Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About sarit_s
sarit_s
Communicator
Member since:
12-25-2015
07-10-2024
Community Statistics
| Posts | 523 |
| Solutions | 2 |
| Karma Given | 2 |
| Karma Received | 6 |
| Member Since | 12-25-2015 |
Activity Feed
- Posted Re: delete multiple alerts from splunk cloud on Splunk Cloud Platform. 07-09-2024 11:19 PM
- Posted task server stopped working on All Apps and Add-ons. 05-05-2024 01:54 AM
- Posted Re: extract field from json file on Splunk Search. 04-24-2024 06:22 AM
- Posted Re: extract field from json file on Splunk Search. 04-23-2024 10:07 PM
- Posted Re: extract field from json file on Splunk Search. 04-22-2024 12:52 AM
- Posted Re: extract field from json file on Splunk Search. 04-22-2024 12:39 AM
- Posted extract field from json file on Splunk Search. 04-21-2024 11:13 PM
- Posted blob storage log does not parse on All Apps and Add-ons. 03-31-2024 01:16 AM
- Posted how to work with transforms.conf on Getting Data In. 01-22-2024 07:11 AM
- Posted Re: summary indexing on Getting Data In. 01-22-2024 02:55 AM
- Posted Re: sourcetypes size trend on Getting Data In. 12-04-2023 01:00 AM
- Posted Re: update dashboard table after changes in filters on Dashboards & Visualizations. 11-30-2023 05:17 AM
- Posted Re: update dashboard table after changes in filters on Dashboards & Visualizations. 11-30-2023 04:53 AM
- Posted Re: update dashboard table after changes in filters on Dashboards & Visualizations. 11-30-2023 04:43 AM
- Posted Re: update dashboard table after changes in filters on Dashboards & Visualizations. 11-30-2023 02:48 AM
- Posted Re: timechart not working on Dashboards & Visualizations. 11-29-2023 03:49 AM
- Posted Re: timechart not working on Dashboards & Visualizations. 11-29-2023 03:48 AM
- Posted Re: timechart not working on Dashboards & Visualizations. 11-29-2023 03:09 AM
- Posted timechart not working on Dashboards & Visualizations. 11-29-2023 02:58 AM
- Posted count unique values and visualize in pie chart on Dashboards & Visualizations. 11-26-2023 07:18 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-09-2024
11:19 PM
ok so i was able to figure it out but now i have new issue that i don't know even where to start i have a list of alerts that i want to move from one splunk app to another is there a way to do it with script ? because doing it one by one will take me forever. i have a file with - alert name, alert id, current app name, new app name
... View more
05-05-2024
01:54 AM
Hello Using Splunk db connect 3.13.0 which worked fine until I've restarted the server since then the task server is not starting and im getting this error : message from "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbxquery.sh" com.splunk.modularinput.Event.writeTo(Event.java:65)\\com.splunk.modularinput.EventWriter.writeEvent(EventWriter.java:137)\\com.splunk.dbx.command.DbxQueryServerStart.streamEvents(DbxQueryServerStart.java:51)\\com.splunk.modularinput.Script.run(Script.java:66)\\com.splunk.modularinput.Script.run(Script.java:44)\\com.splunk.dbx.command.DbxQueryServerStart.main(DbxQueryServerStart.java:95)\\
ERROR ExecProcessor [15275 ExecProcessorSchedulerThread] - message from "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbxquery.sh" action=dbxquery_server_start_failed error=java.security.GeneralSecurityException: Only salted password is supported
... View more
Labels
- Labels:
-
troubleshooting
04-24-2024
06:22 AM
this is an example to make results : | makeresults format=json data="[{\"browsers\":{\"0123456\":{\"id\":\"0123456\",\"fullName\":\"blahblah\",\"name\":\"blahblah\",\"state\":0,\"lastResult\":{\"success\":1,\"failed\":2,\"skipped\":3,\"total\":4,\"totalTime\":5,\"netTime\":6,\"error\":true,\"disconnected\":true},\"launchId\":7}},\"result\":{\"0123456\":[{\"id\":8,\"description\":\"blahblah\",\"suite\":[\"blahblah\",\"blahblah\"],\"fullName\":\"blahblah\",\"success\":true,\"skipped\":true,\"time\":9,\"log\":[\"blahblah\",\"blahblah\"]}]},\"summary\":{\"success\":10,\"failed\":11,\"error\":true,\"disconnected\":true,\"exitCode\":12}}]"
