cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
harishalipaka
Builder
Member since: ‎02-14-2017
‎06-12-2020
Community Statistics
Posts 255
Solutions 45
Karma Given 5
Karma Received 56
Member Since ‎02-14-2017
Activity Feed

Re: How to remove decimal precision in single valu...

by in Dashboards & Visualizations
‎04-24-2020 12:14 AM
‎04-24-2020 12:14 AM
hi @Dherom just go to edit mode ... View more

Re: How to display 0 when there is No Records Foun...

by in Archive
‎04-19-2020 11:38 PM
‎04-19-2020 11:38 PM
@splunkbeginner try like this | tstats count where host=linux01 sourcetype="linux:audit" by _time span=1d prestats=t | timechart span=1d count as total | appendcols [ search host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi, rm, ls) | timechart span=1d count as filter] | stats count as total by sourcetype | appendpipe [ stats count as total | where total=0 | eval total=0,filter=0] ... View more

Re: How to subtract _time field from Multifield va...

by in Splunk Search
‎04-17-2020 04:35 AM
‎04-17-2020 04:35 AM
@zhonk Did you check individually -- query debug are u getting Heart Beat epoch and _time epoch converting or not.. ... View more

Re: How to subtract _time field from Multifield va...

by in Splunk Search
‎04-17-2020 01:36 AM
‎04-17-2020 01:36 AM
hi @zhonk Updated my Answer Please try like below @zhonk |makeresults |eval HeartBeatTime="2020-04-16 12:23:32.9",heartbeatEpoch=strptime(HeartBeatTime,"%Y-%m-%d %H:%M:%S.%3N"),Time=_time|eval TimeDiff=Time-heartbeatEpoch,diff=tostring(TimeDiff,"Duration") ... View more

Re: Alert not triggering

by in Splunk Enterprise Security
‎04-16-2020 11:50 PM
‎04-16-2020 11:50 PM
hi @miguelangelclemente have a look into this https://www.splunk.com/en_us/blog/tips-and-tricks/splunk-alerts-using-gmail-twitter-phone-calls-and-much-more.html ... View more

Re: match function is not working

by in Archive
‎04-16-2020 11:27 PM
‎04-16-2020 11:27 PM
hi @Allampally try below -- |eval results1=if(match(field1,field2),"Yes","No") |eval results1=if(like(field1,field2),"Yes","No") |eval results1=if(field1==field2,"Yes","No") If you not get results using this.check your fields contains any spaces. |eval field1=upper(trim(fied1)),field2=trim(upper(field2)) ... View more

Re: how i can compare last 5 fields and exclude fr...

by in Archive
‎04-16-2020 04:54 AM
‎04-16-2020 04:54 AM
hi @saghiralmani base search . . .. |eval test=substr(user_id_field,-5) |eventstats count by test |where count > 1 ... View more

Re: Add x hours to epoch time

by in Splunk Enterprise
‎04-16-2020 12:27 AM
‎04-16-2020 12:27 AM
hi @willadams add milliseconds to direct epoch 1 day = 86400 1 hour=3600 | eval epoch_time=strptime(processed_time, "%b %d %Y %H:%M:%S")+3600 ... View more

Re: Subsearch map command doesn't work

by in Splunk Search
‎04-15-2020 02:44 AM
‎04-15-2020 02:44 AM
@slipinski Yes do like that stats range(_time) as "booking time" by ID ? or go with Join command Join Id ... View more

Re: How to split data based on a field

by in Getting Data In
‎04-15-2020 01:56 AM
‎04-15-2020 01:56 AM
@angersleek try this ns=name* TEST_DECISION PRODUCT IN (PRODUCT1) | timechart span=1d limit=0 count by TEST_DECISION PRODUCT | eval total= VALID+INVALID | eval VALID=round(VALID/total,4)*100 | eval INVALID=round(INVALID/total,4)*100 | fields - total ... View more

Re: How can i format a table as rows into columns?

by in Archive
‎04-15-2020 01:51 AM
‎04-15-2020 01:51 AM
HI @rarangarajansplunk Can u try this way..same content but table view is different | makeresults | eval _raw=" A1 A2 B1 B2 /Test1 /Test22 /Test1 /Test22 /Test2 /Test23 /Test2 /Test23 /Test3 /Test24 /Test3 /Test24 " | multikv |table A1 A2 B1 B2|transpose |transpose header_field=column ... View more

