Hello, I have data in which I have the employee name and the manager name. I want to create a search where, if someone selects a name (for example, John), it returns records where John is the manager directly or indirectly. In the example below, if I select John it should return all 3 records (Joy, Adam and Roy), because Adam reports to John, and Joy and Roy report to Adam. If I select Adam, it should only return 2 records, Joy and Roy.

_time       FirstName   Manager Name
08th March  Joy         Adam
07th March  Adam        John
06th March  Roy         Adam

Can someone please help; how can I do that?
Hello, in my EUM Dashboard I want to add a pie chart of referrers so it appears as in the attached image. For example, there is more than one value of Google referrers. I want to group referrers so that all referrers that contain google.com are considered one group (Google referrer), all that contain Facebook.com have the value Facebook, and so on. I don't need to show the distribution based on each unique value. How can I do this? Note: the query used is below.

SELECT referrer, count(referrer) FROM web_session_records WHERE referrer IS NOT NULL

Thanks
I have the following query, which gives me details of a DB user ID whenever the count crosses X value; however, I want to modify this to a dynamic search based on a rolling average of that value for the last 10 days. Can you please help?

index=abc sourcetype=DBConnectionUsage | spath cdb | spath pdb | spath application_user | search cdb=* pdb=* application_user = "*" cluster="E3" | bin span=30m _time | stats sum(connection_count) as connection_count by application_user, pdb | where connection_count >100

I want to modify the where condition to: where connection_count > 'avg (conn count for last 10 days)'.
Hi Team, @gcusello, I have created two dropdowns (Group and Device). I want to create another dropdown, Timeframe, and link the first two dropdowns with the Timeframe dropdown. How do I achieve this?

Group
Device
Timeframe

Please help me in clearing my doubts. Thanks, Priya
I have index=syslog where the hostname comes as either an FQDN or an IP address. I want to use rex to modify only the hostname field, and only where an FQDN is present, so that only the first part of the hostname is kept (everything after the . should be removed) and saved in a new field, host.

Example: the hostname column has a hostname that looks like abcd-efg-hij-k23-b1.xyz.gmail. After using rex/sed, I want abcd-efg-hij-k23-b1 in the host field; everything after the . should be removed.

Note: I also have IP addresses, which have . in them, so when applying rex the IP addresses should not be considered. It should only affect/take into consideration the alphanumeric field.
Hi Everyone, I have the query below:

index=abc ns=hjk app_name=pi "ARC EVENT RECEIVED FROM SOURCE" | rex "RID:(?<RID>(\w+-){4}\w+)-(?<sourceagent>\w+-\w+)" | stats count(RID) as count, values(RID) as RID by sourceagent | rename sourceagent as "Source" | fields Source count

I have created this as a bar chart. I am getting the X axis as count and the Y axis as source. I want the X-axis to be discrete, as it shows the file count. How can I do that? Can someone guide me on that? I have attached a screenshot.
Hello, unfortunately my complete query does not go through because of the following error: "The search auto-finalized after it reached its time limit: 60 seconds." Now I read that I could change this in limits.conf, but I don't have a local Splunk app. It all runs through Splunk's website (8.0.2) via the Search & Reporting app. Can I make any settings there so that my search runs through?
Hey, I have a single-server 8.1.2 deployment on a Windows 2016 server, with the Splunk_TA_windows app installed, and that app broke when updating it to 8.1.1. Now it shows with version number "8.1.1R62a79cd" and its knowledge objects don't seem to take effect. I tried disabling it, stopping Splunk, deleting the folder (had to use takeowner.exe to be able to delete it), starting Splunk and then re-installing the app without issues, but it again shows with version 8.1.1R62a79cd and is not working. I tried this both by installing from the app store and by downloading the app to a file and installing from there. After a while of it being re-installed, the app management page shows the link to update from this version 8.1.1R62a79cd to version 8.1.1, which acts the same way as updating other apps, but it doesn't fix the issue. What else can I try? Thanks
I have a Python script to call the API every day. Whenever the script runs, it calls the API and fetches all-time data. The issue I have here is avoiding duplicate data when it gets ingested into Splunk. I have a unique field in the JSON data to avoid duplicate entries. How do I configure that in props.conf? Can you please help?
The Splunk ta_unix app only collects and stores the swap memory used percent metric, and I want to index other metrics like swap used/total/available data.