... View more
04-22-2024
12:52 AM
this is the output of the query : also, example of my event : browsers: { [+]
}
coverageResult: { [+]
}
libraryPath: libs/funnels
result: { [-]
82348856: [ [+]
]
}
summary: { [+]
}
}
... View more
04-22-2024
12:39 AM
browsers: { [+]
}
coverageResult: { [+]
}
libraryPath: libs/funnels
result: { [-]
82348856: [ [+]
]
}
summary: { [+]
}
}
... View more
04-21-2024
11:13 PM
Hello I have this query : index="github_runners" sourcetype="testing" source="reports-tests"
| spath path=libraryPath output=library
| spath path=result.69991058{} output=testResult
| mvexpand testResult
| spath input=testResult path=fullName output=test_name
| spath input=testResult path=success output=test_outcome
| spath input=testResult path=skipped output=test_skipped
| spath input=testResult path=time output=test_time
| table library testResult test_name test_outcome test_skipped test_time
| eval status=if(test_outcome="true", "Passed", if(test_outcome="false", "Failed", if(test_skipped="true", "NotExecuted", "")))
| stats count sum(eval(if(status="Passed", 1, 0))) as passed_tests, sum(eval(if(status="Failed", 1, 0))) as failed_tests , sum(eval(if(status="NotExecuted", 1, 0))) as test_skipped by test_name library test_time
| eval total_tests = passed_tests + failed_tests
| eval success_ratio=round((passed_tests/total_tests)*100,2)
| table library, test_name, total_tests, passed_tests, failed_tests, test_skipped, success_ratio test_time
| sort + success_ratio And i'm trying to make its dynamic so i will see results for other numbers than '69991058' How can i make it ? i'm trying with regex but it looks like im doing something wrong since im getting 0 results while in the first query there are results index="github_runners" sourcetype="testing" source="reports-tests"
| spath path=libraryPath output=library
| rex field=_raw "result\.(?<number>\d+)\{\}"
| spath path="result.number{}" output=testResult
| mvexpand testResult
| spath input=testResult path=fullName output=test_name
| spath input=testResult path=success output=test_outcome
| spath input=testResult path=skipped output=test_skipped
| spath input=testResult path=time output=test_time
| table library testResult test_name test_outcome test_skipped test_time
| eval status=if(test_outcome="true", "Passed", if(test_outcome="false", "Failed", if(test_skipped="true", "NotExecuted", "")))
| stats count sum(eval(if(status="Passed", 1, 0))) as passed_tests, sum(eval(if(status="Failed", 1, 0))) as failed_tests , sum(eval(if(status="NotExecuted", 1, 0))) as test_skipped by test_name library test_time
| eval total_tests = passed_tests + failed_tests
| eval success_ratio=round((passed_tests/total_tests)*100,2)
| table library, test_name, total_tests, passed_tests, failed_tests, test_skipped, success_ratio test_time
| sort + success_ratio
... View more
Labels
- Labels:
-
field extraction
-
regex
03-31-2024
01:16 AM
Hello I have a csv file in azure i've created an input at "Splunk Add-on for Microsoft Cloudservices Storage Blob" app Also, ive created this in the sourcetype : this is the transforms : and this is the field extraction : but the logs does not parse it indexed as one line Am i missing something ?
... View more
Labels
- Labels:
-
search
01-22-2024
07:11 AM
Hello I have few services that today sends data some index via code. We are going to remove this index and create new one but cannot change the code so i want to change the point with transforms.conf + props.conf using regex that extract the service name from source field and the environment from _raw this is my transforms.conf file : [service_extraction]
SOURCE_KEY = source
REGEX = \/var\/log\/pods\/(.+?)_
FORMAT = complaince_int_front::@service_$environment
DEST_KEY = _MetaData:Index
LOOKAHEAD = 40000
[environment_extraction]
SOURCE_KEY = sourcetype::kube:container:mockapiservice
REGEX = "Region":"(.+?)"
