I am trying to plot only cumulative users in a timechart, but the daily user value also comes in the timechart. How can I stop the daily user value from being shown? Here is my search:

<search>
| timechart span=1d count as Daily_Users
| streamstats sum(Daily_Users) as Cumulative_Users

--Sunray
Hi, how can I search for something like this:

40: message.body.v10.timeLocalTransaction: [00*]

FYI: it seems special characters are not supported in search.

Thanks,
Hello, I want to conduct a search, set a token according to the search result and then set another bunch of tokens depending on the search result token. However, my tokens ($test1$, $test2$ and $test3$) never get set. Any ideas what I'm doing wrong?

<dashboard>
  <label>Titel</label>
  <row>
    <panel depends="$alwaysHideCSS$">
      <single>
        <search>
          <query> index=someSearch| rename searchResult AS XX </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <set token="testtest">$result.XX$</set>
          </done>
        </search>
        <drilldown>
          <condition match="5==5">
            <set token="test1">a</set>
            <set token="test2">b</set>
            <set token="test3">c</set>
          </condition>
          <condition match="1==9">
            <set token="test1">d</set>
            <set token="test2">e</set>
            <set token="test3">f</set>
          </condition>
          <condition match="2==3">
            <set token="test1">g</set>
            <set token="test2">h</set>
            <set token="test3">i</set>
          </condition>
        </drilldown>
      </single>
    </panel>
  </row>
  [... ]
  <!-- here I want to use those test-tokens but they never get set -->
</dashboard>

The token "testtest" is working. Why do the tokens ($test1$, $test2$ and $test3$) not get set? The condition "5==5" cannot be false.
Hello, I looked for a way to delete my account and I did not find any way, except to communicate with you in this way, can you delete my account? Regards,
Hello, I want to conduct a search, set a token according to the search result and then set another bunch of tokens depending on the search result token. However, my tokens ($test1$, $test2$ and $test3$) never get set. Any ideas what I'm doing wrong?

<dashboard>
  <label>Titel</label>
  <row>
    <panel depends="$alwaysHideCSS$">
      <single>
        <search>
          <query> index=someSearch| rename searchResult AS XX </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <set token="testtest">$result.XX$</set>
          </done>
        </search>
        <drilldown>
          <condition match="5==5">
            <set token="test1">X5</set>
            <set token="test2">a</set>
            <set token="test3">b</set>
          </condition>
          <condition match="1==9">
            <set token="test1">a</set>
            <set token="test2">X2</set>
            <set token="test3">b</set>
          </condition>
          <condition match="2==3">
            <set token="test1">a</set>
            <set token="test2">b</set>
            <set token="test3">X3</set>
          </condition>
        </drilldown>
      </single>
    </panel>
  </row>
  [... ]
  <!-- here I want to use those test-tokens but they never get set -->
</dashboard>

The token "testtest" is working. Why do the tokens ($test1$, $test2$ and $test3$) not get set? The condition "5==5" cannot be false.
Hi All,

I have a table with 5 rows as shown below.

Report    Count   Comments
Report 1  22      abc
Report 2  786     def
Report 3  10,037  ghi
Report 4  719     jkl

When I click on any row, it displays data for that row using the <option name="drilldown">row</option> in my template like this:

Hi Team,
According to our Splunk logs below are the top reports having high count:
Report: Report1 Comment: abc Count: 22
If you have any questions please feel free to contact us.
Regards
Support Team
---------END of my display message----------

Now when I click the 2nd row (after clicking the first row) I want the 2nd-row data also to be displayed along with the above results, so that the output looks like this:

Hi Team,
According to our Splunk logs below are the top reports having high count:
Report: Report1 Comment: abc Count: 22
Report: Report2 Comment: def Count: 786
If you have any questions please feel free to contact us.
Regards
Support Team
---------END of my display message----------

This is the code I have used:

<row>
  <panel>
    <table>
      <title>click a row for more details</title>
      <search base="main_search">
        <query>| table reportName count comments</query>
      </search>
      <option name="count">10</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">row</option>
      <option name="refresh.display">progressbar</option>
      <option name="rowNumbers">false</option>
      <option name="wrap">true</option>
      <fields>$table_fields$</fields>
      <drilldown>
        <eval token="customer_comment_en"> " Report: ".$ReportId$." Count: ".$count$." Comments: ".$comment$."
" </eval>
        <set token="drilldown_display">block</set>
      </drilldown>
    </table>
  </panel>
</row>
<row depends="$drilldown_display$">
  <panel>
    <html>
      <h1 class="SectionHeader">Customer Communication</h1>
      <div style="float:left; width:calc(95% - 50px);" class="pageInfo">
        <pre>
Hi Team,
According to our splunk logs below are the top reports having high count:
$customer_comment_en$
If you have any questions please feel free to contact us.
Regards
Support Team
        </pre>
      </div>
    </html>
  </panel>
  <panel>

