Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About tscroggins
tscroggins
Champion
Member since:
08-13-2014
2 weeks ago
Community Statistics
| Posts | 793 |
| Solutions | 127 |
| Karma Given | 106 |
| Karma Received | 295 |
| Member Since | 08-13-2014 |
Activity Feed
- Got Karma for Re: Regarding rex in SPL2 supports raw string literals.. 2 weeks ago
- Posted Re: Splunk for Cisco ISE on All Apps and Add-ons. 2 weeks ago
- Karma Re: Metadata token inside macro for VatsalJagani. 2 weeks ago
- Posted Re: How do I check that the UFs are being used? on Splunk Enterprise. 2 weeks ago
- Posted Re: Regarding rex in SPL2 supports raw string literals. on Splunk Enterprise. 2 weeks ago
- Posted Re: SPL query to track status change on Splunk Search. 2 weeks ago
- Posted Re: Custom fonts in ITSI/Dashboard Studio on Dashboards & Visualizations. 04-12-2026 01:15 PM
- Posted Re: Numerical Precision in Metrics on Getting Data In. 04-12-2026 10:09 AM
- Posted Re: How to change Cluster colours in Map+? on All Apps and Add-ons. 04-12-2026 09:23 AM
- Got Karma for Re: Change to div's id in xml not reflected when inspected in the browser. 04-11-2026 04:36 PM
- Posted Re: Change to div's id in xml not reflected when inspected in the browser on Dashboards & Visualizations. 04-11-2026 03:49 PM
- Got Karma for Re: Solution to allow blank text inputs in Dashboard Studio???. 04-01-2026 03:50 AM
- Got Karma for Re: Rest API for Notable Suppression. 03-31-2026 07:15 AM
- Posted Re: Solution to allow blank text inputs in Dashboard Studio??? on Dashboards & Visualizations. 03-30-2026 09:29 AM
- Posted Re: Solution to allow blank text inputs in Dashboard Studio??? on Dashboards & Visualizations. 03-29-2026 11:03 AM
- Posted Re: Regex if else condition posibilties on Splunk Enterprise. 03-22-2026 02:30 PM
- Posted Re: Regex if else condition posibilties on Splunk Enterprise. 03-22-2026 07:10 AM
- Posted Re: Solution to allow blank text inputs in Dashboard Studio??? on Dashboards & Visualizations. 03-21-2026 07:49 AM
- Posted Re: Formatting in ServiceNow Splunk Drilldown button on All Apps and Add-ons. 03-15-2026 07:24 AM
- Posted Re: OWL data feed keeps stopping on Getting Data In. 03-14-2026 09:38 AM
Topics I've Started
03-03-2021
04:21 AM
@goncalosilva123 Insert a tail command between streamstats and eval: | tail 2 If your input CSV is very large, you can additionally limit the results before streamstats with an inputlookup where predicate, a separate where command, or even | tail 3. | inputlookup | tail 3 | streamstats | tail 2 | eval
... View more
03-01-2021
05:10 PM
@szheng6699 Try this in a search: | rex "error=\"(?<error>(?:\\\\\"|[^\"])+)" Or in an inline transform: error="(?<error>(?:\\"|[^"])+)
... View more
02-28-2021
12:37 PM
@ramamohangaddam You can use the REST API to update saved searches. POST parameters are documented here: https://docs.splunk.com/Documentation/Splunk/8.1.2/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D The parameters of interest are alert.track and alert.severity. To enable "Add to Triggered Alerts," set alert.track to 1. The default severity is Medium (3). To change the severity, set alert.severity to the numeric severity value: Info => 1 Low => 2 Medium => 3 High => 4 Critical => 5 E.g. $ curl -k -s -u admin:password 'https://localhost:8089/services/saved/searches/{name}' -d alert.track=1 -d alert.severity=5 Replace {name} with the name of the search. You can enumerate searches in different ways, e.g.: $ curl -k -s -u admin:password 'https://localhost:8089/services/saved/searches?count=0&f=title' $ $SPLUNK_HOME/bin/splunk cmd btool savedsearches list | grep '^\[' | sed -e 's/[][]//g' However, you probably don't want to modify every search on your instance. Generate a list of curl commands using whatever method is easiest for you.
