Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About whrg
whrg
Motivator
Member since:
11-29-2018
12-07-2022
Community Statistics
| Posts | 311 |
| Solutions | 72 |
| Karma Given | 94 |
| Karma Received | 106 |
| Member Since | 11-29-2018 |
Activity Feed
- Got Karma for Re: How come our Splunk 6.5 REST API calls with curl command are not working?. a week ago
- Got Karma for Re: Can you help me identify when end time overlaps start time for the following events?. 12-11-2022 04:24 PM
- Posted How to prevent automatic translation of input labels? on Dashboards & Visualizations. 12-07-2022 12:25 AM
- Got Karma for Re: What is crc_Salt = means and in which case its used?. 10-03-2022 03:01 AM
- Got Karma for Re: How can I automate the downloading of universal forwarder?. 08-17-2022 02:14 PM
- Got Karma for Re: What is crc_Salt = means and in which case its used?. 09-14-2021 08:01 AM
- Posted Re: table command without changing sort order on Splunk Search. 08-30-2021 01:20 AM
- Got Karma for Re: How can I find out what the deployment errors are?. 08-25-2021 06:27 AM
- Got Karma for Re: How to get the runtime of a dashboard?. 08-18-2021 11:14 AM
- Karma Re: How to append values from a field to all values of a multivalued field? for woodcock. 04-29-2021 05:53 AM
- Posted Re: table command without changing sort order on Splunk Search. 04-29-2021 01:12 AM
- Posted Re: table command without changing sort order on Splunk Search. 04-29-2021 01:00 AM
- Posted Re: table command without changing sort order on Splunk Search. 04-28-2021 02:11 AM
- Posted table command without changing sort order on Splunk Search. 04-28-2021 01:55 AM
- Posted Re: FormatMessage was unable to decode error (193), (0xc1) on Getting Data In. 04-20-2021 01:44 AM
- Got Karma for Re: How can I find out what the deployment errors are?. 03-22-2021 08:45 AM
- Posted Re: Error occured during do run "Custom search command example" on Splunk Search. 01-06-2021 11:52 PM
- Karma Re: tstats timechart for DEAD_BEEF. 01-04-2021 12:18 AM
- Karma Re: i want to refresh the dashboard on button click. is it possible? for niketn. 12-18-2020 03:41 AM
- Posted Re: add field to Selected Fields permanently (bar on left side of search results) on Deployment Architecture. 12-08-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 13 | |||
| 1 | |||
| 0 |
11-01-2019
01:42 AM
Hello @akki2428, use back slashes to escape special characters:
| makeresults | eval _raw="record failed (state error) for ID x1IoGPTIBP"
| rex field=_raw "record failed \(state error\) for ID (?<id1>\w+)"
| table id1
... View more
10-24-2019
04:27 AM
The search command's syntax is FIELD=VALUE. So |search id1=id2 will filter for the field id1 containing the string "id2".
You want to use where instead of seach. where evaluates boolean expressions. Try: |where id1==id2
This should also work:
| regex _raw="record has not been created for id (\w{10}),\1 in DB"
... View more
10-23-2019
06:38 PM
@akki2428 The search query above using makeresults creates only one record for testing purposes. Your search should be something like this:
index=yourindex sourcetype=...
| regex _raw="record has not been created for id \w{10},\w{10} in DB"
If that does not work, perhaps you could post some other records.
... View more
10-23-2019
06:09 PM
Hello @akki2428,
Check out the regex command:
| makeresults | eval _raw="record has not been created for id x1IoGPTIBP,x1IoGPTIBP in DB"
| regex _raw="record has not been created for id \w{10},\w{10} in DB"
Somewhat more flexible, you could also extract the ID as new fields and filter on these fields:
| makeresults | eval _raw="record has not been created for id x1IoGPTIBP,x1IoGPTIBP in DB"
| rex field=_raw "record has not been created for id (?<id1>\w+),(?<id2>\w+) in DB"
| eval len_id1=len(id1) | eval len_id2=len(id2)
| search len_id1=10 len_id2=10
... View more
10-16-2019
04:39 AM
1 Karma
Hello @johnteo
I suggest you create an account on https://my.phantom.us/
Doing so, you will find the system requirements in the Splunk Phantom Installation Manual (found under Learn / Documentation).
... View more
09-27-2019
02:01 AM
"Number of hosts" inside the if statement refers to the string "Number of hosts" instead of the field. I suggest to name the field Number_of_hosts: | stats dc(host) as Number_of_hosts. Now the if statement Number_of_hosts==0 will work.
... View more
09-06-2019
08:54 AM
It would be helpful if you could post some sample data. Does your data have the _time field?
