Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About tscroggins
tscroggins
Influencer
Member since:
08-13-2014
3 weeks ago
Community Statistics
| Posts | 721 |
| Solutions | 122 |
| Karma Given | 94 |
| Karma Received | 267 |
| Member Since | 08-13-2014 |
Activity Feed
- Got Karma for Re: Need download link for Legacy Splunk Universal Forwarder Compatible With Windows 7 x64. 07-16-2025 02:18 PM
- Got Karma for Re: Splunk Forwarder runs unconfined. 06-30-2025 09:16 PM
- Posted Re: What's the relationship between api_lt/api_et and search_lt/search_et in _audit? on Splunk Search. 06-29-2025 06:07 PM
- Posted Re: Splunk Forwarder runs unconfined on Splunk Enterprise. 06-29-2025 05:28 PM
- Posted Re: Need download link for Legacy Splunk Universal Forwarder Compatible With Windows 7 x64 on Splunk Enterprise. 06-29-2025 05:09 PM
- Karma Re: KV store failing to start in 9.4.3 for Namo. 06-29-2025 04:42 PM
- Karma Re: SPL To only Pull Last Event Per Month for chrisboy68. 06-29-2025 04:40 PM
- Posted Re: Need help receiving and parsing IPFIX data in Splunk using Splunk Stream on Getting Data In. 06-29-2025 04:38 PM
- Got Karma for Re: Need trellis of hourly pie-charts by http_status. 06-28-2025 12:34 PM
- Posted Re: Need trellis of hourly pie-charts by http_status on Dashboards & Visualizations. 06-28-2025 10:05 AM
- Got Karma for Re: Script to lint and validate splunk config?. 06-24-2025 08:19 PM
- Posted Re: SPL To only Pull Last Event Per Month on Splunk Search. 06-21-2025 08:38 AM
- Posted Re: KV store failing to start in 9.4.3 on Splunk Enterprise. 06-21-2025 08:16 AM
- Got Karma for Re: Extract timestamp from two json fields. 06-13-2025 05:41 AM
- Posted Re: Accessing Elasticsearch Data from Splunk Using SPL (Without Data Duplication) on Splunk Search. 05-21-2025 04:37 PM
- Posted Re: Extracting a value from MQTT string before parsing to JSON on Getting Data In. 04-26-2025 10:21 AM
- Posted Re: Cluster Map - Show Country Border on Splunk Search. 03-23-2025 07:42 AM
- Posted Re: geostats cluster map help on Dashboards & Visualizations. 03-16-2025 09:47 AM
- Posted Re: Rest API for Notable Suppression on Splunk Enterprise Security. 03-15-2025 12:43 PM
- Posted Re: Rest API for Notable Suppression on Splunk Enterprise Security. 03-15-2025 12:42 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 |
02-20-2021
10:00 AM
Hi Alex, Your fields--c0, c1, c2, and c3--are likely in different events: Sat Feb 20 12:47:40 EST 2021 c0=123 host=host1 sourcetype=st1 Sat Feb 20 12:47:40 EST 2021 c1=456 host=host1 sourcetype=st2 Sat Feb 20 12:47:40 EST 2021 c2=789 host=host1 sourcetype=st3 Sat Feb 20 12:47:40 EST 2021 c3=234 host=host1 sourcetype=st4 You'll need to group your events in some way to sum field values. If your events have synchronized time stamps, for example, you may be able to group by time: host=host1 sourcetype IN (st1,st2,st3,st4,st5,st6) | bin _time span=5m | stats values(c0) as c0 values(c1) as c1 values(c2) as c2 values(c3) as c3 by _time | eval totals=coalesce(c0,0)+coalesce(c1,0)+coalesce(c2,0)+coalesce(c3,0) | delta totals as dtot | timechart fixedrange=f span=5m per_second(dtot) There are many other ways to aggregate/group events. The chart, stats, timechart, and tstats commands are usually the most efficient. The transaction command is very flexible, but it doesn't scale over large result sets. -Trev
... View more
02-20-2021
09:43 AM
1 Karma
In Splunk Enterprise 8.1, when using chart with spans containing fractional values of 0.54, 0.95, and others that result in rounding errors, duplicate bins are created. For example: | makeresults count=1000 | eval x=(random()/2147483647)*20 | chart count over x span=0.54 generates a duplicate bin at 9.72-10.26 with a count of 0. | chart count over x span=1.54 generates a duplicate bin at 15.40-16.94 with a count of 0. | chart count over x span=2.54 generates a duplicate bin at 15.24-17.78 with a count of 0. Changing the x values results in different outcomes, of course, but rounding appears to be the cause. | makeresults count=1000 | eval x=(random()/2147483647)*1000 | chart count over x span=10.54 generates duplicate bins at 31.62-42.16, 52.70-63.24, 94.86-105.40, and 642.94-653.48 with a count of 0. | makeresults count=1000 | eval x=(random()/2147483647)*1000 | chart count over x span=10.95 generates duplicate bins at 32.85-43.80 and 153.30-164.25 with counts of 0. | makeresults count=1000 | eval x=(random()/2147483647)*200000 | chart count over x span=100.54 generates 258 duplicate bins with counts of 0. I haven't tested earlier versions of Splunk yet, but I'm curious if others are seeing the same issue. My personal Splunk account isn't attached to a support agreement, so I can't submit a bug report.
