Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About Seawheels51
Seawheels51
Path Finder
Member since:
06-20-2022
07-25-2025
Community Statistics
| Posts | 18 |
| Solutions | 1 |
| Karma Given | 47 |
| Karma Received | 1 |
| Member Since | 06-20-2022 |
Activity Feed
- Karma Re: How to find the missing number sequence from a table? for niketn. 04-23-2025 01:54 PM
- Karma Re: How to find the missing number sequence from a table? for FloSwiip. 04-23-2025 01:54 PM
- Karma Re: How do I add yesterday's date to an emailed report subject? for cmerriman. 03-13-2025 10:20 AM
- Karma Re: How do I add yesterday's date to an emailed report subject? for woodcock. 03-13-2025 10:17 AM
- Karma Re: Report hourly max count events per day over a month for lguinn2. 01-31-2025 07:04 AM
- Karma Re: Data visualization over the day (by hours) for gcusello. 01-31-2025 07:02 AM
- Karma Re: Data visualization over the day (by hours) for rnowitzki. 01-31-2025 07:01 AM
- Karma Re: Results from Collect command not writing to index? for Aroot002. 01-10-2025 01:09 PM
- Posted Re: Results from Collect command not writing to index? on Splunk Search. 01-10-2025 01:07 PM
- Karma Re: Results from Collect command not writing to index? for gcusello. 01-10-2025 01:02 PM
- Karma Re: http event collector truncates event to 10,000 characters for livehybrid. 01-09-2025 02:24 PM
- Got Karma for Re: How to get boolean fields from a stats max count (event number). 01-07-2025 11:34 AM
- Karma Re: How to get boolean fields from a stats max count (event number) for richgalloway. 01-07-2025 09:11 AM
- Posted Re: How to get boolean fields from a stats max count (event number) on Splunk Search. 01-07-2025 09:10 AM
- Karma Re: How to get boolean fields from a stats max count (event number) for ITWhisperer. 01-07-2025 09:05 AM
- Posted Re: How to get boolean fields from a stats max count (event number) on Splunk Search. 01-06-2025 01:49 PM
- Posted Re: How to get boolean fields from a stats max count (event number) on Splunk Search. 01-06-2025 01:41 PM
- Posted How to get boolean fields from a stats max count (event number) on Splunk Search. 01-06-2025 10:52 AM
- Karma Difference between last(X) and latest(X) for strive. 01-06-2025 09:02 AM
- Karma Re: Difference between last(X) and latest(X) for dart. 01-06-2025 09:02 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-10-2025
01:07 PM
Collect is very time sensitive and as @gcusello pointed out. My search and collect writing to index was working. I changed the _time=now() to use a now time 14 eval statements earlier in the search and it stopped writing to the index. After viewing this thread, I changed it back to these final three lines in search and now successfully writing the results to index every time:
| eval now=now()
| eval _time=now
| collect index=index output_format=raw spool=true source=yourSource sourcetype=stash
... View more
01-07-2025
09:10 AM
1 Karma
Thank you @ITWhisperer In my laymans terms use eventstats search to find max(triggeredEventNumber) BY userName. Next use where to select only that max(triggeredEventNumber) for results. Then I used stats values(field) to extract the values for the fields I am interested in.
... View more
01-06-2025
01:49 PM
@richgalloway the problem is the cached events are delivered more recently (lower priority transmission) than the actual current state event which is why the search for max(triggeredEventNumber) instead of first/last or earliest/latest since I cannot forecast how many cached events may be delivered after current state and before the next current state event is created (as a result of a state change typically battery percent change)
... View more
01-06-2025
01:41 PM
Thank you for the reply @richgalloway The results I want to see are the fields for that triggered event number only.
