Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About NanSplk01
NanSplk01
Communicator
Member since:
03-07-2022
02-19-2025
Community Statistics
| Posts | 53 |
| Solutions | 3 |
| Karma Given | 0 |
| Karma Received | 3 |
| Member Since | 03-07-2022 |
Activity Feed
- Got Karma for Re: How to create a field on the fly using CASE. 02-19-2025 09:52 PM
- Posted Re: How to create a field on the fly using CASE on Splunk Search. 02-19-2025 04:46 AM
- Posted Re: How to create a field on the fly using CASE on Splunk Search. 02-18-2025 10:22 AM
- Posted Re: How to create a field on the fly using CASE on Splunk Search. 02-18-2025 05:01 AM
- Posted Re: How to create a field on the fly using CASE on Splunk Search. 02-13-2025 10:40 AM
- Posted Re: How to create a field on the fly using CASE on Splunk Search. 02-13-2025 08:39 AM
- Posted How to create a field on the fly using CASE on Splunk Search. 02-12-2025 09:26 AM
- Tagged How to create a field on the fly using CASE on Splunk Search. 02-12-2025 09:26 AM
- Posted Re: Trying to add a sub_search that brings back the action field to the base search. Any help will be appreciated. on Splunk Enterprise Security. 02-05-2025 03:53 AM
- Posted Trying to add a sub_search that brings back the action field to the base search. Any help will be appreciated. on Splunk Enterprise Security. 02-04-2025 11:39 AM
- Posted Search for triggered save searches and their actions titles and users: Need help with subsearch on Splunk Search. 02-04-2025 09:51 AM
- Got Karma for Re: I have been trying to use the CASE function in splunk, but my results are not correct. 11-19-2024 09:59 AM
- Posted Re: I have been trying to use the CASE function in splunk, but my results are not correct on Splunk Search. 11-19-2024 09:55 AM
- Posted I have been trying to use the CASE function in splunk, but my results are not correct on Splunk Search. 11-19-2024 09:02 AM
- Tagged I have been trying to use the CASE function in splunk, but my results are not correct on Splunk Search. 11-19-2024 09:02 AM
- Posted I want to create a subsearch that will abbreviate all but the first 30 characters of the result. on Splunk Search. 11-13-2024 11:16 AM
- Posted Re: Need assistance in setting a sourcetype--date/time on Getting Data In. 07-30-2024 09:11 AM
- Posted Re: Need assistance in setting a sourcetype--date/time on Getting Data In. 07-29-2024 12:33 PM
- Posted Need assistance in setting a sourcetype--date/time on Getting Data In. 07-29-2024 11:59 AM
- Tagged Need assistance in setting a sourcetype--date/time on Getting Data In. 07-29-2024 11:59 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-19-2025
04:46 AM
1 Karma
Was able to get it working this way. index=kafka-np sourcetype="KCON" connName="CCNGBU_*" ERROR!=INFO _raw=* | eval error_msg = case(match(_raw, "Disconnected"), "disconected", match(_raw, "restart failed"), "restart failed", match(_raw, "Failed to start connector"), "failed to start connector") | search error_msg=* | dedup connName | table host connName error_msg ERROR
... View more
02-18-2025
10:22 AM
I think I'm close, but the error_msg does not display: index=kafka-np sourcetype="KCON" connName="CCNGBU_*" ERROR=ERROR OR ERROR=WARN | eval error_msg = case(match(_raw, "Disconnected"), "disconected", match(_raw, "restart failed"), "restart failed", match(_raw, "Failed to start connector"), "failed to start connector") | dedup host | table host connName error_msg
... View more
02-13-2025
10:40 AM
So I have been trying to use if statements, but I don't seem to be getting the if statement correct: index=kafka-np sourcetype="KCON" connName="CCNGBU_*" ERROR=ERROR OR ERROR=WARN Action="restart failed" OR Action="disconnected" OR Action="Task threw an uncaught an unrecoverable exception" | eval if(Action="restart failed", "restart failed", "OK", Action="disconnected","disconnected","OK", Action="Task threw an uncaught an unrecoverable exception", "ok") | table Action host connName I've tried several different formats for the if, but it keeps telling me the if statements are wrong. What am I not seeing here?