... View more
02-28-2021
10:36 AM
@klim @niketn summarized a set of possible solutions here: https://community.splunk.com/t5/Archive/Custom-search-app/m-p/440882
... View more
02-28-2021
10:29 AM
In your example search, app_name is the set {abc, xyz, lmn, deg}. If your producation data contains app_name values like foo-a or bar-b, you can leave your eval commands in place, but I'll remove them here. xyseries only works with three fields, but you can easily resummarize your data with timechart: index=epaas_epaas2_idx ns=xyz365 (app_name="abc" OR app_name="xyz" OR app_name="lmn" OR app_name="deg") method!=GET (process=start OR (process=end AND (status="500"OR status="429" OR status="506"))) NOT("C360-GraphiQL-Postman") NOT("C360-GraphiQL-UI") NOT(MATCHBOX) NOT(TEST) | bucket span=h _time | stats count(eval(process="start")) as total count(eval(process="end")) as error by _time app_name | eval rate=round ((1-(error/total))*100,4) | timechart span=h values(rate) as rate values(error) as error by app_name On the Visualization tab, enable Trellis and split by app_name with an independent scale. Select Column Chart and format the chart with error selected as the overlay field on a separate axis (View as Axis: On). Splunk should display a series of column charts with success rate columns on the primary y-axis and an error count line on the secondary y-axis. You can set Show Data Values to On in the chart configuration, but even with a large trellis size, the charts will be difficult to read. Unfortunately, core Splunk does not excel at labeling values in charts with many data points.
... View more
02-28-2021
09:37 AM
1 Karma
@swagatam1308 These may just be typos in your message, but just in case: Field names are case-sensitive. "index" is all lowercase. Your regular expression includes a space before the caret. The "fields" command is plural. Your fields command refers to fields that don't exist in your chart output. Was this meant to be a filter? In your code sample, you also have this: searchQuery = 'index=main host="splunk1" source="/var/log/secure"|stats' That works and produces a set of preselected statistics for all fields, but it's probably not what you intended. "AND" is implied in Splunk searches, and you can include search terms directly in the base search. There's no need to use a separate "search" command unless you've used one intentionally when constructing your search in code. I'm assuming your source type really does include a space after the colon: plasma: ops-gateway. You can correct it if it does not. Try this: index="ti-p_plasma" sourcetype="plasma: ops-gateway" earliest=-1h source="/home/zsvg9ky/deployments/ops-gateway/ops-gateway/logs/access*" ogw_uri!=.js ogw_uri!=.css ogw_uri!=.gif ogw_uri!=.jpeg ogw_uri!=.png ogw_uri!=.jpg ogw_uri!=.fonts ogw_uri!=.assets/ ogw_status_code!=201 ogw_status_code!=405 ogw_status_code!=206 | rex field=ogw_uri "^/(?<end_point_services>[A-Za-z0-9_-]+)[/|?].*$" | chart count by end_point_services, ogw_status_code You can also make the search a little easier to read: index="ti-p_plasma" sourcetype="plasma: ops-gateway" earliest=-1h source="/home/zsvg9ky/deployments/ops-gateway/ops-gateway/logs/access*" NOT ogw_uri IN (.js .css .gif .jpeg .png .jpg .fonts .assets/) NOT ogw_status_code IN (201 405 206) | rex field=ogw_uri "^/(?<end_point_services>[A-Za-z0-9_-]+)[/|?].*$" | chart count by end_point_services, ogw_status_code If ogw_uri is a complete URI and not just an extension, you probably meant to include wildcards: index="ti-p_plasma" sourcetype="plasma: ops-gateway" earliest=-1h source="/home/zsvg9ky/deployments/ops-gateway/ops-gateway/logs/access*" NOT ogw_uri IN (*.js *.css *.gif *.jpeg *.png *.jpg *.fonts *.assets/) NOT ogw_status_code IN (201 405 206) | rex field=ogw_uri "^/(?<end_point_services>[A-Za-z0-9_-]+)[/|?].*$" | chart count by end_point_services, ogw_status_code If your search works in the Splunk web user interface, it should work over REST as well. Try breaking your problem down into three distinct steps: Test search using Splunk web UI. Test search using cURL. Test search using Python.
