Hey Everyone, I currently have a dashboard that has two maps utilizing "| geom geo_us_states featureIdField=State" and one map utilizing cities, for which I have the longitude and latitude. For the cities map, I currently have it in markers mode. Is there a way that when I hover over the cities, or click on them, it can display the count and the field name associated with the count? For example, A = 10, B = 12 and C = 9. For the states map, is there a way to group certain states together to form a region? For example, California, Nevada, and Oregon are the western region and are colored a certain way. Or is there an app I can download that can help me achieve this? I appreciate all the help!
Hello, supposing you have a Search Head in Cloud doing Federated Searches to other Search Heads on-prem, what is the compression ratio (if any)? I have found this useful information about compression between forwarders and indexers, but not between Search Heads.

https://community.splunk.com/t5/Getting-Data-In/What-kind-of-compression-is-used-between-forwarders-and-indexers/m-p/103239
https://community.splunk.com/t5/Getting-Data-In/Forwarder-Output-Compression-Ratio-what-is-the-expected/m-p/69899
Splunk Cloud Platform Service Details - Splunk Documentation

Thanks a lot, Edoardo
I've got a search query which outputs 175 rows. I want it to output only the top 5%. The row count will change over time, so I cannot set a fixed integer value. It needs to be dynamic.
Hello All, I'm receiving a warning from our InfoSec app that my data isn't CIM compliant. We have FortiGate syslogs, Windows Domain Controller Security logs, and Carbon Black Cloud logs being sent to Splunk Cloud. As far as I can tell, the logs being sent are CIM-compliant. Is there anything else I can check? Thanks, Doug
How do I join 2 lookup files to combine all the rows? I used this query, but it is not giving proper values, and using join/append was no use.

| inputlookup fileA | table A E F | join [ inputlookup fileB.csv ] | table E A B C

One file's data looks like:

A E F
234 CAR 2
456 BUS 3

Second file's data:

A B C
234 MON 3
234 TUES 4
234 WED 5
234 THUR 1
234 FRI 2
234 SAT 1
456 MON 3
456 TUES 4
456 WED 5
456 THUR 1
456 FRI 2
456 SAT 1

The final output should be like:

E A B C
CAR 234 MON 3
CAR 234 TUES 4
CAR 234 WED 5
CAR 234 THUR 1
CAR 234 FRI 2
CAR 234 SAT 1
BUS 456 MON 3
BUS 456 TUES 4
BUS 456 WED 5
BUS 456 THUR 1
BUS 456 FRI 2
BUS 456 SAT 1

Thanks in advance!
Hi, we have deployed a search head cluster with two search heads and one deployer. When we run:

/opt/splunk/bin/splunk apply shcluster-bundle -target https://sh1.example.com:8089

we get the following message:

Error when issuing rolling restart on the master: Internal Server Error{"messages":[{"type":"ERROR","text":"Rolling restart cannot be initiated without service_ready_flag = 1, check status through \"splunk show shcluster-status\". Reason :Waiting for 3 peers to register. (Number registered so far: 2)"}]}

and when we run the following command:

splunk show shcluster-status

the initialized_flag equals 0.

Captain:
 dynamic_captain : 1
 elected_captain : Wed Nov 8 13:05:58 2023
 id : 84F622C1-C493-4A7C-B12B-D7EDBBCCD3A8
 initialized_flag : 0
 kvstore_maintenance_status : disabled
 label : sh2
 mgmt_uri : https://sh2.example.com:8089
 min_peers_joined_flag : 0
 rolling_restart_flag : 0
 service_ready_flag : 0
Members:
 sh2
  label : sh2
  mgmt_uri : https://sh2.example.com:8089
  mgmt_uri_alias : https://sh2.example.com:8089
  status : Up
 sh1-server
  label : sh1-server
  last_conf_replication : Pending
  mgmt_uri : https://sh1.example.com:8089
  mgmt_uri_alias : https://sh1.example.com:8089
  status : Up
I have the following search:

index=dsi_splunk host=dev_splunkmanager script=backup | stats earliest(_time) as debut by pid | convert timeformat="%d/%m/%Y %H:%M" ctime(debut)

The result is sorted as I need. I use this search as input for a dropdown in Dashboard Studio, but the result is sorted differently: it seems the list is sorted by "value". How may I have an unsorted dropdown to preserve the result order? Thanks
I am a beginner in Splunk queries. I might be asking for a simple query, but I have not been able to construct it after searching a lot. Below is my sample event from the message field:

REPORT RequestId: 288f34e9-5572-4816-d21e-9fcf5965fad0 Duration: 206.64 ms ..