... View more
Labels
- Labels:
-
chart
01-20-2021
09:47 PM
I'm not sure how you're parsing the data, of course, but I'm not seeing any issues with a combination of spath and eval: | makeresults
| eval json="{ \"paused_time\" : \"14585\", \"completed_calls\" : \"8\", \"paused_since\" : \"2021-01-20 13:20:23\", \"talking_to_name\" : \"\", \"login_type\" : \"login\", \"order\" : \"1\", \"login_time\" : \"24593\", \"extension\" : \"4826\", \"max_talk_time\" : \"2045\", \"time_of_last_call\" : \"2021-01-20 13:12:23\", \"paused\" : \"1\", \"account_id\" : \"1503\", \"missed_calls\" : \"1\", \"logged_in_status\" : \"logged_in\", \"fullname\" : \"*******\", \"talking_to_number\" : \"\", \"avg_talk_time\" : \"896\" }"
| spath input=json
| eval login_time=tostring(login_time, "duration")
| table _time login_time _time login_time 2021-01-21 00:44:26 06:49:53
... View more
01-20-2021
06:01 PM
1 Karma
CPU and memory use vary with input volume and complexity, but local disk use of 1500 MB to 2000 MB is normal given how Splunk manages the fishbucket directory.
... View more
01-20-2021
05:56 PM
1 Karma
Hi @splunkcol, There are other ways to get data into Splunk, the most common being raw TCP or UDP ports, i.e. syslog, and the HTTP Event Collector. Do you have a use case that precludes or prohibits using Splunk Universal Forwarder?
... View more
01-20-2021
05:53 PM
That implies TimeLoggedInSecs is null. Can you post an extended example with source events, if applicable?
... View more
01-20-2021
04:42 PM
Hi @achauhan2098, Your whitelist should work, but if you have other WinEventLog stanzas present and do not want to index their events, do set disabled = 1 in those stanzas. By default, all events in the referenced event log will be indexed.
... View more
01-20-2021
04:36 PM
Hi @willryals, Have you tried converting the field to a number first? | eval TimeLoggedIn=tostring(tonumber(TimeLoggedInSecs), "duration") strftime treats 25595 as a Unix epoch value, which is why it's converted to (1970-01-01) 07:06:35 UTC or a time dependent on your locale, e.g. 01:06:35 for US Central Time.
... View more
01-20-2021
04:29 PM
Hi @aaronhernandez, Did you review the contents of the peer's search log? What were the last errors logged before the process terminated?
... View more
01-20-2021
04:20 PM
Similar to @woodcock's answer, Splunk 8.1 adds the mvmap function to iterate over multi-valued field values. This makes it easy to replace characters in a string: | makeresults
| eval value="randomize this"
| eval mask=" !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~"
| eval random_value=mvjoin(mvmap(split(value, ""), substr(mask, random()%len(mask), 1)), "") The replace function and rex command can also be used to mask values, but the replacement value is only evaluated once: | makeresults
| eval value="randomize this"
| eval masked_value=replace(value, ".", "*") | makeresults
| eval value="randomize this"
| rex field=value mode=sed "s/./*/g" Hash functions, lookup tables, and other methods are also useful, depending on why you want to randomize, mask, or deidentify your data.
... View more
09-10-2019
06:55 AM
I don't think you can do this in a column chart. The tooltip HTML is created from a single series using the point value (X,Y) under the mouse pointer.
Are you open to custom solutions, or are you restricted to pure SimpleXML?
... View more
09-03-2019
10:17 AM
You raise a good point about data models. I've purposefully modified the event types to 1) constrain the data models to a specific index and 2) allow users with varying default indexes to search by event type independent of the data model.
... View more
09-03-2019
09:40 AM
Can you provide more context? The search contains no tokens, and as written, the search will fail with an unbalanced parentheses parsing error.