... View more
02-13-2025
08:39 AM
StatusMsg is the field (on the fly field) that I want to be populated by the message so I'm not certain what you mean by <<some expression>> So that was why I thought maybe this would be an if then type of query. If StatusMsg="some value" then put that in the table along with the other data. If not, then go to the next status message. So I would want: Action Host ConnName "Task through an uncaught..." lx....... CCNBU---- So should this be an if then search?
... View more
02-12-2025
09:26 AM
I have the following values that will go in a field titled StatusMsg: "Task threw an uncaught and unrecoverable exception" "Ignoring await stop request for non-present connector" "Graceful stop of task" "Failed to start connector" "Error while starting connector" "Ignoring error closing connection" "failed to publish monitoring message" "Ignoring error closing connection" "restart failed"| "disconnected" "Communications link failure during rollback" "Exception occurred while closing reporter" "Connection to node" "Unexpected exception sending HTTP Request" "Ignoring stop request for unowned task" "failed on invocation of onPartitionsAssigned for partitions" "Ignoring stop request for unowned connector" "Ignoring await stop request for non-present connector" "Connection refused" I am not certain how to do this. This is the base search: index=kafka-np sourcetype="KCON" connName="CCNGBU_*" ERROR=ERROR OR ERROR=WARN I want to create the field on the fly and have it pick up the appropriate CASE value. I would then put it in a table with host connName StatusMsg Any assist would be greatly appreciated.
... View more
- Tags:
- case
Labels
- Labels:
-
eval
02-05-2025
03:53 AM
All I want to get from the subsearch is to bring back the field actions. It can probably be a much smaller search.
... View more
02-04-2025
11:39 AM
index=cim_modactions source=/opt/splunk/var/log/splunk/incident_ticket_creation_modalert.log host=sh* search_name=* source=* sourcetype=modular_alerts:incident_ticket_creation user=* action_mode=* action_status=* search_name=kafka* [| rest /servicesNS/-/-/saved/searches | search title=kafka* | rename dispatch.earliest_time AS "frequency", title AS "title", eai:acl.app AS "app", next_scheduled_time AS "nextRunTime", search AS "query", updated AS "lastUpdated", action.email.to AS "emailTo", action.email.cc AS "emailCC", action.email.subject AS "emailSubject", alert.severity AS "SEV" | eval severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1") | eval identifierDate=now() | convert ctime(identifierDate) AS identifierDate | table identifierDate title lastUpdated, nextRunTime, emailTo, query, severity, emailTo, actions | fillnull value="" | sort -lastUpdated actions] | table user search_name action_status date_month date_year _time
... View more
Labels
02-04-2025
09:51 AM
I want to use the 2nd search as a subsearch only bringing back the actions. How can I do this? SEARCH | rest /servicesNS/-/-/saved/searches | search title=kafka* | rename dispatch.earliest_time AS "frequency", title AS "title", eai:acl.app AS "app", next_scheduled_time AS "nextRunTime", search AS "query", updated AS "lastUpdated", action.email.to AS "emailTo", action.email.cc AS "emailCC", action.email.subject AS "emailSubject", alert.severity AS "SEV" | eval severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1") | eval identifierDate=now() | convert ctime(identifierDate) AS identifierDate | table identifierDate title lastUpdated, nextRunTime, emailTo, query, severity, emailTo | fillnull value="" | sort -lastUpdated SUBSEARCH | rest "/servicesNS/-/-/saved/searches" timeout=300 splunk_server=* | search disabled=0 | eval length=len(md5(title)), search_title=if(match(title,"[-\\s_]"),("RMD5" . substr(md5(title),(length - 15))),title), user='eai:acl.owner', "eai:acl.owner"=if(match(user,"[-\\s_]"),rtrim('eai:acl.owner',"="),user), app_name='eai:acl.app', "eai:acl.app"=if(match(app_name,"[-\\s_]"),rtrim('eai:acl.app',"="),app_name), commands=split(search,"|"), ol_cmd=mvindex(commands,mvfind(commands,"outputlookup")), si_cmd=mvindex(commands,mvfind(commands,"collect")) | rex field=ol_cmd "outputlookup (?