Splunk uses the GeoLite2-City.mmdb database for the iplocations. You can locate the file at $Splunk_Home/share . To view the City Names in the latest DB you can download the csv version from here or search for the java or python codes to open and read the mmdb file. (Not sure if Splunk has a command to to list all the iplocations stored in the DB) In case you need to update the City location db, see here or see Splunk blog here. Maybe if SAS uses mmdb as well then you can synch up the GeoLite2-City.mmdb file and might see the info as expected. ... View more

your base query to return ips and urls events | transaction url |fields url , ip |eval ipCount=mvcount(ip) | table url, ip,ipCount | where ipCount >=4 And since you know the all 4 IPs at the start, start with searching on those 4 IPs in you base query ... View more

your Panel start tag is missing in the sample code. Can you check If you have this there when Panel tag begins: <panel depends="$hide_panel$"> ... View more

You need to have two radio button inputs as below: First radio input called "First Selection" populates itself using the "query1". From the query output, the field "myField1" is set as the options of radio input as a table; and whatever value of "myField1" user selects gets saved in the token "myToken1" First selection query1 that will populate the fields of first radio button | table myField1 myField1 myField1 Second radio input called "Second Selection" populates itself using the "query2" which uses "myToken1" value. From the query output, the field "myField2" is set as the options of radio input as a table; and whatever value of "myField2" user selects gets saved in the token "myToken2" Second selection query2 making use of $myToken1$ to populate fields of second radio button| table myField2 myField2 myField2 Pay attention to searchWhenChanged="true" and the opening and closing of the fieldset tag. ... View more

Can you have a look at the link provided here which explains both extraction of hour and searching on it or alternatively using date_hour (and what could be the consequences of it in @ppablo_splunk 's comments of the post): https://answers.splunk.com/answers/469147/how-to-adjust-the-time-in-a-timechart.html#answer-469150 However what you should be looking at is something like below: your Query that returns data |eval myHour=strftime(_time, "%H") | where myHour>=12 AND myHour<23 | stats count by severity ... View more

I put in some research and coming back with solution which does following: Outer search matches your lookup strings in events Rename _raw as rewText so not to lose it downstream Take out all the strings in your lookup in a field called foo Split foo as multivalue field Expand the field foo and match it piecemeal in your rawText. When matched table it out with rawText and foo. Let me know if it worked so I can update in answer. Hope that is what you were looking for index=proxysg sourcetype=proxysg_base [|inputlookup aterms.csv | return 10000 $aterms] | rename _raw as rawText | eval foo=[|inputlookup aterms.csv |stats values(aterms) as query | eval query=mvjoin(query,",") | fields query | format "" "" "" "" "" ""] | eval foo=split(foo,",") | mvexpand foo | eval foo=lower(foo) | eval rawText=lower(rawText) | where like(rawText,"%"+foo+"%") | table rawText, foo ... View more

Can you check this please and see if that's what u need: https://answers.splunk.com/answers/469425/is-it-possible-to-highlight-a-specific-term-from-a.html ... View more

Are you trying to match the strings which get returned from inputlookup to the event strings of outersearch randomly or the outer search will have the text matched randomly but the matched string will happen to be a field value in your outer search. As the latter case might be a good case for lookup command then. ... View more

Assuming you have fields called serviceName and userId and index is called api, try: index=api | stats dc(userId) as "Distinct User Count" by serviceName For B) try index=api earliest=-7d@d| timechart span=1d dc(userId) by serviceName useother=f Change the value of "7" in above to yourNumber to get the results as far back as you like. -30d@d and so on. Use the visualizations or just use the statistics table. Visualization will give options of charting with line chart/bar graph to display the query B) Added useother=f, so that there are no "other" grouping and results show up for each serviceName ... View more

Try this: your base search | rex "The request (?<status>\w+)" | timechart span=1d count(eval(status="failed")) as failed, count(eval(status="succeeded")) as success | eval failureRate=(failed/(failed+success))*100 ... View more

ok, so sounds like extracting the %H using strftime is the way to go as suggested in the read and as was in the initial answer. Thanks @ppablo_splunk ... View more

If say your url is already in the field myUrl, then try this: yourBasequery to get myUrl field |rex field=myUrl "http(s)*\:\/\/([^\/]+)\/(?<uri>[^\?\s]+)" OR, try on _raw yourBasequery to get url field |rex field=_raw "http(s)*\:\/\/([^\/]+)\/(?<uri>[^\?\s]+)" ... View more

Since in your sample data both events (I am assuming event split at date time) have errorCode and errorDescription in different sequences, once errorCode followed by errorDescription and then in other event in vice versa sequence, hence try this below: 1) rex out your error code and error description as multivalue field: your Base query that returns the above two events | rex max_match=0 field=_raw "\"errorCode\":\"(?<errorCode>[^\"]+)\"" | rex max_match=0 field=_raw "\"errorDescription\":\"(?<errorDesc>[^\"]+)\"" 2) Zip these multivalue fields in myField so you end up with values like myField=(errorCode1,errorDesc1 ) and then expand the field | eval myField=mvzip( errorCode, errorDesc) | mvexpand myField 3) Using the "," as delimiter in myField, split up the values again as errC and errD and then table them. |makemv myField delim="," | eval errC=mvindex(myField, 0) | eval errD=mvindex(myField, 1) | table errC, errD Full blown query here: yourBaseQuery | rex max_match=0 field=_raw "\"errorCode\":\"(?[^\"]+)\"" | rex max_match=0 field=_raw "\"errorDescription\":\"(?[^\"]+)\"" | eval myField=mvzip( errorCode, errorDesc) | mvexpand myField |makemv myField delim="," | eval errC=mvindex(myField, 0) | eval errD=mvindex(myField, 1) | table errC, errD ... View more

thanks @Iquinn Let me update that in the query as per suggestions. Awesome stuff. ... View more

you did not put the name of the tag ?<ip_address> which you are tabl(ing) .... | rex field=_raw "(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$" | table ip_address ... View more

Since its a case of searching between = and & did you try this yourSearch | rex "\=(?<valueOfField>[^\&]+)\&.*" | eval length=len(valueOfField) |eval numArgs = mvcount(split(valueOfField,",")) | table valueofField, length, numArgs ... View more

can you try below: yourBaseQuery | rex field=Additional_Data "(?<source_path>.*\\)(?<sFileName>[^\.]+)\.(?<source_type>[^\s]+)\schanged\sto\s(?<dest_path>.*\\)(?<dFileName>[^\.]+)\.(?<dest_type>[^\s]+)" | eval source_file=sFileName.".".source_type |eval dest_file=dFileName.".".dest_type | table Additional_Data, source_path, source_file, source_type, dest_path, dest_file, dest_type ... View more

Depending on, when you are charting the values which one out of max or min you want to take as the response time values (given timechart will automatically aggregate results) you can try this: | timechart max(foobar_call_duration) as callRespTime, avg(foobar_call_duration) as callAvgResp by foobar_call Or | timechart min(foobar_call_duration) as callRespTime, avg(foobar_call_duration) as callAvgResp by foobar_call Or | timechart values(foobar_call_duration) as callRespTime, avg(foobar_call_duration) as callAvgResp by foobar_call Whichever suits your need ... View more