Dear Splunkers, I would like to ask your support in order to adapt my search query to return results if the downtime takes a specific time window, e.g. 3 consecutive days. My search query is the following:

| table _time, status, component_hostname, uptime
| sort by _time asc
| streamstats last(status) AS status by component_hostname
| sort by _time asc
| reverse
| delta uptime AS Duration
| reverse
| eval Duration=abs(round(Duration/60,4))
| search uptime=0

Like this I was able to identify components with uptime=0. Now I would like to extend my query to display a result when a specific component has downtime=0 for several consecutive days, e.g. 3 or 2 days. Thank you
I am deployed to a new project in Splunk. We have logs coming from F5 WAF devices sent to our syslog server. Then we will install a UF on our syslog server and forward it to our indexer: Syslog --- UF --- Indexer. And we have a few on-premise servers and a few in AWS EC2 instances. Can someone explain this project to me in more depth? There is no HF in our environment as of now. So where can we write props.conf and transforms.conf? On the indexer or the UF? If we write them on the indexer, will it work, because indexing is already done, right? Will props.conf work before indexing the data in the indexer?
My team has a setup with correlation_search_1 and service1 creating notable events that have the notable event aggregation policy policy1. Now I made additions: correlation_search2, service2 and policy2. But when I went to the episode review window I found out that notable event episodes from search2 are still using policy1. How do I get this set of episodes to follow policy2 without disturbing the previous setup following policy1? I can't find any setting that allows me to do so. Please help me find where this is, if it exists.
We are trying to onboard data from F5 WAF devices to our Splunk. The F5 team is sending it as key-value pairs, and one of them is "headers:xxxxxxxxx" (nearly 40 words). When the data is onboarded and we check it in Splunk Web, in the table format below the headers field is not captured correctly. It is giving some other value. The same happens with another field, whose value is getting truncated. Please help me in this case.
Hi, I am trying to change the indexer configuration from one cluster master to another, but in the process of this change the indexer never starts. The web service log looks like below:

bash$ tail -f var/log/splunk/web_service.log
2024-11-01 16:26:18,141 INFO [6724f3196d7f1cd30e7350] _cplogging:216 - [01/Nov/2024:16:26:18] ENGINE Bus EXITED
2024-11-01 16:26:18,141 INFO [6724f3196d7f1cd30e7350] root:168 - ENGINE: Bus EXITED
2024-11-01 16:38:48,635 INFO [6724f608607f04aeca7810] __init__:174 - Using default logging config file: /data/apps/SPLUNK_INDEXER_1/splunk/etc/log.cfg
2024-11-01 16:38:48,636 INFO [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk level=INFO
2024-11-01 16:38:48,636 INFO [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.appserver level=INFO
2024-11-01 16:38:48,636 INFO [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.appserver.controllers level=INFO
2024-11-01 16:38:48,636 INFO [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.appserver.controllers.proxy level=INFO
2024-11-01 16:38:48,636 INFO [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.appserver.lib level=WARN
2024-11-01 16:38:48,636 INFO [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.pdfgen level=INFO
2024-11-01 16:38:48,636 INFO [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.archiver_restoration level=INFO

Now I have even removed the clustering configuration from server.conf, but still the same issue with the Splunk instance. Has anyone else faced the same issue?

Regards,
Pravin
Hi all, we have ingested some logs using a heavy forwarder as below in /opt/splunk/etc/apps/test_inputs/local/:

inputs.conf
[monitor:///opt/splunk/test/test.log]
index=test
sourcetype=aws:elb:accesslogs
disabled=0
start_from=oldest
_meta = splunk_orig_fwd::splunkfwd_hostname

props.conf
[aws:elb:accesslogs]
TRANSFORMS-aws_elb_accesslogs = aws_elb_accesslogs_extract_all_fields