FORMAT = complaince_int_front::@service_$1
DEST_KEY = _MetaData:Index
LOOKAHEAD = 40000 i guess i did something wrong since its not working
... View more
Labels
- Labels:
-
props.conf
-
transforms.conf
01-22-2024
02:55 AM
Hello Thanks for your reply. I have few heavy dashboards that most of them are using the same base search so i thought that summary index can be the right way to reduce the running time. As I understood from documentation, I need to create a report that running the base search and schedule it to run once a day and send the result to summary index, is it right ? If yes, should I run the dashboards with the summary index and the "regular" index ? also, If the report results are saved in summary index, does it mean the logs are saved twice ? once in the "regular" index and once in summary index ?
... View more
12-04-2023
01:00 AM
Hello It looks good but once im clicking on one of the graphs its shows no results: also, i want to visualize by Level as well
... View more
11-30-2023
05:17 AM
ok, i found the problem one of the panels that updates the table is trellis_pie and this token is the one that brakes every thing so i guess i configured it wrong what is the right way to configure trellis_pie token ? this is the source: <option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">collapsed</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.sliceCollapsingThreshold">0</option>
<option name="charting.drilldown">all</option>
<option name="charting.legend.placement">none</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">1</option>
<drilldown>
<set token="host_exposure_level">$row.category$</set>
</drilldown>
</chart>
... View more
11-30-2023
04:53 AM
ok, i found the problem one of the panels that updates the table is trellis_pie and this token is the one that brakes every thing so i guess i configured it wrong what is the right way to configure trellis_pie token ? this is the source: <panel>
<chart id="trellis_pie">
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">collapsed</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.sliceCollapsingThreshold">0</option>
<option name="charting.drilldown">all</option>
<option name="charting.legend.placement">none</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">1</option>
<drilldown>
<set token="host_exposure_level">$row.category$</set>
</drilldown>
</chart>
</panel>
... View more
11-30-2023
04:43 AM
Hello i've tried to add * as the initial value but its not working in default initial value ignored once default value is configured.
... View more
11-30-2023
02:48 AM
Hello Each filter have default value "*" this is an example for the source of 2 filters : <input type="multiselect" token="Account_Label_Azure">
<label>Account Label Azure</label>
<choice value="*">ALL</choice>
<default>*</default>
<fieldForLabel>Account_Label_Azure</fieldForLabel>
<fieldForValue>Account_Label_Azure</fieldForValue>
<search>
<query>index=report Account_Label_Azure=*</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<input type="multiselect" token="Account_Label_VMware">
<label>Account Label VMware</label>
<choice value="*">ALL</choice>
<default>*</default>
<fieldForLabel>Account_Label_VMware</fieldForLabel>
<fieldForValue>Account_Label_VMware</fieldForValue>
<search>
<query>index=report Account_Label_VMware=*</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search> and this is the source of the table <table>
<search>
<query>index="report" Category__Severities_of_Patches="$host1$" OR Category__Categories_of_Patches="$host2$" OR Category__Sources_of_Patches="$host3$" OR exposure_level=$host_exposure_level$ OR Computer_Name="$computer_name$" OR Account_Label_Azure="$Account_Label_Azure$" OR Account_Label_VMware="$Account_Label_VMware$" OR BigFix_Groups="$BigFix_Groups$" OR Category__Sources_of_Patches="$Category__Sources_of_Patches$" OR Custom_Attributes="$Custom_Attributes$" OR Custom_Site_Names="$Custom_Site_Names$" OR IP_Address="$IP_Address$" OR Operating_System="$Operating_System$" OR OS="$OS$" OR Pending_Restart="$Pending_Restart$" OR Power_State_VMware="$Power_State_VMware$" OR Provider_Name="$Provider_Name$" OR Relay="$Relay$" OR State_Azure="$State_Azure$" OR VM_Region="$VM_Region$" OR Tags_Azure___cost_environment=$Tags_Azure___cost_environment$ OR Tags_Azure___cost_servicegroup=$Tags_Azure___cost_servicegroup$ OR Tags_Azure___cost_team=$Tags_Azure___cost_team$ OR Custom_Attributes=$Custom_Attributes$