... View more
02-28-2021
09:03 AM
@woodcock If your date format is fixed, e.g. %Y-%m-%d, you could use terms to limit the initial result set. If the date is in _raw with a field name and only minor breakers, e.g. FINISHDATE=%Y-%m-%d, you can further reduce the result set. E.g.: With %Y-%m-%d and FINISHDATE>1607299625, FINISHDATE is 2020-07-06, and your terms would include (assuming latest=now as of this message): (TERM(2020-07-07) OR TERM(2020-07-08) OR TERM(2020-07-09) OR TERM(2020-07-1*) OR TERM(2020-07-2*) OR TERM(2020-07-3*) OR TERM(2020-08-*) OR TERM(2020-09-*) OR TERM(2020-1*-*) OR (TERM(20*-*-*) NOT TERM(2020-*-*))) With FINISHDATE=%Y-%m-%d: (TERM(FINISHDATE=2020-07-07) OR TERM(FINISHDATE=2020-07-08) OR TERM(FINISHDATE=2020-07-09) OR TERM(FINISHDATE=2020-07-1*) OR TERM(FINISHDATE=2020-07-2*) OR TERM(FINISHDATE=2020-07-3*) OR TERM(FINISHDATE=2020-08-*) OR TERM(FINISHDATE=2020-09-*) OR TERM(FINISHDATE=2020-1*-*) OR (TERM(FINISHDATE=20*-*-*) NOT TERM(FINISHDATE=2020-*-*))) The first set of terms will return more events than you need, but you'll have reduced the number of events piping through a subsequent where or search command. The challenge becomes writing a family of date comparison macros (eq, ne, gt, lt, etc.) that convert an epoch value to a set of reduced terms, perhaps including a time format string parameter. A similar set of reduced terms can be constructed for time values in e.g. %H:%M:%S format. The only reference to "schema-accelerated search optimization" I can find in documentation is "improved data model drilldown" in the release notes for Splunk Enterprise 7.1. I believe this is a reference to data model search modes: search, flat, and acceleration_search. As a test, I created an eval field: EVAL-FINISHDATE_EPOCH = strptime(FINISHDATE, "%Y-%m-%d") I then created an accelerated data model named change_with_finishdate with a root data set also named change_with_finishdate and a single auto-extracted field: FINISHDATE_EPOCH. Searching the data model: | datamodel summariesonly=t change_with_finishdate change_with_finishdate search | search change_with_finishdate.FINISHDATE_EPOCH>1607299625 Or to strip data set prefixes from field names: | datamodel summariesonly=t change_with_finishdate change_with_finishdate flat | search FINISHDATE_EPOCH>1607299625 Splunk adds directives to the search: | search (FINISHDATE_EPOCH=* index=main sourcetype=change_with_finishdate FINISHDATE_EPOCH>1607299625 (index=* OR index=_*)) DIRECTIVES(READ_SUMMARY(allow_old_summaries="false" dmid="CB3E9141-C5FE-4B9D-A458-16D364E70DC6_DM_search_change_with_finishdate" name="change_with_finishdate.change_with_finishdate" predicate="*" summariesonly="true"),READ_SUMMARY(predicate="\"change_with_finishdate.FINISHDATE_EPOCH\">1607299625")) | fields + _time, host, source, sourcetype, FINISHDATE_EPOCH Even with hints (DIRECTIVES, READ_SUMMARY, dmid), I can't find documentation, .conf presentations, etc. on this feature. In any case, raw events are returned, presumably filtered by the accelerated data model search. In my very small test environment, a direct search using TERM as above is faster than using a data model. I'm very curious about what your results will be in a larger index. Day to day, I do find that effectively using index terms often outperforms data models.
... View more
02-27-2021
11:47 AM
@rholm01 This may work: | streamstats current=f last(Value) as previous_Value by host counter | eval delta_Value=round(Value - previous_Value, 3) If you want the absolute difference: | eval delta_Value=round(abs(Value - previous_Value), 3) If you find Splunk's rounded values disagreeing with exact calculations, you can tell Splunk to use exact math to the limits of the operating environment's floating point precision: | eval delta_Value=exact(round(abs(Value - previous_Value), 3))
... View more
02-27-2021
11:38 AM
The management console searches bundled with Splunk Enterprise provide examples of working with metrics.log data. From Settings > Management Console, navigate to Indexing > License Usage > Historic License Usage. If your category of interest is squelched, you can summarize over indexes directly using e.g. tstats: | tstats count where index=main earliest=-7d@d latest=@d by _time span=1d host | streamstats current=f last(count) as previous_count | eval percent_change=100*(count-previous_count)/count | where NOT isnull(percent_change) You could alternatively look at third-party solutions, e.g. Meta Woot! by @DiscoveredIntel.
... View more
02-27-2021
11:29 AM
In most cases, your search time range should accommodate this directly. For example, to show today's current count on refresh, set the time range to earliest=@d latest=now in whichever way makes sense for your dashboard: | tstats count where sourcetype=example earliest=@d latest=now If your solution is more complex than that, please provide an example.
