Good day,

As mentioned in the subject, I want to retrieve results from 2 searches, both containing JOIN. The purpose of this is to join search results on different time ranges (i.e. now, and 1 day ago). I used multisearch. However, I am getting this error:

    Error in 'multisearch' command: Multisearch subsearches might only contain purely streaming operations (subsearch 1 contains a non-streaming command).

I also/already tried append, but I am not getting the results of the 2nd main search, just the first one (i.e. count_ago has values, but count_now). I placed the | append in between the 2 main searches.

To, hopefully, be clearer, here's my actual search using multisearch with comments:

    | multisearch
        `comment("1st main search")`
        [ search index="<index>" earliest=-0d@d latest=now
          | rename <join_field> as tmp
          | join tmp [ search index=<other_index> | table <ret_id> ]
          | where <ret_id>=<some_value>
          | eval key="now"
          | stats list(<vals>) as <vals>
          | eventstats count(<vals>) as count_vals by <group_name>
          | sort -count_vals
          | head 20
          | eval count_now=mvmap(count_vals, if(((count_vals=="") or (isnull(count_vals))), 0, count_vals)) ]
        `comment("2nd main search")`
        [ search index="<index>" earliest=-1d@d latest=-0d@d
          | rename <join_field> as tmp
          | join tmp [ search index=<other_index> | table <ret_id> ]
          | where <ret_id>=<some_value>
          | eval key="ago"
          | stats list(<vals>) as <vals>
          | eventstats count(<vals>) as count_vals by <group_name>
          | sort -count_vals
          | head 20
          | eval count_ago=mvmap(count_vals, if(((count_vals=="") or (isnull(count_vals))), 0, count_vals)) ]
    | fields <group_name>, count_now, count_ago

This is my code for using append:

    `comment("1st main search")`
    index="<index>" earliest=-0d@d latest=now
    | rename <join_field> as tmp
    | join tmp [ search index=<other_index> | table <ret_id> ]
    | where <ret_id>=<some_value>
    | eval key="now"
    | stats list(<vals>) as <vals>
    | eventstats count(<vals>) as count_vals by <group_name>
    | sort -count_vals
    | head 20
    | eval count_now=mvmap(count_vals, if(((count_vals=="") or (isnull(count_vals))), 0, count_vals))
    | append `comment("2nd main search")`
        [ search index="<index>" earliest=-1d@d latest=-0d@d
          | rename <join_field> as tmp
          | join tmp [ search index=<other_index> | table <ret_id> ]
          | where <ret_id>=<some_value>
          | eval key="ago"
          | stats list(<vals>) as <vals>
          | eventstats count(<vals>) as count_vals by <group_name>
          | sort -count_vals
          | head 20
          | eval count_ago=mvmap(count_vals, if(((count_vals=="") or (isnull(count_vals))), 0, count_vals)) ]
    | fields <group_name>, count_now, count_ago

Anybody have ideas on how to do this correctly? Thanks a lot in advance!
Hi,

I am ingesting JSON data using the log2metrics_json source type into a metrics index. Everything is working fine when the JSON is ingested from a file, but when the JSON is received over UDP, I am getting errors like this:

    INFO MetricSchemaProcessor [665036 typing] - channel confkey=source::udp:5514|host::1.1.1.1|log2metrics_json| has an event with no measure, will be skipped.
    WARN IndexProcessor [664977 indexerPipe] - The metric event is not properly structured, source=5514, sourcetype=log2metrics_json, host=1.1.1.1, index=j2m. Metric event data without a metric name and preoperly formated numerical values are invalid and cannot be indexed. Ensure the input metric data is not malformed, have one or more keys of the form "metric_name:<metric>" (e.g..."metric_name:cpu.idle") with corresponding floating point values. raw=

What could be the root cause? Why is there this error when the source is UDP, but it works fine when read from a file?
Hello dears, I have switches, IP addresses and ports, and I want a list of the users which are connected to the ports. User information is in a lookup file whose name is list.csv; list.csv contains: ip,port,user

    <base_search>
    | lookup list.csv ip as host port as if_name OUTPUT user
    | stats count by host,if_name,user
Hi, I am trying to change/control many multi-select dropdowns by one Master multi-select dropdown value/checks. So I am trying to use more than one value in the set-token tag. But it is not working: if I give 2 values in the set-token tag, then they get merged, but if I give a single value then it is working fine. I tried multiple ways like double quotes, single quotes, and many symbols, but I could not find the solution.

Please find the below example and help me to find a solution.

    <set token="form.Filter1"> "rejected" , "new" </set>

The output will be like below. But the expectation is like below.

