Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Howdy

We've got this data. Each log line is like:

    {"serverX.somedom.com" : {"key.value.pair1": "0", "key.value.pair2": "1", "key.value.pair3": "2" }}

How can I access any of the key value pairs I want and use the serverX.somedom.com as well? To produce something like:

    |Server|key.value.pair1|key.value.pair2|Time|
    |serverX.somedom.com|0|1|"time"|

I've looked at lots of JSON and/or spath commands/posts but I'm needing some more knowledge here.

Thanks!
I have created a lookup table for the blocked DNS names/URLs. I want to see if they are anywhere in my logs or in my environment. Can you help with a query? For example, if I have example.net on my lookup table, what query can I use that returns all logs with example.net?
Hello! Rather than manually specifying the indexes I want to perform this heartbeat query on, I was wondering if there was a way to input a .csv lookup instead.

    | tstats latest(_time) as latest where index="index1" OR index="index2" earliest=-24h by index
    | eval recent = if(latest > relative_time(now(),"-1m"),1,0), realLatest = strftime(latest,"%c")
    | where recent=0
    | fields - recent, latest
    | rename realLatest as "Last Event Timestamp"

The .csv would just contain a bunch of index names that we'd want to monitor, but so far I haven't been able to get around the fact that tstats must come first, and that the index argument does not accept complex inputs. Thanks!
I am looking to compare two events in the same index and sourcetype, differentiated by snapshot IDs. The main task is to compare the "instance_list" field between the latest and last event and send an alert if there is a difference between them, as well as display the actual difference. The instance_list field contains the list of instances in a snapshot, and I want to compare two events and only display the list of values in that field which is not matching.

Note: Events are in JSON.

Example of instance_list field:

    instance_1
    instance_2
    instance_3
    .
    .
    .

Any help here will be appreciated, thanks.
We need to call a search via the API and return a link to a report produced by this call. Is it doable? So, I have something like the following that returns the result set as JSON, and the requirement is to return it as a link to a report:

    curl -k -u 'moogsoft_smart_triage_user:xxxxxx' https://<host>:8089/servicesNS/moogsoft_smart_triage_user/search/search/jobs/export -d search="| savedsearch smart_triage_api_test INC=INCxxxx DeviceType=TestDeviceType" -d output_mode=json -d preview=false
Dear All,

I am new to Dashboard Studio in Splunk. I have a single value panel displaying a string. There are two possible values for that string, i.e. "Up" and "Down". I would like to change the background color based on these string values.
We are currently facing the issue that we are indexing syslog data from BeyondTrust. The product splits its syslog messages if the event is bigger than 1kb (see the documentation: https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/message-segmentation.htm).

Example:

1st Message:

    Jun 12 15:09:03 beyondtrust.instance 1 2023-06-12T15:09:03+02:00 btrs BG 22595 - [meta sequenceId="891"] 1427:01:02:site=beyondtrust.instance ;when=1686575343;who=Test User (testuser);who_ip=10.0.0.1;event=api_account_changed;old_bearer_token_long_lived=0;old_client_id=b0mm90956f58a2529gfh414681d877e3a694579b;old_client_secret=***NEW***;old_comments=;old_ecm_group=1;old_enabled=1;old_failed_login_attempts=0;old_failed_login_expiration=1680168524;old_id=3;old_ip_addresses=10.0.0.0/8,10.1.0.0/8;old_name=api-testuser;old_permissions:backup=1;new_permissions:backup=0;old_permissions:command=full_access;old_permissions:configuration=1;old_permissions:configuration_vault_account=1;old_permissions:ecm=0;old_permissions:real_time_state=0;old_permissions:reporting:archive=0;old_permissions:reporting:license=0;old_permissions:reporting:presentation=0;old_permissions:reporting:support=0;old_permissions:reportin

2nd Message:

    Jun 12 15:09:03 beyondtrust.instance 1 2023-06-12T15:09:03+02:00 btrs BG 22595 - [meta sequenceId="892"] 1427:02:02:g:syslog=0;old_permissions:reporting:vault=0;old_permissions:scim=0;old_permissions:vault_backup=0

The only things that indicate that an event was segmented are the "Segment Number" and the "Total Segments" fields in the header, along with a field that seems to be some kind of "Message ID". Is there a way to index those two events as one by creating a custom source type? Since every event has its own timestamp this seems not possible? Maybe there's a way to merge those two events at search-time into one, since I need the whole payload to be displayed on a dashboard?

Thanks for your help!
Using Splunk Enterprise for Windows, v8.2.10.

When the KV Store process terminates abnormally, the "Health Status of Splunkd" window still indicates green for everything. How does one restart just the KV Store process on a Windows system?

KV Store process terminated abnormally
Hello,

I have a search for a dropdown filter. My goal is to select one of the Tags and show in which IDs this tag matches. I'm a bit confused on how I can do that without the duplicates, and how to match these values. Is there a way?

    index= host= sourcetype=csv source=.........\\resul_test.csv
    | table PR_Tags, PR_ID
    | eval PR_Tags=split(PR_Tags,",")
    | mvexpand PR_Tags
Hello All,

I want to create an alert to find certain actions done by users from the same index.

    Index= myindex sourcetype= mysourcetype action = "session Start" and action=user added

Note: From the above actions, the common field is "SessionID", and user information is only in action=user added. How to find who started the session based on time?

    |table sessionID user src_host src_ip _time
Hello, as far as I can understand, and please correct me if I am wrong, how an index behaves is based on its conf. We have 5 IDX clusters and over 300 IDXes at this stage. Our AIM is to keep 9 days (or thereabouts) in Hot/Warm and 31 days (or thereabouts) in Cold. One day maybe keep data in Frozen (but we are not there yet).