Basically, I want to access data for not just one row, but multiple rows when I click on them, and display it. Can anyone help?
Hello, I want to conduct a search, set a token according to the search result and then set another bunch of tokens depending on the search result token. However, I get the error "<drilldown> not allowed here" in line 13. I use exactly the same syntax as in the example of the Splunk documentation (https://docs.splunk.com/Documentation/Splunk/8.1.3/Viz/tokens under the section "Troubleshoot job property access"). Is there some kind of typo I'm not seeing?

<dashboard>
  <label>Title</label>
  <search>
    <query> index=somesearch| rename testresult AS XX </query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <done>
      <set token="testtoken">$result.XX$</set>
    </done>
  </search>
  <drilldown>
    <condition match="1==1">
      <set token="test1">X1</set>
      <unset token="test2"></unset>
      <unset token="test3"></unset>
    </condition>
    <condition match="testtoken==2">
      <unset token="test1"></unset>
      <set token="test2">X2</set>
      <unset token="test3"></unset>
  </drilldown>
  [...]
<dashboard>

Help would be greatly appreciated.
Hi Splunk Community,

How does Splunk prioritize conditional case functions? Let's say I have a case function with 2 conditions. They work fine, and results are as expected, but then let's say I flip the conditions. What I see happen when I flip the conditions in the case function is that the results are not correct. Shouldn't Splunk be able to still check which condition it applies to even though I have flipped the conditions?

Example below:

Case: TimeSchedule should output the closest 7th min or 37th min, so every half hour past the 7th min or 37th min from the zipTime_epoch.

Works fine; as output TimeSchedule should be 2021-03-06 23:37:59.000000

| makeresults
| eval zipTime="2021-03-06 23:35:59.000"
| eval zipTime_epoch=strptime(zipTime, "%Y-%m-%d %H:%M:%S.%6N")
| eval lastunzip_hour=tonumber(strftime(zipTime_epoch, "%H"))
| eval lastunzip_min=tonumber(strftime(zipTime_epoch, "%M"))
| eval lastunzip_sec=round(zipTime_epoch%60,6)
| eval TimeSchedule=strftime(case(lastunzip_min%30 < 7, zipTime_epoch-zipTime_epoch%1800+420+lastunzip_sec, lastunzip_min!=37 AND lastunzip_min!=7, zipTime_epoch-zipTime_epoch%1800+2220+lastunzip_sec, 1=1, zipTime_epoch), "%Y-%m-%d %H:%M:%S.%6N")
| table TimeSchedule, zipTime, lastunzip_hour, lastunzip_min, lastunzip_sec, zipTime_epoch

Does not work fine when the conditions in the case are flipped; output should be 2021-03-06 23:37:59.000000 instead.

| makeresults
| eval zipTime="2021-03-06 23:35:59.000"
| eval zipTime_epoch=strptime(zipTime, "%Y-%m-%d %H:%M:%S.%6N")
| eval lastunzip_hour=tonumber(strftime(zipTime_epoch, "%H"))
| eval lastunzip_min=tonumber(strftime(zipTime_epoch, "%M"))
| eval lastunzip_sec=round(zipTime_epoch%60,6)
| eval TimeSchedule=strftime(case(lastunzip_min!=37 AND lastunzip_min!=7, zipTime_epoch-zipTime_epoch%1800+2220+lastunzip_sec, lastunzip_min%30 < 7, zipTime_epoch-zipTime_epoch%1800+420+lastunzip_sec, 1=1, zipTime_epoch), "%Y-%m-%d %H:%M:%S.%6N")
Hi All,

I was looking for a query which can look at the previous one month of data, calculate the frequency at which data is coming in to an indexer and sourcetype (the data is not real time; for example, say we are getting data into the index and sourcetype after 5 hours or so) and return an average (as the frequency will differ every time, say sometimes 5 hours or sometimes 4 hours). For example: Indexer A and sourcetype B are receiving data every 5 hours on average within a day. Can somebody please help in this regard? Thanks.
I'm trying to pull KV pairs from an event field, and having trouble. The issue is I don't know what the field names will be, nor how many. The parent field value also groups the KV pairs within braces, adding an additional layer of brain trauma.