Example in multiselect code:

    <input type="dropdown" token="MasterFilter_Token">
      <label>MasterFilter</label>
      ...,
      <change>
        <condition>
          <set token="form.Filter1"> "new", "rejected", "closed" </set>
          ...,
        </condition>
      </change>
      ...,

@token1 @Anonymous @splunk
Hi, I have an XML file like this; how can I table it with xpath or spath?

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <info xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <error-codes>
        <error-code code="000" message="Exceeded" severity="1" InfoCode="0000" action="" description=""/>
        <error-code code="001" message="Not Found" severity="1" InfoCode="0000" action="" description=" nope"/>
      </error-codes>
    </info>

Expected output:

    ....  | table code message severity InfoCode action description
How do I replace a value for a field with "Good" if the value is less than 0.02?

    Value  Key  date
    0.02   1    1/1/2017
    0.02   1    1/2/2017
    0.05   1    1/3/2017
    0.02   1    1/4/2017
    0.02   1    1/5/2017
    0.02   1    1/6/2017

Suppose the value is less than 0.02; I want to replace the value with the string "Good":

    Value  Key  date
    Good   1    1/1/2017
    Good   1    1/2/2017
    0.05   1    1/3/2017
    Good   1    1/4/2017
    Good   1    1/5/2017
    Good   1    1/6/2017
I have installed Splunk on a Linux server and made all the verifications to make sure it's working. However, when I go to the browser, the web page will not load.
I have a nested JSON element that gives back up to 8 field names. I table them like:

    | table "Config.DiskBrandSize.*"

Which has child elements like:

    Barracuda: 100gb
    Seagate: 50gb
    Sandisk: 150gb

I then sum them up:

    | chart sum("Config.DiskBrandSize.*")

and I get a table with columns like "sum(Config.DiskBrandSize{}.Sandisk)". But I want to rename that to just something like "SandiskTotal", which is created from the column name + "Total", NOT do manual renames. I can't figure out how to do this with a foreach either.
Hi, I have a field in my log called ServerRespTime. I want to detect outliers of ServerRespTime. Here are the conditions:

1- under 0.05 is a normal ServerRespTime
2- above 0.05 (if it continues for a couple of seconds) is an abnormal ServerRespTime

Any idea? Thanks,
I'm counting up the hits to my website's specific URIs over each day. I'm using chart because I have to bucket by _time for other reasons related to how the data is dumped from a db into Splunk:

    | bucket span=1d _time
    | chart count(uri) as uris by _time domain

This works fine. But what I'd like to do now is be able to dynamically choose one of the URIs as a chart overlay and show its total percentage of the hits vs the total for the day. I can't figure out how to do this. Is there a way to access the | addtotals "Total" field but for only one column/URI? Or what about using tokens in the search and rerunning the search as I pick different URIs to overlay? Or....? I got the idea from this: https://docs.splunk.com/Documentation/SplunkCloud/8.2.2107/SearchTutorial/Chartoverlays but I need to figure out how to calculate the percentages dynamically and against | addtotals "Total".
So, to preface this, I am very new to Splunk. The end game is to make a chart overlay, but that's not my main question here. I have two searches with very similar information being returned. I need to make a table with information from both searches and I just can't seem to manage it. I have tried append, appendcols, multisearch, etc. The problem is that I cannot use OR for the sourcetype because the two sourcetypes have extremely similar information in them and the queries to pull from them are the exact same.

Example:

First:

    index = indexa sourcetype = sourcetypeA
    | count X as "Result A"
    | other logic etc
    | table month_year "Result A"

Second:

    index= indexa sourcetype = sourcetypeB
    | count X as "Result B"
    | other logic etc
    | table month_year "Result B"

Ultimately I'd want the results to say:

    month_Year  Result B  Result A
    info        info      info

Right now when I attempt to do anything, it just skips out on "Result B" entirely. I know there must be some simple way I'm just missing. If anyone could help me out I'd really appreciate it, this is driving me crazy.
Hi, what is the rex for "No is invalid. Please ask to a admin"? Here is the log:

    21:32:26.729 customer modules: type="xsd:string">&lt;response&gt;&lt;result&gt;ActionFail&lt;/result&gt;&lt;errno&gt;00000&lt;/errno&gt;&lt;desc&gt;No is invalid. Please ask to a admin&lt;/desc&gt;&lt;jobid&gt;000000&lt;/jobid&gt;&lt;msgid&gt;00000&lt;/msgid&gt;&lt;cmd&gt;info&lt;/cmd&gt;&lt;/response&gt;</return></ad1:

Thanks,
I have data in the following format, measured in an interval of an hour.

