All Topics

Top

All Topics

Hi Team  How to convert millsec value to seconds  index=testing | timechart max("event.Properties.duration") Can anyone helps to with spl query search converting value  millsec value to seconds... See more...
Hi Team  How to convert millsec value to seconds  index=testing | timechart max("event.Properties.duration") Can anyone helps to with spl query search converting value  millsec value to seconds       
Hello, It seems that in the dashboard studio the static choropleth map has no legend. Here is the spl: index=xxxxxxxx sourcetype=yyyyyy mailgate* src=* | iplocation src | stats count by Country |... See more...
Hello, It seems that in the dashboard studio the static choropleth map has no legend. Here is the spl: index=xxxxxxxx sourcetype=yyyyyy mailgate* src=* | iplocation src | stats count by Country | geom geo_countries allFeatures=True featureIdField=Country If I put this map in a classic dashboard I get the map with the legend but in the dashboard studio no legend is showed. Is it a way to show this legend in the dashboard studio? Regards, Emile
we used a  F5 load balancer in front of 2 Intermediate Forwarders,  to receive syslog messages. the issue of the load balancer as all logs are forwarded to one IF and the other is empty. We need to... See more...
we used a  F5 load balancer in front of 2 Intermediate Forwarders,  to receive syslog messages. the issue of the load balancer as all logs are forwarded to one IF and the other is empty. We need to balance the load between them. where can I investigate this issue?
Hi everyone, i have an Enterprise instance installed on a Windows machine. I am trying to monitor the CPU performance of the machine on which the instance is on so that i can generate an alert whenev... See more...
Hi everyone, i have an Enterprise instance installed on a Windows machine. I am trying to monitor the CPU performance of the machine on which the instance is on so that i can generate an alert whenever the CPU exceeds 90% performance. Any help will be greatly appreciated!!!
Hello to everyone! I have a Splunk Instance with DMC Every day I see this message in the Erros report:   04-22-2024 03:03:08.599 +0300 ERROR AdminManagerDispatch [56824 TcpChannelThread] - Admin ... See more...
Hello to everyone! I have a Splunk Instance with DMC Every day I see this message in the Erros report:   04-22-2024 03:03:08.599 +0300 ERROR AdminManagerDispatch [56824 TcpChannelThread] - Admin handler 'resource-usage' not found.   What does it mean? How can I fix it?
Hello I have this query :  index="github_runners" sourcetype="testing" source="reports-tests" | spath path=libraryPath output=library | spath path=result.69991058{} output=testResult | mvexpand te... See more...
Hello I have this query :  index="github_runners" sourcetype="testing" source="reports-tests" | spath path=libraryPath output=library | spath path=result.69991058{} output=testResult | mvexpand testResult | spath input=testResult path=fullName output=test_name | spath input=testResult path=success output=test_outcome | spath input=testResult path=skipped output=test_skipped | spath input=testResult path=time output=test_time | table library testResult test_name test_outcome test_skipped test_time | eval status=if(test_outcome="true", "Passed", if(test_outcome="false", "Failed", if(test_skipped="true", "NotExecuted", ""))) | stats count sum(eval(if(status="Passed", 1, 0))) as passed_tests, sum(eval(if(status="Failed", 1, 0))) as failed_tests , sum(eval(if(status="NotExecuted", 1, 0))) as test_skipped by test_name library test_time | eval total_tests = passed_tests + failed_tests | eval success_ratio=round((passed_tests/total_tests)*100,2) | table library, test_name, total_tests, passed_tests, failed_tests, test_skipped, success_ratio test_time | sort + success_ratio And i'm trying to make its dynamic so i will see results for other numbers than '69991058' How can i make it ? i'm trying with regex but it looks like im doing something wrong since im getting 0 results while in the first query there are results  index="github_runners" sourcetype="testing" source="reports-tests" | spath path=libraryPath output=library | rex field=_raw "result\.(?<number>\d+)\{\}" | spath path="result.number{}" output=testResult | mvexpand testResult | spath input=testResult path=fullName output=test_name | spath input=testResult path=success output=test_outcome | spath input=testResult path=skipped output=test_skipped | spath input=testResult path=time output=test_time | table library testResult test_name test_outcome test_skipped test_time | eval status=if(test_outcome="true", "Passed", if(test_outcome="false", "Failed", if(test_skipped="true", "NotExecuted", ""))) | stats count sum(eval(if(status="Passed", 1, 0))) as passed_tests, sum(eval(if(status="Failed", 1, 0))) as failed_tests , sum(eval(if(status="NotExecuted", 1, 0))) as test_skipped by test_name library test_time | eval total_tests = passed_tests + failed_tests | eval success_ratio=round((passed_tests/total_tests)*100,2) | table library, test_name, total_tests, passed_tests, failed_tests, test_skipped, success_ratio test_time | sort + success_ratio
Hi Splunkers, I am working on creating a column line chart dashboard that shows database lattency . I'm encountering a issue where I'm trying to pass a token value to overlay options for line chart ... See more...