If you want a chart with time as the X-axis, then take a look at timechart.
Try something like this:
... | eval fields=split(_raw," ") | eval pauses=mvindex(fields,8) | timechart span=1mon max(pauses) as Max_pause avg(pauses) as Avg_pause min(pauses) as Min_pause
... View more
07-08-2019
03:28 AM
1) now() and LAST_SEEN_EPOCH are unix time stamp, which is measured in seconds since Jan 01 1970. So now()-LAST_SEEN_DAYS gives you the time difference in seconds. Now /60 gives you the difference in minutes; /60/60 is the difference in hours; and /60/60/24 is the difference in days.
2) Use round((now()-LAST_SEEN_EPOCH)/60/60/24, 2)
3) Try max(LAST_SEEN_DAYS) instead of latest(LAST_SEEN_DAYS)
... View more
07-08-2019
02:01 AM
Looks fine to me.
If you want the number of days, then try something like this:
| eval age_in_days=floor((now()-LAST_SEEN_EPOCH)/60/60/24)
... View more
07-08-2019
01:10 AM
"[| inputlookup host.csv ..." is a subsearch. It requires the "search" command. Try it like this:
...
| where diff_seconds<(60*60*24*30)
| search [inputlookup host.csv |table host | rename host as USERNAME ]
| lookup ...
I removed the pipe symbol | at the beginning of the subsearch. It is not necessary.
In your original post, the subsearch belonged to the initial search. (When you write index=x it translates to | search index=x.) That is why there was no error before.
... View more
07-07-2019
08:29 AM
1 Karma
Use strptime() to convert LAST_SEEN into a UNIX timestamp.
Check this out. This will get all events which are less than 30 days old:
| makeresults
| eval LAST_SEEN="2019-06-07 09:12:40.0"
| eval LAST_SEEN_EPOCH=strptime(LAST_SEEN, "%Y-%m-%d %H:%M:%S.%1N")
| eval diff_seconds=now()-LAST_SEEN_EPOCH
| where diff_seconds<60*60*24*30
... View more
07-02-2019
11:54 PM
I suggest you check out the documentation on "Filter event data and send to queues":
https://docs.splunk.com/Documentation/Splunk/7.3.0/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues
Set your inputs.conf on all your Linux machines to "index = normal_index".
Now configure routing on your heavy forwarder (or on your indexer if you don't have a heavy forwarder) as follows. props.conf:
[host::host2a]
TRANSFORMS-index = set_secure_index
[host::host2b]
TRANSFORMS-index = set_secure_index
...
And transforms.com:
[set_secure_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = secure_index
... View more
06-06-2019
01:47 AM
I'm still confused. How do you determine which are the top 5 values?
... View more
06-06-2019
01:28 AM
You could create two seperate columns charts; one for SerialNumber and one for pause_reason.
Or do you want only one column chart for both? If so, what are the X axis and the Y axis supposed to be?
... View more
06-06-2019
01:06 AM
What exactly do you want to display? The top 5 SerialNumber or the top 5 pause_reason or something else?
... View more
05-24-2019
04:33 AM
Hello @nabeel652,
I just testet your dashboard. I believe the root of your troubles are missing quotation marks.
This will NOT work:
| makeresults | eval Result=test
This will also NOT work:
| makeresults | eval Result="\""+test+"\""
I got it working by putting quotation marks around $kwsearch$ without using a macro:
<query>|makeresults | fields - _time | eval Result=if($exact$==0,"\"$kwsearch$\"","$kwsearch$")</query>
... View more
05-24-2019
04:19 AM
Do you mean that the axis is showing decimal values?
In the bar chart's "Format" settings, go to "Y-Axis" and set "Interval" to 1.
... View more
05-15-2019
05:45 AM
2 Karma
You should create a field extraction for the activityId field, so that it gets extracted automatically for all events. This way, you don't need the rex command in your search.
You are right: You should use a subsearch for this:
index="myIndex" host="firstHost" NOT [search index="myIndex" host="firstHost" "Request blocked because of blacklisted user" | table activityId] ...
Alternatively, with the rex command (I improved the regex a little):
index="myIndex" host="firstHost" | rex field=_raw "\|(?<activityId>[^\|]+)\|" | search NOT [search index="myIndex" host="firstHost" "Request blocked because of blacklisted user" | rex field=_raw "\|(?<activityId>[^\|]+)\|" | table activityId] ...
This will filter all events in the base search which have a matching activityId in the subsearch.
... View more
04-30-2019
04:24 AM
@garrylean Glad to hear I could help.
I edited my original answer to point to my comment.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-07-2022
03:56 AM
|
Karma from
