About balcv

balcv · ‎02-09-2026

I'm trying to work out how I execute a saved search / report using the REST API. I have created the token and have all the correct permissions. An "inline" search in the curl command works and returns the required search results, however I have not been able to successfully get a saved search / report to run. I know that my saved searches reside in $SPLUNK_Home/etc/users/[user]/[app]/local/savedsearches.conf and I can see the required search of "LV - WiFi Users" in the .conf file. My problem is how to reference that in the curl api call. I'm executing: curl -s -k -H "Authorization: Bearer [key]" "https://[splunk_host]:8089/users/[user]/[app]/local/?output_mode=csv" --data-urlencode search="savedsearch \"LV - WiFi Users\"" and results in "The requested URL was not found on this server." error. Does anyone have any hints on how I can execute the "LV - WiFi Users" saved search using a curl API call? Thanks

balcv · ‎12-17-2023

Perfect. Thank you @dtburrows3

balcv · ‎12-17-2023

I have a search that returns a list of users and the country logins have occurred from grouped by user. index=o365 UserloginFailed* | iplocation ClientIP | search Country!=Australia | stats values(Country) by user So if a user logins from one Country, then a get a single record for the user (user, Country). If a user logins in from multiple locations, I get the user name in one column and a list of the source locations in the values(County) column. I would like to construct the search so that only see those users who have logins from multiple Countries. Thanks

balcv · ‎10-15-2023

Thanks @hoangs. I did read that in some documentation but unfortunately I do not have those switches when I go to edit my dashboards or panels.

balcv · ‎10-12-2023

How can I remove the "Open in Search" (search magnifying glass) icon/option from a panel in a Dashboard Studio dashboard? I know how it's done in the Classic dashboard, but cannot work out how to do it in Dashboard Studio. Thanks

balcv · ‎10-05-2023

Thanks @bowesmana . I had a fleeing it was not going to be as easy as I had hoped. I'm rethinking my approach to see if I can find a way to achieve what I need. Thanks again.

balcv · ‎10-04-2023

I have a search and subsearch that is working as required but there is a field in the subsearch that I want to display in the final table output but is not a field to be searched on. index=aruba sourcetype="aruba:stm" "*Denylist add*" OR "*Denylist del*" | eval stuff=split(message," ") | eval mac=mvindex(stuff,4) | eval mac=substr(mac,1,17) | eval denyListAction=mvindex(stuff,3) | eval denyListAction= replace (denyListAction,":","") | eval reason=mvindex(stuff,5,6) | search mac="*:*" [ search index=main host=thestor Username="*adgunn*" | dedup Client_Mac | eval Client_Mac = "*" . replace(Client_Mac,"-",":") . "*" | rename Client_Mac AS mac | fields mac ] | dedup mac,denyListAction,reason | table _time,mac,denyListAction,reason What I want is for the value held in field Username to be included in the table command of the outer search. How do I pass it from the subsearch to be used in the table command and not used as part of the search? Thanks.

balcv · ‎10-02-2023

Perfect @chris_barrett . Thanks for the response.

balcv · ‎10-01-2023

Is it possible to have the true and false parts of an if statement contain eval statements. | eval pwdExpire=if(type="staff", | eval relative_time(_time, "+90day") , | eval relative_time(_time, "+180day") ) Desired results is: If type="staff" calculate pwdExpiry as _time + 90 days, else calculate pwdExpiry as _time + 180 days. I will then format pwdExpiry and display in a table.

balcv · ‎05-07-2023

Perfect thanks @scelikok

balcv · ‎05-07-2023

I have a field returned with some search data that contains a date and time in UTC. I would like to be able to add 10 hours to the time. a) Field contents(dateTime UTC): 2023-05-08T00:24:37.6079338Z b) New field (Local dateTime): 2023-05-08 10:24:37.607 Is there a way to do the conversion from a) to b) in the search syntax?

balcv · ‎11-02-2022

Thanks @richgalloway . I've removed the escape and added the index and source as suggested but that data is still appearing. [monitor:///var/log/tomcat9] blacklist= catalina.out index= main source= catalina.out disabled = 0 Can the order of the monitor statements have an impact? For example could a preceding statement override this statement if the previous statement is for ///var/log but does not specifically reference tomcat9?