transforms.conf
[aws_elb_accesslogs_extract_all_fields]
REGEX = ^(?P<Protocol>\S+)\s+(?P<Timestamp>\S+)\s+(?P<ELB>\S+)\s+(?P<ClientPort>\S+)\s+(?P<TargetPort>\S+)\s+(?P<RequestProcessingTime>\S+)\s+(?P<TargetProcessingTime>\S+)\s+(?P<ResponseProcessingTime>\S+)\s+(?P<ELBStatusCode>\S+)\s+(?P<TargetStatusCode>\S+)\s+(?P<ReceivedBytes>\S+)\s+(?P<SentBytes>\S+)\s+\"(?P<Request>[^\"]+)\"\s+\"(?P<UserAgent>[^\"]+)\"\s+(?P<SSLCipher>\S+)\s+(?P<SSLProtocol>\S+)\s+(?P<TargetGroupArn>\S+)\s+\"(?P<TraceId>[^\"]+)\"\s+\"(?P<DomainName>[^\"]+)\"\s+\"(?P<ChosenCertArn>[^\"]+)\"\s+(?P<MatchedRulePriority>\S+)\s+(?P<RequestCreationTime>\S+)\s+\"(?P<ActionExecuted>[^\"]+)\"\s+\"(?P<RedirectUrl>[^\"]+)\"\s+\"(?P<ErrorReason>[^\"]+)\"\s+(?P<AdditionalInfo1>\S+)\s+(?P<AdditionalInfo2>\S+)\s+(?P<AdditionalInfo3>\S+)\s+(?P<AdditionalInfo4>\S+)\s+(?P<TransactionId>\S+)

Before we applied props.conf and transforms.conf, we used the rex function to test the logs in the search head as below, and the fields appeared when searched:

index=test sourcetype=aws:elb:accesslogs | rex field=_raw "^(?P<Protocol>\S+)\s+(?P<Timestamp>\S+)\s+(?P<ELB>\S+)\s+(?P<ClientIP>\S+)\s+(?P<TargetIP>\S+)\s+(?P<RequestProcessingTime>\S+)\s+(?P<TargetProcessingTime>\S+)\s+(?P<ResponseProcessingTime>\S+)\s+(?P<ELBStatusCode>\S+)\s+(?P<TargetStatusCode>\S+)\s+(?P<ReceivedBytes>\S+)\s+(?P<SentBytes>\S+)\s+\"(?P<Request>[^\"]+)\"\s+\"(?P<UserAgent>[^\"]+)\"\s+(?P<SSLCipher>\S+)\s+(?P<SSLProtocol>\S+)\s+(?P<TargetGroupArn>\S+)\s+\"(?P<TraceId>[^\"]+)\"\s+\"(?P<DomainName>[^\"]+)\"\s+\"(?P<ChosenCertArn>[^\"]+)\"\s+(?P<MatchedRulePriority>\S+)\s+(?P<RequestCreationTime>\S+)\s+\"(?P<ActionExecuted>[^\"]+)\"\s+\"(?P<RedirectUrl>[^\"]+)\"\s+\"(?P<ErrorReason>[^\"]+)\"\s+(?P<AdditionalInfo1>\S+)\s+(?P<AdditionalInfo2>\S+)\s+(?P<AdditionalInfo3>\S+)\s+(?P<AdditionalInfo4>\S+)\s+(?P<TransactionId>\S+)"

However, when we ingested the logs as usual, the fields weren't extracted as per the rex during the search. Is there anything missing, or why isn't the regex being applied to the logs? I would appreciate it if anyone has any advice on this. Thank you in advance.
Hi, I have a unique request: I want the Event Actions -> Show Source link to be displayed on the dashboard instead of drilling down by opening the query -> event and then -> show source.
Hi Splunkers, we have an issue with our Telegram alert. We set the alert to send every 5 minutes, but what happens is that the alert is sent only one or two times per day. We filled in and telneted to the proxy server to confirm it is connected:

telnet xxx.xxx.co.id 8080
Trying xx.xx.xx.xx...
Connected to xxx.xxx.co.id.

