I have a field called createddate where the DateTime format is as below:
2023-02-28T21:55:35.646-08:00
2022-03-24T02:42:16.983-07:00
I'm trying to calculate the difference between now and createddate. Can someone help me with this? I tried to convert createddate and get the difference, but with no luck. Thanks in advance.
Hi All, I have created an alert which checks the status of the server, and if it is down, the alert will be triggered.
Query:
index=performance host=hostname1 source!=sar status!=UP | dedup hostname | table hostname status
Sample events:
2023-05-10 17:50:18 hostname1 server is DOWN
2023-05-10 17:55:18 hostname2 server is DOWN
Now I want to create an alert whenever the status changes from DOWN to UP. Can someone help with the query? Thanks.
Hi, I'm trying to identify the registry key used for persistence. What filter do I need to apply?
index=*
Thanks, Tony
Hello! I'm looking to get a time range from two events, one from a standard search, the other from a different search based on a regex derived from a third search, and report the difference in time between the events. However, I'm struggling to either make multisearch work with map, or make multireport/append work in a panel, even though those searches work just fine in the regular search bar. To give you an idea, I have the failed multisearch (which doesn't work due to me using map):
| multisearch [| search index=index1 "First text string"] [| search index=index1 "text string for regex lookup" | rex field=message "^(?<LookUp>\d+)\s" | map search="search index=index1 message = $LookUp$*"] | stats earliest(_time) as time1, latest(_time) as time2 | eval difference=time2-time1 | eval difference=tostring(difference, "duration") | table time1 time2 difference
Obviously this doesn't work due to non-streaming commands, but multireport does. However, it does not work in a standard statistics table panel, or any other panel that I've tried, just giving me a "search is waiting for input" message:
| multireport [| search index=index1 "First text string"] [| search index=index1 "text string for regex lookup" | rex field=message "^(?<LookUp>\d+)\s" | map search="search index=index1 message = $LookUp$*"] | stats earliest(_time) as time1, latest(_time) as time2 | eval difference=time2-time1 | eval difference=tostring(difference, "duration") | table time1 time2 difference
The other option is append, which once again works in the regular search but not in the panel search:
index=index1 "First text string" | append [ search index=index1 "text string for regex lookup" | rex field=message "^(?<LookUp>\d+)\s" | map search="search index=index1 message = $LookUp$*"] | stats earliest(_time) as time1, latest(_time) as time2 | eval difference=time2-time1 | eval difference=tostring(difference, "duration") | table time1 time2 difference
I've been trying to find a way to do this but with no luck. If anyone has anything they can spot or advise, that would be greatly appreciated. Thank you!
Hi, I have a list of applications (40 to 50). I want to create a dashboard that shows the health status of those applications (CPU, memory, service status, etc.) in panels, all in a single dashboard. How can I achieve this in the best way? I cannot create 50 panels, one per application, displaying all those details. The data is already coming into Splunk; I just want to view it in a dashboard, and I want to show all applications' details in a single view. How can I achieve this?
I am planning to build a dashboard where all the extracted traceId values are collected and injected into another search, so that only the traceIds extracted by the 1st search are passed to the 2nd search, and the results show the total count for the 1st search and the total count for the 2nd search restricted to those regex-extracted traceIds. I used a dropdown and a regex, but when passing the token and selecting all the traceIds, it is passed as * in the second search, which then searches everything rather than only the results from the 1st search. Is there a way to inject the traceIds found by the 1st search into the 2nd search?
I have created a POST curl to add data in Splunk. Internally my API hits the Splunk API, and in that API I send data in the body, and that data gets created in my Splunk table. I want to add a dynamic value in the search query sent to the Splunk API. How can I achieve that? Please help.

method: "POST",
path: "/api/addSplunk",
handler: async (request, h) => {
  const ccmData = getServerConfig(request);
  const url = ccmData["splunkApiUrl"];
  const ChannelName = request.payload.channel_name; // I want to use this value in the search query
  const Channel = request.payload.channel_type;
  function xmlTranslate(resp) {
    return resp.text();
  }
  // rejectUnauthorized: false disables TLS certificate verification for this agent
  const httpsAgent = new https.Agent({ rejectUnauthorized: false });
  const options = {
    method: "POST",
    headers: {
      "Authorization": "dr356654fy6",
      "Content-Type": "application/x-www-form-urlencoded"
    },
    agent: httpsAgent,
    translate: xmlTranslate,
    body: 'search=| makeresults | eval Channel ="372864u31564719" | eval ChannelName = "4P customer" | table Channel,ChannelName | outputlookup channel.csv append=true'
  };
  const res = await fetch(url, options, xmlTranslate);

Right now I have hardcoded it like this: eval Channel ="372864u31564719" | eval ChannelName = "4P customer". I want to add dynamic values for different use cases in the Channel and ChannelName of the search query (i.e., coming from the request payload).