PRINTF='END {printf "%10d %10d %10d %10.1f %10.1f %10s %10.1f %10s %10s %10s %10s %10s %10s %10.2f %10.2f %10.2f %10.2f %10.2f\n", memTotalMB, memFreeMB, memUsedMB, memFreePct, memUsedPct, pgPageOut, swapUsedPct, pgSwapOut, cSwitches, interrupts, forks, processes, threads, loadAvg1mi, waitThreads, interrupts_PS, pgPageIn_PS, pgPageOut_PS}'
DERIVE='END {memUsedMB=memTotalMB-memFreeMB; memUsedPct=(100.0*memUsedMB)/memTotalMB; memFreePct=100.0-memUsedPct; swapUsedPct=swapUsed ? (100.0*swapUsed)/(swapUsed+swapFree) : 0; waitThreads=loadAvg1mi > cpuCount ? loadAvg1mi-cpuCount : 0}'
How can I find users who stopped a service? I have tried [WinHostMon://service] and [WinEventLog://System], but the first option lists the status of services, and for the second option the log doesn't have a User field.
Hi, I am doing a basic count with the XML below:

<input type="dropdown" token="tok_filtersite" searchWhenChanged="true">
  <label>Site</label>
  <choice value="N">N</choice>
  <choice value="SE">SE</choice>
  <initialValue>N</initialValue>
  <default>N</default>
</input>
<input type="dropdown" token="tok_filtercategory" searchWhenChanged="true">
  <label>Category.</label>
  <default>*</default>
  <choice value="*">*</choice>
  <choice value="HW/PC TABLET">HW/PC TABLET</choice>
  <choice value="HW/PC LAPTOP">HW/PC LAPTOP</choice>
  <choice value="HW/PC DESKTOP">HW/PC DESKTOP</choice>
  <choice value="Hardware">Hardware</choice>
  <initialValue>*</initialValue>
</input>
<input type="text" token="tok_filterdepartment" searchWhenChanged="true">
  <label>Department</label>
  <default>*</default>
  <initialValue>*</initialValue>
</input>
<input type="text" token="tok_filterresponsible" searchWhenChanged="true">
  <label>Responsible (Use *_* or "_")</label>
  <default>*</default>
  <initialValue>*</initialValue>
</input>
</fieldset>
<row>
  <panel>
    <title>Number of devices with "Production" STATUS</title>
    <single>
      <title>Source : ServiceNow</title>
      <search>
        <query>| inputlookup fo_all where TYPE="PC" (DOMAIN=I OR DOMAIN=B) (CATEGORY = "HW/PC LAPTOP" OR CATEGORY ="HW/PC TABLET" OR CATEGORY ="HW/PC DESKTOP") (STATUS = "Production") | search SITE=$tok_filtersite|s$ | search CATEGORY=$tok_filtercategory|s$ | search DEPARTMENT=$tok_filterdepartment$ | search RESPONSIBLE_USER=$tok_filterresponsible|s$ | stats dc(HOSTNAME)</query>

But the count is only right when I delete the DEPARTMENT token, and I don't know why. The only thing I can say is that most of the time the DEPARTMENT field is empty:

| search DEPARTMENT=$tok_filterdepartment$

And if I cumulate the number of events when I add this at the end of my search:

search NOT DEPARTMENT=""
search DEPARTMENT=""

the number of results is right... What is the problem, please?
Below is my table (TA TYPEs), a single row shown as field and value:

