About MuS

MuS · ‎11-21-2016

Hi pavanae, you can try something like this: eval big_and_small = if(A > B, A. "and" .B, B. "and " .A) This should give you something to start, although I know it will not handle cases where the numbers are equal 😉 Hope this helps ... cheers, MuS

MuS · ‎11-21-2016

Hi sravankaripe, one way is to use the Job Manager accessible with this URL /app/search/job_manager?jobStatus=running and check for the [real-time] searches. Another way is to use a rest endpoint with this search: | rest /services/search/jobs/ | search isRealTimeSearch="1" and get all needed fields from there. Hope this helps to get you started ... cheers, MuS

MuS · ‎11-20-2016

Hi mrgibbon, you know how to reach me - Can you send some sample data and the search and I will have a look at it 😉 Cheers, MuS

MuS · ‎11-17-2016

Can you use the code function so the named capturing groups are still in the search, please? 🙂

MuS · ‎11-17-2016

So, did my answer solve your problem? In this case I will give you a gentle reminder on the topic of this question 😉

MuS · ‎11-17-2016

Hi mrgibbon 😉 works like a charm on Splunk 6.5.0: | gentimes start=-1 | eval gibbon="\"Classic,Audit Failure\",11/14/2016 9:32:27 AM,AD FS Auditing,516,-3,\"The following user account has been locked out due to too many bad password attempts. Additional Data Activity ID: 00000000-0000-0000-0000-000000000000 User: sausages\Abel.Caine Client IP: 103.1.1.1,10.1.1.1 nBad Password Count: 4 nLast Bad Password Attempt: 11/14/2016\"" | rex field=gibbon "Password Count: (?P<count>[^ \n]+)" | table count Here is the result: Can you please add the complete search you are running? cheers, MuS

MuS · ‎10-25-2016

Hi nsshey, You should provide user login information with your curl command: curl -k -u admin:changeme https://hosthere:8089/services/auth/login .... See the docs for more details http://docs.splunk.com/Documentation/Splunk/6.5.0/RESTTUT/RESTbasicexamples Hope this helps ... cheers, MuS

MuS · ‎10-24-2016

Hi uhkc777, you can use something like this - sorry not tested and it is early morning for me so don't blame me if it does not work straight away 😉 index=Pharma_ParMed_STG sourcetype=ParMed-SalesOrder source="DBX:ParMed-Stage" OR index=Pharma_ECC_STG sourcetype=SAP-SalesOrder source="DBX:SE8" | eval OrderId = coalesce(OrderId, SALESORDERNUM) | eval OrderDetailID = coalesce(OrderDetailID, ITEMDETAILID) | stats count(index) AS c_idx by OrderId OrderDetailID | where c_idx = 1 Hope this gets you started ... cheers, MuS

MuS · ‎10-18-2016

Of course facepalm - good spotting in this case!

MuS · ‎10-18-2016

Your regex works on your provided sample event see http://pasteboard.co/gzVlDIRjH.png : Make sure your sourcetype matches, you placed the props.conf on the parsing Splunk instance and restarted splunk afterwards.

MuS · ‎10-18-2016

Hi arkadyz1, Your regex would work! But you have a format issue; your double quotes are windownized and therefore wrong 😉 This is working: CommonPrefix\.1\.name="([^"]*)".*CommonPrefix\.1\.status="([^"]*)" This is not working: CommonPrefix\.1\.name=”([^”]*)”.*CommonPrefix\.1\.status=”([^”]*)” Hope this helps ... cheers, MuS

MuS · ‎10-16-2016

Open a CMD and cd into "D:\Program Files\Splunk\bin". Run the command like this: splunk.exe cmd python generatehello.py __EXECUTE count=5

MuS · ‎10-16-2016

Hi tombog0, what happens if you run the script like this: $SPLUNK_HOME/bin/splunk cmd python generatehello.py __EXECUTE count=5 cheers, MuS

MuS · ‎10-16-2016

Hi splunk_force_ash, Yes, cooked events are sent by default to the indexQueue and skip the other queues. The setting is in inputs.conf /opt/splunk/etc/system/default/inputs.conf route = has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue Here the snip from the docs http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Inputsconf about it: [splunktcp] route = [has_key|absent_key:<key>:<queueName>;...] * If a matching rule is found, the receiver sends the payload to the specified <queueName>. * If no matching rule is found, the receiver sends the payload to the default queue specified by any queue= for this stanza. If no queue= key is set in the stanza or globally, the events will be sent to the parsingQueue. Hope this helps ... cheers, MuS