... View more
09-03-2019
09:29 AM
Can you clarify your question? "Totips" isn't a field in your search. If you want to display e.g. "Totips: 19" in place of "C: 19" in the tooltip, then simply replace C with Totips in your search:
sourcetype="securitycenter" asset=AMER_MS_SRV OR asset=EMEA_MS_SRV OR asset=APAC_MS_SRV
| rex field=asset "(?.)_MS_SRV|"
|chart eval(round(latest(crit),0)) as **Totips* by name |eval pos = case(name=="AMER","1",name=="EMEA","2",name=="APAC","3",name==name,"4") | sort pos| eval target=1 | table name, Totips, target
... View more
09-03-2019
09:17 AM
Splunk uses C-style escape sequences in strings. Escape the inner quotation marks with a backslash:
| eval Name=case(Name == "{\"XXX\":[]}", "NULL", Name == "{\"XXX\":[\"ABC\"]}", "ABC" )
... View more
09-03-2019
09:13 AM
Create a simple lookup file, e.g. sourcetype_ghi_lookup.csv, with two fields, sourcetype and ghi. E.g. For sourcetype=1 and sourcetype=2:
sourcetype,ghi
1,"some ghi value"
2,"another ghi value"
| lookup sourcetype_ghi_lookup.csv sourcetype output ghi
You can use the file in both a lookup and automatic lookup definition to omit the lookup command in searches and populate the ghi field automatically.
... View more
09-03-2019
09:06 AM
The Palo Alto add-on and app also assume the index is in your default index list for search. If you're not using main or if the index is not in your default index list, you'll need to copy and modify all event types in both apps in addition to enabling data model acceleration, e.g.:
SplunkforPaloAltoNetworks/local/eventtypes.conf:
[pan_wildfire_report]
search = index=your_index (sourcetype=pan_wildfire_report OR sourcetype=pan:wildfire_report)
Splunk_TA_paloalto/local/eventtypes.conf:
[pan]
search = index=your_index (sourcetype=pan_* OR sourcetype=pan:*)
Replace "your_index" with your actual index. These are just examples. There are more event types in both apps.
... View more
09-03-2019
08:58 AM
Try adding MAX_TIMESTAMP_LOOKAHEAD to your props stanza:
MAX_TIMESTAMP_LOOKAHEAD = 320
if the content length varies, use a value appropriate for the variance:
MAX_TIMESTAMP_LOOKAHEAD = 512
I use multiples of 64 on x86-64 "just in case" Splunk allocates this as a separate buffer. Different architectures have different cache line sizes.
... View more
09-03-2019
08:33 AM
Yes. The limiting factor would most likely be the subsearch, not the lookup. After the subsearch executes, Splunk translates the outer search to:
| inputlookup url_lookup where NOT (url=foo OR url=bar OR url=baz OR url=qux OR ...)
up to the number or live URLs. Internal Splunk limits apply, but the search string itself can be quite long. I don't think the limit is documented, but it's probably related to the maximum request size accepted by splunkweb for manually typed searches and splunkd for derived searches.
... View more
09-01-2019
07:05 PM
If Splunk won't detect the source type for *.log, try sourcetype = log4j in inputs.conf.
The *.json files may work automatically as _json, but if not, you can use a custom source type with either INDEXED_EXTRACTIONS = json or KV_MODE = json In props.conf.
... View more
09-01-2019
04:23 PM
(Edit: Removed note about limit option. It's only applicable to split-by groups.)
If your goal is to display 86400 points, you'll need a browser viewport at least 86400 pixels wide plus chart overhead. On smaller displays, the chart will show a subset of evenly distributed values across the timeline. Depending on your desired chart width, you may want to optimize how data is aggregated in the timechart command rather than letting the chart drawing code handle it.
... View more
09-01-2019
04:14 PM
1 Karma
The original poster. "This" was shorthand for agreeing with you.
... View more
09-01-2019
08:21 AM
This. You don't want to lose precision by rounding before the aggregation. You may also want to look at sigfig, various rounding modes, and the settings and capabilities of floating point math on your architecture, all depending on your use cases.
... View more
09-01-2019
08:11 AM
What sort of problem are you having? If you don't have access to Splunk support or if the zip installation doesn't work as expected, folks here can help with Windows issues, too.
... View more
09-01-2019
07:59 AM
I've been under the impression that both the = and IN operators require that a field be defined. If you want to include events where username is not defined, i.e. null is valid but not in your value set, add the following to your search:
NOT username IN (Johndoe Mikesomeone Jennifersomeoneelse) OR NOT username=*
The search optimizer itself may treat =, IN and !=, NOT IN as equivalent and expand IN to = internally irrespective of the search bar formatter. Perhaps a Splunk employee can confirm.
... View more
- « Previous
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
3 weeks ago
|