<ol_tgt_filename>.+)" | rex field=si_cmd "index\\s?=\\s?(?<si_tgt_index>[-_\\w]+)" | eval si_tgt_index=coalesce(si_tgt_index,'action.summary_index._name'), ol_tgt_filename=coalesce(ol_tgt_filename,'action.lookup.filename') | rex field=description mode=sed "s/^\\s+//g" | eval description_short=if(isnotnull(trim(description," ")),substr(description,0,127),""), description_short=if((len(description_short) > 126),(description_short . "..."),description_short), is_alert=if((((alert_comparator != "") AND (alert_threshold != "")) AND (alert_type != "always")),1,0), has_report_action=if((actions != ""),1,0) | fields + app_name, description_short, user, splunk_server, title, search_title, "eai:acl.sharing", "eai:acl.owner", is_scheduled, cron_schedule, max_concurrent, dispatchAs, "dispatch.earliest_time", "dispatch.latest_time", actions, search, si_tgt_index, ol_tgt_filename, is_alert, has_report_action | eval object_type=case((has_report_action == 1),"report_action",(is_alert == 1),"alert",true(),"savedsearch") | where is_alert==1 | eval splunk_default_app = if((app_name=="splunk_archiver" OR app_name=="splunk_monitoring_console" OR app_name="splunk_instrumentation"),1,0) | where splunk_default_app=0 | fields - splunk_server, splunk_default_app | search title=*kafka* | table actions title user
... View more
11-19-2024
09:55 AM
1 Karma
Thanks, I used a similar configuration and now it works. I had to use the == rather than the =
index=websphere websphere_logEventType=*
| stats count(websphere_logEventType) BY websphere_logEventType
| eval websphere_logEventType=case(websphere_logEventType=="I", "INFO",websphere_logEventType=="E", "ERROR", websphere_logEventType=="W", "WARNING", websphere_logEventType=="D", DEBUG, true(),"Not Known" )
| dedup websphere_logEventType
... View more
11-19-2024
09:02 AM
This is my search. I brings back Not Known for every field instead of the correct case name: index=websphere websphere_logEventType=* | stats count(websphere_logEventType) BY websphere_logEventType | eval websphere_logEventType=case(websphere_logEventType=I, "INFO",websphere_logEventType=E, "ERROR", websphere_logEventType=W, "WARNING", websphere_logEventType=D, DEBUG, true(),"Not Known" ) What am I missing that will bring the count and the case that the count is for instead of always the Not Known case?
... View more
- Tags:
- case
11-13-2024
11:16 AM
index=replicate category=* action=* Message=*
[search index=replicate
| eval Msg=substr(Message,1,30)]
| stats count by action category Msg
| dedup action
This is what I'm trying to do. The Message field is very large and I only need the first sentence of the Message. How can I do this? We want it in a sub-search to show the sub-search function for our users.
This is Splunk Cloud implementation.
... View more
07-30-2024
09:11 AM
Well, I did find another line which has the date and time, but it's over 15 lines into the log file. We need to start with the first line which is the beginning of the stanza, but get the timestamp which is 15th line showing after the opening line shown below C:\Program Files\Universal\UAGSrv\xxxl_p01.nam>set StartDate=Tue 07/23/2024 This is the actual timestamp which I think would work since it has both date and time (hoping that's what the _80514 is the time?? Files\Universal\UAGSrv\xxx_p01.nam>set timestamp=20240723_80514
... View more
07-29-2024
12:33 PM
It is one of several blocks of lines inside the log file. Each starts with the little snippet I put above and then has any number of lines after it. While the file is a .txt, the look to me would be a xml document that pushes out the log file. I've not seen one like it before. I was thinking I'd need a props or transform or both to set this date/time, but it's my first experience with it.