Field                               Value
INTERNAL_SHARING_ID                 INT-20191104-1
REUSE_REQUEST.OMICS_DATA            false
REUSE_REQUEST.STUDY_METADATA        false
REUSE_REQUEST.GENETIC_DATA          false
REUSE_REQUEST.CLINICAL_DATA         true
REUSE_REQUEST.BIOMARKERS_DATA       false
REUSE_REQUEST.IMAGES_DATA           false
REUSE_REQUEST.HBS_DATA              false
REUSE_REQUEST.RWE_DATA              false
REUSE_ADMIN_INFO.REQUEST_COMMENTS   null

I want to display only the field names whose values are true, and ignore the other fields, along with the INTERNAL_SHARING_ID column, like below:

interna_sharing_id - clinical_data
Hi Guys, could anyone help me split the following JSON file into multiple events? I tried different ways, adding KVMODE=json, modifying LINE_BREAKER or adding EVENT_BREAKER to my props.conf, but I'm unable to find a solution... A JSON example follows. What I'm trying to do is capture the messages between the square brackets and then split the events they contain. In this example I have two different events, each starting with the "eventId" field and ending with the "policyId" field.

{
  "name": "SecureSphere_Audit_PCI_-_Login_audit_15.01.2021_1043_19.02.2021_2359_ith-aru-sec-imp-gw03_0_mxName.0000000002",
  "messageRaw": [
    { "eventId": "6930995712914260054", "eventCreationTime": "2021-02-19T17:04:32Z", "streamId": "20", "sourcePort": 2978, "destinationPort": 1527, "originalUserName": "sapserviceid6", "parsedQuery": "N/A (login)", "logCollectorName": "N/A", "realDateTime": "2021-02-19T17:04:31Z", "base": { "keysCrc": "3392074420543545270", "serverGroup": "LAB", "service": "Oracle", "application": "Default Oracle Application", "eventSourceType": "Network", "userType": "Valid", "dbUser": "sapserviceid6", "sqlSourceGroup": "Default oracle group", "isUserAuthenticed": true, "sourceIp": "10.1.5.190", "sourceApp": "disp+work.exe", "osUser": "sapserviceid6", "host": "sapysap1", "serviceType": "Oracle", "destinationIp": "10.1.5.191", "eventType": "LOGIN", "operation": "Login", "database": "id6", "schema": "sapserviceid6", "gatewayName": "ith-aru-sec-imp-gw03", "sourceOfActivity": "REMOTE", "dbInstance": "id6" }, "policy": "PCI - Login audit", "policyId": "993812781714235096" },
    { "eventId": "6930995712914335615", "eventCreationTime": "2021-02-19T17:04:41Z", "streamId": "30", "sourcePort": 2978, "destinationPort": 1527, "originalUserName": "sapid6", "parsedQuery": "N/A (login)", "logCollectorName": "N/A", "realDateTime": "2021-02-19T17:04:41Z", "base": { "keysCrc": "-4699307483851221009", "serverGroup": "LAB", "service": "Oracle", "application": "Default Oracle Application", "eventSourceType": "Network", "userType": "Valid", "dbUser": "sapid6", "sqlSourceGroup": "Default oracle group", "isUserAuthenticed": true, "sourceIp": "10.1.5.190", "sourceApp": "disp+work.exe", "osUser": "sapserviceid6", "host": "sapysap1", "serviceType": "Oracle", "destinationIp": "10.1.5.191", "eventType": "LOGIN", "operation": "Login", "database": "id6", "schema": "sapid6", "gatewayName": "ith-aru-sec-imp-gw03", "sourceOfActivity": "REMOTE", "dbInstance": "id6" }, "policy": "PCI - Login audit", "policyId": "993812781714235096" }
  ]
}

Thanks in advance for your help, Mario
Good morning, I have created a dashboard with multiple searches, and when I change a box the rest wait to do polling and it is very slow. The data file is very small; it is a local CSV. My license is free; I think I am doing the searches wrong.