I can get all events matching this criteria, but I want to calculate the average, min and max of the Duration value in milliseconds. Any help on this would be appreciated.
Hello. I don't know if it's a bug or not, but... SPLUNK 8.2.12...

1. Create a simple EventType for "MYTEST" with tag "MYTEST", with a simple search like "index=_internal source=*splunkd.log"
2. The EventType and Tag are created OK
3. Change the permission to share the EventType in App for */RW
4. ALL IS OK. NOW, delete both objects; the system is now empty.

1. Recreate a simple EventType for "MYTEST" with tag "MYTEST", as before
2. The EventType and Tag are created OK
3. Change the permission to share the EventType in App for */RW
4. NOW WE GET "Splunk could not update permissions for resource saved/eventtypes [HTTP 409] [{'type': 'ERROR', 'code': None, 'text': 'Cannot overwrite existing app object'}]"
5. We can only CANCEL and go back, where the EventType is shared in App, BUT WITH NO TAG ASSOCIATED!
6. Now we edit the EventType and add the Tag
7. From now on we have a double Tag and need to leave it so to preserve the shared Tag/EventType

Is this behaviour normal??? Thanks.
Hello! Could you advise, please, how I can compare the results of 2 searches which return results in different formats?

First search:

... <first part of the search> ... | eval output3 = json_extract(output1, "data.affected_items{}.id") | table output3

The result of this search looks like this:

["112","114","267","456"] (only one row)

Second search:

... <first part of the search> ... | table id

The result of this search looks like this:

id (header)
111 (first row)
112 (second row)
255 (third row)
etc.

The number of elements in the results of the first and the second searches is different. I need to combine these searches into one search that will have as its result the common elements of both searches. For example, if the first search has the following output:

["112","114","267","456"]

And the second search has the following output:

id (header)
111 (first row)
112 (second row)
255 (third row)

I need to have the following result:

id (header)
112 (first row)

Which Splunk functions or tools could you recommend for this purpose? The Splunk version is 8, so some new functionality from version 9 does not work.

Thank you.

Best regards,
I have the below query, which shows values in a line chart with up to 5 decimals, and I want to limit it to a maximum of 2 decimals.

search text .. | eval reqs = 1 | timechart span=24h per_hour(reqs) as AvgReqPerHour
My regular expression has been working fine, but now there's data with "[]" and it is being skipped. Here is the regex:

| rex "^(?<Date>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+\[[^\]]*\]\s*\[(?<Process>[^\]]*)\]\s*\[(?<Step>[^\]]*)\]\s*\[(?<User>[^\]]*)\]\s*[^\[]+\s\[(?<Log_level>[^\]]+)" | search Log_level="ERROR"

This log entry is being skipped:

13:42:21 [gaming-run-9999999-hit-99999991-step-6129] [[FALSE] Gaming Cans Gaming Redesigned API v.2.6.3] [Consolidated Card Refund Business Process  (Gaminggaming)] [] GameTask [ERROR]

Do I need to update my regular expression?
Reference table:

My query:

| eval time_period= "01-Nov-23"
| eval time_period_epoc=strptime(time_period,"%d-%b-%y")
| where epoc_time_submitted <= time_period_epoc
| join max=0 type=left current_ticket_state [|inputlookup monthly_status_state_mapping.csv|rename Status as current_ticket_state|table current_ticket_state "Ageing Lookup"]
| eval age= Final_TAT_days
| eval total_age=round(age,2)
| rangemap field=total_age "0-10days"=0-11 "11-20 Days"=11.01-20.00 "21-30 Days"=20.01-30 "31-40 Days"=30.01-40 "41-50 Days"=40.01-50 "51-60 Days"=50.01-60 "61-70 Days"=60.01-70 "71-80 Days"=70.01-80 "81-90 Days"=80.01-90 "91-100 Days"=90.01-100 ">100 Days"=100.01-1000
| chart count as count1 over work_queue by range
| rename work_queue as "Owner Group"
| table "Owner Group" "11-20 Days" "21-30 Days" "31-40 Days" "41-50 Days" "51-60 Days" "61-70 Days" "71-80 Days" "81-90 Days" "91-100 Days" ">100 Days"
| addtotals
| addcoltotals
| fillnull value="Grand Total"

My result:
I am having trouble comparing the columns age and expectedAge, where the column expectedAge is the result of a lookup table. I tried the comparison with "where" as well as "search" clauses. Neither of them worked. I simply want to select the rows where age > expectedAge.

