update done ... View more

Ahh, sorry my bad ! I'll update the answer .... ... View more

Hi fredkeiser, Your regex is missing the double escaped backslashes and you can test it with Splunk's internal regex functions: splunk cmd pcregextest test_str="C:\Program Files (x86)\LIC\Current\test\filename.log" mregex=".+\\(.+)\\[^\\]*" returns: Original Pattern: '.+\(.+)\[^\]*' Expanded Pattern: '.+\(.+)\[^\]*' ERROR: Regex: unmatched parentheses But if you double escape the backslashes it works: splunk cmd pcregextest test_str="C:\Program Files (x86)\LIC\Current\test\filename.log" mregex=".+\\\(.+)\\\[^\\\]+" returns: Original Pattern: '.+\\(.+)\\[^\\]+' Expanded Pattern: '.+\\(.+)\\[^\\]+' Regex compiled successfully. Capture group count = 1. Named capturing groups = 0. SUCCESS - match against: 'C:\Program Files (x86)\LIC\Current\test\filename.log' #### Capturing group data ##### Group | Name | Value -------------------------------------- 1 | | test Hope this helps ... cheers, MuS ... View more

Hi napomokoetle, did you open a support case? ... View more

Hi Rob, the Browse More Apps from Splunk UI will only list Apps that are support with your running Splunk version. See this answer for some details https://answers.splunk.com/answers/327251/why-cant-i-find-the-timewrap-app-in-the-find-more.html cheers, MuS ... View more

Hi debanjankundu, take a look at the docs http://docs.splunk.com/Documentation/Splunk/6.3.3/Viz/Understandbasictableandchartdrilldownactions or download the Dashboard examples App https://splunkbase.splunk.com/app/1603/ where you can find pre-build drill down examples. Hope this helps ... cheers, MuS ... View more

Hi xbbj3nj, let's say your lookup file is called cities.csv and the lookup is called cities then you can run this search : your base search here to get back city name | lookup cities | geostats latfield=Latitude longfield=Longitude count and use the map visualisation to show it on a map. See the docs for more details: http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Lookup http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Geostats Hope this helps ... cheers, MuS ... View more

The Add on provides a script that connect to the Service Now REST API and processes the returned information which then will be available in Splunk for further reporting. ... View more

I assume this could be done with some css and/or js hacks, but not out of the box as far as I know - sorry. ... View more

Hi dernst, take a look at this answer https://answers.splunk.com/answers/214487/can-i-extract-a-field-with-a-regexed-dynamic-field.html which provides an example to the same question. You simply have to use this "([^"]+)"\s:\s"([^"]+)" as your regex in transforms.conf . Hope this helps ... cheers, MuS ... View more

Hi chustar, You can put your image in the etc/apps/YourAppName/appserver/static folder and use it in the dashboard: <row> <panel> <html> <p> <img src="/static/app/YourAppName/image.png" align="left" height="75" width="75"/> </p> </html> </panel> </row> Hope this helps ... cheers, MuS ... View more

Hi IRHM73, just had a quick look at it; your subsearch (which is executed first) uses user1="Y" but this is set in the outer search so this will not match. It will be bed time for me soon - no time to think about this further...maybe tomorrow cheers, MuS ... View more

and to add two important notes: The indexed events still contain the original source type name. The renaming occurs only at search time. Also, renaming the source type does only that; it does not fix any problems with the indexed format of your event data caused by assigning the wrong source type in the first place. and Data from a renamed source type will only use the search-time configuration for the target source type ... View more

hmmm, fschange is deprecated since Splunk 5.x and therefore could possibly disappear some when in the future. Also, from my point of view, the idea to have something watching itself is a bit - sorry - strange. If I want something to watch/monitor something, I would use a different software that uses external checks. cheers, MuS ... View more

Hi Jeffland, Yes, this works - but it will give you a 6 digit value for milliseconds and I reckon @IRHM73 was after a 2-3 digit millisecond value. cheers, MuS ... View more

For your sake I hope you won't need hours in the search run time ?!? If you still need it add it in the eval |eval stringSecs=strftime(numSecs, "%Hh %Mm %Ss %2Nms") ... View more

Hi IRHM73, try this search: |rest /services/search/jobs |rename custom.search as customSearch |search NOT author="splunk-system-user" |eval SearchString=if(isnotnull(customSearch),customSearch,eventSearch) |search SearchString!="" |addtotals fieldname=duration *duration_secs |eval groupduration=case(duration<=300, "Less Than 5 Minutes", duration>300 AND duration<=600, "Between 5 and 10 Minutes", duration>600 AND duration>=1200, "Between 10 and 20 Minutes", duration>1200, "Greater Than 20 Minutes" ) |convert rmunit(duration) as numSecs |eval stringSecs=strftime(numSecs, "%Mm %Ss %2Nms") |eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")|convert timeformat="%d/%b/%Y" ctime(earliestTime) |eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")|convert timeformat="%d/%b/%Y" ctime(latestTime) |eval daterange= "From: ".earliestTime.", To: ".latestTime |makemv delim=", " daterange |sort +author |table author,SearchString , daterange, request.earliest_time, request.latest_time, duration, stringSecs |rename author as "Author", SearchString as "Search Performed", earliestTime as "Earliest Date Used", latestTime as "Latest Date Used", request.earliest_time as "Earliest Time Query Setting", request.latest_time as "Latest Time Query Setting", stringSecs as "Query Runtime" cheers, MuS ... View more

Hi jmartens, un-tested and not sure if this will work, but your assumption about the spaces is correct - this causes havoc. What you could try is to use FORMAT = "$1"::$2 in props.conf . Another approach would be to remove/replace all whitespace from the left hand part of the string with sed in a first transform and in the second transform use the extract to get left hand side as key and right hand side as value. Hope this helps ... cheers, MuS ... View more

Hi IRHM73, can you provide your search, because the link provides multiple different approaches. cheers, MuS ... View more

Okay, you must misunderstand something here; it's not ServiceNow updating Splunk. There is an input in the ServiceNow App which reads all the data in ServiceNow from Splunk, check if they are enabled. Also, enable debugging in the TA and check what the logs report see http://docs.splunk.com/Documentation/ServiceNow/latest/Install/Troubleshoot for more details. Again, Splunk is creating/pushing Incidents or Events in ServiceNow and also Splunk is reading from ServiceNow; it's never that ServiceNow is pushing anything into Splunk. Hope this helps ... ... View more