Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hello,

From my system I receive a number of events, some of which contain a value of the letter 'c' followed by 7 digits, like so: 'c5426987'. I want to create a field by the name user_id that will contain that value. I tried to use extract field and mark the value I was searching for, but it got only some of the results and not all of them; the thing is that the value shows up in different ways, like:
- name:c1234567
- somedata/c1234567
- login by c1234567
and I can't find a way to get them all... I tested a regex on a website that examines regexes and it did extract what I was searching for. The regex I tested was: "/c[/d]{7}/g" and it gave the wanted results on the website. I tried using both the rex and regex commands and they didn't seem to work... Can you please help me find the way to create the field "user_id" using that regex?

Thanks!
omer shira
Hi

Has anyone indexed Ubisecure's Ubilogin audit or diag files? Basically those are CSV files, BUT depending on the event there is a different number of columns, even for the same type of event, based on e.g. the authentication method used.

time, src ip, action, user info, f1, f2, f3, f4
t1, src-1, authentication method list, _xyz, "CN=aa,OU=b....", "user agent"
t2, src-1, authentication method list, _xyz, password.xx, "CN=aa,OU=b....", "user agent"
t3, src-1, login, _xyz, yyy, password.xx, "CN=bb, OU=cc...", foo,...,...,..

Even the same action can contain a different number of fields based on the "user info" field. There are some other actions too. If there is no better solution then I will probably try this: https://community.splunk.com/t5/Getting-Data-In/Indexing-a-CSV-data-file-with-more-than-one-set-of-data/m-p/40562

r. Ismo
Hi,

I have some logs like this:

fields ............................................. Location=Location#All Locations#Site#City#E-MY-SIT-00-XYZ#TEST, fields..........................

So I need to extract, for example, E-MY-SIT-00-XYZ from the Location field. The string E-MY-SIT-00-XYZ could be different, but the schema is always 1 letter-2 letters-3 letters-2 numbers-3 letters. Can you help me extract the string?

Thank you in advance
Hi Team,

I want to find the license usage in GB for the last 30 days for a particular Event ID in index=wineventlog, so kindly help with the query. The fields are:

EventCode=4688
index=wineventlog
sourcetype=winlog
@bowesmana Hi, could you please help me replace the join in the query below?

index=168347-np [ | `last_np_sourcetype("index=168347-np","hardware")`] (physicalType=*)
| fields physicalElementId deviceId
| join deviceId [ search index=168347-np [| `last_np_sourcetype( "index=168347-np", "group_members")` ] groupId=290681 | fields deviceId ]
| stats dc(physicalElementId) as Devices

Thanks
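The usual way to get rid of a join like the one above is to pull both sourcetypes in one search, tag the group-membership events, and let stats correlate by deviceId. In SPL that shape is:

index=168347-np ((sourcetype=hardware physicalType=*) OR (sourcetype=group_members groupId=290681)) | eval in_group=if(sourcetype=="group_members",1,0) | stats values(physicalElementId) as physicalElementId max(in_group) as in_group by deviceId | where in_group=1 | stats dc(physicalElementId) as Devices

The Python below is an added example, not the poster's code and not anything from Splunk; it assumes the last_np_sourcetype macro resolves to a sourcetype filter (the macro body is not shown, so "hardware" and "group_members" are used as literal sourcetype values here) and runs both the join form and the stats form over a constructed event set to show they return the same count.

```python
from typing import Dict, List, Set

# Constructed events, not from the poster's index; each dict is one Splunk event.
EVENTS: List[Dict[str, object]] = [
    {"sourcetype": "hardware", "deviceId": "d1", "physicalElementId": "pe1", "physicalType": "chassis"},
    {"sourcetype": "hardware", "deviceId": "d1", "physicalElementId": "pe2", "physicalType": "module"},
    {"sourcetype": "hardware", "deviceId": "d2", "physicalElementId": "pe3", "physicalType": "chassis"},
    {"sourcetype": "hardware", "deviceId": "d2", "physicalElementId": "pe3", "physicalType": "chassis"},  # duplicate event
    {"sourcetype": "hardware", "deviceId": "d2", "physicalElementId": "pe5"},  # no physicalType: physicalType=* drops it
    {"sourcetype": "hardware", "deviceId": "d3", "physicalElementId": "pe4", "physicalType": "chassis"},
    {"sourcetype": "group_members", "deviceId": "d1", "groupId": 290681},
    {"sourcetype": "group_members", "deviceId": "d2", "groupId": 290681},
    {"sourcetype": "group_members", "deviceId": "d3", "groupId": 999},
    {"sourcetype": "group_members", "deviceId": "d9", "groupId": 290681},  # in the group, but no hardware events
]

GROUP_ID = 290681


def devices_with_join(events: List[Dict[str, object]], group_id: int) -> int:
    """The original query: hardware rows inner-joined on deviceId to the group's
    devices (the subsearch), then dc(physicalElementId)."""
    hardware = [e for e in events if e["sourcetype"] == "hardware" and "physicalType" in e]
    group_devices = {
        e["deviceId"] for e in events
        if e["sourcetype"] == "group_members" and e["groupId"] == group_id
    }
    matched = {e["physicalElementId"] for e in hardware if e["deviceId"] in group_devices}
    return len(matched)


def devices_with_stats(events: List[Dict[str, object]], group_id: int) -> int:
    """The join-free form: one search over both sourcetypes, stats by deviceId,
    keep devices that had a membership event, then dc over what is left."""
    # (sourcetype=hardware physicalType=*) OR (sourcetype=group_members groupId=<id>)
    selected = [
        e for e in events
        if (e["sourcetype"] == "hardware" and "physicalType" in e)
        or (e["sourcetype"] == "group_members" and e["groupId"] == group_id)
    ]
    # stats values(physicalElementId) as pe max(in_group) as in_group by deviceId
    per_device: Dict[object, dict] = {}
    for e in selected:
        row = per_device.setdefault(e["deviceId"], {"pe": set(), "in_group": 0})
        if e["sourcetype"] == "group_members":
            row["in_group"] = 1
        else:
            row["pe"].add(e["physicalElementId"])
    # where in_group=1 | stats dc(physicalElementId) as Devices
    distinct: Set[object] = set()
    for row in per_device.values():
        if row["in_group"] == 1:
            distinct |= row["pe"]
    return len(distinct)


if __name__ == "__main__":
    print("join  :", devices_with_join(EVENTS, GROUP_ID))
    print("stats :", devices_with_stats(EVENTS, GROUP_ID))
```

Beyond speed, the stats form also sidesteps the subsearch result limit that silently truncates a join's right side (50,000 rows by default), which is the usual reason a joined device count comes out too low on a large index.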
I have a dashboard with two panels. One is sales data and one is returns. I would like to have a drop down into which I enter the store number, and it updates both panels with that number. In the query I have storeno= and the token should be passed to both dashboard queries here. How do I do that?

Thank you
I'm trying to get the time-based functionality to work on a kvstore, but I'm not getting anywhere. I have taken a look at the other posts on this topic, but I can't get it working.

My collections.conf file:

[tracking]
enforceTypes=true
field.dashboard = string
field.idhash = string
field.misc = string
field.time = number

My transforms.conf file:

[tracking]
collection = tracking
external_type = kvstore
fields_list = _key,time,dashboard,misc,idhash
time_field = time
time_format = %s

I am adding records to the kvstore via the API, and I'm writing the time in epoch form (seconds, 10 digits). I'm mainly following the directions in this post: https://community.splunk.com/t5/Splunk-Search/How-to-get-time-based-lookups-working-with-KV-Store/m-p/221824

It looks like Splunk isn't recognising the time format: when I do a time-based search, all the records in the kvstore are returned (| inputlookup tracking).
Hello

I have the csv file below, which I take as reference to get a verified output by using conditions on the verified column.

Conditions: we have to consider TC.strd2ExecutionDate as the Verifed_Date.
Verifed_Date = d2ExecutionDate

Cond 2: we get the First_Date and Second_Date from the PhaseMapping file.
Eg:- R06=Tue 24 Mar 2020,Wed 10 Jun 2020
First_Date = Tue 24 Mar 2020
Second_Date = Wed 10 Jun 2020
then compare those dates with the Verifed_Date.

Date Compare:-
if(First_Date.before(Verifed_Date ) /second_Date.before(verified_Date) consider the value as 1,
else if(First_Date.equals(Verifed_Date )/(Second_Date=verified_Date) consider the value as 0,
else consider the value as 2;
if D2_ExecutionDate is null or empty, verified should be null.

a). (Date Compare(Verifed_Date ,First_Date == 0 || Verifed_Date ,First_Date == 1) && (Verifed_Date ,Second_Date == 2 || Verifed_Date, Second_Date == 0)) get the verified values from PhaseMapping
verified = R06.1

Can you suggest me any queries for these conditions?

Thank you in advance

CRS__implementation_phase  First_Date        Second_Date
UPV1                       Mon 10 Sep 2018   Sun 02 Dec 2018
UPV2                       Mon 03 Dec 2018   Mon 18 Mar 2019
DCV0                       Tue 19 Mar 2019   Thu 13 Jun 2019
DCV2                       Thu 06 Jun 2019   Mon 12 Aug 2019
DCV3                       Tue 13 Aug 2019   Wed 30 Oct 2019
R00                        Thu 31 Oct 2019   Sun 08 Dec 2019
R04                        Mon 09 Dec 2019   Thu 13 Feb 2020
R05                        Fri 14 Feb 2020   Mon 23 Mar 2020
R06                        Tue 24 Mar 2020   Wed 10 Jun 2020
R06.1                      Thu 11 Jun 2020   Wed 24 Jun 2020
R06.2                      Thu 25 Jun 2020   Mon 03 Aug 2020
R06.3                      Tue 04 Aug 2020   Sun 30 Aug 2020
R06.4                      Mon 31 Aug 2020   Mon 30 Nov 2020
Is there an outage with MINT? Since about 02h30 GMT this morning almost no events are being collected by the Splunk MINT Add-on Modular Input into my Splunk Enterprise platform. This is across multiple apps. My MINT Dashboard seems to show active sessions for the Apps, so the problem appears to be in the collection of the data from the MINT cloud environment into Splunk. No errors are appearing relating to the Modular Input. What's strange is that a very small number (single digits) of events have been received at random times over the last few hours, but a tiny fraction of what is expected.
I am currently troubleshooting a new deployment of SAI. Linux hosts are detected but Windows hosts are not. I have read that for entities to be displayed, the search

| mcatalog values("entity_type") as "entity_type" values("os") as "os" WHERE metric_name=processor.* AND index=em_metrics BY "host"

should return results. However, the metrics for my Windows hosts appear to be missing the prefix (in this case Processor.x). For example, what should be Processor.%_User_Time is just %_User_time in my metrics. Does anyone have experience with an issue like this? Help is very much appreciated.
Hello,

My team and I installed a new UF on one of our systems. We wanted it to send the data from the system to a specific index we made for it. After we installed the UF it immediately started to transfer data to the main index, since that is the default. Then I stopped the UF and changed the inputs.conf file so it would send the data to the specific index, and it did as soon as I started the UF again. The problem is that now there is still data in the main index. The indexes in the environment are clustered, so the option of "splunk clean eventdata -index main" will not work in that case... I couldn't find another solution, can you please help me?

Thanks,
omer shira.
After upgrading from version 8.0.5 to 8.1.1, an error message appeared regarding Dell SonicWall Analytic (see the screenshot below). Anybody had the same issue? Is there any workaround? Thanks in advance.
I have a few zip files (after extraction, thousands of csv files) in a folder; each zip file is over 1GB. I use a monitor stanza to monitor this folder, but Splunk did not index these zip files.

Splunk 7.3.3 Standalone

[monitor://D:\zipfolder]
index = my_index
sourcetype = my_sourcetype
crcSalt = <SOURCE>

Any suggestions? Thanks.
Hi Team,

I have one requirement. I need to extract one field from the event. Below are my events.

2020-12-15 01:33:19,049 INFO [ Web Server-54321] o.a.n.w.s.AuthenticationFilter Attempting request for (<akale14><lpdosputb50156.phx.vxp.com><CN=lpdosputb50089.phx.vxp.com................
2020-12-15 01:32:35,854 INFO [Web Server-67688] o.a.n.w.s.AuthenticationFilter Attempting request for (<kkanchi><CN=lpdosputb50090.phx.vxp.com, OU=Middleware Utilities
2020-12-15 01:31:39,772 INFO [ Web Server-53937] o.a.n.w.s.AuthenticationFilter Attempting request for (<pwadh19><lpdosputb50089.phx.vxp.com><CN=lpdosputb50089.phx.vxp.com

I want to extract the word that I have highlighted. Can someone provide me a regex for that?

Than
index="win*" host="abc" -- doesn't give results
index="win*" host="ABC" -- gives results

But it is not supposed to function that way, since I heard field values are case insensitive? Kindly help
I would like to make use of the format function to modify the results of a subsearch. I'm getting spaces in the output that are causing problems with my search. I'm using CASE in the result to make the search case sensitive. My format function is:

| format "" "CASE(" "" ")" "OR name=" ""

The output of my subsearch is:

CASE( "User 1" ) OR name= CASE( "User 2" ) OR name= CASE( "User 3" )

The extra spaces around the search term prevent the CASE function from working. Is there any way to remove these spaces?
Hi All,

Splunk is ingesting only a portion of the scripted input ps.sh from my *nix OS TA, and I don't know why. Before a certain date, it was all ingesting fine. After a particular date, it's begun to ingest only the headers from the script output, rather than the output values themselves:

USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY S ELAPSED COMMAND ARGS

Has anyone else experienced this before?
I have a Splunk query that gives me all the logs of slow queries (AQL), but I need to know which ones have taken more than 10 sec. I need to compare them with the previous version's slow queries and see if there is any improvement.

My Splunk query:

index=hello_world host_zone=pr source="*hi*" "slow query"

Sample log:

slow query: 'FOR s IN abcdef FILTER LOWER(ghijk) == '123456789' LET serviceId = lmno FOR v IN pqrst GRAPH uvw_xyz RETURN v', bind vars: {}, took: 5.384533 s
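The four extraction questions above (the c+7-digit user_id, the site code inside the Location field, the bracketed name in the AuthenticationFilter lines, and the "took" seconds of the slow-query log) all reduce to a PCRE-style named capture group, which is what Splunk's rex command takes, e.g. | rex field=_raw "(?<user_id>\bc\d{7}\b)" and, for the slow queries, | rex "took: (?<took>[0-9.]+) s" | where took > 10. The posted pattern /c[/d]{7}/g does not do that: [/d] is a character class matching a slash or the letter d, not a digit, and the /.../g delimiters belong to the regex tester, not to rex. The Python below is an added example, not code from any of the posters; it runs the corrected patterns over constructed sample events (the log lines are made up to match the shapes described) so a regex can be checked before it goes into rex or a props.conf EXTRACT. The one syntax difference to keep in mind is that Python names groups as (?P<name>...), while rex uses (?<name>...). The username pattern assumes the wanted word is the first token in angle brackets after "Attempting request for (".

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events, shaped like the ones described in the posts (not real log data).
USER_ID_EVENTS = [
    "name:c1234567 session opened",
    "GET /somedata/c7654321 HTTP/1.1 200",
    "login by c0000001 from 10.0.0.5",
    "audit id abc12345678 is not a user id",  # 'c' inside a longer token: must NOT match
]
LOCATION_EVENTS = [
    "fields ... Location=Location#All Locations#Site#City#E-MY-SIT-00-XYZ#TEST, fields ...",
    "fields ... Location=Location#All Locations#Site#City#A-BC-DEF-12-GHI#PROD, fields ...",
]
AUTH_EVENTS = [
    "2020-12-15 01:33:19,049 INFO [ Web Server-54321] o.a.n.w.s.AuthenticationFilter "
    "Attempting request for (<akale14><lpdosputb50156.phx.vxp.com><CN=lpdosputb50089.phx.vxp.com",
    "2020-12-15 01:32:35,854 INFO [Web Server-67688] o.a.n.w.s.AuthenticationFilter "
    "Attempting request for (<kkanchi><CN=lpdosputb50090.phx.vxp.com, OU=Middleware Utilities",
    "2020-12-15 01:31:39,772 INFO [ Web Server-53937] o.a.n.w.s.AuthenticationFilter "
    "Attempting request for (<pwadh19><lpdosputb50089.phx.vxp.com><CN=lpdosputb50089.phx.vxp.com",
]
SLOW_QUERY_EVENTS = [
    "slow query: 'FOR s IN abcdef FILTER LOWER(ghijk) == '123456789' RETURN s', bind vars: {}, took: 5.384533 s",
    "slow query: 'FOR v IN pqrst GRAPH uvw_xyz RETURN v', bind vars: {\"k\": 1}, took: 12.5 s",
    "slow query: 'RETURN 1', bind vars: {}, took: 0.9 s",
]

# Patterns exactly as they would go into rex, apart from Python's (?P<...>) group syntax.
PATTERNS: Dict[str, str] = {
    # \b on both sides keeps 'abc1234567' and 'c12345678' from matching; ':' '/' and ' ' are all boundaries
    "user_id": r"\b(?P<user_id>c\d{7})\b",
    # 1 letter-2 letters-3 letters-2 digits-3 letters, delimited by '#' inside the Location value
    "site_code": r"#(?P<site_code>[A-Z]-[A-Z]{2}-[A-Z]{3}-\d{2}-[A-Z]{3})#",
    # first <...> token after 'Attempting request for (' (assumed to be the user name)
    "user": r"Attempting request for \(<(?P<user>[^>]+)>",
    # query text, bind vars and elapsed seconds of one slow-query line
    "slow": r"slow query: '(?P<query>.*)', bind vars: (?P<bind_vars>\{.*?\}), took: (?P<took>\d+(?:\.\d+)?) s",
}


def extract(events: List[str], pattern: str, group: str) -> List[Optional[str]]:
    """Apply one named-group regex to every event, as `| rex` does; None where it does not match."""
    rx = re.compile(pattern)
    out: List[Optional[str]] = []
    for ev in events:
        m = rx.search(ev)
        out.append(m.group(group) if m else None)
    return out


def slow_queries_over(events: List[str], threshold_s: float) -> List[Tuple[float, str]]:
    """Equivalent of `| rex "took: (?<took>[0-9.]+) s" | where took > threshold`:
    returns (seconds, query) for every slow-query line above the threshold."""
    rx = re.compile(PATTERNS["slow"])
    hits: List[Tuple[float, str]] = []
    for ev in events:
        m = rx.search(ev)
        if m and float(m.group("took")) > threshold_s:
            hits.append((float(m.group("took")), m.group("query")))
    return hits


if __name__ == "__main__":
    print("user_id  :", extract(USER_ID_EVENTS, PATTERNS["user_id"], "user_id"))
    print("site_code:", extract(LOCATION_EVENTS, PATTERNS["site_code"], "site_code"))
    print("user     :", extract(AUTH_EVENTS, PATTERNS["user"], "user"))
    print("took     :", extract(SLOW_QUERY_EVENTS, PATTERNS["slow"], "took"))
    print("> 10 s   :", slow_queries_over(SLOW_QUERY_EVENTS, 10))
```

The fourth user_id event is there on purpose: without the \b anchors, a pattern like c\d{7} also fires inside longer identifiers, which is the kind of partial match that makes a field look "mostly right" in the field extractor and then produces wrong values in a search. Keep the captured "took" numeric (rex extracts strings, so the where clause compares it as a number only if it is a plain number in the raw event) and the > 10 s filter works without an extra eval.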
After clicking the "Access Free Trial" button on this page: https://www.appdynamics.com/free-trial/, I get redirected to my account page, without any email on whether or not the Free Trial has been successfully started. However, when I go to my profile page, there is this message stating that I don't have any subscription yet, including the free trial.
I imported a csv into Splunk and now I need to compare two of the fields to find identical values: compare the values of "Customer_Full_Name" and "User_Full_Name" to find who, if anyone, is both a customer and a user. I feel like eval should be able to help here, but I can't think of how to do it. Once I have that figured out I need to see if there are users looking at the records of customers who happen to also be users, but I'll leave that for another question later.