Expected behaviour: return rows where the above-mentioned condition is met.

Actual behaviour: returns nothing.

| eval age=bla..bla..bla
| lookup "expected_age_lookup" dummy_s as s OUTPUT expected_age
| fillnull value=777 expected_age
| rename expected_age as expectedAge
| search age > expectedAge
| convert ctime(dummy_Time)
| table age,s,dummy_Time,expectedAge

If I remove the lines following (and including) the where/search clause, I see the results of the lookup. How can I achieve this correctly?
Hi All! I am trying to put together a way to track any attempts made to print in an environment where ONLY a certain user group is allowed to print. It is otherwise not possible for any regular user to add a printer through the print server. I would like to know if there's a search with which I can see any attempts made from another group. Thank you!
I have a fairly hefty search that looks for potential brute-force attempts in my network. I have verified that the search works and results in a table with the following fields:

end_time
reason
signature
src
start_time
user
title

This is completely as I would expect. However, when I try to push the reason into my notable description using $reason$, the resulting notables simply have the word "Success" in their description. I know for a fact that every hit on the search has a fairly descriptive reason, which I can see when I perform the search manually. Pushing the title to the title of the notable works without any problems, even though both appear to be multi-value fields, and there should be no difference between them. I have no idea where to start looking for a solution to this.
Good morning community, I'm currently ingesting a volume of data inside an analytics schema. I'm interested in a specific dynamic when some of the results are in failed status: is it possible to alert from AppDynamics when single results are failing and transform the problem into a payload? For example: when I have one row with status failed, generate an alert with the following message:

The message <take the value from the analytics MessageGuID> has status <take the value from the analytics Status> with Exception <value from the analytics Exception>

Thanks for any feedback and experience shared, regards
Hello, I have the below code for a dropdown menu, and the problem is that the moment I select any value from the dropdown, the dependent panels load without waiting for the Submit button. How can this be fixed?

Submit button code:

<fieldset submitButton="true" autoRun="false">
  <input token="field1" type="time" searchWhenChanged="false">
    <label>Time Picker</label>
    <default>
      <earliest>-15m</earliest>
      <latest>now</latest>
    </default>
  </input>

Dropdown and token:

  <input type="dropdown" token="subsummary" depends="$loadsummary$" searchWhenChanged="false">
    <label>Summary Selection</label>
    <choice value="FUNC">Function Summary</choice>
    <choice value="MQ">MQ Summary</choice>
    <change>
      <condition value="FUNC">
        <set token="funcsummary">true</set>
        <unset token="funcsummaryMQ"></unset>
      </condition>
      <condition value="MQ">
        <set token="funcsummaryMQ">true</set>
        <unset token="funcsummary"></unset>
      </condition>
    </change>
  </input>

Sample panel:

<row depends="$funcsummaryMQ$">
  <panel depends="$funcsummaryMQ$">
    <title>ABC</title>
    <table>
      <search>
        <query>index="SAMPLE" </query>
      </search>
      <option name="count">100</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="percentagesRow">false</option>
      <option name="refresh.display">progressbar</option>
      <option name="rowNumbers">false</option>
      <option name="wrap">true</option>
    </table>
  </panel>
</row>
I want to show the dropdown values automatically for the field named "landing_time". So I wrote my code like this:

| eval st_time= round(landing_time,0) | where st_time<=90 | stats values by st_time | sort st_time

But it shows all landing_time values less than 90, not filtered to the landing_time values present. For example:

landing_time: 7, 15, 17, 24, 30..
dropdown data shown: 0, 1, 2, 3, 4, .......17, 18, 19,....30, 31...

How could I show only the landing_time values in the dropdown?
Hello team, I have a requirement to add a single Refresh button to refresh all the panels that are loaded with the current token. Is there a way to add a refresh button at the top of the panel? Thanks