Hi Splunkers, I am working on creating a column line chart dashboard that shows database lattency . I'm encountering a issue where I'm trying to pass a token value to overlay options for line chart representation over a column chart. Here are things currently i have, My Chart and My SPL query:   SPL: index=development sourcetype=rwa_custom_function user_action=swmfs_test ds_file=* | eval ds_file_path=ds_path."\\".ds_file | chart avg(ms_per_block) as avg_processing_time_per_block over ds_file_path by machine | appendcols [search index=development sourcetype=rwa_custom_function user_action=swmfs_test ds_file=* | eval ds_file_path=ds_path."\\".ds_file | stats max(block_count) as total_blocks by ds_file_path] I need to assign the overlay field value(avg_processing_time_per_block )from the line in SPL: | chart avg(ms_per_block) as avg_processing_time_per_block over ds_file_path by machine The reason I'm attempting to assign it as a token is that the avg_processing_time_per_block has dynamic values (sometimes it may be 10 or 12 machines data ).instead of rwmini and rwws01. Column has total_blocks value   Or is there any ways to achieve this requirement? Your thoughts on these are highly appreciated. Thank you in advance. Sanjai
Hi All, I have deployed new deployment server  (aws ec2 instance) and updated the existing route53 dns entry to point to this new server. But I see the deployment clients are making connection to ... See more...
Hi All, I have deployed new deployment server  (aws ec2 instance) and updated the existing route53 dns entry to point to this new server. But I see the deployment clients are making connection to old server still. I believe there is  old connection saved at deployment client. Does anyone of you know how to encounter this issue ? Your solution helps me lot please. Regards, PNV
Thanks In Advance. I am using dropdown values for my requirement. In the dropdown i am using token and getting the values from inputlookup and i will pass the value to splunk query.There are two dro... See more...
