021-08-25 - I want to obtain /gw/api/request/assets
/gw/api/oidc/client/v1 - I want to obtain /gw/api/oidc/client/v1
/gw/api/oidc/client/v1/ - I want to obtain /gw/api/oidc/client/v1
/gw/api/AccountOpenings/423423423-32sdf-34243 - I want to obtain /gw/api/AccountOpenings
/gw/api/AccountOpenings/345645fgh5-54hju-45565 - I want to obtain /gw/api/AccountOpenings
Can I use a single regexp to do that? Now I use something like this, but I don't think that is the right way:
| eval a=split(URL,"?") | eval URL=mvindex(a,0) | rex field=URL "(?<base_url>.*AccountOpenings/v[0-9]).*" | eval URL=if(match(URL,"AccountOpenings"),base_url,URL)
Hi, I have 2 multivalue fields and I want to make a simple line chart out of them. Each event looks like this:
x: [0.1,0.2,0.3,0.4,0.5] , y: [1.7, 1.4, 2.4, 5.5 ,4.7]
where x and y are multivalue fields in the event. The line chart should be an average graph of those values in the selected time range. I tried using mvexpand and it didn't work.
Hi Team, I have a dashboard in which I have 2 dropdowns.
1. SELECT API: - PARTY INTERACTION - TICKET MANAGAMENT
2. SELECT OPERATION: this second dropdown needs to be populated based on the first one.
a. If API = PARTY INTERACTION then the values here are:
<choice value="*">Alle</choice>
<choice value="LISTTROUBLETICKETS">LISTTROUBLETICKETS</choice>
<choice value="RETRIEVETROUBLETICKET">RETRIEVETROUBLETICKET</choice>
<choice value="CREATETICKET">CREATETICKET</choice>
<choice value="UPDATETICKET">UPDATETICKET</choice>
<choice value="RETRIEVETICKETTHEME">RETRIEVETICKETTHEME</choice>
<choice value="GETINBOXDETAILSFORUSER">GETINBOXDETAILSFORUSER</choice>
b. If API = TICKET MANAGAMENT:
<choice value="*">Alle</choice>
<choice value="LISTPARTYINTERACTIONS">LISTPARTYINTERACTIONS</choice>
<choice value="RETRIEVEPARTYINTERACTION">RETRIEVEPARTYINTERACTION</choice>
Please help me to do this.
Hi All, one of the user accounts has been changed by someone and it got reflected in our Active Directory as well, so we want to know who changed it. Consider an example: I am Anandh Alagarasan, my Firstname would be Anandh and my Lastname would be Alagarasan. Recently someone updated my Firstname to Venkat, so when we checked the account in Active Directory I could see that my account now shows as Venkat Alagarasan. So we want to know who changed the FirstName of the user. Hence we want to know whether it will be captured in WinEventLogs. If yes, we want to find out who is the user who changed the First name of the user account Anandh Alagarasan. So kindly help me to know how to pull the information using a search query.
I've got a search head cluster with servers in two time zones. Users are geolocated load balanced, but if one site's servers are unreachable, they are routed to the other site's servers. I know users can set their timezone in preferences; however, I'm looking for a solution that would allow me to update their default timezone information in their user account through a query/REST API.
I am trying to set up an alert in Splunk that will email a user whenever their Windows session is X days old. It would be across multiple hosts/users and use the security event log to determine if there hasn't been a 4647 or 1074 event since their 4624 logon event.  Has anyone set up something similar? Thanks in advance!
index="fw" app="ping" | bin _time span=10m | stats count by client_ip,dest_ip | stats list(dest_ip) AS dest_ip , list(count) AS count by client_ip | table client_ip , dest_ip , count
I'd like to check the origin IP and destination IP that I pinged 10 times in 10 minutes. However, this command calculates the number of times over all times. Give me a hand with this.
Hello sir, I just installed the add-on "Alien Vault Check OTX" in my Splunk Enterprise. I have integrated my API key, but when I use the command | checkotx <ip-add> it shows nothing. Is there any configuration missing? Can you provide me documentation? @larmesto kindly please update me.
I have a time field which has values such as 9AM-10PM, 10:00AM-11:00PM. I want to change 9AM-10PM to 9:00AM-10:00PM, to normalize the field into the same format. I tried strftime(strptime(time_field,"%H%p-%H%p"),"%H:%M%p-%H%:%M%p") but it's not working. I also tried convert() and fieldformat but no luck. Any idea how I can achieve this?
I want to make a presentation in a dashboard where I can see a line per service with the duration of each call of that service. I have made a table in Splunk and would like to create a line chart with multiple lines (one line per service) with duration on the y-axis and time on the x-axis. How can I do that? Or is there another way to get that done?
My search:
index=test sourcetype=test-performance duration>0 | convert timeformat="%Y-%m-%dT%H:%M:%S%:z" ctime(_time) AS date | table date, metric, duration | sort by date
Some events from the table:
date                       metric     duration
2021-08-25T08:55:28+02:00  service1   93
2021-08-25T08:55:28+02:00  service1   4
2021-08-25T08:55:28+02:00  service3   3
2021-08-25T08:55:28+02:00  service4   1
2021-08-25T08:55:23+02:00  service5   84
2021-08-25T08:55:20+02:00  service5   88
2021-08-25T08:50:55+02:00  service1   91
2021-08-25T08:50:55+02:00  service1   18
2021-08-25T08:50:55+02:00  service3   14
2021-08-25T08:50:55+02:00  service6   2
2021-08-25T08:50:55+02:00  service7   4
2021-08-25T08:50:55+02:00  service4   5
2021-08-25T08:50:54+02:00  service8   46
2021-08-25T08:50:54+02:00  service9   43
2021-08-25T08:49:58+02:00  service1   88
2021-08-25T08:49:58+02:00  service1   17
2021-08-25T08:49:58+02:00  service3   16
2021-08-25T08:49:58+02:00  service10  10
2021-08-25T08:49:58+02:00  service11  10
2021-08-25T08:49:58+02:00  service6   2
I am trying to install the Exchange Server add-on and am facing the below error: "There was an error processing the upload. Invalid app contents: archive contains more than one immediate subdirectory: and TA-Windows-Exchange-IIS" Kindly help me out.
Hi, we have a multisite cluster with 1 indexer on each site and 1 SH on the primary site. Currently, when search affinity is enabled and we run a search for index "crowdstrike", we can see the past 30 days of data. But when search affinity is disabled on the search head, the same search displays only recent data and not the past 30 days. Question: Is there something missing configuration-wise?
I would like to know the IP that made status=404 more than 10 times in 10 minutes in a week. Please help me. Field list: ip = src_ip, status = status