Hi, I have a query as follows index="summary" search_name="ABC" | dedup hostname | table hostname Now I want see the hostnames which are in last week's result and not in this week's result and vice versa? What are the earliest and latest times that I should be specified in subsearch and main search? What could be the query to get that result? ... View more

I have a simple lookup query as follows :- | inputlookup ABC.csv which gives the result as follows :- Which doesn't give me any visualization. Now how can I get a "Line Chart" visualization with 3 line patterns like "time-to-close", "time-to-discover" and "time-to-respond" I assume the current time format for all the 3 columns should be converted to a unique value either by seconds or by minutes inorder to get any visualization like "1 d,0 h, 0 m and 0 s" as "86400s" but I'm not sure how to get the eval logic for that. Any help would be great. ... View more

I am trying to add a documentation link to the splunk dashboard. below is the html code for the dashboard before and after the html tags Detailed instructions of dashboard: <a href="https://abc-app.def.net/ghiklmn/controller/authorsolution/?action=edit&solutionID=161208153937927&page=1&SToken=37F7E60SAD4FDSF54DS45WA5C0">kjgjhg</a> But getting the below error and coudn't able to save the dashboard Error parsing XML on line XX: EntityRef: expecting ';' How to modify the above XML to add the link ... View more

I have a query as below which gives some output index="summary" search_name="ABC" | dedup hostname | join type=outer ip_address [| inputlookup device_list.csv | rename devip as my_ip ] Now, I had created a small saved search to save the daily lookup result using the summery indexing concept like below saved search name :- daily_device_list search :- | inputlookup device_list.csv | rename devip as my_ip scheduled :- once everyday will save the results on index "summary" Now, I am trying to replace my query with the saved search like below index="summary" search_name="ABC" | dedup hostname | join type=outer ip_address [index="summary" search_name="daily_device_list" ] Which throws me an error as follows Search Factory: Unknown search command 'index'. Now, could someone assist me on what went wrong or how to modify my query to use the saved search "daily_device_list" by replacing the actuall query? ... View more

I have two different queries like below Query 1 :- field_1!="A" AND field_2="B" OR field_1!="A" AND field_2="C" OR field_1!="A" AND field_2="D" OR field_1!="A" AND field_2="E" Query 2 :- field_1!="A" AND (field_2="B" OR field_2="C" OR field_2="D" OR field_2="E" ) In my view both the queries should give the same result but it's giving me the different result. What's the difference between both the queries and what's the actual order splunk executes? ... View more

I have a query as follows index=abc sourcetype=def | stats count by field_A | eval mb=round(count/1024/1024,2) which gives me the result as follows field_A count mb jjjh 237606517 230.43 gffgf 2763240 2.67 Now, my question is that is the megabytes(mb) calcullation per each field is correct? Also the count for each field value is it in bytes ? I am a bit confused and all I'm trying to get the result as follows Field_A - Count of Event - Average size of that event ... View more

I have a query as follows | inputlookup hosts.csv | table host | format Which gives the result as follows ( ( host="abc" ) OR ( host="def" ) OR ( host="ghi" ) OR ( host="jkl" )) Now, how to modify my current query to get the result as follows ( ( host="abc*" ) OR ( host="def*" ) OR ( host="ghi*" ) OR ( host="jkl*" )) Is there any way that I can add the wildcard to all the host field values either by eval or regex. Please let me know if there is any possibility? ... View more

I have a lookup file which contains a list of hostnames under the field Host like below Host abd addf fdfs Now how can I get the field values for those hosts in lookup from splunk for A,B and C like below Host A B C I am trying to find a simplified way if there is any in splunk instead of searching manually in splunk like below for each host Host="chdg" OR Host="jkhgsdjh"........ | stats values (A), values(B), values(C) by Host ... View more

I always wonder how can I break my big splunk query on the dashboard to multiple parts like by providing spaces in between the lines. For example if below is my query index=blah source=abc | eval abc="jkhdkkjd" | search NOT field="bvc" Now how can I break the above into below by providing a line gap between the next part of the query index=blah source=abc | eval abc="jkhdkkjd" | search NOT field="bvc" Note :- I just wanna add spaces/line gaps between my query and not on the results. ... View more

I am getting the below error on my search head for all the queries. "Unable to distribute to peer named X.X.X.X:PPPP at uri=X.X.X.X:PPPP using the uri-scheme=https because peer has status="Down". Please verify uri-scheme, connectivity to the search peer, that the search peer is up, and an adequate level of system resources are available. See the Troubleshooting Manual for more information." Where X.X.X.X is indexer IP address and PPPP is port. When I tried to look what's happening in the internal logs I only see the below warning message on all the events Query used :-index="_internal" source=/cs/splunk/search/var/log/splunk/splunkd.log X.X.X.X Warning log :- 02-24-2018 16:35:15.331 +0100 WARN DistributedPeerManager - Unable to distribute to peer named X.X.X.X:PPPP at uri=X.X.X.X:PPPP using the uri-scheme=https because peer has status="Down" Please verify uri-scheme, connectivity to the search peer, that the search peer is up, and an adequate level of system resources are available. See the Troubleshooting Manual for more information. I have tried the below to identify the issue removing the cluster and re-adding it doesn’t resolve this problem Rebooting the indexer doesn't help I can see some buckets showing up on indexer when searching it, however, most of them are unavailable. Could anyone suggest what exactly could be the issue? Note :- search head version :- 6.5.3 and indexer version for host X.X.X.X is : 6.6.5 I know that upgrading the search head to the version 6.6.5 would resolve this but I'm trying to find the reason why it fails when the search head version is lesser than the indexer version ... View more

I have a query which displays some tabular results and when a certain condition is matched for 2 field values I want to insert a new value to Field_A like below If field_A="not registered" and field_B="PROVISIONING" for a list of hosts then I want to change the Field_A value from "not registered" to "registered but not monitored" How can I write an eval condition to satisfy the above. I have some how managed to get a little further like below | eval field_A=if(field_A=="not registered" AND field_B=="PROVISIONING") Please complete the above part eval condition above if someone knows how to do it? ... View more