All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

All Topics

Splitting a large multivalue field into multiple multivalue fields based on character count?

by in Splunk Enterprise
‎09-07-2022 02:19 PM
‎09-07-2022 02:19 PM
I've run into a scenario where when running stats over an index, its possible I can generate a multivalue field with over 11K unique 38 character guid values but it can be as small as 1 38 character ... See more...
I've run into a scenario where when running stats over an index, its possible I can generate a multivalue field with over 11K unique 38 character guid values but it can be as small as 1 38 character guid.  I have a need to pass those resulting guids as a string into something that has a character length limit of 999 characters. Is there a way whereby incrementing by 38 characters, I can split the field into multiple fields up to 950 characters max per field (which should be 25 guids), dynamically since I wont know how many are going to come in at any given time?

How do I get total count of a field per host?

by in Splunk Search
‎09-07-2022 01:53 PM
‎09-07-2022 01:53 PM
Hi, I am new to splunk, this might have asked and answered but didn't get the answer when i searched it. here is my query: I have a base query, which basically gets the ids field(ex : 1234,3213) fr... See more...
Hi, I am new to splunk, this might have asked and answered but didn't get the answer when i searched it. here is my query: I have a base query, which basically gets the ids field(ex : 1234,3213) from different hosts. i want to get the total number of ids per host.  data: host : ids: price: details xyz:123:$45:example  cds:143:$45:example
Labels

Combining 2 searches but need help with dedup strategy

by in Splunk Search
‎09-07-2022 01:06 PM
‎09-07-2022 01:06 PM
Hi, I have 2 searches where the dedup strategy is different, i want to combine the 2 searches but need help with dedup strategy.  Search 1: index=prod sourcetype=error AND "IOS" | dedup notificat... See more...
Hi, I have 2 searches where the dedup strategy is different, i want to combine the 2 searches but need help with dedup strategy.  Search 1: index=prod sourcetype=error AND "IOS" | dedup notification, source  Search 2: index=prod sourcetype=error AND "Android" | dedup _time -> For "IOS" i need to dedup with only notification, source  and for "Android" i need to dedup only with _time index=prod sourcetype=error AND ("IOS" OR "Android") | dedup ?????  
Labels

Detail documentation for HttpEventCollectorLogbackAppender

by in Knowledge Management
‎09-07-2022 10:47 AM
‎09-07-2022 10:47 AM
Please share the detail documentation for HttpEventCollectorLogbackAppender where each variable is explained.  Please share some samples for using the HttpEventCollectorLogbackAppender with  <type>... See more...
Please share the detail documentation for HttpEventCollectorLogbackAppender where each variable is explained.  Please share some samples for using the HttpEventCollectorLogbackAppender with  <type>raw</type>

Is Dashboard Studio slow for anyone else?

by in Dashboards & Visualizations
‎09-07-2022 10:11 AM
‎09-07-2022 10:11 AM
Has anyone been using dashboard studio and find that there is an extreme lag when editing? I sometimes get kicked out via browser freezing and closing and without having saved certain changes. Its to... See more...
Has anyone been using dashboard studio and find that there is an extreme lag when editing? I sometimes get kicked out via browser freezing and closing and without having saved certain changes. Its to the point where I cant waste the time and trust that it will save. Others on my team have experienced the same.
Labels

How to Count appearance of containers per company?

by in Splunk Search
‎09-07-2022 08:35 AM
‎09-07-2022 08:35 AM
Hi, I want to count the numbers of containers per company. Each data point has a container id, company id, and much more. If I use     stats count("coreData.containerNumber") BY "coreData.co... See more...
Hi, I want to count the numbers of containers per company. Each data point has a container id, company id, and much more. If I use     stats count("coreData.containerNumber") BY "coreData.companyID"      , it somewhat works, but I don't get any returns. also     stats dc("coreData.containerNumber") as count by "coreData.companyID"     does not return results. Is the code correct?
Labels

How to calculate time difference?

by in Splunk Search
‎09-07-2022 08:12 AM
‎09-07-2022 08:12 AM
I'm looking to get a difference between both times and create a 3rd field for the results (Properties.actionedDate - _time). My current query is like this   index=* source=* | table Properties.ac... See more...
I'm looking to get a difference between both times and create a 3rd field for the results (Properties.actionedDate - _time). My current query is like this   index=* source=* | table Properties.actionedDate, _time   Here is a screenshot of my current result    
Labels

How to create a search for multiple earliest dates for 7day output?