MuS · ‎10-13-2016

Just did the same :))

MuS · ‎10-13-2016

Hi tmontney, If I understand your request correct you can try something like this: your base search here host=* cpuusagefield>=50 | timechart span=5min count by host WHERE count > 5 you can learn more about timechart and its options here http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Timechart#Description Hope this helps ... cheers, MuS

MuS · ‎10-11-2016

Just an update on this; check this app https://splunkbase.splunk.com/app/2776/ which can monitor directories or file information. cheers, MuS

MuS · ‎10-11-2016

Hi aggie4life, The easiest way to over come it is not to use a sub search at all. There are other options like lookups or summary indexes and you can always check if a simple stats will do it as well. Have a look at this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html to learn more about it or have look at the March 2016 session of the virtual .conf you can find here http://wiki.splunk.com/Virtual_.conf. Hope this helps ... cheers, MuS

MuS · ‎10-09-2016

Adding my 2 cents here: Check this answer https://answers.splunk.com/answers/114447/splunk-to-splunk-communication-stuck-in-close-wait.html cheers, MuS

MuS · ‎10-05-2016

upvoted, because the regex is matching faster 😉

MuS · ‎10-04-2016

Of course: using $VAL$ in a dashboard is a token, which Splunk tries to replace before a search starts using $$VAL$$ is telling Splunk to not replace the $VAL$ with a token and use the literal $VAL$ in the search, it is like escaping the $ . Hope that makes sense ... cheers, MuS

MuS · ‎10-03-2016

Yes, it breaks because you are still using format=$VAL$:::$AGG$ instead of format=$$VAL$$:::$$AGG$$ in the timechart 😉

MuS · ‎10-03-2016

Okay, but here is the format=$VAL$:::$AGG$ missing and therefore it works. You need to change the format option to this format=$$VAL$$:::$$AGG$$ in your timechart chart in the dashboard and it works - at least it worked for me on Splunk 6.5 😉 cheers, MuS

MuS · ‎10-02-2016

Hi pavanae, they are the same. I reckon SA-eventgen is based on the older naming for service add-ons SA and technical add-ons TA . If you search eventgen on Splunkbase you will find the github link here https://splunkbase.splunk.com/app/1924/ Hope this helps ... cheers, MuS

MuS · ‎10-02-2016

Can you post the complete dashboard XML please?

Posts	4458
Solutions	814
Karma Given	2144
Karma Received	3944
Member Since	‎05-02-2011

Online Status	Offline
Date Last Visited	Wednesday

Report Capture app for Splunk: Exception capturing...

How to use eval if there is no result from the bas...

How to compare fields over multiple sourcetypes wi...

Splunkbase Apps update bug?

docs.splunk.com wrong link to answers

splunkbase feature request

splunkbase colored background

Captain Picard's Star fleet messages

the pony command

max throughputs of forwarders

Re: How to display 2 fields as a single field in S...

Re: How to search for user details, the search que...

Re: REX issue, quite an interesting one, potential...

Re: REX issue, quite an interesting one, potential...

Re: Deployment client is not indexing data to the ...

Re: REX issue, quite an interesting one, potential...

Re: Why do I receive REST API "login failed" messa...

Re: How can I modify this query without the join c...

Re: Need advice on a complex field extraction

Re: Need advice on a complex field extraction

Re: Need advice on a complex field extraction

Re: custom command logging error

Re: custom command logging error

Re: Does cooked data from a HF forwarder automatic...

Re: Where can I blog my Splunk experiences?

Re: How to create an alert to trigger when a host ...

Re: Monitor My application

Re: How to overcome the subsearch limit of 10500?

Re: Linux Forwarder Opened Hundreds of Sockets

Re: rex expression

Re: Why am I getting a "Search is waiting for inpu...

Re: Why am I getting a "Search is waiting for inpu...

Re: Why am I getting a "Search is waiting for inpu...

Re: Difference between eventgen and SA-eventgen?

Re: Why am I getting a "Search is waiting for inpu...

Join the Conversation