... View more
07-29-2024
11:59 AM
I am trying to create a sourcetype for a new client: Note StartDate=xxxx is where the log begins. However the StartTime=*** is not with it, but I need both int he logs. How do I create this sourcetype? C:\Program Files\Universal\UAGSrv\xxx>set StartDate=Mon 07/29/2024 C:\Program Files\Universal\UAGSrv\xxx>set sdy=2024 C:\Program Files\Universal\UAGSrv\xxx>set sdm=07 C:\Program Files\Universal\UAGSrv\xxx>set sdd=29 C:\Program Files\Universal\UAGSrv\xxx>set sdy=2024 C:\Program Files\Universal\UAGSrv\xxx>set sdm=07 C:\Program Files\Universal\UAGSrv\xxx>set sdd=29 C:\Program Files\Universal\UAGSrv\xxx>set StartTime=14:45:09.56 any assistance would be very helpful and appreciated.
... View more
Labels
- Labels:
-
sourcetype
-
time
07-17-2024
07:22 AM
Hope someone can assist. My client needs to be able to read word and other binary files from a dashboard without importing them into Splunk. He has a fileshare where they store the documents and would like to read the share and have the list show in the dashboard and be able to click on a document from the file share and view the file in it's native application. Is there a way to do this with Splunk?
... View more
Labels
- Labels:
-
Classic dashboard
06-24-2024
08:31 AM
It's hard to see, but what is need is for the "Message": line to be the breaking line and for the "TimeStamp': line to be the first line of the whole event. "Message": "User query failed: Connection ID: 55, User: piadmin, User ID: 1, Point ID: 247000, Type: summary, Start: 14-Jun-24 07:54:50, End: 14-Jun-24 07:56:20, Mode: 5, Status: [-11059] No Good Data For Calculation",-------event break here "TimeStamp": "\/Date(1718366180157)\/", ----event start here In the example I sent it's hard to see the break after message and before Timestamp clearly because they look like one big line.
... View more
06-21-2024
06:46 AM
What I need is for the line that starts with Start: to be the break after line. Start: 14-Jun-24 07:55:05, End: 14-Jun-24 07:56:35, Mode: 5, Status: [-11059] No Good Data For Calculation", Break after the ", but since there are a few ", and not only the ", how do I get it to break at that last comma?
... View more
06-20-2024
10:12 AM
Unfortunately, as you can see, it's still splitting the two lines.
... View more
06-19-2024
07:45 AM
unfortunately it still breaks into two events and I wanted to receive only 1 event: Time Event 1 6/14/24 7:56:39.168 AM "TimeStamp": "\/Date(1718366199168)\/", "ID": 7082, "Parameters": null, { }, Show all 6 lines ------------------------------------------------ 2 6/14/24 7:56:39.013 AM "SplunkTime": "1718366199.01303", "Source3": null, "Source2": null, "Source1": null, "ProcessPIUser": null, Show all 15 lines
... View more
06-18-2024
11:38 AM
[ { "Parameters": null, "ID": 2185, "Category": null, "OriginatingHost": null, "OriginatingOSUser": null, "OriginatingPIUser": null, "ProcessID": 5300, "Priority": 10, "ProcessHost": null, "ProcessOSUser": "SYSTEM", "ProcessPIUser": null, "Source1": "piarcset", "Source2": "Historical", "Source3": null, "SplunkTime": "1718122575.10669", "Severity": "Warning" } ] "TimeStamp": "\/Date(1718122575106)\/", "Message": "User query failed: Connection ID: 55, User: piadmin, User ID: 1, Point ID: 247000, Type: summary, Start: 11-Jun-24 12:14:45, End: 11-Jun-24 12:16:15, Mode: 5, Status: [-11059] No Good Data For Calculation", "ProgramName": "piarchss", "Category": null, "OriginatingHost": null, "OriginatingOSUser": null, "OriginatingPIUser": null, "ProcessID": 5300, "Priority": 10, "ProcessHost": null, "ProcessOSUser": "SYSTEM", "ProcessPIUser": null, "Source1": "piarcset", "Source2": "Historical", "Source3": null, "SplunkTime": "1718122570.13029", "Severity": "Warning" }, { "Parameters": null, "ID": 