We also checked splunkd.log and there is an SSL error. Below is the error log:

11-04-2024 10:30:07.063 +0700 ERROR sendmodalert [2216772 AlertNotifierWorker-0] - action=telegram STDERR - WARNING:urllib3.connectionpool:Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:1106)'))': /bot7980126779:AAGIDUqqXlAEdfeLE7_OcOiqtJCIOzVljXc/sendMessage?chat_id=-4525666353&text=%3Cb%3ESPLUNK+ALERT+MESSAGE%0A------------------------------%3C%2Fb%3E%0A%3Cb%3EAlert+Name%3C%2Fb%3E%3A+test_telegram+%0A%3Cb%3ESEVERITY%3C%2Fb%3E%3A+High+%0A%3Cb%3EMESSAGE%3C%2Fb%3E%3A+R2.BRN.PE-MOBILE.2%3B56+%0A%3Cb%3EResults+Link%3C%2Fb%3E%3A+https%3A%2F%2Fdcosplunksearchhead%3A8000%2Fapp%2Falert_telegram%2Fsearch%3Fq%3D%257Cloadjob%2520scheduler__usercomm_YWxlcnRfdGVsZWdyYW0__RMD5486a20947b8a80a2_at_1730691000_1982%2520%257C%2520head%25201%2520%257C%2520tail%25201%26earliest%3D0%26latest%3Dnow&parse_mode=HTML
11-04-2024 10:30:07.363 +0700 INFO sendmodalert [2216772 AlertNotifierWorker-0] - action=telegram - Alert action script completed in duration=6326 ms with exit code=5
11-04-2024 10:30:07.363 +0700 WARN sendmodalert [2216772 AlertNotifierWorker-0] - action=telegram - Alert action script returned error code=5
11-04-2024 10:30:07.363 +0700 ERROR sendmodalert [2216772 AlertNotifierWorker-0] - Error in 'sendalert' command: Alert script returned error code 5.

Please help us to solve this issue. Thanks.
Hello, I installed the AppDynamics platform recently and I want to instrument a .NET Core application in Docker. For all the other agents, such as the machine agent, I used secure credentials, but for .NET Core in containers I couldn't find any reference for the environment which I can set in the Docker image. Is there any way I can use secure credentials like with the Java agent?
I want my customer to be able to set the "interval" and control how frequently the module runs. I started with this in default/inputs.conf:

[app_name]
interval = 43200

and it worked as a default fallback, but once I added it to inputs.conf.spec, things started to break:

[app_name://<name>]
interval = <integer>

The value was ignored. I tried 30 for every 30 seconds and tracked the logs. Furthermore, I had this log message on my server:

Ignoring parameter "interval" for modular input "app_name" when scheduling the runtime for script="/opt/splunk/etc/apps/app_name/bin/script_name.py". This means potentially Splunk won't be restarting it in case it gets terminated.

What is the way to expose "interval" to the end user? (Ideally in "more options" in the Add Input UI.)
Hello, below is my log file and I want to break it into two log events in Splunk using props.conf (regex):

