My situation with this error: I had established my own certs (including a CACert.pem file) and placed them in a folder: /opt/splunk/etc/auth/my_certs ... and everything worked fine, except for ldap-search, which was complaining of an 'invalid CA public key file'. In the SA-ldapsearch/default folder is the file ssl.conf with an entry:
[sslConfig]
sslVersions = tls
caCertFile = cacert.pem
Well.. because my CA cert was named "CACert.pem" -- the add-on couldn't find it. I copied my CACert.pem to 'cacert.pem' -- and everything worked well again. @jreuter_splunk wrote: sslConfig is case sensitive. Indeed it is. Good luck.
Sorry.. I don't know what you mean. You could just look for the file: string. So something like:
| rex field=mystring "file:(?P<filelocation>[^<]*)"
this just looks for "file:" and then grabs whatever comes after it.
What is your search time frame?
A user would have to fail 40 times within your search time frame to qualify as an alert.
Is that what you're expecting?
Do you mean something like this?:
|rest /servicesNS/-/-/saved/searches
| table title eai:acl.app eai:acl.owner actions search
So maybe with your criteria, it'd be:
|rest /servicesNS/-/-/saved/searches
| table title eai:acl.app eai:acl.owner actions search
| where title LIKE "%Purchase%" OR title LIKE "%search%" OR title LIKE "%booking%"
Alerts generally have actions so you could add a filter for those, or there may be other ways to do it:
|rest /servicesNS/-/-/saved/searches
| search NOT actions=""
| table title eai:acl.app eai:acl.owner actions search
| where title LIKE "%Purchase%" OR title LIKE "%search%" OR title LIKE "%booking%"
You're looking for a way to persist some search results -- and then further filter them?
There's a few mechanisms for that with Splunk.
I think one is the closest to what you're looking for:
https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Loadjob
See also:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch
https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Usesummaryindexing
There's likely a few others that also would help.
Good luck.
@zacksoft in your query human_time and sub_time are both formatting sub_time -- so they'll be the same.
If you change your last line to display:
|table human_epoch_time sub_time human_time
You should see the diff between human_epoch_time and sub_time
_time is an epoch time that holds seconds since some base date. Here's some code that manipulates those values in the way you're asking for:
| makeresults
| eval serv_time = 44432
| eval epoch_time = _time
| eval human_epoch_time = strftime(epoch_time,"%y-%m-%d %H:%M:%S.%N")
| eval sub_time = epoch_time - (serv_time/1000)
| eval human_time = strftime(sub_time,"%y-%m-%d %H:%M:%S.%N")
No problem. I believe $click.value$ will give you the field that is clicked. However, you may want to use a specific field regardless of where on the row the click occurs. When that occurs I think $row.$ is the choice for that behavior. At any rate... good luck.
You'll likely need some form of this:
<drilldown>
<link target="_blank">/app/some_app/some_dashboard?token=$click.value$&token2=$row.fieldname$</link>
</drilldown>
https://docs.splunk.com/Documentation/Splunk/8.0.2/Viz/tokens
Not much to go on here... Maybe you can provide some more details around what you've tried and what your current data set or query attempts are...
Broadly you can look at these:
https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Search
https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Where
https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchTutorial/Useasubsearch
Here's a search with numeric values - that you can look at:
index=_internal sourcetype=splunkd kb=*
| table _time sourcetype kb
| eval threshold = if(kb<80,"UNDER","OVER")
| streamstats current=t window=3 list(kb) as last_three list(threshold) AS all_threshholds values(threshold) AS last3_threshhold
| eval ALERT = if(last3_threshhold != "UNDER","All 3 were OVER","")
| eval GOOD = if(last3_threshhold != "OVER","Last 3 were all good","")
How we did that was to pull together the list of inputs and then add a streamstats like this:
| streamstats current=t window=3 values(status) AS last_three by input_name
Something like this:
index=_internal sourcetype=dbx_job_metrics
| sort input_name _time
| table input_name _time status
| streamstats current=t window=3 list(status) as last_three values(status) AS values_three by input_name
| search values_three != "COMPLETED"
You'll need to adjust a little to get your > 80% in there.. but that's the basics of it.
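Added example (not from the original posts) that extends the two streamstats answers above, the numeric kb threshold one and the dbx_job_metrics one: instead of comparing the multivalue field against a single string, it counts how many of the last three statuses per input were not COMPLETED and turns that into a percentage, so the "> 80%" condition can be tested directly. It assumes the same index=_internal sourcetype=dbx_job_metrics data and the input_name and status fields used above.

```spl
index=_internal sourcetype=dbx_job_metrics
| sort 0 input_name _time
| table input_name _time status
| streamstats current=t window=3 list(status) AS last_three count AS n by input_name
| eval failed = mvcount(mvfilter(last_three != "COMPLETED"))
| eval failed = coalesce(failed, 0)
| eval fail_pct = round(100 * failed / n, 0)
| where n = 3 AND fail_pct > 80
| table input_name _time last_three fail_pct
```

The `n = 3` guard skips the first one or two events of each input, where the window is not yet full and a single failure would otherwise read as 100%.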
That's a tougher question.
The only way I'd know how to do that is to leave the values in a string, split it, and then use mvindex to index the 12th value in the split.
| makeresults
| eval message = "this,is,the,fourth,fifth,sixth,value"
| eval new_mvfield = split(message,",")
| eval FOURTH = mvindex(new_mvfield,3)
| eval FIFTH = mvindex(new_mvfield,4)
| eval LAST = mvindex(new_mvfield,-1)
You can use 'if' and 'isnull' to identify whether the field exists, and if not replace it with another field.
| makeresults
| eval there = "NOTNULL"
| eval NEWFIELD = if(isnull(notthere),"FIELD IS NULL", "FIELD IS AVAIL")
| eval NEWFIELD2 = if(isnull(there),"FIELD IS NULL", "FIELD IS AVAIL")
or
| makeresults
| eval there = "NOTNULL"
| eval newfield = "NEW"
| eval NEWFIELD = if(isnull(notthere),"FIELD IS NULL", "FIELD IS AVAIL")
| eval NEWFIELD2 = if(isnull(there),newfield, there)
Does your resulting table only have a single row in it? Or are there multiple rows?
dc returns a single value, but I think values returns a multi-value field.
I'm just shooting in the dark at this point but maybe:
Change dc(dest) AS host count -> values(dest) AS host count
Swap the field names -> dc(dest) AS hash values("match_hash") as host_count
Remove the "by "intel_name".
I did notice that you seem to be quoting the other fields, but not dc(dest)?
hmm.. tough to say. At least you're saying that the token doesn't work no matter where you try to use it. That gets us back into the normal territory.
I'm confused how you're using a stats command, but also generating the rest of the notable fields. Maybe you can post a few more details of your search output, or the notable that comes out of it.
So you're saying that a token in the "Drill-down Name" field of your Notable isn't working, but the same token when used in the "Drill-down Search" field gets passed correctly to the drill-down search?
If that's what you're seeing -- then that is a bit nasty.. I'd start to wonder whether your browser is telling you the truth? Clear browser cache?