As you can see in the screenshot, if the Windows TA is enabled (https://splunkbase.splunk.com/app/742/), it shows the event in the time field and the time in the i field. Why could this be?
Please, how do I resolve this error?
Hello all. I've been having some trouble with a tricky query. Essentially, I want to return all events that contain a certain field, with a specific value excluded, and combine that with all events that contain nothing for that particular field. For excluding the field value, I would use:
... field!=value
And for all events that do not have a value for that field, I would use:
... NOT field="*"
I have no idea how to combine these, as one requires the field and the other completely excludes it. I have tried:
<search> field!=value | fields -field
But it doesn't work, as I believe I'm basically applying a filter but doing nothing with it. Any help would be greatly appreciated! Thank you.
I have added a time filter for my charts in Splunk, but I want the default to be from 01-JAN-23. The issue is that when I use "since jan 2023" as the default, my values are not displayed. Can anyone help with how to add a time filter with the default set to "from 01-jan-23"?
Hi, I am trying to create a line graph where I want to show job status over time, so I want one line for failed and another for passed jobs.
query | rex field=event "'job_name': '(?<job_name>.+?)'," | rex field=event "'job_status': '(?<job_status>.+?)'," | timechart count by job_status
The above query is grouping all jobs together by status. I want to split the status by job. Thanks
Hello, I have 2 csv files created using outputcsv. Because of their size (500K+ records) AND because they are really data sources and not true lookups (requiring bundle replication), outputcsv and not outputlookup was used. The issue I am having is how to find which records are in the larger of the csv files. If these were generated with outputlookup, no problem:
| inputlookup csv1 | lookup csv2 field2 as field1 output field2a | where isnull(field2a)
However, with outputcsv files, Splunk doesn't know the csv is NOT in the app/lookups folder. *There should be a way to override the default location within the SPL. Thanks and God bless, Genesius
Edited: 500K+ records each. Not 500 each. This is why I have to use the | outputcsv command. The | outputlookup command will create very large bundles on the indexer.
Hi Splunkers, I want to add some extra mount points in the Monitoring Console for reporting purposes. Currently, I can see only the following: Looking into the CLI for this instance (client X): So, I want to add "/opt/splunk-frozendata" (also adding "/" would be a great addition to the list). What I have done is edit "indexes.conf" by adding the following:
[volume:frozenprimary]
path = /opt/splunk-frozendata
After this, I restarted the Splunk machine and went back to the Monitoring Console to see if this did the trick, but it didn't. Going to "Monitoring Console" by clicking on the "Settings" menu, then "Monitoring Console", then selecting the "Indexes" tab, under "Indexes and Volumes" I can see the following: So, for the sake of testing, I went back to "indexes.conf" and edited it to:
[volume:frozenprimary]
path = /opt/splunk-frozendata
maxVolumeDataSizeMB = 3670016
After this, I restarted the Splunk machine and went back to the Monitoring Console to see what changed, and I found the following: And also nothing changed under the "Disk Usage" panel. Can someone please help me with this? What am I missing here? Thanks.
Hello everyone. I'm trying to configure alerts for Multi-KPI and Single-KPI, but I don't have any idea how to configure the correlation search to create notable events for the status change of a single KPI (e.g., one KPI like CPU utilization or memory usage in one service). Could anyone teach me how to set up the correlation search for a Single KPI in ITSI? Thank you
Has anyone been able to figure out how to search indexed XmlWinEventLog sourcetype sample logs in the Ingest Action GUI? The actual search being used uses the | where command, which seems to be the issue.
index=* OR index=_* sourcetype="XmlWinEventLog" | where sourcetype="XmlWinEventLog" | head 100
Hi All, I have two events as below. In both events the data format is different; we can observe an extra "/" in some events. How do I capture logEntryType from both of them using the rex command?
,\"logEntryType\":\"SUMMARY\",
,"logEntryType":"Detail",
The field name should be "logEntryType" and the values should be "SUMMARY" and "Detail".
Hi All, I want to identify the alerts/use cases which are high in resource utilization, i.e., CPU consumption, RAM utilization, etc. BR, RK
For example, input: I am getting a result in a table format like
statuscodeUSB 35
but I want to transform the result into something like
Us Bank 35
Basically, I want to implement logic something like this: if statuscodeUSB then return Usbank; if statuscodeIND then return indian bank. Can anyone suggest something on this?
I am using the Splunk Add-on for AWS and want to ingest data from an S3 bucket. I have referred to the document below, which says there are multiple inputs for S3 configuration. Please assist me with information on which input has to be used in which condition. Also, can we ingest HTML data from S3 or CloudWatch Logs to Splunk using the same app? https://docs.splunk.com/Documentation/AddOns/released/AWS/S3