2024-07-31T01:38:09.930Z [INFO] ContentGenerator {"recordType":"CGStats","statType":"global","workFlow":"","front":{"hlsMaster":{"requests":0,"responses":0,"responseMCHit":0,"responseAwaitingDecision":0,"msecSum":"0","msecBins":{"5000":0,"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0},"errors":0,"codes":{"404":0,"200":0},"codeCategory":{"6":0,"0":0}},"hlsVariant":{"requests":10,"responses":10,"responseMCHit":0,"responseAwaitingDecision":0,"msecSum":"1208","msecBins":{"50":8,"100":0,"500":2,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"404":0,"504":0,"200":10},"codeCategory":{"19":0,"0":10,"5":0}},"dashMPD":{"requests":0,"responses":0,"responseMCHit":0,"responseAwaitingDecision":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"errors":0,"codes":{"200":0},"codeCategory":{}}},"back":{"origin":{"hlsMaster":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"errors":0,"codes":{"404":0,"200":0}},"hlsVariant":{"requests":12,"requestCacheCount":12,"responses":12,"response**bleep**":0,"responsesMiss":12,"responsesHeld":0,"msecSum":"201","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":12,"100":0},"errors":0,"codes":{"504":0,"200":12,"404":0}},"dashMPD":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"errors":0,"codes":{"200":0}}},"advert":{"hlsMaster":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"200":0,"404":0}},"hlsVariant":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"200":0}},"dashMPD":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"200":0}}},"altcon":{"hlsMaster":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"errors":0,"codes":{"200":0}},"hlsVariant":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"errors":0,"codes":{"200":0}},"dashMPD":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"200":0}}}},"decision":{"hls":{"ads":{"markers":0,"opportunities":0,"opportunityDrops":{"8":0,"0":0,"3":0,"4":0,"5":0},"requests":0,"responses":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"admux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0}},"placedPerOp":{"0":0,"2":0,"3":0},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0,"preDecision":{"added":0,"request":0,"response":0,"consumed":0,"timeouts":0,"dropped":0}},"acds":{"markers":0,"opportunities":0,"opportunityDrops":{},"requests":0,"responses":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"altconmux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0}},"placedPerOp":{},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0}},"dash":{"ads":{"markers":0,"opportunities":0,"opportunityDrops":{},"requests":0,"responses":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"admux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"5000":0,"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0}},"placedPerOp":{},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0,"preDecision":{"added":0,"request":0,"response":0,"consumed":0,"timeouts":0,"dropped":0}},"acds":{"markers":0,"opportunities":0,"opportunityDrops":{},"requests":0,"responses":0,"msecSum":"0","msecBins":{"5000":0,"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0},"altconmux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0}},"placedPerOp":{},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0}}},"session":{"hls":{"requests":0,"responses":0,"restoreRequests":0,"restoreResponses":0,"errors":0,"codes":{"0":0},"restoreErrors":0,"restoreCodes":{"1":0},"msecSum":"0","msecBins":{"5000":0,"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0},"restoreMsecSum":"0","restoreMsecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"reconfig":0,"reserveLimit":0},"dash":{"requests":0,"responses":0,"restoreRequests":0,"restoreResponses":0,"errors":0,"codes":{},"restoreErrors":0,"restoreCodes":{},"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"restoreMsecSum":"0","restoreMsecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"reconfig":0,"reserveLimit":0}},"timestamp":{"statsResetTime":1207442342,"nsTimestamp":2984280751}}
2024-07-31T01:38:09.931Z [INFO] ContentGenerator {"recordType":"CGHealth","ContentGenerator":{"KnownSessions":1,"WaitingForResponse":0,"PendingDeleteSessions":0,"UnderRecovery":0,"jobQueue":0,"JobsEnqueued":5221688,"JobsDequeued":5221688,"AllocatedSessions":1,"CGStatsSessions":1,"HPIReqs":8,"ManifestCacheObjs":83,"SavedState":29159,"HlsCount":1,"DashCount":0,"HpiReq":346395,"HpiCancel":0,"GitRef":"41d2f857114d10689016ff5074144a580b1ba544","Status":200},"DecisionQueue":{"adReqQueue":{"queuedJobs":658,"dequeuedJobs":658,"lowExceeded":0,"highExceeded":0,"maxQueueDepth":1,"deadline":0,"lowCount":0,"highCount":0,"outstanding":0,"lowWater":250,"highWater":500},"boReqQueue":{"queuedJobs":0,"dequeuedJobs":0,"lowExceeded":0,"highExceeded":0,"maxQueueDepth":0,"deadline":0,"lowCount":0,"highCount":0,"outstanding":0,"lowWater":250,"highWater":500}},"MQMessages":{"Messages":{"1511":2,"1508":22,"1514":352,"704":359,"706":6,"1044":658,"709":372,"9":4693470}}}
2024-07-31T01:39:09.058Z [INFO] ContentGenerator {"recordType":"CGStats","statType":"global","workFlow":"","front":{"hlsMaster":{"requests":0,"responses":0,"responseMCHit":0,"responseAwaitingDecision":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"200":0,"404":0},"codeCategory":{"0":0,"6":0}},"hlsVariant":{"requests":10,"responses":10,"responseMCHit":0,"responseAwaitingDecision":0,"msecSum":"1305","msecBins":{"500":0,"1000":2,"5000":0,"15000":0,"above":0,"50":8,"100":0},"errors":0,"codes":{"504":0,"200":10,"404":0},"codeCategory":{"5":0,"19":0,"0":10}},"dashMPD":{"requests":0,"responses":0,"responseMCHit":0,"responseAwaitingDecision":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"200":0},"codeCategory":{}}},"back":{"origin":{"hlsMaster":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"errors":0,"codes":{"404":0,"200":0}},"hlsVariant":{"requests":12,"requestCacheCount":12,"responses":12,"response**bleep**":0,"responsesMiss":12,"responsesHeld":0,"msecSum":"287","msecBins":{"50":12,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"504":0,"200":12,"404":0}},"dashMPD":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"errors":0,"codes":{"200":0}}},"advert":{"hlsMaster":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"404":0,"200":0}},"hlsVariant":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"5000":0,"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0},"errors":0,"codes":{"200":0}},"dashMPD":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"errors":0,"codes":{"200":0}}},"altcon":{"hlsMaster":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"errors":0,"codes":{"200":0}},"hlsVariant":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"errors":0,"codes":{"200":0}},"dashMPD":{"requests":0,"requestCacheCount":0,"responses":0,"response**bleep**":0,"responsesMiss":0,"responsesHeld":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"errors":0,"codes":{"200":0}}}},"decision":{"hls":{"ads":{"markers":0,"opportunities":0,"opportunityDrops":{"8":0,"0":0,"3":0,"4":0,"5":0},"requests":0,"responses":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"admux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0}},"placedPerOp":{"0":0,"2":0,"3":0},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0,"preDecision":{"added":0,"request":0,"response":0,"consumed":0,"timeouts":0,"dropped":0}},"acds":{"markers":0,"opportunities":0,"opportunityDrops":{},"requests":0,"responses":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"altconmux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0}},"placedPerOp":{},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0}},"dash":{"ads":{"markers":0,"opportunities":0,"opportunityDrops":{},"requests":0,"responses":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"admux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0}},"placedPerOp":{},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0,"preDecision":{"added":0,"request":0,"response":0,"consumed":0,"timeouts":0,"dropped":0}},"acds":{"markers":0,"opportunities":0,"opportunityDrops":{},"requests":0,"responses":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"altconmux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0}},"placedPerOp":{},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0}}},"session":{"hls":{"requests":0,"responses":0,"restoreRequests":0,"restoreResponses":0,"errors":0,"codes":{"0":0},"restoreErrors":0,"restoreCodes":{"1":0},"msecSum":"0","msecBins":{"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0},"restoreMsecSum":"0","restoreMsecBins":{"5000":0,"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0},"reconfig":0,"reserveLimit":0},"dash":{"requests":0,"responses":0,"restoreRequests":0,"restoreResponses":0,"errors":0,"codes":{},"restoreErrors":0,"restoreCodes":{},"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"restoreMsecSum":"0","restoreMsecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"reconfig":0,"reserveLimit":0}},"timestamp":{"statsResetTime":1207442342,"nsTimestamp":1982904320}}
:{"markers":0,"opportunities":0,"opportunityDrops":{"8":0,"0":0,"3":0,"4":0,"5":0},"requests":0,"responses":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"admux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0}},"placedPerOp":{"0":0,"2":0,"3":0},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0,"preDecision":{"added":0,"request":0,"response":0,"consumed":0,"timeouts":0,"dropped":0}},"acds":{"markers":0,"opportunities":0,"opportunityDrops":{},"requests":0,"responses":0,"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"altconmux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0}},"placedPerOp":{},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0}},"dash":{"ads":{"markers":0,"opportunities":0,"opportunityDrops":{},"requests":0,"responses":0,"msecSum":"0","msecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"admux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0}},"placedPerOp":{},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAborts":0,"preDecision":{"added":0,"request":0,"response":0,"consumed":0,"timeouts":0,"dropped":0}},"acds":{"markers":0,"opportunities":0,"opportunityDrops":{},"requests":0,"responses":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0},"altconmux":{"responses":0,"timeouts":0,"msecSum":"0","msecBins":{"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0,"above":0}},"placedPerOp":{},"placements":0,"opAborts":0,"spliceDrops":0,"spliceFails":0,"spliceStarts":0,"spliceEnds":0,"spliceTrims":0,"spliceAbort
s":0}}},"session":{"hls":{"requests":0,"responses":0,"restoreRequests":0,"restoreResponses":0,"errors":0,"codes":{"0":0},"restoreErrors":0,"restoreCodes":{"1":0},"msecSum":"0","msecBins":{"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0},"restoreMsecSum":"0","restoreMsecBins":{"5000":0,"15000":0,"above":0,"50":0,"100":0,"500":0,"1000":0},"reconfig":0,"reserveLimit":0},"dash":{"requests":0,"responses":0,"restoreRequests":0,"restoreResponses":0,"errors":0,"codes":{},"restoreErrors":0,"restoreCodes":{},"msecSum":"0","msecBins":{"500":0,"1000":0,"5000":0,"15000":0,"above":0,"50":0,"100":0},"restoreMsecSum":"0","restoreMsecBins":{"above":0,"50":0,"100":0,"500":0,"1000":0,"5000":0,"15000":0},"reconfig":0,"reserveLimit":0}},"timestamp":{"statsResetTime":1207442342,"nsTimestamp":1982904320}}     Expectation: Event1 : 2024-07-31T01:38:09.930Z [INFO] ContentGenerator Event 2 : complete json   
We have 500 domain workstations, and we have installed Splunk Universal Forwarders (UF) on the Active Directory server. The question is, how can we monitor the security logs of those workstations from the Universal Forwarder installed on the Active Directory server?
Hi All,