Thanks In Advance. I am using dropdown values for my requirement. In the dropdown i am using token and getting the values from inputlookup and i will pass the value to splunk query.There are two dropdown one is application Name another one interface name.If i select values i am getting result .If select ALL and the values shows *.in the splunk query.Instead of * .I want to gey values like OR conditions.If i the token getting * then it showing all the values.But i want to show the values which is comming from inputlookup values both application name and interface name.     When i am selecting ALL my splunk query like this: index=mulesoft environment=PRD (applicationName="*" OR priority IN ("ERROR", "WARN")) | stats values(*) AS * BY correlationId applicationName | rename content.InterfaceName AS InterfaceName content.FileList{} AS FileList content.Filename as FileName content.ErrorMsg as ErrorMsg | eval Status=case(priority="ERROR","ERROR", priority="WARN","WARN", priority!="ERROR","SUCCESS") | fields Status InterfaceName applicationName FileList FileName correlationId ErrorMsg message | search InterfaceName="*" FileList="*" | sort -timestamp | sort -timestamp I am expecting : index=mulesoft environment=PRD applicationName IN ("Test1" OR "TEST2" OR "Test3") OR priority IN ("ERROR", "WARN") | stats values(*) AS * BY correlationId applicationName | rename content.InterfaceName AS InterfaceName content.FileList{} AS FileList content.Filename as FileName content.ErrorMsg as ErrorMsg | eval Status=case(priority="ERROR","ERROR", priority="WARN","WARN", priority!="ERROR","SUCCESS") | fields Status InterfaceName applicationName FileList FileName correlationId ErrorMsg message | search InterfaceName IN ("aa" OR "bb" OR "cc") AND FileList="*" | sort -timestamp | sort -timestamp DropDown Code </input><input type="dropdown" token="BankApp" searchWhenChanged="true" depends="$BankDropDown$"> <label>ApplicationName</label> <choice value="*">All</choice> <search> <query> | inputlookup BankIntegration.csv | dedup applicationName | sort applicationName | table applicationName </query> </search> <fieldForLabel>applicationName</fieldForLabel> <fieldForValue>applicationName</fieldForValue> <default>*</default> <prefix>applicationName="</prefix> <suffix>"</suffix> </input> <input type="dropdown" token="interface" searchWhenChanged="true" depends="$BankDropDown$"> <label>InterfaceName</label> <choice value="*">All</choice> <search> <query> | inputlookup BankIntegration.csv | search $BankApp$ | sort InterfaceName | table InterfaceName </query> </search> <fieldForLabel>InterfaceName</fieldForLabel> <fieldForValue>InterfaceName</fieldForValue> <default>*</default> <prefix>InterfaceName="</prefix> <suffix>"</suffix> </input>    
Dears, kindly support why am I getting Invalid key in stanza [clustermaster:one] in /opt/splunk/etc/apps/org_cluster_search_base/local/server.conf,  pass4SymmKey  in my search heads cluster i make ... See more...
Dears, kindly support why am I getting Invalid key in stanza [clustermaster:one] in /opt/splunk/etc/apps/org_cluster_search_base/local/server.conf,  pass4SymmKey  in my search heads cluster i make sure that the same passkey in SHC and the deployer is the same. Thank you  
I added the 'edit user' capability but retrieved only one user from this URL: /services/authentication/users   However, when I added 'power user' permissions, I was able to access most of the us... See more...
I added the 'edit user' capability but retrieved only one user from this URL: /services/authentication/users   However, when I added 'power user' permissions, I was able to access most of the users. Could you please clarify what the minimum permissions are to retrieve all users? Additionally, I encountered a similar issue with the URL for fetching triggered alerts: /services/alerts/fired_alerts/{ALERT_NAME}   What permissions are necessary for accessing this information? Thanks
Hi all,   I'm new to this forum and I want to start studying for my Power user certification. I have enrolled with Splunk account and trying to register for below modules: Working with Time (WWT)... See more...
Hi all,   I'm new to this forum and I want to start studying for my Power user certification. I have enrolled with Splunk account and trying to register for below modules: Working with Time (WWT) Statistical Processing (SSP)  Comparing Values (SCV)  Result Modification (SRM) Correlation Analysis (SCLAS)  Creating Knowledge Objects (CKO)  Creating Field Extractions (CFE)  Data Models (SDM)  However, when i click on register it takes me to a different page and then I don't see anything to register or see the video modules.     Can someone please guide me on how can I register for all these modules so I can start studying?
Hi Is it possible in SplunkBase, as an App Publisher, to edit the "Release Notes" of own App ? I mean in an existing version, without publishing a new one regards Altin
Hi team,   Could you please help me on how to get health alert notification in phantom. Thanks in advance.   Regards, Harisha
Hi Team, Could you please help me on below requirement, how to make manual task approval without  approver login to the phantom. Thanks in advance Regards, Harisha
Hi !  I want to try splunk UBA on a single linux machine.  But, on the app download page, I'm seeing error saying app installation is restricted to certain users and your user profile is not in that... See more...
