×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
ycho1
Explorer
Member since: ‎03-18-2021
‎11-24-2021
Community Statistics
Posts 11
Solutions 1
Karma Given 0
Karma Received 0
Member Since ‎03-18-2021
Activity Feed
View All

Re: assign the value to another variable and set a...

by in Splunk Search
‎11-24-2021 07:28 AM
‎11-24-2021 07:28 AM
It works great. Thank you for your help. ... View more

Re: assign the value to another variable and set a...

by in Splunk Search
‎11-23-2021 02:13 PM
‎11-23-2021 02:13 PM
Thank you richgalloway for your input. However, I need to know the shipper name that becomes above the threshold. since there a multiple shippers, I need to specify which shipper has greater than the threshold. your solution "where count > 10" doesn't tell me which shipper name though. My guess would be I need to assign each shipper value for example: | eval TX_UPS_VAL = (count AND where shipper = TX_UPS) does it make sense? ... View more

assign the value to another variable and set an al...

by in Splunk Search
‎11-23-2021 01:11 PM
‎11-23-2021 01:11 PM
hello, I would like to ask a question on how to assign the value to another variable and set an alert. I have a this data output from Splunk. I would like to assign the value to another variables and set an alert when the value become(s) is greater than a threshold like 10 or 20. for example when TX_UPS value >= 10, then I send an alert. how should I approach this in Splunk Alert job? shipper count TX_UPS 10 TX_USPS 15 TX_FedEx 5 CO_UPS 5 CO_USPS 9 CO_FedEx 2 MO_UPS 5 MO_USPS 20 MO_FedEx 3 GA_UPS 15 GA_USPS 10 GA_FedEx 5 PA_UPS 9 PA_USPS 21 PA_FedEx 8 NY_UPS 30 NY_USPS 99 NY_FedEx 20 index=main AND "*TRACKING*" | stats count by shipper     ... View more
Labels

Re: how to exclude the subsearch result from main ...

by in Splunk Search
‎10-28-2021 11:08 AM
‎10-28-2021 11:08 AM
Is there any other suggestion? I have not made much progress on this,  I was looking for some examples with selfjoin, transaction or stats commad, it won't go anywhere.   ... View more

Re: how to exclude the subsearch result from main ...

by in Splunk Search
‎10-27-2021 07:30 AM
‎10-27-2021 07:30 AM
Can you provide me a good example on how to write selfjoin or other solution with my intention if you are willing to help?   ... View more

how to exclude the subsearch result from main sear...

by in Splunk Search
‎10-26-2021 06:37 PM
‎10-26-2021 06:37 PM
hello, Can anyone tell me how to exclude the subsearch result from main search? I want to exclude the result that failed at 1st attempt, but later the person purchased successfully. I only want to capture PURCHASEID(s) that failed and has not been able to purchase yet. Here's my pseudo code that I am trying to accomplish index=main sourcetype="access_combined_wcookie" AND ("*TIME_OUT*") | rex field=_raw "\[(?<PURCHASEID>\d{12}\-\d{3})\]" | search NOT [ search index=main sourcetype="access_combined_wcookie" AND ("*Successfully Ordered*")" | rex field=_raw "\[(?<PURCHASEID>\d{12}\-\d{3})\]" | table PURCHASEID] | table PURCHASEID, _raw | dedup PURCHASEID | sort +PURCHASEID ... View more
Labels

NOT IN Subquery syntax

by in Other Usage
‎10-11-2021 06:18 PM
‎10-11-2021 06:18 PM
hello, everyone I have a question about how to write a subquery in Splunk. for example I would like to get a list of productId that was returned, but later was not purchased again. NOT IN Subquery part. How can I accomplish this? index=main sourcetype=access_combined_wcookie action=returned NOT IN [search index=main sourcetype=access_combined_wcookie action=purchase |table clientip] | stats count, dc(productId) by clientip Thank you in advance   ... View more

Re: what java JRE version should I install for Spl...

by in All Apps and Add-ons
‎05-17-2021 02:28 PM
‎05-17-2021 02:28 PM
I am trying to connect to Microsoft SQL Server Microsoft SQL Server 2016 (SP2-GDR) (KB4532097) - 13.0.5102.14 (X64) Enterprise Edition (64-bit) on Windows Server 2016 Standard 10.0 <X64> (Build 14393: ) Any recommendation for error free version(s)? Java JRE Splunk DB Connect     ... View more

what java JRE version should I install for Splunk ...