... View more
02-27-2021
11:22 AM
The Building Splunk Solutions books provide examples of building custom user interfaces, but they're a bit dated. PDF copies of the first and second editions used to be published on dev.splunk.com and may still be available. If you have a Splunk support agreement, your sales engineer or account manager may be able to send you a hard copy of the second edition. Alternatively, you can buy a copy of the second addition from Amazon. Just note that it was published six years ago. The Splunk Enterprise SDK for JavaScript is up to date, but the examples aren't as rich.
... View more
02-27-2021
11:05 AM
It helps me to visualize the summary time ranges using earliest and latest. E.g. For a rolling window of three days covering the last three days: 1: earliest=-3d@d latest=-0d@d 2: earliest=-4d@d latest=-1d@d 3: earliest=-5d@d latest=-2d@d -0d@d is equivalent to @d, but using -0d@d keeps the formatting consistent. The base search earliest and latest values are the range (the total span) of the desired earliest and latest values: tag=report tag=vulnerability earliest=-5d@d latest=-0d@d At the end of the search, we'll add a where command to truncate search results to the last three summarized days: | where _time>=relative_time(relative_time(now(), "-0d@d"), "-3d@d") We first summarize the distinct count of dest by day, signature, and severity. (Substitute signature with another fields or fields as needed to uniquely identify a vulnerability.) I.e. We count each occurrence of dest once per day per signature and severity combination: tag=report tag=vulnerability earliest=-5d@d latest=-0d@d | bin _time span=1d | stats dc(dest) as subtotal by _time signature severity We use streamstats to summarize the subtotal by severity over a span of three days: tag=report tag=vulnerability earliest=-5d@d latest=-0d@d | bin _time span=1d | stats dc(dest) as subtotal by _time signature severity | streamstats time_window=3d sum(subtotal) as total by severity I previously used timechart to pivot the results over _time, but you can also use xyseries: tag=report tag=vulnerability earliest=-5d@d latest=-0d@d | bin _time span=1d | stats dc(dest) as subtotal by _time signature severity | streamstats time_window=3d sum(subtotal) as total by severity | xyseries _time severity total Finally, add the where command we prepared earlier: tag=report tag=vulnerability earliest=-5d@d latest=-0d@d | bin _time span=1d | stats dc(dest) as subtotal by _time signature severity | streamstats time_window=3d sum(subtotal) as total by severity | xyseries _time severity total | where _time>=relative_time(relative_time(now(), "-0d@d"), "-3d@d") The result is the distinct count of dest values by signature and severity over _time. If you'd like, you can a SUBTOTAL column for each day and a TOTAL row for all days: tag=report tag=vulnerability earliest=-5d@d latest=-0d@d | bin _time span=1d | stats dc(dest) as subtotal by _time signature severity | streamstats time_window=3d sum(subtotal) as total by severity | xyseries _time severity total | where _time>=relative_time(relative_time(now(), "-0d@d"), "-3d@d") | addtotals fieldname=SUBTOTAL | addcoltotals labelfield=_time label=TOTAL You can also refactor the base search and stats to use the Vulnerabilities data model and tstats. With or without acceleration: | tstats dc(Vulnerabilities.dest) as subtotal from datamodel=Vulnerabilities where earliest=-5d@d latest=-0d@d by _time span=1d Vulnerabilities.signature Vulnerabilities.severity | streamstats time_window=3d sum(subtotal) as total by Vulnerabilities.severity | xyseries _time Vulnerabilities.severity total | where _time>=relative_time(relative_time(now(), "-0d@d"), "-3d@d") | addtotals fieldname=SUBTOTAL | addcoltotals labelfield=_time label=TOTAL With accelerated summaries only: | tstats summariesonly=t dc(Vulnerabilities.dest) as subtotal from datamodel=Vulnerabilities where earliest=-5d@d latest=-0d@d by _time span=1d Vulnerabilities.signature Vulnerabilities.severity | streamstats time_window=3d sum(subtotal) as total by Vulnerabilities.severity | xyseries _time Vulnerabilities.severity total | where _time>=relative_time(relative_time(now(), "-0d@d"), "-3d@d") | addtotals fieldname=SUBTOTAL | addcoltotals labelfield=_time label=TOTAL
... View more
02-23-2021
12:57 PM
To keep everything up to and including {host n.n.n.n}, try: "s/(.*{host \d+\.\d+\.\d+\.\d+}).*/\1/g"
... View more
02-22-2021
09:27 PM
@bp32795 You can nest subsearches, rename fields, etc. when using inputlookup: [ | inputlookup lookup2 where [ | inputlookup lookup1 | rename UserId as AccountNumber | return AccountName ] | return UserId ] => [ | inputlookup lookup2 where (AccoutNumber="123" OR AccountNumber="456") | return UserId ] => (UserId="ima.sample" OR UserId="john.doe")
... View more
02-22-2021
09:03 PM
If your Splunk environment is properly configured, you can find memory usage with this: tag=performance tag=memory | stats max(eval(100*mem_used/mem)) as mem_used_percent by host | where mem_used_percent>90 This isn't the best place to discuss AppDynamics, but you can use the machine agent to collect basic hardware metrics, reports to display them, and health rules to alert on them. Extended metrics require a Server Visibility license.
