All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Topics

The following is my JS code       require([ "underscore", "jquery", "splunkjs/mvc", "splunkjs/mvc/searchmanager", "splunkjs/mvc/tableview", "splunkjs/mvc/simplexml/ready!"... See more...
The following is my JS code       require([ "underscore", "jquery", "splunkjs/mvc", "splunkjs/mvc/searchmanager", "splunkjs/mvc/tableview", "splunkjs/mvc/simplexml/ready!" ], function(_, $, mvc, SearchManager, TableView) { var mySearch = splunkjs.mvc.Components.getInstance("main_search"); var myResults = mySearch.data("results"); myResults.on("data", function(){ allFields = myResults.data().fields; filteredFields = allFields.filter(field => !consistentFields.includes(field)); }); var filteredFields; var consistentFields = ["Field 1", "Field 2", "Field 3" ]; var CustomRangeRenderer = TableView.BaseCellRenderer.extend({ canRender: function(cell) { return true; }, render: function($td, cell) { if(filteredFields.includes(cell.field)){ if (cell.value === "Failure") { $td.addClass("failure"); } else if (cell.value === "Warn") { $td.addClass("warn"); } else if (cell.value === "Success") { $td.addClass("success"); } } // Update the cell content $td.text(cell.value).addClass("string"); } }); mvc.Components.get("main_table").getVisualization(function(tableView) { // Add custom cell renderer, the table will re-render automatically. tableView.addCellRenderer(new CustomRangeRenderer()); }); });     I am not having the table load every time as I look at my console and I am getting the following error message Uncaught TypeError: myResults.data() is undefined This issue is my hunch for why my code works but not every single time since the page won't necessarily load.
Hi There, I have this query that reports  the status code error rates. index=apache_core userAgent!="nginx/*" source="*access.log*" requestURI!="/web/app*" NOT (requestURI="/api/xyz/*" OR reques... See more...
Hi There, I have this query that reports  the status code error rates. index=apache_core userAgent!="nginx/*" source="*access.log*" requestURI!="/web/app*" NOT (requestURI="/api/xyz/*" OR requestURI="/api/yyy/*" AND statusCode=404) earliest=-30m latest=now | stats count(eval(statusCode>=400)) as errors, count as total | eval ErrorRate = errors * 100 / total | fields ErrorRate   This works , but  looks like it is taking an average of error rate  in last 30 mins and reports  over  the threshold  if there is a onetime spike... What I want  is  to   Alert , only if the Error Rate  is  higher than threshold for  continuous  10mins   in last 30mins OR 1 hr.  How can I achieve that ?   Thanks, DD
Hi all I want to create an app that contains several dashboards, but i want to allow the user to config some things (macros, lookups, etc...) easily like the configuration page in Splunk DB Connect,... See more...
Hi all I want to create an app that contains several dashboards, but i want to allow the user to config some things (macros, lookups, etc...) easily like the configuration page in Splunk DB Connect, but i can't find how to update config files with js. Also, i would like to know what is better: html inside a view, or using a template   Thank you very much
Hi I'm using Universal forwarder and trying to consume a complex csv file. Usually this works OK by configuring props.conf correctly on the forwarder. However, this CSV file is quite complex, with m... See more...
Hi I'm using Universal forwarder and trying to consume a complex csv file. Usually this works OK by configuring props.conf correctly on the forwarder. However, this CSV file is quite complex, with many Grouped Field. "{ }" to be used for encapsulating outer most list and "[]" for internal lists. Every internal list within {} or [] will be comma separated. Is this possible to achieve? I mean to get the naming of the header fields correct?  Since the header fields will change depending on which groups or lists have data. I have a good documentation of the csv file format, but haven't found any ways to make props.conf handle these grouped fields and lists.....
I recently switched over my Splunk 8 server to Python 3. Definitely not a nice experience as not just Python itself changed but also some libraries got dropped, most notable OpenSSL. I can understa... See more...
I recently switched over my Splunk 8 server to Python 3. Definitely not a nice experience as not just Python itself changed but also some libraries got dropped, most notable OpenSSL. I can understand upgrades like switching from urllib2 to urllib3, but dropping OpenSSL completely? That is rather weird. So I wonder what other silly surprises are lurking and what they are thinking dropping pretty essential libraries. For the time being I switched back. But on the long run, that is not a viable strategy. cheers afx
How to set status message for job not ran on saturday and sunday .here the query which i used in case statement.In my query its only working for saturday.but not getting for sunday. Thanks in advanc... See more...
