I have events like the one below that say when a particular pool member was out of rotation for a particular period of time. The ideal search would match all events that contain "was down for" and the length of time that follows it, then simply average that and take the 95th percentile of that duration. Probably more difficult than it seems, and I'm not sure how to approach it. <133>Feb 13 13:01:33 slot2/US66666-CORE-LTM1.company.COM notice mcpd[8701]: 01070727:5: Pool /Common/pool-generic member /Common/servernamew006:8080 monitor status up. [ /Common/mon-xxx-prod-xxx-liveness: up ] [ was down for 0hr:0min:15sec ] host = US66666-core-ltm1.company.com source = /var/log/HOSTS/US66666-core-ltm1.company.com/xxx.xxx.com-syslog.log sourcetype = syslog_alb
Hi, I have an index that doesn't show events anymore. Could you help me please? In November I had a problem with MongoDB and I tried these solutions: - https://community.splunk.com/t5/Knowledge-Management/Why-are-we-getting-these-errors-KV-Store-Process-Terminated/m-p/449940 --> doing this I noticed that the permissions of the files inside this folder had changed. Could this be the cause of the problem? This solution didn't work. - I solved the problem doing this. Could you help me please? Thank you
Hi, I created a column chart that displays avg(totalTime) over 5-minute increments by organization. I am looking to add, in the bottom corner of the chart, the latest count for the organization. I just want to display the count at the bottom of the chart where the legend is. How do I accomplish this? Column chart query to graph avg(totalTime) by organization: index | timechart span=5m avg(totalTime) as avg Volume (where I want to display the value of the latest count on the chart above, near the legend): index | timechart span=5m count by organization Kindly help.
Hi, I am trying to create a column chart where, if the value is greater than 3, the column turns red, while if the value is less than or equal to 3, the column is green. Below is the search I started off with: index | timechart span=5m avg(totalTime) as avg_value limit=20 | eval threshold=3 I tried: index | timechart span=5m avg(totalTime) as avg_value limit=20 | eval threshold=3 | eval "red"=if(avg_value > threshold, avg_value,0) | eval "green"=if(avg_value<threshold, avg_value,0) |fields - avg_value Then I went into the source code and defined the colors, but the column chart did not change colors. <option name="charting.fieldColors">{"red":0xFF0000,"green":0x73A550}</option> I do not want the columns stacked. Kindly help.
Hi All, we are starting to look at application monitoring and our first target will definitely be SAP. I can see there are a number of SAP apps in Splunkbase. Does anyone have any info on a comparison of these, and any Splunk guides or best practices to start looking at this? I've not worked with any monitoring at this application level previously, so I am really starting from first principles and gathering as much info as possible. Thank you for reading. All the best.
Hi. I'm looking for a query/solution that will alert me when a log source is no longer sending logs. We have 4 indexes to monitor with a lot of log sources. So, keeping the log sources in an input lookup would not be a good idea, as it would have to be maintained every time a new log source is added. Thus, I am looking for a query which alerts me if any of the log sources currently configured in any of the 4 indexes goes silent for 24 hours. I would prefer not to have a lookup command in the query, as a file would have to be maintained in that scenario. I need to run this query on all the currently configured log sources. Thank you.
https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/ When I run this command, Operation!="Disable Strong Authentication.", I get the details of MFA-enabled users. But when the query below is executed I do not get any output. Can someone help me by sharing some docs? `o365_management_activity` Operation="Disable Strong Authentication." | stats count earliest(_time) as firstTime latest(_time) as lastTime by UserType Operation UserId ResultStatus object | rename UserType AS user_type, Operation AS action, UserId AS src_user, object AS user, ResultStatus AS result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_disable_mfa_filter` as per the
Hi, I have created a tag for the field "counter" called "a". But when I run a search with tag=a or with tag::counter="a", there are no results. What is the problem, please?
Could I create my own certificate for the SAML configuration if the IdP certificate setup isn't working as expected? If so, how can I do this?