... View more
02-22-2021
08:44 PM
1 Karma
@to4kawa It should be a field alias in recent versions of Splunk_TA_nix. I just verified 8.2.0 and 8.3.0. It's not present in 5.2.4, which is the only other version I have handy. [top] ... FIELDALIAS-cpu_load_percent = pctCPU as cpu_load_percent
... View more
02-22-2021
08:36 PM
The union of the two searches is simply the base search: index=abc dest="xyz.com" uri_path="access.html" http_method=POST | stats count by _time src
... View more
02-22-2021
08:27 PM
@goncalosilva123 Here's an alternative with similar performance: | inputlookup a_CSV_file.csv | streamstats current=f last(Date_1) as last_Date_1 last(Total) as last_Total by Item_Name | eval Diff_Date="Diff_".substr(last_Date_1, -2)."_".substr(Date_1, -2) | appendpipe [ | stats values(eval((Total - last_Total)." (".Total."-".last_Total.")")) as Diff by Diff_Date Item_Name ] | eval Date_1=coalesce(Date_1, Diff_Date), Total=coalesce(Total, Diff) | xyseries Item_Name Date_1 Total
... View more
02-22-2021
07:37 PM
1 Karma
The DBA_DATA_FILES, DBA_TEMP_FILES, and DBA_FREE_SPACE views do not contain date columns. If your Oracle DBAs want to track changes to those views over time, a more appropriate solution would be e.g. a daily DB Connect input with the timestamp set to the current time in the input configuration. After the input is in place, you can just search the data in Splunk: index=foo sourcetype=bar | timechart span=1d values(total_size)
... View more
02-22-2021
07:28 PM
@tod_s I've not done this with Flash specifically, but I recommend asking your vendor to suggest or provide methods of logging access to Flash content as an indicator of compromise. I mentioned proxies because they're often configured to re-encrypt traffic for inspection and logging.
... View more
02-22-2021
07:24 PM
@rneel If I understand correctly, that's actually much simpler: index=_internal sourcetype=splunkd source=*/splunkd.log* earliest=-7d@d latest=@d | bin _time span=1d | stats dc(_time) as days by log_level In this example, I've binned _time into days and then counted the distinct number of days per log level. Just replace the base search and log_level field with your data. If your severity field is indexed, you can use tstats for better performance. Here's an example using the source field: | tstats values(source) as source where index=_internal sourcetype=splunkd earliest=-7d@d latest=@d by _time span=1d | mvexpand source | stats dc(_time) by source If your severity is not index but does exist in raw data as e.g. severity=critical, you can combine tstats with TERM and PREFIX for similar performance gains: | tstats count where index=_internal sourcetype=scheduler TERM(priority=*) earliest=-7d@d latest=@d by _time span=1d PREFIX(priority=) | rename "priority=" as priority | stats dc(_time) as days by priority The key is the raw data containing some field name and some value separated by a minor breaker. For example, raw data containing severity_critical could be parsed with: | tstats count where index=main TERM(severity_*) earliest=-7d@d latest=@d by _time span=1d PREFIX(severity_) | rename "severity_" as severity | stats dc(_time) as days by severity PREFIX is very powerful!
... View more
02-21-2021
09:44 PM
1 Karma
@arunkuriakose0 appendpipe [ | makeresults ] will add a row/event with only a _time value.
... View more
02-21-2021
02:01 PM
@jboustead How is the value of xxx derived? Do you see the same issue using another numeric field with a known derivation, e.g. sum(_time)? You may be receiving different events each time the search executes, but it's not possible to verify that without an understanding of your deployment.
... View more
02-21-2021
01:55 PM
@sarit_s Limits depend on context and function. Which limit do you specifically want to adjust?
... View more
02-21-2021
01:51 PM
@zenmay See the requireClientCert setting in the sslConfig stanza in server.conf. This will require connections to the management port to present a client certificate from a CA trusted by the Splunk instance.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
2 weeks ago
|
Karma from
Karma given to
