Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hello Splunkers!! I need the results in the format below. I have tried some SPL but have not achieved the expected results. Please help me to achieve the same.

Order Status   AU  NZ  UK
02:00:00
created        10  11  12
released        9   8   6
shipped         6   7   4

               AU  NZ  UK
03:00:00
created        10  11  12
released        9   8   6
shipped         6   7   4

What I have done so far in SPL:

index=ABC (OrderStatus=created OR OrderStatus=Shipped OR OrderStatus=Released OR OrderStatus=Cancelled)
| rex field=_raw "SellerOrganizationCode\=one\_(?<Market>[A-Z]{2})"
| search NOT (Market="CA" OR Market="US" OR Market="KO" OR Market="SE" OR Market="NL" OR Market="IE" OR Market="NO" OR Market="LA")
| replace "CH" WITH "EU", "GB" WITH "UK" IN Market
| bin _time span=1h
| eval Time=strftime(_time,"%m/%d-%y %H:%M:%S.%Q %p")
| eval newtime=strptime(Time,"%m/%d-%y %H:%M:%S.%Q %p")
| eval Time_Hour=strftime(newtime,"%m/%d/%Y %H:%M")
| chart count by Time_Hour,Market usenull=f
| addtotals col=true row=true label=Total labelfield=Time_Hour
| rename Total as "Total orders for the hour"

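As an added example (not part of the post above), one way to get the layout asked for: one row per hour and order status, one column per market. It reuses the post's index, OrderStatus field, Market extraction and market exclusions; the hour label format and the lower-casing of OrderStatus (the post filters on mixed case) are assumptions.

```spl
index=ABC (OrderStatus=created OR OrderStatus=Shipped OR OrderStatus=Released OR OrderStatus=Cancelled)
| rex field=_raw "SellerOrganizationCode\=one\_(?<Market>[A-Z]{2})"
| search NOT Market IN ("CA","US","KO","SE","NL","IE","NO","LA")
| replace "CH" WITH "EU", "GB" WITH "UK" IN Market
| eval OrderStatus=lower(OrderStatus)
| bin _time span=1h
| eval Hour=strftime(_time,"%m/%d %H:%M:%S")
| stats count by Hour, OrderStatus, Market
| eval key=Hour." ".OrderStatus
| xyseries key Market count
| fillnull value=0
| addtotals fieldname="Total orders"
| sort 0 key
| rename key as "Order Status"
```

The stats/xyseries pair does the pivot that chart cannot do with two row fields. The intermediate strftime/strptime round trip from the original search is not needed: bin already truncates _time to the hour, so one strftime gives the label. In a dashboard you can drop the Hour concatenation and instead drive a single-hour panel with a time token and `chart count over OrderStatus by Market`.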
Hi Splunkers,

I have a dashboard which has a table output like below:

| table _time, column1, column2, column3

time  column1  column2  column3
xxx   a        1234     1234
xxx   b        3243     3434
xxx   c        2343     3434
xxx   a        1234     1234
xxx   b        3243     3434
xxx   a        2343     3434

When I add | stats count by column1:

| table column1, column2, column3
| stats count by column1

column1  count
a        3
b        2
c        1

I want to have a chart that displays this stats count result over different time periods. When I select a different time/date range, for example 7 days, I want this count by column1 shown for every single hour of each day in the 7-day range I selected. I am a Splunk beginner, not sure if I have described my requirement clearly... Thanks in advance.

Kevin

I have an issue: on one of my UFs, the indexing time of all the logs (including the internal logs) gets delayed by 2-3 minutes, and this delay occurs every 30 minutes. Other UFs look OK. We have checked that the queue on this UF is not blocked. We have changed [thruput] maxKBps = 0, but the indexing-time issue is still there. Can anyone please help with this issue? Do we need to check more configs or logs?

When indexing time gets delayed I can see the logs below:

INFO Watchdog - No response received from IMonitoredThread=0xxxxxxxxx within elapsed=8000 ms. Looks like thread_name="TcpOutEloop" thread_id=1xxxx is busy !? Starting to trace with timeout=8000 ms interval.
INFO Watchdog - Stopping trace. Response for IMonitoredThread ptr=0xxxxxxxxx - thread_name="TcpOutEloop" thread_id=1xxxx - finally received after 3xxxx ms (estimation only).
INFO HealthChangeReporter - feature="Ingestion Latency" indicator="ingestion_latency_lag_sec" previous_color=green color=yellow due_to_threshold_value=15 measured_value=30 reason="Events from tracker.log are delayed for 30 seconds, which is more than the yellow threshold (15 seconds). This typically occurs when indexing or forwarding are falling behind or are blocked."

Is it possible that the UF is being used to monitor too many files at the same time, making thread_name="TcpOutEloop" busy?

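Added checks, not from the post: two searches over the forwarder's own _internal data that line up queue fill and Watchdog stalls on a one-minute timeline, so a 30-minute periodicity becomes visible. The queue fields (current_size_kb, max_size_kb, blocked) and the Watchdog/HealthChangeReporter components are what metrics.log and splunkd.log emit; <uf_hostname> is a placeholder. Note that a limits.conf [thruput] change only takes effect after the UF is restarted.

```spl
index=_internal host=<uf_hostname> source=*metrics.log* group=queue
| eval fill_pct=round(current_size_kb/max_size_kb*100,1)
| eval blocked_flag=if(blocked="true",1,0)
| timechart span=1m max(fill_pct) as fill_pct, sum(blocked_flag) as blocked_samples by name

index=_internal host=<uf_hostname> (component=Watchdog "No response received") OR (component=HealthChangeReporter indicator=ingestion_latency_lag_sec)
| timechart span=1m count by component
```

Run both over the same few hours. A tcpout queue that climbs to 100% at the same minutes the Watchdog fires points at the output side (indexer acknowledgement, TLS handshake, DNS or a load balancer that recycles connections on a fixed schedule); queues that stay flat while the stalls still recur point at something on the forwarder host itself (a scheduled job competing for I/O or CPU, many monitored files being rescanned at once).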
Below query:

index=app_mnt_apl source=xxxx

Note: here "CustomerApp Details: Countywise", "CustomerApp Details: Worldwise" and "CustomerApp Details: Areawise" are not in the interesting fields.

Sample logs:

2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details:  Countywise
2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details:  Worldwise
2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details:  Areawise
2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details:  Countywise
2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Worldwise
2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Areawise

I want to represent CustomerApp Details: Areawise, Worldwise and countrywise in the form of a pie chart. How do I frame the query to get this?

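Added example (not from the post): the value is not an extracted field, so pull it out with rex and count by it; the pie chart is then just the Visualization choice for the stats output. Index and source are the post's; the field name app_scope is an assumption. The \s+ in the pattern matters because the sample lines have either one or two spaces after the colon.

```spl
index=app_mnt_apl source=xxxx "CustomerApp Details:"
| rex field=_raw "CustomerApp Details:\s+(?<app_scope>\w+)"
| stats count by app_scope
```

Select Pie in the Visualization tab; the first column becomes the slice label and count the slice size. The quoted phrase in the base search lets the indexer discard non-matching events before rex runs.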
I have a log file that is coming into Splunk in JSON format. There appear to be two fields of interest, "key" and "value".

key:
originid
origintype
template
starttime
endtime
justification

value (has the values for each of the items in "key"):
12345 (is not always the same id)
BuiltInRole (is not always the same)
85750845e54 (is not always the same)
2022-12-03T14:00:00:00.5661018Z
2022-12-04T14:00:00:00.5661018Z
some reason to satisfy the justification

I want to have the following:

originid = 12345
origintype = BuiltInRole
template = 85750845e54
starttime = 2022-12-03T14:00:00:00.5661018Z
endtime = 2022-12-04T14:00:00:00.5661018Z
justification = some reason to satisfy the justification

Thanks for the help and guidance.

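Added example, not part of the post. The raw JSON is not shown, so this assumes key and value are two sibling arrays (spath paths key{} and value{}); if Splunk has already extracted them as multivalue fields named key and value, drop the two spath lines and use those names in place of k and v. Each wanted field is looked up by name with mvfind, so the order of the keys and any extra keys in a given event do not matter, and a key that is absent just yields a null field.

```spl
index=<your_index> sourcetype=<your_json_sourcetype>
| spath path=key{} output=k
| spath path=value{} output=v
| eval originid=mvindex(v, mvfind(k, "^originid$")),
       origintype=mvindex(v, mvfind(k, "^origintype$")),
       template=mvindex(v, mvfind(k, "^template$")),
       starttime=mvindex(v, mvfind(k, "^starttime$")),
       endtime=mvindex(v, mvfind(k, "^endtime$")),
       justification=mvindex(v, mvfind(k, "^justification$"))
| table _time originid origintype template starttime endtime justification
```

This keeps one result per event. The mvzip/mvexpand pattern also works but splits each event into six rows that then have to be re-joined with stats, and a justification string containing the zip delimiter breaks it; the positional lookup avoids both problems.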
I need to show only the final results of the jobs. A job tries multiple times in case of failure, so if the job passed on the 3rd attempt then I do not want to include it in the failed-job counter.

Sample logs

{"id":"1", "status": "Failed","retry":"1"}
{"id":"1", "status": "Failed","retry":"2"}
{"id":"1", "status": "Failed","retry":"4"}
{"id":"1", "status": "Failed","retry":"5"}
{"id":"2", "status": "Passed","retry":"1"}
{"id":"3", "status": "Failed","retry":"1"}
{"id":"3", "status": "Passed","retry":"1"}

In the above example the counter should show a value of 1, since only job 1 failed on its last try.

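Added example (not from the post): order each job's events by retry number and then by time, keep the last status per id, and count the ids whose final status is Failed. Index and sourcetype are placeholders; the field names come from the sample events. On the sample, job 1 ends Failed at retry 5, job 2 ends Passed, and job 3 has two events with retry 1, where the later one (Passed) wins because _time is the tie-breaker; the result is failed_jobs=1.

```spl
index=<your_index> sourcetype=<your_json_sourcetype>
| spath
| eval retry=tonumber(retry)
| sort 0 id retry _time
| stats last(status) as final_status, max(retry) as last_retry by id
| where final_status="Failed"
| stats count as failed_jobs
```

Gaps in the retry sequence (the sample jumps from 2 to 4) do not matter, since only the maximum is used. Drop the final stats line to get the list of failed job ids with their last retry number instead of the bare counter.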
In the documentation at https://docs.splunk.com/Documentation/ES/7.0.2/Admin/Changethreatintel under "Review the logic for retention", the document states, "The threat retention input runs every 24 hours by default". If it runs every 24 hours by default, how do you change that behavior? What process/search/whatever runs the threat retention input? Where is it defined? Can it be run manually?

Thanks,
--Keith

Hi all,

I have a dashboard that has a single value panel. I am trying to make a dynamic panel that will change with the data. I need to display the result number in the panel, but the coloring needs to be dependent on another number.

Example data: Total Sandwiches Made

Name   Cheese  Ham  PB   Turkey  sum    marker  topTh  Total
       1110    270  110  710     Total  2       110    2200
Bill   400     100  20   600            2       110    1120
Pam    700     120  80   100            2       110    1000
Finn   10      50   10   10             1       110    80

And the example SPL:

index=food sourcetype=sandwiches
| stats sum(Cheese) as Cheese sum(Ham) as Ham sum(PB) as PB sum(Turkey) as Turkey by Name
| addtotals row=t col=t labelfield="sum"
| eval topTh=case(sum="Total", (Total*.05), 1=1, null())
| sort topTh
| filldown topTh
| eval marker=if(Total>=topTh, 2,1)

Basically, if the marker is 1, I'd like the color of the number to be one color and a different one for 2, while still displaying the 'Total' field. I have the options as this:

<option name="colorBy">value</option>
<option name="drilldown">all</option>
<option name="field">Total</option>
<option name="rangeColors">["0x53A051","0xeb5654"]</option>
<option name="rangeValues">[$lowerThresh$,$upperThresh$]</option>
<option name="refresh.display">none</option>
<option name="useColors">1</option>

and additional logic above it:

<done>
  <condition match="'result.marker'==2">
    <set token="lowerThresh">1</set>
    <set token="upperThresh">2</set>
  </condition>
</done>

Any help would be greatly appreciated.

I have a simple tstats-based query that looks for how many hosts have checked in over a period of time and then displays it as a single value visualization on a dashboard. The query and visualization work perfectly, but I was trying to figure out if I can get the trend indicator and the trendline to use different intervals.

| tstats dc(host) WHERE index="$site$" earliest=-14d@d latest=@d by _time span=7d

Currently, the visualization will show:

Value: the number of hosts that reported in over the past 7 days.
Trend Indicator: the difference between the last 7 days and the previous 7-day period.
Trendline: a simple line with two points showing that difference.

Ideally, I'd like to be able to define a 1d interval for the trendline to communicate to the user when the increases/decreases occurred.

Dear Splunk community:

I have the following search query:

<BASIC_SEARCH>
| chart count by path_template, http_status_code
| addtotals fieldname=total
| foreach 2* 3* 4* 5* [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2), "<<FIELD>>"=if('<<FIELD>>'=0 , '<<FIELD>>', '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]
| fields - percent_* total

Attached is a sample of the current output based on the above search. I am trying to do the same thing except only show the 500, 502 and 503 columns (but still do all the calculation based on the total count of everything). How do I change the above search to achieve this?

Thanks,
Daryoush

I created a report, chose the accelerated report option and selected a 7-day time range. One of the panels refers to the accelerated report in the source code this way:

<row>
  <panel>
    <title>Accelerated report - test</title>
    <chart>
      <search id="BaseSearch" ref="NbOfEventsByEventType">
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
      <option name="charting.chart">column</option>
      <option name="charting.drilldown">none</option>
    </chart>
  </panel>
</row>

I made a panel below this one (and another one in a different dashboard, to make sure there was no overlap at all) with the search being the original query instead of a ref to the accelerated report. I then chose a time range of the last 7 days with a dropdown, which starts the update of both panels. Their searches finish at the same time (and thus display the chart at the same time). Why does the ref to the accelerated report have no effect on the performance of the panel?

Hi, we are trying to configure an MSSQL query in the DB Connect app. Somehow we are not able to select the timestamp field. The field is present in the output results. Any idea what the issue could be?

Query:

use XXXXX

DECLARE @OFF_SET NUMERIC(1),
        @PREV_START_DATE VARCHAR(21),
        @PREV_END_DATE VARCHAR(21)

SET @OFF_SET = (select DATEDIFF(HH, GETUTCDATE(), GETDATE()))
SET @PREV_START_DATE = (SELECT CONVERT(VARCHAR(11), DATEADD(d,-1,DATEADD(dd, DATEDIFF(d,0,GETDATE()), 0)), 106)+' 00:00:00')
SET @PREV_END_DATE = (SELECT CONVERT(VARCHAR(11), DATEADD(d,-1,DATEADD(dd, DATEDIFF(d,0,GETDATE()), 0)), 106)+' 23:59:59')

SELECT
  SUBSTRING(J.JOB_NAME, CHARINDEX('_',J.JOB_NAME)+1, CHARINDEX('_',J.JOB_NAME, CHARINDEX('_',J.JOB_NAME)+1) - CHARINDEX('_',J.JOB_NAME)-1) as APP_CODE,
  J.JOB_NAME,
  J.JOB_TYPE,
  DATEADD(HH,@OFF_SET,R.START_DATE_TIME) START_DATE_TIME_EST,
  DATEADD(HH,@OFF_SET,R.END_DATE_TIME) END_DATE_TIME_EST,
  DATEDIFF(ss, DATEADD(HH,@OFF_SET,R.START_DATE_TIME), DATEADD(HH,@OFF_SET,R.END_DATE_TIME)) as RUN_TIME_IN_SECONDS,
  S.NAME as JOB_STATUS,
  R.EXIT_CODE
FROM dbo.RPT_AS_JOB_DEF_DIMENSION J,
     dbo.RPT_AS_JOB_RUN_FACT R,
     dbo.RPT_AS_STATUS_DIMENSION S,
     dbo.RPT_AS_MACHINE_DIMENSION M
WHERE J.JOB_DEF_ID=R.JOB_DEF_ID
  and R.STATUS_ID=S.STATUS_ID
  and R.RUN_MACHINE_ID=M.MACHINE_ID
  and J.JOB_NAME like 'PAT_%'
  and (DATEADD(HH,@OFF_SET,R.START_DATE_TIME) > @PREV_START_DATE AND DATEADD(HH,@OFF_SET,R.START_DATE_TIME) < @PREV_END_DATE)
ORDER BY SUBSTRING(J.JOB_NAME, CHARINDEX('_',J.JOB_NAME)+1, CHARINDEX('_',J.JOB_NAME, CHARINDEX('_',J.JOB_NAME)+1) - CHARINDEX('_',J.JOB_NAME)-1),
         R.START_DATE_TIME

Hello all,

I am trying to figure out the following:

1. If an alert for rule_id1 occurs at the same time on the same host as an alert for rule_id2, then don't report the alert on rule_id2.
2. Otherwise, report alerts on rule_id2.

I have tried the if(match) and if(like) methods and neither is able to yield the results I am hoping for. I am also not sure how to incorporate the time check to ensure they fired at the same-ish time. Any and all help greatly appreciated!

Thanks!

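Added example, not from the post. Rather than an if()/match() on single events, group both rules by host and a time bucket, count each rule inside the bucket, and keep only the buckets where rule_id2 fired without rule_id1. The index, the rule_id field and the two values are placeholders taken from the post's wording; the 5-minute bucket is an assumed definition of "same-ish time".

```spl
index=<alert_index> (rule_id="rule_id1" OR rule_id="rule_id2")
| bin _time span=5m
| stats count(eval(rule_id="rule_id1")) as r1_hits, count(eval(rule_id="rule_id2")) as r2_hits, values(_raw) as events by host, _time
| where r2_hits>0 AND r1_hits=0
| table _time host r2_hits events
```

Bucketing has one blind spot: a rule_id1 at 10:04:59 and a rule_id2 at 10:05:01 fall in different buckets and the rule_id2 is reported. If that matters, widen the span, or run two overlapping bins (span=5m and span=5m offset by 2m30s) and suppress if either one matches. Since this suppresses detections, keep the suppressed pairs in a separate search so a rule_id1 that fires constantly on one host cannot silently hide every rule_id2 there.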
Working within Dashboard Studio, how can I stop my labels being truncated on different charts? Even if I set the truncation option in a bar chart to Off, it still truncates my labels. I tried working around it with a column chart and rotating the labels, but there appears to be no such option. Sankey seems to lack these options as well. Thank you.

Hi, could you help in extracting the fields from these JSON events?

Sample JSON event 1:

{"type":"akamai_siem","format":"json","version":"1.0","attackData":{"rules":[{"data":"","action":"deny","selector":"","tag":"IPBLOCK",

Sample JSON event 2:

{"type":"akamai_siem","format":"json","version":"1.0","attackData":{"rules":"tag":"IPBLOCK/ADAPTIVE/BURST" qualification(4) rate on category bucket(2,Page View Requests)),"tag":"IPBLOCK/ADAPTIVE/SUMMARY"

Output of the new field:

IPBLOCK
BURST
SUMMARY

Thanks..

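Added example, not from the post. The wanted value is the last slash-separated segment of each rule tag (IPBLOCK stays IPBLOCK, IPBLOCK/ADAPTIVE/BURST becomes BURST), so read the tags out of the attackData.rules array, expand them one per row, and keep the part after the final slash. This assumes the rules array shape of sample 1; sample 2 as pasted is not valid JSON, so spath cannot parse it. Index and sourcetype are placeholders.

```spl
index=<akamai_index> sourcetype=<akamai_siem_sourcetype>
| spath path=attackData.rules{}.tag output=rule_tag
| mvexpand rule_tag
| rex field=rule_tag "(?<tag_last>[^/]+)$"
| stats count by tag_last
```

If some events are truncated or otherwise unparseable, `rex field=_raw max_match=0 "\"tag\":\"(?<rule_tag>[^\"]+)\""` in place of the spath line pulls every "tag":"..." string out of the raw text; it is less precise (it also matches a tag key outside attackData.rules) and the spath version should stay the default.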
I have a problem. I installed the .NET application on a Windows 2008 R2 computer. It works, I have communication, I configured it step by step and everything works correctly. But there is another computer with Windows 2016 and .NET 22.8.0, compatible with 4.4.1.0; we have the same setup and it does not work, it gives a communication error and says a certificate does not exist. Has this happened to anyone? Attached evidence:

Hello Splunkers,

I come to you in order to gather some tips and tricks around lookup management. For example, I have several lookups used to whitelist some machines, and after a time a part of these machines aren't used anymore. I bet we are not the only ones to face this, so I was wondering how you manage the review and update of these?

I first had the idea to use the [fschange] stanza on ours to get modifications (with time information and details about the change: Add/Delete/Edit). But I also saw that it was deprecated. Is it still a good thing to use in order to manage our lookups? Is there something that replaces this stanza? Because I unfortunately have not found anything.

I also thought of adding columns to have the "Creation date"/"Modification date"/"Too old" or stuff like that for each row. Is that a good enough workaround?

Thanks for your tips!
Happy Splunking,
A-D

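Added example, not from the post. A date column tells you when a row was written, not whether the machine still exists; the review that matters for a whitelist is whether each entry has produced any events recently, because a stale exclusion keeps suppressing detections for a hostname an attacker can re-register or reuse. This search appends the lookup rows to a tstats summary of the hosts seen in the last 90 days and keeps the lookup entries that match nothing. The lookup name host_whitelist.csv and its host column are assumptions.

```spl
| tstats max(_time) as last_seen where index=* earliest=-90d by host
| inputlookup append=true host_whitelist.csv
| eval host=lower(trim(host))
| stats max(last_seen) as last_seen by host
| where isnull(last_seen)
| eval review_reason="no events in 90d"
| table host review_reason
```

Hosts that exist only in the lookup have no last_seen after the merge, so isnull() isolates them; hosts that appear in both, or only in the data, are dropped. Schedule it as a weekly report, and if you do add "Creation date"/"Modification date" columns, write them from the same job with outputlookup so they are maintained by search rather than by hand; the deprecated [fschange] stanza only tells you the file changed, not which rows.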
I have a use case where about 50% of my Windows clients have IIS running on them. I'd like to have a server class just for that 50% to ingest IIS logs. I have IIS logs coming in, but I have to manually list each client in the whitelist. Is there a way to determine if a server has IIS and then deploy a specific server class? I was thinking by an installed Windows Feature, perhaps? I'm at a loss.

Hello, this is my first experience with Splunk Cloud and I would like to know how to configure the sending of events from my Fortinet firewall to my Splunk Cloud using a Heavy Forwarder.

In my firewall I put the IP of my Heavy Forwarder and configured UDP port 514 to send the events to the Heavy Forwarder. In my Heavy Forwarder, in data inputs, I configured port 514 with source fgt_log and index=Firewall. For the app context I placed my Cloud instance. Even after running all this process I can't see the events from my firewall in Splunk Cloud.

NOTE: The Heavy Forwarder is communicating with the Cloud; I validated the communication in Deployment Instances. Port 514 is enabled on the firewall, so I think I'm making a mistake in some configuration. Can you help me please?

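Added checks, not from the post. Two things to verify before touching the firewall again: Splunk index names may contain only lowercase letters, digits, underscores and hyphens, so an input pointing at index=Firewall names an index that cannot exist and the events are dropped at the indexer; and a UDP input on port 514 can only bind if splunkd runs as root or is otherwise granted a privileged port on Linux. The Fortinet add-on keys its parsing on the sourcetype fgt_log, not the source. These searches, run from the Cloud search head, show whether the heavy forwarder is receiving anything at all and whether the index is getting it; <hf_hostname> is a placeholder.

```spl
index=_internal host=<hf_hostname> source=*metrics.log* group=per_sourcetype_thruput series=fgt_log
| timechart span=5m sum(kb) as kb_received

| tstats count where index=firewall earliest=-24h by host, sourcetype
```

Non-zero kb_received with an empty tstats result means the forwarder sees the syslog traffic and the loss is on the index or sourcetype side (wrong or missing index, permissions on the index); zero kb_received means nothing reaches the input (port binding, host firewall, or the FortiGate sending to the wrong IP or port). If the heavy forwarder's own metrics are not in _internal on the Cloud side, run the first search on the forwarder directly.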
Hi all,

When an alert fires, I have it set up so that the ticket adds the full list of events returned from the search into a CSV file, which is fine, but I want to output, say, the first 5 events from the search into the description of the Jira ticket, similarly in a table format. Is that possible? As far as I've seen it's either a single ticket per result or, as in my current deployment, a single ticket with a single event in the description but the entire results in an attached CSV file.

First time asking a question, but the Splunk community has been so helpful and insightful that I've managed to go this long without asking one.