We are rolling out a customer service chatbot. Has anyone needed to collect data such as the input/output and logs between a chatbot and OpenAI to monitor it in Splunk? If so, what did you use to GDI? One other note: there is the possibility for customers to share images or video with the chatbot; I'm wondering if anyone has tried to collect this type of data in Splunk?
I have a search from which I produce a trellis of the sum of various error codes from multiple machines. I would like to enhance the charts with a short text description. I could add the text to the code value, create a new value name, and do the split on the new "codetext". But then I can't use the drilldown feature. Is there another way to add some text to the individual graphs?
Hi Team, we have DB alerts for server sitpdb0033 that are being assigned to the Windows support team first; they need to be assigned to the SQL team. How do I change the assignment group from the Windows support team to the SQL team? In index=mssql there are 30+ hosts configured. We only want to change the group for this one server, sitpdb0033. We are using this SPL query: index=mssql sourcetype="mssql:database" OR sourcetype="mssql:databases" state_desc!="ONLINE" | eval assignment_group = case(like(source,"%mssql_mfg%"),"Winows_Support - Operations",1=1, "Sql_Production Support") Can you please help with this requirement? Thank you, Nandan
I have a list of comma separated names (lastname, firstname) that I need to reverse. So "Smith, Suzy" becomes "Suzy Smith".  What's the easiest way to do this? 
Logs are ingesting intermittently. We could not find the path referenced. Our Universal Forwarder is on a Windows server and the Heavy Forwarder is on a *nix server. How do we get the diag files with debug enabled for the UF and the HF? Can you please provide a detailed explanation with commands?
I can run the below command in a search successfully: | eval message=replace(Message, "^Installation Successful: Windows successfully installed the following update: ", "") How can I convert this to work in a data model? Below is a sample result from my base search: Message=Installation Successful: Windows successfully installed the following update: Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.405.28.0) - Current Channel (Broad) In my data model I would like to use an eval expression on the field message and strip off "Installation Successful: Windows successfully installed the following update:". Desired result: Message= Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.405.28.0) - Current Channel (Broad)
Hello, I have a working dashboard where I have various fields that can be defined (field1 and field2 in the example), and some events have a field that is an extracted JSON object. I have successfully accessed various elements within the JSON object, but what I am trying to do is create ONE column called "Additional Details" where only certain elements, IF THEY EXIST, will populate this column. The search below technically works, but as you can probably see, it will just add a NULL value if the specified element from field3 does not exist. Is there a way to check for other values in the JSON object and populate those values in that single column, only if they exist? I.e. if field3 has "Attribute Name", "Resource Name", and "ID", but many events have only one of these fields, is it possible to have the value from the field, only if it exists, populate the "Additional Details" column? index=test field1=* field2=* | spath input=field3 #(which is a json_object)# | fillnull value=NULL | eval type=if(isnotnull(element_from_field3), ElementName, NULL) | stats count values(type) as "Additional Details" by Other
There is some configuration, to be able to expand the characters of the explanation of another query to be able to see the complete query.
Hello, is there any way we can know which applications are accessed by the user, instead of just logon/logoff activities, from the Windows event logs? Can someone help me with the search? Thanks
Good morning, I come to you because, after looking for an answer to my problem, my last resort is to seek help on the Splunk forum. Here is the context: I have hundreds of messages with identical node parameters; only the parameter values change. Example: "jobs": dev "position": 3 "city": NY "name": Leo ....... "jobs": HR "position": 4 "city": CA "name": Mike ........ The problem is that these hundreds of messages are sometimes truncated because their responses are too large. I would like to find a solution to display them in full. I had thought about increasing the capacity in Splunk, but this is not possible for my project, and the truncated logs are -1%, so a big change for few logs is not really a good move. My second solution: I thought of making a regex which finds the truncated message grouped into several pieces. Is this possible? I also tried some regexes to find my message, like this, but it is not working: index="" | eval key="<value i want>" | table _raw If not, maybe you have another idea? Thank you for your help and time. Have a good evening.
My Splunk query results are getting truncated when creating a table. Is there any workaround to avoid this? index=gbi_* (AppName=*) | table SQL