All Topics

Hello, I have sample data with exactly 10 characters, a combination of alphabet characters (2-4) followed by spaces (2-4) and numbers (2-4). Refer to the table for sample field values; an underscore represents a space.

SI.No  ID
1      ABCD__1234
2      AB____1234
3      ABCD___123
4      ABCDE__123

In the dashboard, I have a filter for ID. The requirement is that the user can enter one or two spaces between the ABCD and 1234 in the filter box. By passing this token value, irrespective of the space values, we need to fetch the results. Thank you.
Hi All, I have a dashboard built using Dashboard Studio. I want to pass multiple tokens to another dashboard on click of a value in one of the panels. I am using Interactions --> Link to dashboard and adding tokens there, but I am not getting how to pass multiple tokens so that they reflect in the other dashboard. Can anyone please suggest me on this? Regards, pnv
Hi All, I wanted to capture both Windows and Unix servers' CPU, memory and disk usage. Below are sample events.
https://www.nike.com/in/t/air-max-90-lv8-shoes-5KhTdP/FD4328-102
https://www.nike.com/in/t/air-max-dn-shoes-FtLNfm/DV3337-006
I need to extract the values 5KhTdP and FtLNfm.
Hi, can anyone suggest how to create an Avg & Std Dev graph from the fields?
These are the fields I'm using - Body, ATNVersion, operatingsystem, osversion, MID 
| mstats sum(count-error) as Failed where index=metrics_index by service errorNumber errortype

Results:

service errorNumber errortype Failed
aaca    0           fail      8
aaca    10          pass      1000
aaca    25          fail      290
aaca    120         fail      8
aaca    80          pass      800
aaca    200         fail      400
aaca    210         pass      22
aaca    500         fail      10
aaw     120         fail      8
aaw     80          pass      2000
aaw     200         fail      3
aaw     210         pass      56
aaw     500         fail      22
aaw     0           pass      0
www     0           fail      8
www     10          pass      1000
www     25          fail      290
www     120         fail      8
www     80          pass      800
www     200         fail      400
amb     500         fail      10
amb     120         fail      8
amb     80          pass      2000
amb     200         fail      3
amb     210         pass      56
amb     500         fail      22
amb     0           pass      0
asf     0           fail      8
asf     10          pass      1000
asf     0           pass      0
asf     0           fail      8
asf     10          pass      1000

But we want the output as shown below. We need only the top 4 errorNumber values to show up, along with the failed count:

service errorNumber errortype Failed
aaca    0           fail      2538
        10          pass
        25          fail
        120         fail
        80          pass
        200         fail
        210         pass
        500         fail
aaw     120         fail      2089
        80          pass
        200         fail
        210         pass
        500         fail
        0           pass
www     0           fail      2506
        10          pass
        25          fail
        120         fail
        80          pass
        200         fail
amb     500         fail      2099
        120         fail
        80          pass
        200         fail
        210         pass
        500         fail
        0           pass
asf     0           fail      2016
        10          pass
        0           pass
        0           fail
        10          pass
I have a timechart in which I want a column name to reflect a field name, like how a variable or token would be used.

```Example```
| makeresults
| eval sample="100"
| eval name=if(sample=100,"C","N/A")
| timechart max(sample) as $name$
```Expected outcome would be a timechart with a column named "C"```

Is this possible?
Hi Team, I extracted each webpage's details, which are dynamic based on the time range, for one of our applications. Is it possible to auto scale up/down the visualization panel (like single value) in the Splunk dashboard based on the output of the Splunk query? For example, if the dev team added/removed a webpage or functionality, the visualization panel should be created/deleted automatically. Thank you in advance.
I am showing index info (the following info) from the MongoDB log in Splunk.

namespace : tmp.agg_out.a35455454-f452-343434-b3eb-32630f67312b
msg : Index build: done building