How to set status message for job not ran on saturday and sunday .here the query which i used in case statement.In my query its only working for saturday.but not getting for sunday. Thanks in advance index=xx* app_name="xxx" OR cf_app_name="yyy*" OR app_name="ccc" |span_time span=1d |eval dayweek=strftime(_time,"%H")|convert timeformat="%m-%d-%y" ctime(_time) as c_time|eval Job = case(like(msg, "%first%"), "first Job", like(msg, "%second%"), "second Job", like(msg, "%third%"), "third job",like(msg, "%fourth%"), "fourth job")| stats count(eval(like(msg, "%All feed is completed%") OR like(msg, "%Success:%") OR like(msg, "%Success: %") OR like(msg, "%Finished success%"))) as Successcount count(eval(like(msg, "%Fatal Error: %") OR like(msg, "%Fatal Error:%") OR like(msg, "%Job raised exception%") AND like(msg, "% job error%"))) as failurecount by Job c_time dayweek|eval status=case((Job="fourth job") AND (dayweek=="Saturday" OR dayweek=="Sunday"),"NA",Successcount>0,"Success",failurecount>0,"Failure")| xyseries Job c_time status  
Hello, I am trying to find two events from my log with time into consideration, as earliest and latest. Next I am trying to find the total time by doing a diff between latest and earliest, but I am ... See more...
Hello, I am trying to find two events from my log with time into consideration, as earliest and latest. Next I am trying to find the total time by doing a diff between latest and earliest, but I am getting no data back. Here is how my query looks like: index=test sourcetype="test:node"  "enter" OR "exit" | stats earliest(_time) AS Earliest, latest(_time) AS Latest | eval diff=Latest-Earliest | eval FirstEvent=strftime(Earliest,"%m/%d/%y %H:%M") | eval LastEvent=strftime(Latest,"%m/%d/%y %H:%M") | eval DiffEvent=strftime(diff,"%m/%d/%y %H:%M") | eval temp = tostring(round(strptime(Latest,"%m/%d/%y %H:%M") -strptime(Earliest,"%m/%d/%y %H:%M"),0),"duration") | eval NetTotalTime=replace(temp,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs") | table FirstEvent, LastEvent, NetTotalTime, diff, Earliest,DiffEvent And here is what I get in my result: FirstEvent | LastEvent|  NetTotalTime|  diff|  Earliest|  DiffEvent 07/07/20 04:56 08/11/20 08:01   3035102.875 1594078003.853 02/05/70 08:35   FYI: I am only interested in FirstEvent, LastEvent, NetTotalTime (this is coming blank). The last 3 columns (diff, Earliest,DiffEvent) are just to show you how the data looks like. Hope to get an answer soon.
Hey!   So I have been trying to use inputlookup on a long CSV list of addresses to perform a search for each adress. I came up with the following:      | inputlookup voucher_numbers.csv | table ... See more...
Hey!   So I have been trying to use inputlookup on a long CSV list of addresses to perform a search for each adress. I came up with the following:      | inputlookup voucher_numbers.csv | table voucher | map search="search index=lgt_coms_prod OR index=lgt_mw_*_prod $voucher$ | table eventtype,$voucher$"     It returns all the eventtypes I want, but I loose the information of which address (or voucher) was used for getting each of them. So I ideally want something like this: Voucher = SomeVoucher, Eventtype= a,b,c,d   But I only get the Eventtype bit.   Edit: I tried the following but it didn't work: | inputlookup voucher_numbers.csv | table voucher | map search="search index=lgt_coms_prod OR index=lgt_mw_*_prod $voucher$|where NOT isnull(eventtype) | eval voucher = $voucher$| table voucher, eventtype" Also when I put $voucher$ in double quotes, it just keeps filling the new voucher field with blanks.  Any Idea?
Hello, i am getting the following json via syslog and i ingest it to splunk. Aug 13 12:45:40 10.200.7.200 {"Status": "Failed", "Received": "2020-08-13T10:45:07.2887421", "ToIP": null, "StartDate": ... See more...
Hello, i am getting the following json via syslog and i ingest it to splunk. Aug 13 12:45:40 10.200.7.200 {"Status": "Failed", "Received": "2020-08-13T10:45:07.2887421", "ToIP": null, "StartDate": "2020-08-13T10:44:39.530583Z", "Index": 2, "EndDate": "2020-08-13T10:45:39.530583Z", "FromIP": "2603:10a6:803:67::17"}   i want to extract the json data. So i created a new app on my searchhead with a props.conf for my custom sourcetype: [security:type] TIME_PREFIX = "Received":\s*" # SEDCMD-strip_prefix = s/^[^{]+//g SEDCMD-StripHeader = s/^[^\{]+// INDEXED_EXTRACTIONS=JSON KV_MODE=json TZ = UTC   still it doesnt extract the json data. Can someone help me out?   thanks in advance! Andreas
Team, I have field 50+ employee id = 12345. I need to split this numbers and perform addition operation in splunk and to show up those in splunk Employee id - 12345 action should be = 1+2+3+4+5 = ... See more...