2185, "TimeStamp": "\/Date(1718122570130)\/", "Message": "User query failed: Connection ID: 55, User: piadmin, User ID: 1, Point ID: 247000, Type: summary, Start: 11-Jun-24 12:14:40, End: 11-Jun-24 12:16:10, Mode: 5, Status: [-11059] No Good Data For Calculation", "ProgramName": "piarchss", "Category": null, "OriginatingHost": null, "OriginatingOSUser": null, "OriginatingPIUser": null, "ProcessID": 5300, "Priority": 10, "ProcessHost": null, "ProcessOSUser": "SYSTEM", "ProcessPIUser": null, "Source1": "piarcset", "Source2": "Historical", "Source3": null, "SplunkTime": "1718122565.16875", "Severity": "Warning" }, { "Parameters": null, "ID": 2185, "TimeStamp": "\/Date(1718122565168)\/", "Message": "User query failed: Connection ID: 55, User: piadmin, User ID: 1, Point ID: 247000, Type: summary, Start: 11-Jun-24 12:14:35, End: 11-Jun-24 12:16:05, Mode: 5, Status: [-11059] No Good Data For Calculation", "ProgramName": "piarchss", "Category": null, "OriginatingHost": null, "OriginatingOSUser": null, "OriginatingPIUser": null, "ProcessID": 5300, "Priority": 10, "ProcessHost": null, "ProcessOSUser": "SYSTEM", "ProcessPIUser": null, "Source1": "piarcset", "Source2": "Historical", "Source3": null, "SplunkTime": "1718122564.42661", "Severity": "Warning" }, { "Parameters": null, "ID": 2185, "TimeStamp": "\/Date(1718122564426)\/", "Message": "User query failed: Connection ID: 55, User: piadmin, User ID: 1, Point ID: 247000, Type: summary, Start: 11-Jun-24 12:14:34, End: 11-Jun-24 12:16:04, Mode: 5, Status: [-11059] No Good Data For Calculation", "ProgramName": "piarchss", "Category": null, "OriginatingHost": null, "OriginatingOSUser": null, "OriginatingPIUser": null, "ProcessID": 5300, "Priority": 10, "ProcessHost": null, "ProcessOSUser": "SYSTEM", "ProcessPIUser": null, "Source1": "piarcset", "Source2": "Historical", "Source3": null, "SplunkTime": "1718122555.14693", "Severity": "Warning" }, { "Parameters": null, "ID": 2185, "TimeStamp": "\/Date(1718122555146)\/", "Message": "User query failed: Connection ID: 55, User: piadmin, User ID: 1, Point ID: 247000, Type: summary, Start: 11-Jun-24 12:14:25, End: 11-Jun-24 12:15:55, Mode: 5, Status: [-11059] No Good Data For Calculation", "ProgramName": "piarchss", "Category": null, "OriginatingHost": null, "OriginatingOSUser": null, "OriginatingPIUser": null, "ProcessID": 5300, "Priority": 10, "ProcessHost": null, "ProcessOSUser": "SYSTEM", "ProcessPIUser": null, "Source1": "piarcset", "Source2": "Historical", "Source3": null, "SplunkTime": "1718122550.12819", "Severity": "Warning" },
... View more
06-18-2024
04:33 AM
I have been trying to get the following sourcetype into Splunk for PI. This whole stanza should go in as 1 event, but I've been unable to get the breakdown to multiple events from happening:
{
"Parameters": null,
"ID": 2185,
"TimeStamp": "\/Date(1718196855107)\/",
"Message": "User query failed: Connection ID: 55, User: xxxxx, User ID: 1, Point ID: 247000, Type: summary, Start: 12-Jun-24 08:52:45, End: 12-Jun-24 08:54:15, Mode: 5, Status: [-11059] No Good Data For Calculation",
"ProgramName": "sssssss",
"Category": null,
"OriginatingHost": null,
"OriginatingOSUser": null,
"OriginatingPIUser": null,
"ProcessID": 5300,
"Priority": 10,
"ProcessHost": null,
"ProcessOSUser": "SYSTEM",
"ProcessPIUser": null,
"Source1": "piarcset",
"Source2": "Historical",
"Source3": null,
"SplunkTime": "1718196855.10703",
"Severity": "Warning"
},
I have even tried using the _json defaulted with Splunk, but it keeps breaking it into multiple lines/events. Any suggestions would be helpful.