In testing, /([^{=,]+)=([^,}]+)/g does the job in regex101, but not in Splunk. Such as:

| makeresults
| eval msg.additionalValues="{field1=value1, field2=value2, field3=value3}"
| rex field=msg.additionalValues "/([^{=,]+)=([^,}]+)/g"

Results in:

Error: "Error in 'rex' command: The regex '/([^{=,]+)=([^,}]+)/g' does not extract anything. It should specify at least one named group. Format: (?<name>...)."

Since I have multiple named groups, how is this possible?
I have a search I am running, and I am trying to enumerate this one specific email domain's email responses: if it was blocked, delivered, and so on. When I run this search (below) I get my stats table just fine, but I get no results per main field. What am I doing wrong?

index=emails
| search recipient="*@thing.com*" OR Recipient="*@thing.com*"
| stats count(eval((recipient="*@thing.com") OR (Recipient="*@thing.com*"))) AS @thing BY email_response

Table looks like this:

email_response   @thing
blocked          0
delivered        0
quarantined      0
Event Data:

{"Debug":[
  {"Action":"User-Created","Result":"OK"},
  {"Action":"Granted-Permissions","Result":"Failed"}
]}

My try:

# Get the events where Action equals "User-Created" and Result="Failed"
Search: index=index_name Debug{}.Action="User-Created" AND Debug{}.Result="Failed"

Expected: No records should be returned, because there is not a single record where the two values are true.
Result: Multiple records returned; the conjunction is not being performed, it operates like an OR logical function.
Notes: It works if I choose simple, non-KV data.
Thanks,
What are the main causes of delayed searches indicated by the health indicator on the Search Heads? How do I fix them? Thx
Hi, I have events like this:

server=serverA field1=foo field2=bar

And I would like to override the host field with serverA, so I configured on our indexers:

props.conf
[foo:bar]
DATETIME_CONFIG = CURRENT
LINE_BREAKER = field2=.*([\r\n]+)
SHOULD_LINEMERGE = false
TRANSFORMS-A = trans_host

transforms.conf
[trans_host]
REGEX = SERVER\=(\w+)$
FORMAT = host::$1
DEST_KEY = MetaData::host

But it's not working. I still get the original host value. What am I missing here?
I have 2 different searches and I need to create an alert that would trigger if the results of the 2 searches are not equal. Below are my 2 searches. What we are doing is comparing a count of records in and a count of records out to make sure the application did not have an issue processing.

index=omma source=omma
| bin _time span=5ms
| stats latest(liccount) as "Value" by lictype
| stats sum("Value") as "Total Records"

index=omma
| stats dc(record_id) as "Total Records"
Please help with SPLs for the following Alerts. Thank you very much in advance.

Active Directory unusual login activity after hours 10PM-6AM EST
Active Directory Possible compromised admin accts
DNS communication with Foreign / Risky countries
SQL DB monitoring unauthorized changes
I have a big table which is not easy to group on visualizations. Can I make each 2 columns the same color group so that I can see them together immediately? For example:
Hi, I installed the Alerts Manager app as I was hoping to have better features to view and manage my incidents and alerts in Enterprise Security. I installed the app (id:2665) and the add-on (id:3665) to my SH, created a new index named alerts and completed the setup. However, there are no Incidents or Alerts showing in any of the dashboards. My understanding was that this app would pull the incidents/alerts from ES so I can manage them? But nothing is showing. In the app, I can create a new incident no problem and can see it being added to the new "alerts" index, but this isn't much use to me. Is there something I'm missing here regarding this app or its purpose? Thanks
Hi, I have tabular results of folks who are using index=* in their searches. So I have SPL that outputs the below:

User   app     title  SPL               email
user1  search  xyz    index=*           abc\@test.com
user2  app1    abc    index=* source=*  user2\@test.com

When I add the below command, I see the email of all the results in the table.

| sendemail to="abc@test.com" format=table subject=myresults sendresults=true inline=true

But I want user1 to get only his/her result. Similarly user2 should get only his/her result.

So I tried the below, but none worked.

| map [|sendemail to="$email$" format=table subject=myresults sendresults=true inline=true]
| map [sendemail to="$email$" format=table subject=myresults sendresults=true inline=true]
| map search="|sendemail to="$email$" format=table subject=myresults sendresults=true inline=true"
| map search="sendemail to="$email$" format=table subject=myresults sendresults=true inline=true"

Please let me know the right syntax.