| table Computer_ID Computer_Name Account_Label_VMware Account_Label_Azure Provider_Name OS Relay VMware_Tags Tags_Azure Custom_Site_Names Pending_Restart Custom_Attributes Last_Report_Time Last_Updated Free_Space_on_System_Drive_(GB) Power_State_VMware State_Azure BigFix_Groups Category__Names_of_Patches Category__Severities_of_Patches Category__Categories_of_Patches Category__Sources_of_Patches Category__CVEs_of_Patches Category__Release_Dates_of_Patches</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
... View more
11-29-2023
03:48 AM
so what sould i do ? replacing it with timechart returns also no results
... View more
11-29-2023
03:09 AM
Well, ive changed it to this : | eval category=exposure_level
| timechart span=1d count(Computer_Name) as totalNumberOfPatches by category but still no results
... View more
11-29-2023
02:58 AM
Hello I have this query : index="report" Computer_Name="*" |chart dc(Category__Names_of_Patches) as totalNumberOfPatches by Computer_Name
| eval exposure_level = case(
totalNumberOfPatches >= 3 AND totalNumberOfPatches <= 6, "Low Exposure",
totalNumberOfPatches >= 7 AND totalNumberOfPatches <= 10, "Medium Exposure",
totalNumberOfPatches >= 11, "High Exposure",
totalNumberOfPatches == 2, "Compliant",
totalNumberOfPatches == 1, "<not reported>",
1=1,"other"
)
| stats count(Computer_Name) as totalNumberOfPatches by exposure_level
| eval category=exposure_level Looks like I've lost the _time field on the way so when im trying to run timechart im getting no results
... View more
Labels
- Labels:
-
timechart
11-26-2023
07:18 AM
Hello I have this query : index="bigfixreport" | timechart count(Category__Names_of_Patches) as totalNumberOfPatches by Computer_Name
| eval exposure_level = case(
totalNumberOfPatches >= 2 AND totalNumberOfPatches <= 5, "Low Exposure",
totalNumberOfPatches >= 6 AND totalNumberOfPatches <= 9, "Medium Exposure",
totalNumberOfPatches >= 10, "High Exposure",
totalNumberOfPatches == 1, "Compliant",
1=1, "<not reported>"
)
| eval category=exposure_level
| xyseries category exposure_level totalNumberOfPatches The purpose of this query is to count the number of patches for each computer name and visualize it in pie chart - one for each category and color each pie in different color ("Low Exposure" - blue, "Medium Exposure" - yellow, "High Exposure" - red, "Compliant" - green, <not reported> - gray) I have few problems 1. since i count numbers, <not reported> not count and does not display in the list 2. i have new file every day and it is possible the for few day the number of patches for some computer will be the same (for example, it will be 3 patches for specific computer for 5 days) if i just count the number of patches it will count 3+3+3+3+3 and it is not true since its the same 3 patches
... View more
Labels
- Labels:
-
chart
-
timechart
-
trellis layout
11-22-2023
11:18 AM
Hello Thanks ! it looks good but i still have few issues : i configured this : <style>
#trellis_pie div.facets-container div.viz-panel:nth-child(1) g.highcharts-series path
{
fill: blue !important;
}
#trellis_pie div.facets-container div.viz-panel:nth-child(2) g.highcharts-series path
{
fill: yellow !important;
}
#trellis_pie div.facets-container div.viz-panel:nth-child(3) g.highcharts-series path
{
fill: red !important;
}
#trellis_pie div.facets-container div.viz-panel:nth-child(4) g.highcharts-series path
{
fill: green !important;
}
#trellis_pie div.facets-container div.viz-panel:nth-child(5) g.highcharts-series path
{
fill: gray !important;
}
</style> if i understand correctly, the order of the colors is the order of the conditions in the "case" so, in that case, "High Exposure" supposed to be red but actually its blue, "Low Exposure" supposed to be blue but its yellow and "Medium Exposure" supposed to be yellow but its red, the other two does not shown but it supposed to. also, i don't see the number of results in the pie, i just see "other" even thought Minimum size set to 0
... View more
11-22-2023
04:23 AM
sorry , category = exposure_level
... View more
11-22-2023
04:18 AM
exactly and will show the number of the count for the specific category
... View more
11-22-2023
04:16 AM
separate once
... View more
11-22-2023
04:10 AM
Thanks It looks better I just want to color the pie in different colors so : "Low Exposure" - blue "Medium Exposure" - yellow "High Exposure" - red "Compliant" - green <not reported> - gray I couldn't find an option to do it
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-10-2024
04:45 AM
|