by in All Apps and Add-ons
‎05-16-2021 05:33 PM
‎05-16-2021 05:33 PM
hello, Can any one help me which Java version I need to install for Splunk Enterprise 7.3.8 with DB Connect  Splunk DB Connect Version: 3.5.0 Build: 3  and what JAVA_PATH should look like?   ... View more
Labels

Re: Cannot communicate with task server, please ch...

by in All Apps and Add-ons
‎05-16-2021 07:11 AM
‎05-16-2021 07:11 AM
The log shows this C:\Program Files\Splunk\var\log\splunk\splunk_app_db_connect_server.log 2021-05-16 08:58:50.106 -0500 5600@dsql [main] INFO io.dropwizard.server.DefaultServerFactory - Registering jersey handler with root path prefix: / 2021-05-16 08:58:50.109 -0500 5600@dsql [main] INFO io.dropwizard.server.DefaultServerFactory - Registering admin handler with root path prefix: / 2021-05-16 08:58:50.109 -0500 5600@dsql [main] INFO com.splunk.dbx.server.TaskServer - action=starting_dbx_task_server 2021-05-16 08:58:50.143 -0500 5600@dsql [main] INFO com.splunk.dbx.server.TaskServer - action=registering_managed_objects_to_server_lifecycle 2021-05-16 08:58:50.144 -0500 5600@dsql [main] INFO com.splunk.dbx.server.TaskServer - action=collect_http_metrics interval_in_seconds=60 2021-05-16 08:58:50.328 -0500 5600@dsql [main] INFO org.quartz.impl.StdSchedulerFactory - Using default implementation for ThreadExecutor 2021-05-16 08:58:50.354 -0500 5600@dsql [main] INFO org.quartz.core.SchedulerSignalerImpl - Initialized Scheduler Signaller of type: class org.quartz.core.SchedulerSignalerImpl 2021-05-16 08:58:50.354 -0500 5600@dsql [main] INFO org.quartz.core.QuartzScheduler - Quartz Scheduler v.2.3.2 created. 2021-05-16 08:58:50.355 -0500 5600@dsql [main] INFO org.quartz.simpl.RAMJobStore - RAMJobStore initialized. 2021-05-16 08:58:50.357 -0500 5600@dsql [main] INFO org.quartz.core.QuartzScheduler - Scheduler meta-data: Quartz Scheduler (v2.3.2) 'QuartzScheduler' with instanceId 'NON_CLUSTERED' Scheduler class: 'org.quartz.core.QuartzScheduler' - running locally. NOT STARTED. Currently in standby mode. Number of jobs executed: 0 Using thread pool 'org.quartz.simpl.SimpleThreadPool' - with 32 threads. Using job-store 'org.quartz.simpl.RAMJobStore' - which does not support persistence. and is not clustered. 2021-05-16 08:58:50.357 -0500 5600@dsql [main] INFO org.quartz.impl.StdSchedulerFactory - Quartz scheduler 'QuartzScheduler' initialized from an externally provided properties instance. 2021-05-16 08:58:50.357 -0500 5600@dsql [main] INFO org.quartz.impl.StdSchedulerFactory - Quartz scheduler version: 2.3.2 2021-05-16 08:58:50.357 -0500 5600@dsql [main] INFO org.quartz.core.QuartzScheduler - JobFactory set to: org.easybatch.extensions.quartz.JobFactory@27abb83e 2021-05-16 08:58:50.357 -0500 5600@dsql [main] INFO com.splunk.dbx.server.TaskServer - action=start_loading_jdbc_drivers driversFolder=C:\Program Files\Splunk/etc/apps/splunk_app_db_connect/drivers/   The Splunk DB Connect shows this message on the top Cannot communicate with task server, please check your settings. ... View more

Cannot communicate with task server, please check ...

by in All Apps and Add-ons
‎05-15-2021 05:47 PM
‎05-15-2021 05:47 PM
hello, I downloaded and installed Splunk Enterprise 7.3.8 64 bits and Splunk DB Connect on Windows 2012 R2 64 bits. Splunk DB Connect Version: 3.5.1 Build: 4 I keep getting the error when I set up Splunk DB  Cannot communicate with task server, please check your settings. I installed  C:\Program Files\Java\jre1.8.0_291 JAVA_HOME C:\Program Files\Java\jdk1.8.0_291 Can anyone give me an advice?   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎11-24-2021 11:16 AM