    Date            Restaurant id  Food Code  Average Order
    1/1/2017 0:00   101            1          0.004
    1/1/2017 1:00   101            1          0.004
    1/1/2017 2:00   101            1          0.004
    1/1/2017 3:00   101            1          0.004
    1/1/2017 4:00   101            1          0.003
    1/1/2017 5:00   101            1          0.003
    1/1/2017 6:00   101            1          0.003
    1/1/2017 7:00   101            1          0.003
    1/1/2017 8:00   101            1          0.004
    1/1/2017 9:00   101            1          0.003
    1/1/2017 10:00  101            1          0.004
    1/1/2017 11:00  101            1          0.004
    1/1/2017 12:00  101            1          0.004
    1/1/2017 13:00  101            1          0.005
    1/1/2017 14:00  101            1          0.006
    1/1/2017 15:00  101            1          0.006
    1/1/2017 16:00  101            1          0.006
    1/1/2017 17:00  101            1          0.005
    1/1/2017 18:00  101            1          0.005
    1/1/2017 19:00  101            1          0.005
    1/1/2017 20:00  101            1          0.004
    1/1/2017 21:00  101            1          0.004
    1/1/2017 22:00  101            1          0.004
    1/1/2017 23:00  101            1          0.004

I am trying to merge each 24-hour event into a single event and take an average of the average order. The output should be like this:

    Date      Restaurant id  Food Code  Average Order
    1/1/2017  101            1          0.003

I tried using timechart and bin; every time I get all 24 rows. Since I have data measured every hour, which is too specific, I want to turn it into a day interval instead and take the average of the average order. Help would be highly appreciated.
Can I get assistance on the command to update the mmdb in my environment for a particular state?
Hello, I need to open another panel from my main panel when I click on the field "web_url". So I need to display the events related to the field "web_url" in my second dashboard. Here is what I am doing, but it opens all the events and not only the events related to "web_url"... What is wrong please?

    <panel>
      <title>URL Web</title>
      <table>
        <search>
          <query>index=mes sourcetype=web | stats sum(web_error_count) as "Total erreurs Http" by web_url | rename web_url as web_url | sort - "Total erreurs Http"</query>
          <earliest>-1d@d</earliest>
          <latest>@d</latest>
          <refresh>30s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <format type="number" field="Parameters"></format>
        <format type="number" field="ResponseTime">
          <option name="precision">1</option>
          <option name="unit">ms</option>
          <option name="useThousandSeparators">false</option>
        </format>
        <format type="color" field="Web Error Count">
          <colorPalette type="minMidMax" maxColor="#DC4E41" minColor="#FFFFFF"></colorPalette>
          <scale type="minMidMax"></scale>
        </format>
        <format type="color" field="Total erreurs Http">
          <colorPalette type="minMidMax" maxColor="#DC4E41" minColor="#FFFFFF"></colorPalette>
          <scale type="minMidMax"></scale>
        </format>
        <drilldown>
          <set token="web_url">$click.value$</set>
        </drilldown>
      </table>
    </panel>
    </row>
    <row>
      <panel depends="$web_url$">
        <table>
          <title>Response= $web_url$</title>
          <search>
            <query>index=mes sourcetype=web | table "ID" "Nom" site type"</query>
Hi, I have ticketing system values in my SIEM, where different support people work on a ticket. I am trying to create a table where I need to show tickets with the last status only per ticket; for example, if 3 engineers worked on a ticket then this table should show only the last updated time and status. My problem is that the following query groups tickets correctly but shows all status values per ticket and also changed the _time format to integer values:

    | table _time status service user eventid tickets
    | stats values(status) values(service) values(user) values(eventid) by tickets
    | convert ctime(_time)
    | sort _time

Can you please advise? Regards
Hi Experts, I want to trigger an alert based on the scenario below:

1) Get license utilization in GB for yesterday and the day before yesterday.
2) Show the difference in GB, and if the difference has increased by 40GB then trigger an alert.

Something like below; I want to trigger the alert only for line 2, that is for database:

    index_name   yesterday  day_before_yesterday  diff
    application  20GB       10GB                  10GB
    database     30GB       70GB                  40GB
    security     40GB       20GB                  20GB
Hello, our test environment uses the production LM and we never had any compatibility issue upgrading the test nodes first:

    6.2.3 > 6.5.2
    6.5.2 > 7.1.4
    7.1.4 > 7.3.4

We plan to upgrade 7.3.4 to 8.2.2; any possible issue? In fact https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Configurealicensemaster rather looks like a best practice and not a requirement. Thanks
Hi, I am trying to install the ITSI Module for Kafka smart monitoring App and its related Kafka streaming platform logging management TA, but I received notification from my support case that the app/add-on is incompatible for jQuery reasons. The TA came back with unspecified incompatibilities. Guilhem Marchand is the author of the work. Does anyone know if the TA/App combo is being maintained? Thanks in advance, Alex
Of the Servers LM, CM, SHC or Deployment server, which needs to be put in a maintenance mode before upgrading to 8.2.2.1 please? Thanks a million for your help.