Re: How can i format a table as rows into columns?

by in Archive
‎04-15-2020 01:19 AM
‎04-15-2020 01:19 AM
hi @rarangarajansplunk try transpose and chart over by command ... View more

Re: How to split data based on a field

by in Getting Data In
‎04-15-2020 01:16 AM
‎04-15-2020 01:16 AM
hi @angersleek try like this |where Product in ["CH1276578"," FH7623138","DD81236812"] ... View more

Re: using lookup data to filter event

by in Archive
‎04-14-2020 04:01 AM
‎04-14-2020 04:01 AM
hi @chookp use this | where NOT match(DATE,strftime(_time,"%d/%m/%Y")) istead of | where DATE!=strftime(_time,"%d/%m/%Y") ... View more

Re: How to get count by unique value?

by in Splunk Search
‎04-14-2020 03:44 AM
‎04-14-2020 03:44 AM
hi @vel4ever try this | makeresults | eval raw="Header product-id, 12345678900" |eval ID=mvindex(split(raw," "),-1) |stats count by ID ... View more

Re: Regex parse message to multiple lines help

by in Getting Data In
‎04-14-2020 03:35 AM
2 Karma
‎04-14-2020 03:35 AM
2 Karma
Hi @kevincai79 try this -- |makeresults |eval hari="[32minfo: [Clean Storage] brand/market/testing1.html, brand/market/testing2.html, brand/market/testing3.html were successfully deleted from container stores-test" |table hari |rex field=hari "\] (?<Newfield>.*) were" |eval hari=trim(split(Newfield,",")) |rex field=hari mode=sed "s/\// /g" |table hari ... View more

Re: Correlating events from 2 different indexers w...

by in Splunk IT Service Intelligence
‎04-14-2020 03:15 AM
‎04-14-2020 03:15 AM
@vijaya5 Can you provide sample data ? ... View more

How to extract Json array of objects data into tab...

by in Splunk Search
‎03-11-2020 01:00 AM
‎03-11-2020 01:00 AM
Example data : We need to extract below json data into table format in Splunk ?link text "assets": [ { "id": 1, "last_seen_time": "2020-02-26T16:23:06Z", "network_ports": [ { "id": 100, "port_number": 111, "extra_info": "", "hostname": null, "name": "unknown", "ostype": "", "product": null, "protocol": "tcp", "state": "open", "version": null }, { "id": 343, "port_number": 444, "extra_info": "", "hostname": null, "name": "unknown", "ostype": "", "product": null, "protocol": "tcp", "state": "open", "version": null }, ], "tags": [ "Loc: Ajay" ], "owner": null, "urls": { "vulnerabilities": "google.com/examples/1012/tests" }, "ip_address": "1.1.0.91", "database": null, "hostname": "swetha", "asset_groups": [ { "id": 191300, "name": "All examples" } ] }, { "id": 1012, "last_seen_time": "2020-02-26T16:23:06Z", "network_ports": [ { "id": 331, "port_number": 135, "extra_info": "", "hostname": null, "name": "unknown", "ostype": "", "product": null, "protocol": "tcp", "state": "open", "version": null }, { "id": 343, "port_number": 444, "extra_info": "", "hostname": null, "name": "unknown", "ostype": "", "product": null, "protocol": "tcp", "state": "open", "version": null }, ], "tags": [ "Loc: NorthCEE" ], "owner": null, "urls": { "vulnerabilities": "google.com/examples/2/tests" }, "ip_address": "1.1.0.92", "database": null, "hostname": "sweety", "asset_groups": [ { "id": 191300, "name": "All exs" } ] }, ] ... View more

split specific values from list

by in Splunk Search
‎03-05-2020 03:49 AM
‎03-05-2020 03:49 AM
Hi All, I have data like below Drive Free_Space C:,D: 500 GB,450 GB E:,D: 250 GB,150 GB C:,E: 250 GB,1 TB S:,D:,C:,G 120 GB,450 GB,250 GB,800 GB I want output as Please help me for this urgent Thank you ... View more

Re: rex command help...

by in Splunk Search
‎02-26-2020 02:17 AM
‎02-26-2020 02:17 AM
Hi @gcusello It is not working for me .am getting empty fields. | rex field=HostName "^\s+(?<url>[^\.]+).*\s+(?<ip>\d+\.\d+\.\d+\.\d+)" ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-12-2020 01:50 AM
Karma from
Karma given to