What does it mean (namespace and msg)?
Our Ubuntu VMs are not reporting disk I/O and other metrics, and the "Partition Metric Name" shows up as "Unknown". Further investigation suggests that the disk stats section of "linux-stats.sh" has a regex that requires the device to end in a number, whereas the / mount uses "/dev/root". Is anyone aware of an updated script that works with the newer OS, or has anyone been able to modify the script to correlate correctly?
Hi, I have the following Link List input to provide a shortcut to other dashboards; when any of them is selected, it opens a new tab to the specified dashboard. The issue is that when a link is selected it is added as a parameter to the URL, so the next time the page is refreshed it triggers an input "change" and immediately opens a new tab to the link. What would be the best way to trigger only when it was selected? I've tried adding <set> and <unset> for the input token after the <link> tag so it should be removed from the URL once the new tab was opened, but it had no effect.

<input id="linkToOtherDash" type="link" token="link_dash">
  <label>View other Dashboard:</label>
  <choice value="dash1">Dashboard 1 ↗</choice>
  <choice value="dash2">Dashboard 2 ↗</choice>
  <choice value="dash3">Dashboard 3 ↗</choice>
  <change>
    <condition value="dash1">
      <link target="_blank">https://example.com/dash1</link>
      <set token="link_dash">.</set>
    </condition>
    <condition value="dash2">
      <link target="_blank">https://example.com/dash2</link>
      <set token="link_dash">.</set>
    </condition>
    <condition value="dash3">
      <link target="_blank">https://example.com/dash3</link>
      <set token="link_dash">.</set>
    </condition>
  </change>
</input>
I am getting this error: "may have returned partial results. Try running your search again. If you see this error repeatedly, review search.log for details or contact your Splunk administrator." Can I please get a solution for this? Thanks, sahitya
Hi Guys, I want to show two field values in a single column in a table. The query and sample logs are given below.

index="mulesoft" applicationName="api"
| spath content.payload{}
| mvexpand content.payload{}
| transaction correlationId
| rename "content.payload{}.AP Import flow processing results{}.requestID" as RequestID "content.payload{}.GL Import flow processing results{}.impConReqId" as ImpConReqId content.payload{} as response
| eval OracleRequestId="RequestID: ".RequestID." ImpConReqId: ".ImpConReqId
| table response OracleRequestId

Actual Result:

Row 1
response:
GL Import flow related results : Extract has no GL records to Import into Oracle
{ "AP Import flow processing results" : [ { "concurBatchId" : "395", "requestID" : "101660728", "returnMessage" : null, "returnStatus" : "SUCCESS", "insertCount" : "72", "fileName" : "CONCUR_APAC_APINV_1711965640.csv" } ] }
OracleRequestId:
(empty)

Row 2
response:
{ "AP Import flow processing results" : [ { "concurBatchId" : "393", "requestID" : "101572722", "returnMessage" : null, "returnStatus" : "SUCCESS", "insertCount" : "66", "fileName" : "CONCUR_APAC_APINV_1711620043.csv" } ] }
{ "GL Import flow processing results" : [ { "concurBatchId" : "393", "batchId" : "6409", "count" : "5", "impConReqId" : "101572713", "errorMessage" : null, "filename" : "CONCUR_APAC_GLJE_51711620043.csv" } ] }
OracleRequestId:
RequestID: 101572722 ImpConReqId: 101572713

Expected Result:

Row 1
response:
GL Import flow related results : Extract has no GL records to Import into Oracle
{ "AP Import flow processing results" : [ { "concurBatchId" : "395", "requestID" : "101660728", "returnMessage" : null, "returnStatus" : "SUCCESS", "insertCount" : "72", "fileName" : "CONCUR_APAC_APINV_1711965640.csv" } ] }
OracleRequestId:
requestID:101660728