Example:

<form theme="dark">
  <label>Almacenamiento</label>
  <description>Cuadro de Mando Almacenamiento Prosegur</description>$Pais$<fieldset submitButton="false" autoRun="false">
    <html>
      <img src="/static/app/search/logoprosegur_3.PNG?updated={Now}" style="max-width:250%;width:50;height:50”;"/>
      <div style="display:inline;width:5000px;"/>
      <div>
        <a title="Esquemas" href="http://10.28.62.77:8000/static/app/search/sede_$Ciudad$.png?updated={Now}" target="_blank">
          <img srcset="/static/app/search/sede_$Ciudad$.png?updated={Now}" style="float:right;max-width:10%;width:10;height:10”;"/>
        </a>
      </div>
    </html>
    <input type="dropdown" token="Pais" searchWhenChanged="true">
      <label>Sede por pais</label>
      <fieldForLabel>VendorCountry</fieldForLabel>
      <fieldForValue>VendorCountry</fieldForValue>
      <search>
        <query>source="E:\\REPOSITORIO\\Almacenamiento_prosegur.csv" host="ESDC1SVHWO053" sourcetype="csv" | search VendorCity="$Ciudad$" AND Fabricante="$Fabricante$" AND Hostname="$Nombre$" | stats count by VendorCountry</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <choice value="*">ALL</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="dropdown" token="Ciudad" searchWhenChanged="true">
      <label>Sede por ciudad</label>#<selectFirstChoice>true</selectFirstChoice>
      <fieldForLabel>VendorCity</fieldForLabel>
      <fieldForValue>VendorCity</fieldForValue>
      <search>
        <query>source="E:\\REPOSITORIO\\Almacenamiento_prosegur.csv" host="ESDC1SVHWO053" sourcetype="csv" | search VendorCountry="$Pais$" AND Fabricante="$Fabricante$" AND Hostname="$Nombre$" | stats count by VendorCity</query>
        <earliest>0</earliest>
        <latest></latest>
Hi, @ITWhisperer @bowesmana @niketn @dmarling, could you please help me with my doubt?

Query: "index=71412-cli sourcetype=show_interface | fields type interface operStatus | table type interface operStatus | search interface=port*"

Output of the query:

type             interface
Port-channel     Port-channel1
Port-channel     Port-channel261
Port-channel     Port-channel100
Port-channel     Port-channel99.202
Port-channel     Port-channel99.200
Port-channel     Port-channel99.160
Port-channel     Port-channel99.159
Port-channel     Port-channel99.158
Port-channel     Port-channel99.157

I need to capture only the values after "Port-channel" (e.g. 99.157) from the interface column and create a separate column to print only the IDs of the port-channel.

Expected output:

type             interface              port-id
Port-channel     Port-channel1          1
Port-channel     Port-channel261        261
Port-channel     Port-channel100        100
Port-channel     Port-channel99.202     99.202
Port-channel     Port-channel99.200     99.200
Port-channel     Port-channel99.160     99.160
Port-channel     Port-channel99.159     99.159
Port-channel     Port-channel99.158     99.158
Port-channel     Port-channel99.157     99.157

Please help me in solving this doubt. Thanks and regards, Priya
In my search result I am getting AD & Login locations. Now I want to filter the result if both AD and Login locations are the same. Please help me with the Splunk query. @soutamo @saravanan90 @thambisetty @ITWhisperer @gcusello @bowesmana @to4kawa
Hi @scelikok
Hi, I have installed a Splunk add-on, e.g. the GitHub add-on (https://splunkbase.splunk.com/app/3739/), and it is no longer supported for Splunk version 8. Can you please let me know how I can delete this add-on completely without using the CLI? In Splunk, when I go to Apps --> Manage Apps, I only get options to Disable the add-on, Edit properties, etc. Could you please guide me in uninstalling the add-on completely from my Splunk page? Thanks