Team, I have field 50+ employee id = 12345. I need to split this numbers and perform addition operation in splunk and to show up those in splunk Employee id - 12345 action should be = 1+2+3+4+5 = 15 
Hello Splunk members! I currently have a search that produces "Users" connecting to certain "hosts" whereas the status of connection is "created". The output is displayed as | timechart span=d dc(us... See more...
Hello Splunk members! I currently have a search that produces "Users" connecting to certain "hosts" whereas the status of connection is "created". The output is displayed as | timechart span=d dc(users) by host Here is a sample of how my search currently look like: index=search "remote access" (host="1.1.1.1" OR host="2.2.2.2" OR host="3.3.3.3") | eval host = case(host="1.1.1.1", "server1", host="2.2.2.2","server2", host="3.3.3.3", "server3") | rex field=_raw "\shas\sbeen\s\(?P<status>(created))\." | rex field=msg "\(SPI=\s(?P<session_id>\w+)\)" | timechart span=d dc(users) by host Now my aim is to have a lookup file (User-site.csv) the lookup has 2 fields. 1. UserID 2. Site I would like to filter out users based on site. For example, I want my timechart to only produce results for site "ABC" where users connected to. In my lookup UserID is matched to their dedicated Site, however the current search has Users from all Site which is something I need to filter out. Note: The UserID on the lookup is not 100% a match to (users) field on the initial search so I think I need to have something like "LIKE" command to compare similar characteristics from my lookup UserID field with users and then filter out the events based on site code (i.e. ABC) I would appreciate your assistance with this, I have previously made this work but this time the lookup fields are not 100% match so I can't figure a way to use a LIKE command here. Thanks
Hi, I have the following search and sub-search: index=someindex source=somesource | search [search index=otherindex source=othersource | fields hostname] My subsearch generates list of hostnames. ... See more...
Hi, I have the following search and sub-search: index=someindex source=somesource | search [search index=otherindex source=othersource | fields hostname] My subsearch generates list of hostnames. As a result I'd like to get list of hosts that have been found by main search and list of hosts that have not been found.  The hosts not found I'd like to put in one table and the on hosts found apply some filter and present in another table.  
When we install an App (any app) in Splunk, will the sourcetype be created automatically?
My query fetches ( recipient, time, subject) in table.   However, my requirement is to split incident number ( INC00027697776) from subject and display it in another column named Incident??
Hello all, I created multiple alerts for multiple MSSQL instances (say log_space_Alert, blocking_alert, data_space_alert,replication_alert) Say, I plan to do an activity in ABC instance at 8/13 10 ... See more...
Hello all, I created multiple alerts for multiple MSSQL instances (say log_space_Alert, blocking_alert, data_space_alert,replication_alert) Say, I plan to do an activity in ABC instance at 8/13 10 - 11 AM. Is there any way to suppress all these alerts for this particular instance and time? Appreciate your help guys!
Hi Team, I need to create a use case with the field "attack signature" from Symantec logs. i already have Symantec log but that does not have attack signature field. Do i need to enable anything in... See more...
Hi Team, I need to create a use case with the field "attack signature" from Symantec logs. i already have Symantec log but that does not have attack signature field. Do i need to enable anything in logging? How can i achieve the above scenario? Thanks in Advance    
Using the Splunk REST API, one can use GET against the "saved/searches" endpoint and get a list of all Saved Searches. We can use filters on the key names in the dictionary element to reduce the num... See more...
Using the Splunk REST API, one can use GET against the "saved/searches" endpoint and get a list of all Saved Searches. We can use filters on the key names in the dictionary element to reduce the number of entries returned. However, I want to filter based on the <author><name> element: is that possible with the REST API? Ultimately, I'm trying to answer this question with the REST API: what are all the saved searches that are created by a specific user / what are all the saved searches in a specific user's namespace?   References: 1) Example XML output is given in the documentation for "saved/searches": https://docs.splunk.com/Documentation/Splunk/8.0.5/RESTREF/RESTsearch#saved.2Fsearches    
I need a query that will give the count of views of dashboard, number of queries executed by dashboard, time taken by queries, count of executions by user.
Hi All, Can anyone help me in the dashboards for AWS Insight  In splunk_app_aws --> Insights dashboards, I am getting the data when I click on the arrow down button. Please see the screenshot belo... See more...
Hi All, Can anyone help me in the dashboards for AWS Insight  In splunk_app_aws --> Insights dashboards, I am getting the data when I click on the arrow down button. Please see the screenshot below But when i copy and paste the same code in another application in the same server, I am not getting the details of the account. The code is same but no idea why the details are not showing up...  
The Advanced XML is not supported with the Splunk upgraded version of 8.X - So how can I identify that which XML is used by my dashboard. - In case if its using Advanced XML and it will be creating... See more...
The Advanced XML is not supported with the Splunk upgraded version of 8.X - So how can I identify that which XML is used by my dashboard. - In case if its using Advanced XML and it will be creating problem if my Splunk is upgraded to recent version, then how can I fix it? Could anyone please help me on this.