I have a requirement where I need to filter the virtual machine outage occurrence from the kernel logs.

I have sent kernel logs to Splunk based on some pattern. Now I have an issue filtering those values in Splunk. The requirement is that I need to filter the data only if one "string" has appeared in the logs on the same day.

Example: I have the following logs in Splunk:

date1: hv_vmbus: registering driver hv_netvsc
date1:hv_netvsc 000d3 eth0: VF dot 1 added
date1:hv_netvsc 000d3 eth0: VF dot 2 added
date1:hv_netvsc 000d3 eth0: VF dot 2 removed
date1:hv_netvsc 000d3 eth0: VF dot 1 removed
date2:hv_netvsc 000d3 eth0: VF dot 1 added
date2:hv_netvsc 000d3 eth0: VF dot 2 added
date2:hv_netvsc 000d3 eth0: VF dot 2 removed
date2:hv_netvsc 000d3 eth0: VF dot 1 removed

I need to fetch the data for "dot" only if the "hv_vmbus" pattern occurred on the same date. Here I need only the data in date1.

I tried the following query but it isn't working for me:

index="index0" | search "dot" | rex field=msg "VF\s+dot\s+(?<dot_number>\d+)" | dedup msg | sort _time,host | stats range(_time) as n1 by host,dot_number

Requesting help for achieving this requirement.

Thanks,
Veeresh Shenoy
I have 2 fields that hold 3 values:
Field 1 values = a,b,c
Field 2 values = 1,2,3

Is there a way to table them without using the join/append/appendcols commands? This is how my search query looks so far, but I'm getting weird results:

index= example sourcetype=example1
|search "example"
|rex field=text "???<field1>"
|rex field=text "OTL<field1>"
...existing search query
|appendcols index= example sourcetype=example1
|search "example"
|rex field=text "???<field1>"
|rex field=text "OTL<field1>"
|search field1 != c
|rex field=text "<field2>"
|table field1 field2
|search field2= 1
|append [index= example sourcetype=example1
|search "example"
|rex field=text "???<field1>"
|rex field=text "OTL<field1>"
|search field1 != a field1 !=b
|rex field=text "<field2>"
|table field1 field2
|search field2= 2]