by in Splunk Search
‎09-07-2022 07:51 AM
‎09-07-2022 07:51 AM
Hi All, Am looking for query to have multiple earliest days  index=something sourcetype=something earliest=-7d@d latest=@d | timechart span=1d dc(id) as total its giving output as  ... See more...
Hi All, Am looking for query to have multiple earliest days  index=something sourcetype=something earliest=-7d@d latest=@d | timechart span=1d dc(id) as total its giving output as  2022-08-31 13548 2022-09-01 13438 2022-09-02 13782 2022-09-03 9831 2022-09-04 13602 2022-09-05 12856 2022-09-06 12849   But actual data per day is something above 25k, but because of data is getting split so number showing very less per day wise as above table. If i use  index=something sourcetype=something earliest=-7d@d latest=@d | stats dc(id) as total output is 26894 index=something sourcetype=something earliest=-8d@d latest=-1@d | stats dc(id) as total output 27099 so on, if I change earliest and latest to get last 7 days i get above 25k or 26k but if use timechart then its half the number. It would be great help If anyone has query to get correct output within single query. Thanks in advance!
Labels

why SplunkUI doesn't render component in browser?

by in Splunk Enterprise
‎09-07-2022 07:09 AM
‎09-07-2022 07:09 AM
Hi! I found a bug in SplunkUI documentation: after installing the test component, the visualization is not displayed. After the command "yarn run start:demo" the compilation succeeds, but the url lo... See more...
Hi! I found a bug in SplunkUI documentation: after installing the test component, the visualization is not displayed. After the command "yarn run start:demo" the compilation succeeds, but the url localhost:8080 does not display anything. Any idea why the visual isn't loading? Documentation page: https://splunkui.splunk.com/Create/ComponentTutorial

How to Integrate Splunk to Web Based Interface?

by in Installation
‎09-07-2022 05:36 AM
‎09-07-2022 05:36 AM
Hi All, we have a web based SAP interface which is called Smart Data Integration tool , which pulls the data from source to HANA database. In this web based SAP interface, few jobs will be runnin... See more...
Hi All, we have a web based SAP interface which is called Smart Data Integration tool , which pulls the data from source to HANA database. In this web based SAP interface, few jobs will be running and need to capture the status of each job and notify the team incase of failures. Could someone please help with the best option to integrate splunk to this SAP web based interface.  
Labels

Time Chart not dynamically changing when I select a different time

by in Dashboards & Visualizations
‎09-07-2022 04:24 AM
‎09-07-2022 04:24 AM
I have added a Time input to my chart, however the display does not update to show the selected time period. I have selected "Search on Change" - but this didn't help. What could I do to fix it? ... See more...
I have added a Time input to my chart, however the display does not update to show the selected time period. I have selected "Search on Change" - but this didn't help. What could I do to fix it? As always, any help greatly appreciated. NM
Labels

How to display single value status indicator with external icons?

by in Getting Data In
‎09-07-2022 04:00 AM
‎09-07-2022 04:00 AM
Hi Community! I am looking for a way to represent a status indicator with red, amber, green status indicator in Dashboard Studio.  My SPL pulls back information which is represented by a number how... See more...
Hi Community! I am looking for a way to represent a status indicator with red, amber, green status indicator in Dashboard Studio.  My SPL pulls back information which is represented by a number however this can be translated to a color using an eval case() function.  I just need to know how to import or utilise icons outside of the what splunk defaultly offer.
Labels

How to calculate time difference between two events?

by in Splunk Enterprise
‎09-07-2022 03:01 AM
‎09-07-2022 03:01 AM
 I have two events with start and end process and i need to calculate the time difference between the start process and end process of id but the fields are not configured,  The data is like below: ... See more...
 I have two events with start and end process and i need to calculate the time difference between the start process and end process of id but the fields are not configured,  The data is like below: Start process: {"log":"[16:43:39.451] [INFO ] [] [c.c.n.m.a.n.a.b.i.DefaultNotificationAuthService] [] - Creating notification auth flow for idempotencyKey 8532923_default as entityId Qb4RmEiaR6-zp8FU8MsyQQ \n","stream":"stdout","docker":{"container_id":"cd1c24ba236b3aca14151619a174176957213d860408addfb964e6bd3ec04b81"},"kubernetes":{"container_name":"mms-au","namespace_name":"msaas-t5","pod_name":"mms-au-b-1-685f9fd75d-4bz87","container_image":"pso.docker.internal.cba/mms-au:2.3.1-0-1-5634ab725",} End process : {"log":"[16:43:39.876] [INFO ] [] [c.c.n.m.a.n.s.j.NotificationJMSProducer] [akka://MmsAuCluster/system/sharding/notificationAuthBpmn/5/Qb4RmEiaR6-zp8FU8MsyQQ_5/Qb4RmEiaR6-zp8FU8MsyQQ] - Submitting Enriched Notification for id 8532923 \n","stream":"stdout","docker":{"container_id":"cd1c24ba236b3aca14151619a174176957213d860408addfb964e6bd3ec04b81"},"kubernetes":{"container_name":"mms-au","namespace_name":"msaas-t5","pod_name":"mms-au-b-1-685f9fd75d-4bz87","container_image":"pso.docker.internal.cba/mms-au:2.3.1-0-1-5634ab725", Need to calculate time difference between the above 2 events called "Creating notification auth flow " and "Submitting Enriched Notification". Is this possible to do in splunk and if possible,how can we achieve it? Thanks in Advance
Labels