Hi !  I want to try splunk UBA on a single linux machine.  But, on the app download page, I'm seeing error saying app installation is restricted to certain users and your user profile is not in that list. Any suggestions to resolve this ? Thanks, Abhishek
Hi Team, I require merging three queries originating from the identical index and sourcetypes, yet each query necessitates extraction and manipulation of its output. Query 1: A single index is ... See more...
Hi Team, I require merging three queries originating from the identical index and sourcetypes, yet each query necessitates extraction and manipulation of its output. Query 1: A single index is linked to three unique sourcetypes. index = abc sourcetype= def, sourcetype=ghi & sourcetype=jkl Query 2 : Its same like Query 1  index = abc sourcetype= def, sourcetype=ghi & sourcetype=jkl Query 3: Its same like Query 1 & 2 index = abc sourcetype= def, sourcetype=ghi & sourcetype=jkl The index and sourcetype details remain consistent across all three queries, but the keywords differ. Thus, I aim to merge the three queries, compare them, and extract the desired output.   For instance, in the initial query, the "Step" field is extracted during the search process, containing diverse data such as computer names and OS information. In the second query, our aim is to ascertain the count of successful occurrences in the "Step" field, specifically the count of computer names indicating success. Likewise, in the third query, we intend to retrieve information regarding failures. Query1: index="abc" ("Restart transaction item" NOT "Pending : transaction item:") | rex field=_raw "Restart transaction item: (?<Step>.*?) \(WorkId:"| table Step |stats Count by Step Query 2: index="abc" ("Error restart workflow item:") | rex field=_raw "Error restart workflow item: (?<Success>.*?) \(WorkId:"| table Success |stats Count by Success Query 3: index="abc" "Restart Pending event from command," | rex field=_raw "Restart Pending event from command, (?<Failure>.*?) \Workid"| table Failure |stats Count by Failure Thus, in the initial query, the Step field is extracted, and our objective is to extract both success and failure data from this field, presenting it in a tabular format. Despite attempting to use a join query, it was unsuccessful. Assistance in this matter would be greatly appreciated. Kindly help on the same.
I have Splunk Installed on a windows machine and configured PaloAlto app along with Add on.  I have done configurations on Palo Alto. I can see from packet Capture that palo alto is sending logs suc... See more...
I have Splunk Installed on a windows machine and configured PaloAlto app along with Add on.  I have done configurations on Palo Alto. I can see from packet Capture that palo alto is sending logs successfully to the windows machine where splunk is installed but I cannot see anything in splunk itself. Can anyone help?   Regards Rabab
I am needing to find earlier version number of linux patches. I have to compare many patches, so I was wanting to use a join for two queries (assuming patching happens once a month, but not all packa... See more...
I am needing to find earlier version number of linux patches. I have to compare many patches, so I was wanting to use a join for two queries (assuming patching happens once a month, but not all packages have an update every month). The first query would get the latest packages patched (with in the last 30 days) - depending on what day of the month the patching occurred - I would like to pass the earliest datetime stamp found minus X seconds (as MaxTime)  to the second query. So, the second query could use the same index, source, sourcetype but where latest=MaxTime. Don't try this at home, putting  latest=MaxTime-10 in the second query caused Splunk to laugh at me and return "Invalid value 'MaxTime-10' for time term 'latest'"...no hard feelings, Splunk laughs at me often.   Thanks for any assistance in advance. JLund  
I am trying to query audit logs from Splunk. The logs are for azure but when I hit the below query, it only returns the text fields and not the object or array fields like initiatedBy and targetResou... See more...
I am trying to query audit logs from Splunk. The logs are for azure but when I hit the below query, it only returns the text fields and not the object or array fields like initiatedBy and targetResources. Do I need to query this data in a different manner?   index="directoryaudit" | fields id activityDisplayName result operationType correlationId initiatedBy resultReason targetResources category loggedByService activityDateTime