balcv · ‎11-02-2022

I'm trying to exclude a specific file called catalina.out in /var/log/tomcat9/ from being processed by Splunk. The file is being sent to my heavy forwarder and I have the following in inputs.conf [monitor:///var/log/tomcat9] blacklist=(catalina\.out) disabled = 0 The data continues to be processed. What am I missing?

balcv · ‎08-21-2022

I have a group of 6 hosts logging into splunk but I am having trouble getting the specific log files in. An example of the path and file is: /opt/TalendRemoteEngine/TalendJobServersFiles/jobexecutions/logs/20220817205900_iC1V4/resuming_20220817205900_iC1V4.log Both the last directory name and the log filename are always going to be different each time a log is generated so I'm trying to use wildcards such as /opt/TalendRemoteEngine/TalendJobServersFiles/jobexecutions/logs/*/*.log but this is not working. My $SPLUNK_HOME/etc/deployment-apps/Splunk_TA_nix/local/inputs.conf file in the looks like this: [monitor:///opt/TalendRemoteEngine/TalendJobServersFiles/jobexecutions/logs/.../*.log] disabled = 0 Any suggestions as to why this does not work and what I should use or try? Many thanks

balcv · ‎06-21-2021

How do I take the results of a search pass a field into a dbxquery and then display results from both the search and the dbxquery? In this example, the search returns data about specific emails where the sender domain is found in the csv file lookup. I then want to take the Sender email address, use it in the WHERE clause of the dbquery to return the accoutname field from the db. Then finally, display various fields in a table including results from the search and the field returned by the dbxquery select. index=email Act IN ("Acc") Sender!="*mydomain.com" [ | inputlookup susDomains.csv | stats values(domain) AS search | format ] | eval senderEmail=split(Sender,"@") | eval senderDomain=mvindex(senderEmail,1) | eval acctCode=if ((acc="CAU3A274"),"Admin","Manager") | eval SQLRcpt = "'".Rcpt."'" | map search="| dbxquery query=\"SELECT accountname FROM [IDM].[drip].[usr_hist_tbl] uht WHERE uht.mail = $SQLRcpt$ ; \" connection=\"Subscriber_History\"" | table _time,senderDomain,Sender,Rcpt,Subject,acctCode,accoutname,SQLRcpt | sort -_time This search returns no data when I know there are records that should be returned. Can anyone see where I may have gone wrong? Thanks Leigh

balcv · ‎06-08-2021

Thanks @venkatasri . I think it's to do with the timestamp. If I expand the time period then records start appraising for some of the older files, however the more current files still only show a few records. I'm working on getting the leading text removed from the log files so that all I have is the log data. Hopefully that will resolve things. Thanks for your help. Cheers

balcv · ‎06-08-2021

Thanks @venkatasri . That seems to have fixed that problem in that the files are now appearing which is awesome. The problem now is that when the files appear on the search head, they only contain 6 rows rather than the several thousand rows per file that should be there. I have read that it may be because the first 5 rows in each log file is the same and has "descriptive" text about the log file. Could this be a cause? Thanks Leigh

balcv · ‎06-08-2021

Hi @venkatasri I have reviewed the file /opt/splunkforwarder/var/log/splunk/splunkd.log and the following message appears: 06-09-2021 09:29:42.407 +1000 INFO TailingProcessor - Parsing configuration stanza: monitor:///mnt/nfs/Yul/Splunk_Backup/DHCP/2021-06-01-xxx.xxx.xxx.xxx.log.0.ExtractedOption82Data. 06-09-2021 09:29:42.413 +1000 INFO TailingProcessor - Adding watch on path: /mnt/nfs/Yul/Splunk_Backup/DHCP/2021-06-01-xxx.xxx.xxx.xxx.log.0.ExtractedOption82Data. 06-09-2021 09:29:42.590 +1000 ERROR TailReader - File will not be read, is too small to match seekptr checksum (file=/mnt/nfs/Yul/Splunk_Backup/DHCP/2021-06-01-xxx.xxx.xxx.xxx.log.0.ExtractedOption82Data). Last time we saw this initcrc, filename was different. You may wish to use larger initCrcLen for this sourcetype, or a CRC salt on this source. Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info I hope this helps shed some light on the issues. Thanks Leigh

balcv · ‎05-25-2021

I have a host that I am receiving logs into my heavy forwarder and that works fine. I now have a new log source on the same host and the entry in my inputs.conf is not passing the data I need through. [monitor:///mnt/nfs/host/Backup/DHCP/2021-05-*] disabled = 0 The wildcard is to cover a longish string of text that forms the file name. For example /mnt/nfs/host/Backup/DHCP/2021-05-22-192.168.64.88.log.0.ExtractedOption82Data I am not getting the data from this log file no matter what variation or combination I try. Even if I specify a specific file name, the data is not appearing in the search. I've tried using the full path and file in the monitor stanza, I've tried just the path in monitor and then the filename in whitelist=() but the same result. No Data yet I know the files exist and they contain data. This is driving me crazy as I have done similar things previously with no issue. What am I missing??