Connect to Azure and collect the Azure Managed Application metrics

by in Splunk Cloud Platform
‎09-07-2022 02:52 AM
‎09-07-2022 02:52 AM
Can the Splunk Observability Cloud collects the Azure Managed Application metrics when we connected the Azure successfully?

How to change the color of the table field?

by in Dashboards & Visualizations
‎09-07-2022 02:28 AM
‎09-07-2022 02:28 AM
Hi all, how can I change the top row highlighted columns background-color. With HTML, CSS ?    
Labels

Why does my SPLUNK RETS API return 0 eventCount?

by in Splunk Search
‎09-07-2022 02:22 AM
‎09-07-2022 02:22 AM
Hello,   I've been using SPLUNK search REST API for a while now and just today i've run into the following issue.   When calling the services/search/jobs/{search_id} API i get back the proper... See more...
Hello,   I've been using SPLUNK search REST API for a while now and just today i've run into the following issue.   When calling the services/search/jobs/{search_id} API i get back the proper results with dispatchState: DONE and eventCount: 0 but I know for sure that there are results because I also tried running the same query from the Splunk UI and I do get results back.   Has anything changed since yesterday (since it was working), I don't think its user related because I tried with several users and got the same results.
Labels

Compare x hours vs last 1 week ago

by in Splunk Search
‎09-07-2022 01:12 AM
‎09-07-2022 01:12 AM
@ITWhisper As per the Below Screenshot I want to add Custom time frame. Where user can able to select any time frame and compare the results. Please help to understand the logic.  

How to extract second field between quotes and add url?

by in Splunk Search
‎09-07-2022 12:49 AM
‎09-07-2022 12:49 AM
I have logs of the format... 2022-09-07T01:42:06.321624+00:00 micro.service 2867ce23-bdfd-48eb-ba5a-40e1e8a93987[[APP/PROC/WEB/0]] 159.203.190.66, 100.64.144.3 - - - [07/Sep/2022:01:42:06 +0000] "G... See more...
I have logs of the format... 2022-09-07T01:42:06.321624+00:00 micro.service 2867ce23-bdfd-48eb-ba5a-40e1e8a93987[[APP/PROC/WEB/0]] 159.203.190.66, 100.64.144.3 - - - [07/Sep/2022:01:42:06 +0000] "GET url HTTP/1.1" 404 125 ...and I want to extract a count of missing URLs by microservice.  I can get a count of microservice using... index=myIndex "404 125" | rex "^\S+\s(?<microService>\S+).*" | bucket _time span=day | stats count by microService ...but I would like to know how to add the url Any help appreciated  
Labels

index = aws_ubs_n | search log IN ("*error*","*info*","*warn*") | stats count as log

by in Splunk Search
‎09-07-2022 12:04 AM
‎09-07-2022 12:04 AM
How to count each log value separately? ("*error*","*info*","*warn*")
Labels

Why aren't Risk Score, Risk Event and Risk Object showing in the notable event?

by in Splunk Enterprise Security
‎09-07-2022 12:04 AM
‎09-07-2022 12:04 AM
Hi peeps, We were fine tuning the Notable Event, and there were fields that were not showing any values. Those fields are the Risk Score, Risk Event and Risk Object. We have configure the value und... See more...
Hi peeps, We were fine tuning the Notable Event, and there were fields that were not showing any values. Those fields are the Risk Score, Risk Event and Risk Object. We have configure the value under the Risk Analysis Tab.  Please assist us on this. Thank you.