So as far as I understand, in Splunk this is controlled by working out the size per day of the data. Then take that number and multiply by 9 and by 31 to create:

    homePath.maxDataSizeMB =
    coldPath.maxDataSizeMB =
    maxTotalDataSizeMB =

Then finally:

    frozenTimePeriodInSecs =

To further complicate matters there is a compression ratio for RAW and the compression ratio for TSIDX, and the number of indexers in the cluster and the replication factor. All of which make for some fun and complicated calculation.

My question is this. Has anyone come up with a way to do this? Or at least has someone worked out how to extract a list of IDX per INDEX cluster and the current daily data rate, and doing the same to extract per IDX per INDEX cluster the compression ratio of the RAW data and the TSIDX? Then maybe it's possible to do some magic in Excel to build out per IDX:

    homePath.maxDataSizeMB =
    coldPath.maxDataSizeMB =
    maxTotalDataSizeMB =

Thanks.
Hello,

I have some kind of data that I want to filter to a different index, and in the future I would like to stop this index entirely. The data I want to filter is:

1. all the logs with debug mode
2. logs that contain Categories!="" OR Categories!=$* OR Categories!="* *"

How can it be done? Thanks
Hi All,

I am just stuck at a point where, when I select particular data in the pie chart, there is a detailed information table created in another panel in tabular form. But I need that panel to hide and unhide when selected and cleared. As per the screenshot, there is no selection made in the pie chart, so the detail panel at the bottom of the pie chart shouldn't be seen. It must be visible when there is a selection made. Kindly help!
Hello, I'm kinda blocked on how to retrieve data from a csv file. I need to get each value from a line to be shown in a dropdown filter, but I don't know exactly how to retrieve the strings. For example: each line has a different set of tags that I have to show in the filter. How can I retrieve each of these values individually to show in the filter?
Hi, I have a Splunk alert where the trigger condition should be:

    search ABC == ""

where ABC is a string field and the alert is only triggered for records with such values as empty. However, no alert is triggered so far. What can I do? Thanks.
Hello All,

I want to search the "field_A" data value in the "field_B" data values into "field_C", but only if field_A values match with field_B.

Data example:

    Sr.   field_A       field_B
    1.    AD_Name_A     AD_Name_C; AD_Name_Z; AD_Name_A;AD_Name_B
    2.    AD_Name_K     AD_Name_K; AD_Name_C; AD_Name_D
    3.    AD_Name_M     AD_Name_J;AD_Name_K
    4.    AD_Name_Z     AD_Name_C;AD_Name_Z;AD_Name_L;AD_Name_O;AD_Name_D

I am trying to use the below mentioned command but it is not working.

    | makemv delim=";" field_B
    | eval field_C =mvfilter(if('field_A'='field_B',"Match",'field_A'))

I also tried the below command but no luck.

    | eval field_C=mvfilter(match('field_A'='field_B')

Please help me on it.
In the below table I have divided the statistics table of Splunk. If low on the x-axis and low on the y-axis is considered, id1 is present; I want it in one color, but where its x-axis is low and y-axis is high I want a different color. How to do this for each of these cases?
Hello. Could you tell, if a customer has Azure MSSQL DB with DTU modeling (not vCPU) (https://learn.microsoft.com/en-gb/azure/azure-sql/database/purchasing-models?view=azuresql), how many IBL licenses do we need for 400 DTU, and does AppDynamics count vCPU in this case?
I am trying to extract multi value fields and set dynamic fields with values based on the extracted data. I am able to extract the data but am unable to do the last part and generate dynamic fields; only the first is generated:

    | makeresults
    | eval DICOMQuery="(0008,0052) Query/Retrieve Level [SERIES] | (0010,0020) Patient ID [1234567] | (0020,000D) Study Instance UID [1.2.34.567890.12.3456.789.123456.7.20230501130047.4915859] | (0020,000E) Series Instance UID [1.2.345.678.90.1.23456789012.34567890.20230508110959]"
    | eval temp=split(DICOMQuery,"|")
    | rex field=temp "(?<DICOMGroup>([\dA-Fa-f]{4})),\d?(?<DICOMElement>([\dA-Fa-f]{4}))\)\s+(?<DICOMLabel>[^\[]+)\s\[(?<DICOMValue>[^\]]+)\]"
    | eval {DICOMLabel}=DICOMValue
    | fields - DICOMQuery DICOMLabel, DICOMValue temp

Which yields the following:

It seems I am nearly there, but I fail to get them as individual searchable fields, which is what I am after. Any pointers?
Hi, I'm trying to find whether a lookup file is available or not. If yes, I want to use the same file; if not, I want to use a different file. So far, with some help, I've written the below query. The eval fileName if condition is working fine; in the stats I could see the correct results (the desired files I'm looking for). But I'm wondering whether I could use the filename in makeresults and search for the lookup file. Could someone please assist? Thanks in advance.

    index=main sourcetype="dummySource" events
    | stats by EventCode
    | append [ | inputlookup states.csv | stats count as isAvailable ]
    | stats sum(isAvailable) as available, values(EventCode) as EventCode
    | eval fileName = if(available > 0, "1.csv", "2.csv")
    | stats values(available) as available values(EventCode) as EventCode by fileName
    | join type=left fileName [| inputlookup [ | makeresults | eval search=fileName | table search ]]