The weird results I'm getting are:
I have this Dockerfile where my base image is Red Hat 9:

ENV SPLUNK_PRODUCT splunk
ENV SPLUNK_VERSION 7.0.3
ENV SPLUNK_BUILD fa31da744b51
ENV SPLUNK_FILENAME splunk-${SPLUNK_VERSION}-${SPLUNK_BUILD}-Linux-x86_64.tgz
ENV SPLUNK_HOME /opt/splunk
ENV SPLUNK_GROUP splunk
ENV SPLUNK_USER splunk
ENV SPLUNK_BACKUP_DEFAULT_ETC /var/opt/splunk
ENV OPTIMISTIC_ABOUT_FILE_LOCKING=1
RUN groupadd -r ${SPLUNK_GROUP} \
 && useradd -r -m -g ${SPLUNK_GROUP} ${SPLUNK_USER}
RUN dnf -y update \
 && dnf -y install --setopt=install_weak_deps=False glibc-langpack-en glibc-all-langpacks \
 && localedef -i en_US -f UTF-8 en_US.UTF-8 || echo "Locale generation failed" \
 && dnf clean all
ENV LANG en_US.UTF-8
# pdfgen dependency
RUN dnf -y install krb5-libs \
 && dnf clean all
# Download official Splunk release, verify checksum and unzip in /opt/splunk
# Also backup etc folder, so it will be later copied to the linked volume
RUN dnf -y install wget sudo
RUN mkdir -p ${SPLUNK_HOME} \
 && wget -qO /tmp/${SPLUNK_FILENAME} https://download.splunk.com/products/${SPLUNK_PRODUCT}/releases/${SPLUNK_VERSION}/linux/${SPLUNK_FILENAME} \
 && wget -qO /tmp/${SPLUNK_FILENAME}.md5 https://download.splunk.com/products/${SPLUNK_PRODUCT}/releases/${SPLUNK_VERSION}/linux/${SPLUNK_FILENAME}.md5 \
 && (cd /tmp && md5sum -c ${SPLUNK_FILENAME}.md5) \
 && tar xzf /tmp/${SPLUNK_FILENAME} --strip 1 -C ${SPLUNK_HOME} \
 && rm /tmp/${SPLUNK_FILENAME} \
 && rm /tmp/${SPLUNK_FILENAME}.md5 \
 && dnf -y remove wget \
 && dnf clean all \
 && mkdir -p /var/opt/splunk \
 && cp -R ${SPLUNK_HOME}/etc ${SPLUNK_BACKUP_DEFAULT_ETC} \
 && rm -fR ${SPLUNK_HOME}/etc \
 && chown -R ${SPLUNK_USER}:${SPLUNK_GROUP} ${SPLUNK_HOME} \
 && chown -R ${SPLUNK_USER}:${SPLUNK_GROUP} ${SPLUNK_BACKUP_DEFAULT_ETC}
COPY etc/ /opt/splunk/etc/
COPY license.xml /splunk-license.xml
COPY entrypoint.sh /sbin/entrypoint.sh
RUN chmod +x /sbin/entrypoint.sh
EXPOSE 9998/tcp
EXPOSE 9999/tcp
WORKDIR /opt/splunk
ENV SPLUNK_CMD edit user admin -password admin -auth admin:changeme --accept-license --no-prompt
ENV SPLUNK_CMD_1 add licenses /splunk-license.xml -auth admin:admin
ENV SPLUNK_START_ARGS --accept-license --answer-yes
VOLUME [ "/opt/splunk/etc", "/opt/splunk/var" ]
ENTRYPOINT ["/sbin/entrypoint.sh"]
CMD ["start-service"]