... View more
Labels
- Labels:
-
JSON
-
sourcetype
06-11-2024
10:56 AM
We have created what we call apps--which is just a inputs.conf file in a directory structure. We push that out to our clients. However, these do not create a drop-down in the Apps drop-down from the main screen. How can we convert them so that they do show on the drop-down menu under Apps? Our client wants that and I'm not certain how to take what I already have and wrap it into "real" application. for instance: ourcompany_thisapp_forwarder local inputs.conf That is our current structure on the deploymentclient servers. It's small and does not do much but handle the inputs. Our new client wants it to really be an app with multiple types of folders for adding other data into Splunk. Does anyone know how to convert the "app" to a true app?
... View more
- Tags:
- apps
- sourcetype
Labels
- Labels:
-
app
10-31-2023
10:40 AM
I am trying to create a dashboard panel that will have dropdowns different by the row you select. I am using one of the searches that comes with the monitoring application as my search: index=_internal sourcetype=splunkd TERM(group=tcpin_connections) TERM("cooked") OR TERM("cookedSSL") (hostname!=*.splunk*.*) | dedup hostname | stats c as fwdCount by version | rex field=version "^(?<fwdV>\d+.\d+)" | eval splV= [ | makeresults | eval VERSION=7.0 | append [ | rest splunk_server=local count=1 /services/server/info | stats max(version) as VERSION] | rex field=VERSION "^(?<version>\d+.\d+)" | stats max(version) as splV | return $$splV ] | eval fwd_7_3_eos=relative_time(strptime("22-Oct-2021", "%d-%b-%Y"), "+1d@d"), fwd_8_0_eos=relative_time(strptime("22-Oct-2021", "%d-%b-%Y"), "+1d@d"), fwd_8_1_eos=relative_time(strptime("19-Apr-2023", "%d-%b-%Y"), "+1d@d"), fwd_8_2_eos=relative_time(strptime("30-Sep-2023", "%d-%b-%Y"), "+1d@d"), fwd_9_0_eos=relative_time(strptime("14-Jun-2024", "%d-%b-%Y"), "+1d@d"), fwd_9_1_eos=relative_time(strptime("28-Jun-2025", "%d-%b-%Y"), "+1d@d"), fwd_default_eos=relative_time(strptime("01-Jan-1971", "%d-%b-%Y"), "+1d@d") | eval expTimestamp = case( match($$fwd_version$$, "^7\.3"), fwd_7_3_eos, match($$fwd_version$$, "^8\.0"), fwd_8_0_eos, match($$fwd_version$$, "^8\.1"), fwd_8_1_eos, match($$fwd_version$$, "^8\.2"), fwd_8_2_eos, match($$fwd_version$$, "^9\.0"), fwd_9_0_eos, match($$fwd_version$$, "^9\.1"), fwd_9_1_eos, 1==1, fwd_default_eos) | fields - fwd_*_eos | eval warn=case( (now() > expTimestamp), fwdCount, 1==1, 0) | eval info=fwdCount-warn | rename warn as "Out of date", info as "Up to date" | fields - fwdV, splV, fwdCount, expTimestamp What I want to do is to drop down based on the row I select (see attached snapshot)
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-19-2025
11:19 AM
|