Row 2
response:
{ "AP Import flow processing results" : [ { "concurBatchId" : "393", "requestID" : "101572722", "returnMessage" : null, "returnStatus" : "SUCCESS", "insertCount" : "66", "fileName" : "CONCUR_APAC_APINV_1711620043.csv" } ] }
{ "GL Import flow processing results" : [ { "concurBatchId" : "393", "batchId" : "6409", "count" : "5", "impConReqId" : "101572713", "errorMessage" : null, "filename" : "CONCUR_APAC_GLJE_51711620043.csv" } ] }
OracleRequestId:
RequestID: 101572722 ImpConReqId: 101572713
I have this query (below): 1) When I run this query in Splunk Web, I get back the SID and get data using the SID. 2) When I use the curl command, I get back the SID and get data using the SID. 3) But when I use Python, I get the SID in the response with status code 201.

import requests

TOKEN = "Bearer <your-token>"  # placeholder; the real token was not part of the post

# read this query from file
with open("aquery2.txt", "r") as f:
    aQuery = f.read()

# derive earliest and latest
# (fixed: the original concatenated a float and had unbalanced parentheses;
# earliest/latest are joined to the search with spaces)
finalAQuery = "search earliest=1711982700.001 latest=1711983600.0 " + aQuery

url = "https://abc.splunkcloud.com:8089/servicesAB/-/xyz/search/jobs"

def getSid():
    try:
        response = requests.post(url, headers={'Authorization': TOKEN},
                                 data={'search': finalAQuery}, verify=False)
        return response
    except requests.RequestException as e:
        print(e)

I get back the SID. But when I use the SID to get the results, I get error 404:

<Response [404]> {"messages":[{"type":"FATAL","text":"Unknown endpoint."}]}

def getMetric(sid):
    try:
        getData = url + '/' + sid + '/results'
        # for a GET, query-string values belong in params=, not data=
        getSidResponse = requests.get(getData, headers={'Authorization': TOKEN},
                                      params={'output_mode': 'json'}, verify=False)
        return getSidResponse
    except requests.RequestException as e:
        print(e)

# aquery.txt contents below.
index=apigee sourcetype="apigee:Prod_access_logs"
| rex field=proxyUri "(?P<proxyUri>(([a-zA-Z]+)\d)(?:\d\/[a-zA-Z]+|\/[a-zA-Z]+)+)"
| convert num("requestTimeinSec")
| rex field=_raw "(?<timeStamp>\d{4}\-\d{1,2}\-\d{1,2}T\d{1,2}\:\d{1,2}\:\d{1,2}\-\d{1,2}\:\d{1,2})\s+(?<hostValue>\w+)\s+\S+\s+\S+\s+(?<requestTimeinSec>\S+)\s+\-\s+-\s+(?P<httpStatusCode>\w+)\s+(?<upstreamHttpStatusCode>\w+)\s+\w+\s+\w+\s+(?<methodName>\w+)\s+(?<proxyUri>\S+)\s+(?<httpVersion>\S+)\s+(?<messageId>\S+)"
| rex field=_raw "^([^\t]+\t){35}(?P<ClientId>[^\t]+)"
| eval totalResponseTime=round(requestTimeinSec*1000)
| replace "z1/credit/bank/info/usa" with "x1/credit/bank/info/canada" in proxyUri
| replace "v1/taste" with "/connecticut/taste/v1/newyork" in proxyUri
| rangemap field="httpStatusCode" "httpStatusCode"=0-499
| rename range as RangeSuccesshttpStatusCode
| eval Product=case(like(ClientId, "JERSEY"), "aaa", like(ClientId, "APPLE"), "bbb", like(ClientId, "HELLO"), "ccc")
| eval ATier=case((like(proxyUri,"/paypal/jersey/v1/newyork") AND like(methodName,"POST") AND IN (Product, "aaa", "bbb", "ccc")) , "Tier1", (like(proxyUri,"v1/credit/bank/info/canada") AND like(methodName,"GET") AND IN (Product, "aaa", "bbb", "ccc")) OR (like(proxyUri,"v1/credit/accounts/profile") AND like(methodName,"GET") AND IN (Product, "Venmo", "Cobrand", "PPC")), "Tier2",(like(proxyUri,"v1/alerts/preferences") AND like(methodName,"GET") AND IN (Product, "Venmo", "Cobrand", "PPC")), "Tier3",1==1,"NA")
| stats count(totalResponseTime) as TotalTrans, count(eval(RangeSuccesshttpStatusCode="httpStatusCode")) as TotalSuccesTran, count(eval(httpStatusCode<500)) as GoodEvents, by ATier Product proxyUri methodName
| where ((Product IN ("aaa", "bbb", "ccc")) AND (ATier IN ("Tier1", "Tier2","Tier3")))
| rename methodName AS Method
| fields ATier proxyUri Method TotalTrans GoodEvents
So, I have two indexes and sourcetypes with the following fields:

index1 and sourcetype1:
aip = 34.465.45.234
AppVendor = vendor1, vendor2, vendor3 (these are all from different events)
AppName = app2, app3, app1 (all from different events, corresponding to the position of the vendors above)
AppVersion = 3.0343, 1.354, 2.5465 (same convention)

index2 and sourcetype2:
jsonevent.external_ip = 34.465.45.234
jsonevent.hostname = Host1
jsonevent.Username = User1

I use the following search:

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2)
| rename jsonevent.external_ip as exip
| rename aip as agentip
| eval external_ip = coalesce(agentip, exip)
| stats values(jsonevent.hostname) as Hostnames, values(jsonevent.Username) as Users, values(AppVendor) as Vendors, values(AppName) as Applications, values(AppVersion) as Version by external_ip
| search Hostnames=* Users=* Vendors=* Applications=* Version=*

I get the following:

external_ip    Hostnames  Usernames  Vendors  Applications  Version
34.465.45.234  Host1      User1      Vendor1  app1          1.354
                                     Vendor2  app2          2.5465
                                     Vendor3  app3          3.0343

What I want is the following:

external_ip    Hostnames  Usernames  Vendors  Applications  Version
34.465.45.234  Host1      User1      Vendor1  app2          3.0343
34.465.45.234  Host1      User1      Vendor2  app3          1.354
34.465.45.234  Host1      User1      Vendor3  app1          2.5465

Does anyone have any ideas how to achieve this?
Hi community, I have a dropdown for environments like DEV/CT/PROD, and saved it into a token `SDLC`. Now I would like to define another token `new_sdlc`. It's "ctpm" when `SDLC` is "pm"; otherwise, it's the same value as `SDLC`. In the end, I found a way that works but is a bit stupid, simply because it seems "!=" is not allowed, so I have to list all conditions. I've checked a few posts but didn't find a working and elegant way. I bet there is one. Looking forward to your help. Here is my code:

<fieldset submitButton="false">
  <input type="time" token="field1">
    <label></label>
    <default>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </default>
  </input>
  <input type="dropdown" token="SDLC">
    <label>SDLC</label>
    <choice value="prod">PROD</choice>
    <choice value="ct">CT</choice>
    <choice value="pm">PM</choice>
    <default>prod</default>
    <initialValue>prod</initialValue>
    <change>
      <condition label="CT">
        <set token="new_sdlc">ct</set>
      </condition>
      <condition label="PM">
        <set token="new_sdlc">ctpm</set>
      </condition>
      <condition label="PROD">
        <set token="new_sdlc">prod</set>
      </condition>
    </change>
  </input>
</fieldset>
Hello, I tried to change a custom app name (e.g. BRB_App to CAA_App) on the Deployer through the CLI, but I realised that the name change only affects the folder name, not the name of the app when I checked the UI. Is there a way to make that change affect the name of the custom app and not just the folder name?
Hi, I'm looking for a way to connect Splunk to an ODBC database, so that Splunk will be able to pull any data needed from that database. So far, I have been told that Splunk works with JDBC and the other product works with ODBC, so there is no way to make that connection. Can someone tell me otherwise?