I also mount volumes in /data/splunk and use this command to run the container from the host:

docker run \
 --name splunk \
 --hostname splunk \
 -d \
 -p 80:8000 \
 -p 8088:8088 \
 -p 8089:8089 \
 -p 9998:9998 \
 -p 9999:9999 \
 -v $splunkVarRoot:/opt/splunk/var \
 -v $splunkEtcRoot:/opt/splunk/etc \
 -e "SPLUNK_START_ARGS=--accept-license --answer-yes" \
 $IMPL_DOCKER_REPO/$splunkVersion

docker run \
 --name splunk \
 --hostname splunk \
 -d \
 -p 80:8000 \
 -p 8088:8088 \
 -p 8089:8089 \
 -p 9998:9998 \
 -p 9999:9999 \
 -v /data/splunk/var:/opt/splunk/var \
 -v /data/splunk/etc:/opt/splunk/etc \
 -e "SPLUNK_START_ARGS=--accept-license --answer-yes" \
 my_image

The UI is working and seems OK, but I don't see any data and I get this: 'kv store process terminated abnormally exit code 1'. What should I do?
Hello everyone, I have set up my Splunk server and Splunk forwarder. When I explore the settings, I can see one host as shown in the image. However, when I try to add data from the Add Data section, I get an error like in the other image. Can you help me resolve this issue?  
I have two indexes (index A and index B). I need to measure the response time of a top-up of a prepaid or postpaid number with the help of the transaction ID. From index A I can filter whether the transaction is prepaid or postpaid; index A contains (customer ID, Type (Prepaid or Postpaid)). In index B we have two logs, one is the request log and the other is the response log. With the help of the customer ID from index A I need to find the transaction ID from the request log, since the customer ID is not available in the response log. Once we get the transaction ID, we need to subtract the timestamps (Response log time - Request log time).

Index A log pattern ---> _timestamp, customerID, type
Index B ---> contains request and response log.
Request log pattern ---> timestamp, transactionID, customer ID
Response log pattern ---> timestamp, transactionID, status

Method to measure ---> From index A we need to get the customerID and then go to index B to find out the transaction ID from the request log. With the help of the transactionID we need to subtract the timestamps between the response and request logs from index B.

Please help us with how we can proceed in an SPL query.
Hi All,

I just wanted to know if there is any way to display text boxes upon clicking any of the buttons in my dashboard. I uploaded a picture for your reference. Upon clicking any of the buttons, I want to display 2 text boxes. Later I would like to provide input in those text boxes and search for the logs.

<dashboard version="1.1" script="customview.js" theme="dark">
<label>Search Dashboard</label>
<row>
<panel>
<html>
<h1 style="text-align: center;">Choose from the below options to get started :)</h1>
<!-- Centered button container -->
<div style="display: flex; justify-content: center; align-items: center; gap: 10px; margin-top: 20px;">
<button id="proxySearch" onclick="showTextBoxes()" style="background-color: #007bff; color: white; width: 150px; height: 50px; font-size: 18px; border: none; border-radius: 5px;">Proxy Search</button>
<button id="WAFsearch" style="background-color: #007bff; color: white; width: 150px; height: 50px; font-size: 18px; border: none; border-radius: 5px;">WAF Search</button>
<button id="DNSsearch" style="background-color: #007bff; color: white; width: 150px; height: 50px; font-size: 18px; border: none; border-radius: 5px;">DNS Search</button>
<button id="Emailsearch" style="background-color: #007bff; color: white; width: 150px; height: 50px; font-size: 18px; border: none; border-radius: 5px;">Email Search</button>
</div>
<div id="mychart"></div>
</html>
</panel>
</row>
</dashboard>

I first wanted to know how to show text boxes upon clicking any of the buttons. I know we have to use JS for this kind of activity, but can anyone suggest how it needs to be done?
I'm looking for a query to display a list of jobs stuck in the queue (over the past 7 days). Does anyone know the query?
Hello, I'm still new to Splunk. Recently I was testing the BrowsingHistoryView Add-on for Splunk. I was able to deploy it and push it to the Windows clients. However, it is not working properly: basically BrowsingHistoryView.exe is not working fully under the virtual Splunk account, but if I run the loader .bat script under my account it works perfectly. Can anyone help with this? Thank you.