balcv · ‎04-14-2021

Hi @96nick . Thanks for your repsonse. This it not giving me exactly what I wanted. It appears that it lists all the addresses found in the firewall log with a count rather than using the addresses in the lookup file. I tested this by running the search then manually looking then up in the file lookup file and most did not exist in the file. I need to take each address in the lookup file, compare to the firewall data and give a count for the number of matches against that file. Cheers Leigh

balcv · ‎04-14-2021

Hi @richgalloway . Having had this running for a couple of days, it would appear that this search only takes the first address in the lookup file. I tested this by manually adding addresses I knew were valid and each time it only ever returned a count for the first address in the file and a count of that address. It did not move through the entire lookup file. Cheers Leigh

balcv · ‎04-12-2021

Thanks @richgalloway That appears to have done the trick but I'll need to wait until I have data that matches, but I think it should be fine. Thanks Leigh

balcv · ‎04-12-2021

I have a list of source ip addresses in a csv file loaded into Splunk as a lookup file. The file has a single field, src_ip, and about 4000 rows of unique ip address. I want to take the contents of the lookup file and compare each entry to a search of filewall logs and report the number of times each entry in the lookup file is present in the firewall data. I have this so far but the src_ip listed in the result is not always present in the lookup file. index="firewall" src_ip!="192.168.0.0/16" | fields src_ip | append [ | inputlookup RYUK.csv | fields src_ip] | stats count by src_ip Any suggestions greatly appreciated. Thanks Leigh

balcv · ‎11-24-2020

Thanks for replying @thambisetty , but what is TA?

balcv · ‎11-23-2020

I have a data source that is being ingested into Splunk using a default field extraction which is working fine. The data looks like: DateTime=2020-11-24-10.38.00.869407,type=New-Request,Username=9999999,Client-Mac=F8-4E-73-xx-xx-xx,Called-Station-Id=A0-D3-C1-zz-zz-zz,SSID=myWiFi,NAS-IP=192.168.141.130,Nas-Identifier=CISCO_AP:CN3AD338P5,NAS-Port-Type=Wireless-802.11,Campus=SMB,Location=SMB Buildings HI The data is being parsed correctly and I get the field name / value pairs in Splunk no problem (field_name=value). The issue I have is the last field, Location. The default field extraction is extracting the Location field however if the value contains spaces I am only getting up to the first space as the value in the indexed data. From the above example, my Location data is returning "SMB" only and not "SMB Buildings HI". Is there any way to resolve this to either prevent it splitting the value at the space, or to replace the space with another character such as '_'.

Posts	107
Solutions	4
Karma Given	41
Karma Received	9
Member Since	‎09-01-2013

Online Status	Offline
Date Last Visited	‎03-17-2026 08:42 PM

REST API

Search data by result count

Dashboard Studio

Moving fields from a subsearch

Eval function as result of IF statement

Add a number of hours to a search field?

How to exclude a specific file?

How to set the path for specific log?

dbxquery inside a search

inputs.conf issue

REST API

Re: Search data by result count

Search data by result count

Re: Dashboard Studio

Dashboard Studio

Re: Moving fields from a subsearch

Moving fields from a subsearch

Re: Eval function as result of IF statement

Eval function as result of IF statement

Re: Add a number of hours to a search field

Add a number of hours to a search field?

Re: How to exclude a specific file?

How to exclude a specific file?

How to set the path for specific log?

dbxquery inside a search

Re: inputs.conf issue

Re: inputs.conf issue

Re: inputs.conf issue

inputs.conf issue

Re: Search incorporating inputlookup

Re: Search incorporating inputlookup

Re: Search incorporating inputlookup

Search incorporating inputlookup

Re: Modifying Field Extraction

How to modify field extraction?

Join the Conversation