All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Hi Guys, I have the following query which I am showing as a line chart in a panel; however, I want to show the job names at each _time. Can you please help.

Query:

index=infra_apps sourcetype=ca:atsys:edemon:txt EventCode=40245 AND (Status=Failure OR Status=Terminated OR Status=Running OR Status=Success) AppID=CDH Machine=* Job=*
| dedup _raw
| lookup datalakenodeslist.csv host as Machine OUTPUT cluster
| search cluster=*
| eval running=if(Status="RUNNING","1","0"), status=if(Status="RUNNING","start","stop"), time=_time+status
| bin span=2m _time
| stats max(running) as running, earliest(time) as first, latest(time) as last by Job,_time
| xyseries _time Job running first last
| makecontinuous span=2m _time
| streamstats window=2 global=f earliest(last*) as last*
| reverse
| streamstats window=2 global=f earliest(first*) as first*
| reverse
| foreach running* [ eval <<FIELD>>=if(isnull('<<FIELD>>') AND like('first<<MATCHSTR>>',"%start"),"0",if(isnull('<<FIELD>>') AND like('first<<MATCHSTR>>',"%stop"),"1",if(isnull('<<FIELD>>') AND like('last<<MATCHSTR>>',"%start"),"1",if(isnull('<<FIELD>>') AND like('last<<MATCHSTR>>',"%stop"),"0",'<<FIELD>>')))) ]
| fields - first*, last*
| filldown *
| reverse
| filldown *
| reverse
| addtotals fieldname=RunningCount
| fields _time,RunningCount

Query statistical result:

_time            RunningCount
3/19/2020 8:00   53
3/19/2020 8:02   44

Now I would like to see the names of the jobs at each _time.
Hello. I'm trying to monitor a device's hard disk, CPU, etc. from the universal forwarder, but I couldn't find the RAM usage. https://docs.splunk.com/Documentation/Splunk/8.0.2/Data/MonitorWindowsperformance
Hello Team, We have the "Pager Duty App for Splunk", which we use to the fullest as part of the alert actions from our Splunk Search Head. However, we recently upgraded our Splunk Enterprise infra from 7.3.3 to 8.0.1, after which the integration is not working. When we looked at Splunkbase, we came to know that this app is not yet compatible with Splunk Enterprise 8.*. Do we have any alternative solution or suggested workaround until this app is enhanced? This is impacting our day-to-day operations and any help or ideas would be most welcome. Thanks and regards, Vishwa
I'm trying to update Splunk DB Connect but I'm getting an error:

An error occurred while downloading the app: [HTTP 404] https://127.0.0.1:8089/services/apps/local/splunk_app_cloudgateway/update; [{'code': None, 'type': 'ERROR', 'text': 'Error downloading update from https://splunkbase.splunk.com/app/4250/release/1.10.0/download/?origin=cfu: Not Found'}]

If I download the app from Splunkbase and upload it from file, will I lose all config in the app? Kind Regards, Michiel
I have data in the below format in Splunk, which I extracted as Brand, Files, Size. Now in some places, where Size is showing empty, I want to replace it with 0. I have used

| fillnull value=0
| eval Size=if(isnull(Size), "0", Size)

But the values are still showing empty. I have used the below query:

index=*** host=*** source=****
| rex field=_raw max_match=0 "(?<Brand>[a-z]+),(?<Files>\w+\-?\d?.*)\,(?<Size>\d?.*)"
| table Brand,Size,Files
| eval _counter = mvrange(0,mvcount(Brand))
| stats list(*) as * by _counter
| foreach * [ eval <<FIELD>> = mvindex('<<FIELD>>', _counter) ]
| xyseries Brand Files Size
| transpose 0 header_field=Brand column_name=Files
| fillnull value=0

and the result I am getting is like below. After using | fillnull value=0, I am getting 0 for those files which are not there for the 2nd, 3rd and 4th brands, but not where Size is showing empty. Can anyone help me with this?
I have a dashboard that should perform a dynamic number of searches. For this purpose I created a search manager, which receives new search strings via a for loop. Via an on-data listener I access the results of the search manager. If I have only one pass of the loop, I get the correct results, but already with two passes I get the result of the second search output twice. I have attached a minimal example of the problem here:

searchmanager = new SearchManager(…)
for (var i = 0; i < array.length; i++) {
    var search_string = "| makeresults | eval a=" + i + " | table a";
    searchmanager.settings.set("search", search_string);
    searchmanager.startSearch();
    var results = searchmanager.data("results");
    searchmanager.on("search:done", function() {
        results.on("data", function() {
            if (results.data()) {
                var fields = results.data().fields;
                var rows = results.data().rows;
                console.log(rows);
            }
        })
    })
}

The output of the console for an array of length two is always twice an object with "1" as the result, and not one time "0" and then "1" as one would expect. For an array of length one the result is an object with "0" as the result. I suspect the on("data") listener, because I checked the search string and everything, and at any given point there is the difference of the value in the objects, but as soon as I try to access the result with the listener it only gives me the result with "1" in the row. I also tried to put the results in an array and access the result object after that, with no success. I hope someone can help me and that the minimal example helps to explain my problem. Thank you very much.
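The behaviour in the post above can be reproduced without a Splunk instance. The following is an added example, not code from the original post and not SplunkJS itself: it stands in a small synchronous mock (MockSearchManager, MockResultsModel and a flushSearches() helper, all names of this example's own) for SearchManager and its results model. It assumes that one manager holds one query at a time, that calling startSearch() again on the same manager replaces the run that was still pending, and that search:done fires before the results model emits "data". Under those assumptions the posted loop yields the last query's result once per registered listener, while giving each iteration its own manager (with a unique id, which SplunkJS requires for managers in any case) yields the expected 0 and then 1.

```javascript
// Added example: a synchronous stand-in for SplunkJS's SearchManager and its
// results model (an assumption about their behaviour, not SplunkJS code).
// Runs are queued and executed by flushSearches(), which plays the role of
// the browser's event loop.
const pendingRuns = new Map(); // manager -> function that performs its run

class MockResultsModel {
  constructor() { this._data = null; this._dataHandlers = []; }
  on(event, handler) { if (event === "data") this._dataHandlers.push(handler); }
  data() { return this._data; }
  _emit(data) { this._data = data; this._dataHandlers.forEach((h) => h()); }
}

class MockSearchManager {
  constructor(options) {
    this.id = options.id;
    this._search = null;
    this._doneHandlers = [];
    this._results = new MockResultsModel();
    this.settings = { set: (key, value) => { if (key === "search") this._search = value; } };
  }
  data(kind) { return kind === "results" ? this._results : null; }
  on(event, handler) { if (event === "search:done") this._doneHandlers.push(handler); }
  startSearch() {
    // Assumption: starting a search again on the same manager replaces the
    // pending run, so only the query that was set last is ever executed.
    pendingRuns.set(this, () => {
      const m = /eval a=(\d+)/.exec(this._search || ""); // "runs" the toy query
      const rows = [[m ? m[1] : ""]];
      this._doneHandlers.forEach((h) => h());            // search:done first...
      this._results._emit({ fields: ["a"], rows });      // ...then results "data"
    });
  }
}

function flushSearches() {
  const runs = [...pendingRuns.values()];
  pendingRuns.clear();
  runs.forEach((run) => run());
}

// The loop from the question: one manager reused for every query.
function runShared(count) {
  const seen = [];
  const searchmanager = new MockSearchManager({ id: "shared" });
  for (var i = 0; i < count; i++) {
    var search_string = "| makeresults | eval a=" + i + " | table a";
    searchmanager.settings.set("search", search_string);
    searchmanager.startSearch();
    var results = searchmanager.data("results");
    searchmanager.on("search:done", function () {
      results.on("data", function () {
        if (results.data()) seen.push(results.data().rows[0][0]);
      });
    });
  }
  flushSearches();
  return seen; // count=2 -> ["1", "1"]: one run (the last query), two listeners
}

// The fix: one manager per query, each with its own results model and handlers.
function runPerManager(count) {
  const seen = [];
  for (let i = 0; i < count; i++) {
    const manager = new MockSearchManager({ id: "dynamic_search_" + i });
    manager.settings.set("search", "| makeresults | eval a=" + i + " | table a");
    const results = manager.data("results");
    manager.on("search:done", function () {
      results.on("data", function () {
        if (results.data()) seen.push(results.data().rows[0][0]);
      });
    });
    manager.startSearch();
  }
  flushSearches();
  return seen; // count=2 -> ["0", "1"]
}
```

Note that `var` versus `let` is not the cause here: every callback in the shared version refers to the same results model regardless of loop scoping, so both search:done handlers attach to one model and both see whichever run finished last. Creating a manager per iteration separates the models as well as the handlers.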
From my saved search I'm trying to get the values of a field like below:

<search>
  <query>| savedsearch mysearch field3 = $value$ </query>
</search>

but it's not working. My report query is:

index = internal | stats count by field1 field2 field3 field4
Hi, I have a Kubernetes cluster deployed in AWS and my application is running in that. Now I am able to monitor my application via AppDynamics java agent. I want to monitor the infrastructure now and I have used the autoscaling feature as well. So what is the best possible way to monitor the infra of my environment with a machine agent? Or is there any other way to do the same? Regards, Gopikrishnan 
Hello Splunkers, I'm having trouble getting some weblogs to show up correctly in Splunk. What I'm trying to index looks like this:

201.28.109.162 - - [13/Jan/2016 21:03:04:164] "POST /cart.do?action=view&itemId=EST-21&product_id=FL-DLH-02&JSESSIONID=SD7SL9FF3ADFF4 HTTP 1.1" 404 2827 "http://www.myflowershop.com/category.screen?category_id=GIFTS" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4"&&&12.130.60.5 - - [13/Jan/2016 17:15:44:111] "POST /product.screen?product_id=FI-FW-02&JSESSIONID=SD8SL8FF7ADFF7 HTTP 1.1" 200 404 "http://www.myflowershop.com/product.screen?product_id=FI-FW-02" "Opera/9.20 (Windows NT 6.0; U; en)"

Every event is separated by &&&, and so far I've managed to get the events to split somewhat correctly, but I can't get rid of the &&& that still shows up at the beginning of each event:

201.28.109.162 - - [13/Jan/2016 21:03:04:164] "POST /cart.do?action=view&itemId=EST-21&product_id=FL-DLH-02&JSESSIONID=SD7SL9FF3ADFF4 HTTP 1.1" 404 2827 "http://www.myflowershop.com/category.screen?category_id=GIFTS" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4"

&&&12.130.60.5 - - [13/Jan/2016 17:15:44:111] "POST /product.screen?product_id=FI-FW-02&JSESSIONID=SD8SL8FF7ADFF7 HTTP 1.1" 200 404 "http://www.myflowershop.com/product.screen?product_id=FI-FW-02" "Opera/9.20 (Windows NT 6.0; U; en)"

props.conf:

LINE_BREAKER = (\d+)&&&(\d+)
NO_BINARY_CHECK = true
REPORT-access = access-extractions
SHOULD_LINEMERGE = false
TIME_PREFIX = \[
TRUNCATE = 0
category = Custom
disabled = false
maxDist = 28
pulldown_type = true

I've also tried using things like MUST_BREAK_AFTER = .+?(?=&&&) but that didn't help either. Anybody who can offer any advice?
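What decides where the &&& ends up is the rule Splunk documents for LINE_BREAKER: the regex is matched against the raw stream, the text matched by its first capture group is discarded, and the event boundary is placed there; text the regex matches outside that group is kept and stays attached to the neighbouring events. The following is an added example, not part of the original post and not Splunk's own code: a small function that applies that rule, run over a shortened, constructed version of the two events above with the same `"&&&1` junction, so that a candidate LINE_BREAKER can be previewed offline. It assumes Node 16 or later (for the regex `d` flag) and that the patterns involved behave the same in JavaScript as in the PCRE Splunk uses, which holds for these three.

```javascript
// Added example (not Splunk source code). Applies the documented LINE_BREAKER
// rule: break at, and drop, the text matched by the FIRST capture group; keep
// everything else. Needs Node 16+ for the "d" (match indices) flag.
function splitEvents(raw, lineBreaker) {
  const re = new RegExp(lineBreaker, "gd");
  const events = [];
  let cursor = 0;
  for (const m of raw.matchAll(re)) {
    if (!m.indices || m.indices[1] === undefined) {
      throw new Error("LINE_BREAKER must contain a capture group that takes part in the match");
    }
    const [groupStart, groupEnd] = m.indices[1];
    if (groupEnd === groupStart) continue;       // empty group: nothing to break on
    events.push(raw.slice(cursor, groupStart));  // text before group 1 stays with the previous event
    cursor = groupEnd;                           // group 1's own text is discarded
  }
  events.push(raw.slice(cursor));
  return events.filter((e) => e.length > 0);
}

// Constructed sample: the post's two events, shortened, joined by "&&&"
// exactly as in the question (a closing quote immediately precedes it).
const SAMPLE =
  '201.28.109.162 - - [13/Jan/2016 21:03:04:164] "POST /cart.do?action=view&itemId=EST-21 HTTP 1.1" 404 2827 ' +
  '"http://www.myflowershop.com/category.screen?category_id=GIFTS" "Mozilla/5.0"' +
  "&&&" +
  '12.130.60.5 - - [13/Jan/2016 17:15:44:111] "POST /product.screen?product_id=FI-FW-02 HTTP 1.1" 200 404 ' +
  '"http://www.myflowershop.com/product.screen?product_id=FI-FW-02" "Opera/9.20"';

// 1. The posted value needs digits directly before "&&&"; a quote is there
//    instead, so it never matches and the stream is not split at all.
function withPostedBreaker() { return splitEvents(SAMPLE, "(\\d+)&&&(\\d+)"); }

// 2. Only the delimiter in group 1: clean split, "&&&" gone from both events.
function withDelimiterBreaker() { return splitEvents(SAMPLE, "(&&&)"); }

// 3. Whatever is inside group 1 is lost, so this variant also eats the closing
//    quote of the first event. Keep anything you want to retain outside group 1.
function withLossyBreaker() { return splitEvents(SAMPLE, '("&&&)'); }
```

In props.conf the clean variant is `LINE_BREAKER = (&&&)`, kept together with `SHOULD_LINEMERGE = false` as in the post. MUST_BREAK_AFTER is a line-merging setting and only has an effect when SHOULD_LINEMERGE is true, which is why it changed nothing here.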
Hello, I have a lookup table that looks like below:

dns       ip
server1   ip1,ip2,ip3
server2   ip4,ip5,ip6
server3   ip7
server4   ip8,ip9,ip10,ip11

So I have a Splunk search that generates a table with IP addresses and I want to automatically populate the relevant dns names. I use the following but it does not work:

| lookup lookup.csv "ip" AS IpAddress OUTPUT "dns" AS server_name

Any idea how to solve it? Thanks
Good morning, I log different error messages in Splunk and want to get the average number of each error message and create an alert for this. What I tried:

index="" AND http_message="" | timechart avg(http_message)

Unfortunately it doesn't deliver the expected screen.
I have an event code 33205 which comes from Windows application logs, for which field extraction is not happening even though the Windows Add-on is installed. To extract the statement field in the event, I am using the below regular expression:

| rex field=_raw "statement:(?<statement>[\d\D]*[\n\s])additional"

which extracts the data till the additional_information field. But there are extra spaces which are getting included while extracting, like this:

quote EXEC %%Object(MultiName = @qualified_name).LockMatchID(ID = @tabid, Exclusive = 1, BindInternal = 0) unquote

The extra spaces are not getting removed. Could you please help on this to write the regex? Sample event:

database_name:test
schema_name:dbo
object_name:Table_2
statement:EXEC %%Object(MultiName = @qualified_name).LockMatchID(ID = @tabid, Exclusive = 1, BindInternal = 0)
additional_information:
user_defined_information:
application_name:EUPTTOPDBS004\SQLNAV-test-test2-4
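The trailing whitespace comes from the pattern itself: `[\d\D]*` is greedy and the group is required to end on a whitespace character, so every newline and space before "additional" is captured. Whitespace that should not be part of the value has to be consumed outside the named group. The following is an added example, not part of the original post: the posted pattern and a tightened one applied to a constructed event laid out like the sample above (with CRLF line endings, as Windows logs commonly have), plus two edge cases, a multi-line statement and an empty one. JavaScript regex syntax is used; both patterns are also valid PCRE for Splunk's rex.

```javascript
// Added example, not from the original post. Constructed event in the layout
// of the sample in the question; CRLF endings are an assumption.
const SAMPLE_EVENT = [
  "database_name:test",
  "schema_name:dbo",
  "object_name:Table_2",
  "statement:EXEC %%Object(MultiName = @qualified_name).LockMatchID(ID = @tabid, Exclusive = 1, BindInternal = 0)",
  "",                           // blank line before the next field
  "additional_information:",
  "user_defined_information:",
  "application_name:EUPTTOPDBS004\\SQLNAV-test-test2-4",
].join("\r\n");

// Constructed edge cases: a statement spanning lines, and an empty statement.
const MULTILINE_EVENT = "statement:SELECT a,\r\n  b\r\nFROM t\r\nadditional_information:";
const EMPTY_EVENT = "statement:\r\nadditional_information:";

// The posted pattern: greedy body, and the group must END with whitespace,
// so the newlines before "additional" land inside the extracted value.
const POSTED = /statement:(?<statement>[\d\D]*[\n\s])additional/;

// Tightened: whitespace consumed outside the group on both sides, lazy body,
// and anchored on the full next field name so the value cannot over-run.
// ([\s\S] and [\d\D] both mean "any character, newline included".)
const TIGHT = /statement:[ \t]*(?<statement>[\s\S]*?)\s*additional_information:/;

function extractStatement(raw, pattern) {
  const m = pattern.exec(raw);
  return m ? m.groups.statement : null;
}

// Results of both patterns over the constructed events, for comparison.
function demo() {
  return {
    posted: extractStatement(SAMPLE_EVENT, POSTED),   // ends in "\r\n\r\n"
    tight: extractStatement(SAMPLE_EVENT, TIGHT),     // no surrounding whitespace
    multiline: extractStatement(MULTILINE_EVENT, TIGHT), // interior newlines kept
    empty: extractStatement(EMPTY_EVENT, TIGHT),      // "" rather than "\r\n"
  };
}
```

In SPL the tightened form is `| rex field=_raw "statement:[ \t]*(?<statement>[\s\S]*?)\s*additional_information:"`; the cheaper alternative is to keep the posted rex and follow it with `| eval statement=trim(statement)`, which strips the leading and trailing whitespace but still leaves the lazy-versus-greedy question open if the raw text ever contains more than one "additional".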
Hi all, I have a requirement as below. When there is a name field, I want similar names to be ranked together:

Name
John
John
John
Jack
Jack
Jack
James
James
James

Similar names should be grouped as:

Name    Rank
John    1
John    1
John    1
Jack    2
Jack    2
Jack    2
James   3
James   3
James   3

Could someone help please?
My 2 devices (System01 and System02) as a cluster are each sending one event per hour to Splunk like this:

00:00:00 – System01 - Number of concurrent users logged in to the device: 7
00:00:05 – System02 - Number of concurrent users logged in to the device: 1
00:01:00 - System01 - Number of concurrent users logged in to the device: 3
00:01:05 - System02 - Number of concurrent users logged in to the device: 2
00:02:00 - System01 - Number of concurrent users logged in to the device: 4
00:02:05 - System02 - Number of concurrent users logged in to the device: 2
00:03:00 - System01 - Number of concurrent users logged in to the device: 12
00:03:05 - System02 - Number of concurrent users logged in to the device: 26
00:04:00 - System01 - Number of concurrent users logged in to the device: 166
00:04:05 - System02 - Number of concurrent users logged in to the device: 20
00:05:00 - System01 - Number of concurrent users logged in to the device: 12
00:05:05 - System02 - Number of concurrent users logged in to the device: 5
...
00:23:00 - System01 - Number of concurrent users logged in to the device: 12
00:23:05 - System02 - Number of concurrent users logged in to the device: 3

It shall not require any stats/count command, as the concurrent number is already given each hour. Could anyone advise a timechart/search command to display the number of concurrent users each hour? Thanks.

00hr    01hr    02hr    03hr       04hr         05hr      …   23hr
7+1=8   3+2=5   4+2=6   12+26=38   166+20=186   12+5=17       12+3=15
Hi, I have two fields in my report, Time_Created and Time_Closed. They are the times an incident ticket was created and then closed. Their format is:

Time_Created: 12/20/19 11:30
Time_Closed: 1/1/20 16:50

I need to find the difference between both and put the result in an additional field, e.g. Time_to_resolution. Basically, I need to see how long it took to resolve a ticket from its creation to closure. Thanks in advance!!!
Hi All, We have a scripted input which indexes JSON data into Splunk, and using spath we have written our correlation rules. Now that we have Splunk ES, we would like to map the JSON data to CIM in Splunk. Can anyone please guide us to understand how, and whether it is possible, to map JSON to CIM in Splunk so that it can be used in Splunk ES. Thanks.
Hi, I have a table with 2 columns and I want to change the colour of one of them based on whether or not it is bigger or smaller than the second column. For example, in the table below, I would expect the first 2 rows of column1 to be green, while the last 2 rows will be red:

field1, field2
100, 200
12, 5000
200, 100
9999, 2

I've taken 2 approaches: configuring colorPalette with a variable from my search directly, which seemed not to work; secondly, trying to update a token through the search, because one of the links below suggests that tokens will work. I've used these posts as references, to no avail still:

https://answers.splunk.com/answers/656201/can-i-use-if-match-x-regex-y-z-in-a-colorpalette-e.html
https://answers.splunk.com/answers/469742/how-to-edit-dashboard-to-use-token-values-to-deter.html
https://answers.splunk.com/answers/673787/how-to-set-a-token-based-on-search-results.html

Here's my sample dashboard:

<form theme="dark">
  <row>
    <panel>
      <title>Random title</title>
      <table>
        <search>
          <query>
            index=someIndex source=someSource| eval field1=bla, field2=bla | table field1 field2
          </query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
          <done>
            <set token="tokStatus">$result.field1$</set>
          </done>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="latency">
          <colorPalette type="expression">if(value > $tokStatus$, "#53A051", "#DC4E41")</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</form>

Any ideas on how to do so?
I am trying to optimize the query speed of the DB Connect app. I have read the following post; it tells me I can use | noop search_optimization=false, but Splunk returns an error when I use it:

Error in 'noop' command: invalid argument: 'search_optimization'

This is my search:

|noop search_optimization = false|dbxquery connection="connectTestDB" query="select * from clientData"

I also tried to add | noop search_optimization=false at the end of dbxquery; the error remains.
Payload:

{"nodeId":34567,"cycleCode":10}

Could someone please help me with how to extract nodeId? I tried like this:

rex field=_raw "\"nodeId\"\s:\s(?P)"
Hi all, I have Splunk ESS Version 7.1.3. After updating the GeoLite2-City.mmdb db (last 17/3/20) I noticed that in my query the location is still wrong. Example:

index=network eventtype=cisco_vpn_start "AnyConnect parent session started." | where src_ip="37.161.xx.xxx" | iplocation src_ip | table src_ip, Country

src_ip          Country
37.161.xx.xxx   France

However, when I run the following command:

| makeresults | eval ip="37.161.xx.xxx" | iplocation ip | table Country, ip

Country   ip
Italy     37.161.xx.xxx

Why in one case is the correct value (Italy) returned to me, while in the first case France appears? The behavior is very anomalous to me. Do you have any suggestion or fix for the first query? Thanks a lot, Saverio