... View more
01-06-2025
10:52 AM
How do I return field values from a specific max(eventnumber)? This was helpful but did not solve my issue Solved: How to get stats max count of a field by another f... - Splunk Community We are ingesting logs from test devices. Each log has an event number, which I can search on to find the most recent event. When the devices disconnect from our cloud instance, they cache events which are transmitted at a lower priority (newest to oldest) than real time events. For example: event #100 connected to cloud, event 101-103 disconnected from cloud and cached, events, #104 re-connected to cloud (latest status) received, then event 103 is transmitted, then 102, so using latest/earliest or first/last does not return the most recent status The logs consist of an event number and boolean (true/false) fields. Searching for max(event number) and values(boolean field value) results in both true/false for any time picker period that has multiple events, for example: | stats max(triggeredEventNumber) values(isCheckIn) values(isAntiSurveillanceViolation) BY userName userName max(triggeredEventNumber) values(isCheckIn) latest(isAntiSurveillanceViolation) NS2_GS22_MW 92841 false true FALSE In the example the actual value of isCheckIn was true. Here is a complete example event: { "version": 1, "logType": "deviceStateEvent", "deviceSerialNumber": "4234220083", "userName": "NS2_GS22_MW", "cloudTimestampUTC": "2025-01-06T18:17:00Z", "deviceTimestampUTC": "2025-01-06T18:16:46Z", "triggeredEventNumber": 92841, "batteryPercent": 87, "isCheckIn": true, "isAntiSurveillanceViolation": false, "isLowBatteryViolation": false, "isCellularViolation": false, "isDseDelayed": false, "isPhonePresent": true, "isCameraExposed": false, "isShutterOpen": false, "isMicExposed": false, "isCharging": false, "isPowerOff": false, "isHibernation": false, "isPhoneInfoStale": false, "bleMacAddress": "5c:2e:c6:bc:e4:cf", "cellIpv4Address": "0.0.0.0", "cellIpv6Address": "::" }
... View more
Labels
- Labels:
-
stats
12-13-2024
05:49 AM
Worked for me, thank you
... View more
12-13-2024
05:48 AM
Fix for me was to rename the expired server.pem certificate file name, restart Splunk which automatically created a new server.pem certificate, then splunk clean kvstore --local , then splunk migrate kvstore-storage-engine --target-engine wiredTiger
... View more
12-13-2024
05:38 AM
Thank you, it worked for me
... View more
08-19-2024
08:42 AM
I have the collect search working, eval _raw="field1","field2", ... Conversion functions - Splunk Documentation Thank you for pointing me in the right direction and well done @PickleRick
... View more
08-19-2024
08:21 AM
Appreciate the clarification, I have 30%+ headroom with my license so a couple of onetime events should not be an issue.
... View more
08-19-2024
07:47 AM
I was not aware of the licensing implications, thank you and I'll stay in compliance.
... View more
08-16-2024
11:09 AM
I want to manually add an event to an index, using collect seems to be the most straight forward method. I am asking for a method to use makeresults and eval to add field quotes like the native Aruba SNMP log format to send in raw format to an index
Background: We had a power outage at one of our sites. Report and Alert searches look for active user Wi-Fi sessions. Because the access points were offline, when users left for the day the Wi-Fi session end log events were not sent from Aruba to Splunk , which is causing false positive alerts.
The Aruba SNMP logs look like this:
timestamp=1723828026 notification_from_address = "172.20.0.69" notification_from_port = "34327" SNMPv2-SMI::mib-2.1.3.0 = "10679000" SNMPv2-SMI::snmpModules.1.1.4.1.0 = "1.3.6.1.4.1.14823.2.3.1.11.1.2.1219" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.60 = "0x07e808100a0706002d0700" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.51.0 = "192.168.50.54" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.52.0 = "0xd8be1f2f9c1a" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.3.0 = "0x2462ce8053b1" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.94.0 = "RAP1053a" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.28.0 = "0" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.59.0 = "0" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.103.0 = "2" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.136.0 = "11" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.137.0 = "1"
My search:
| makeresults
| eval timeStamp=now()
| eval logEvent="timestamp=1723830464 notification_from_address = \"172.20.0.17\" notification_from_port = \"43015\" SNMPv2-SMI::mib-2.1.3.0 = \"2063900\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.60 = \"0x07e8080e0d310f002d0700\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.51.0 = \"192.168.50.67\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.52.0 = \"0xd8be1f7d1076\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.3.0 = \"0x482f6b06b171\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.94.0 = \"AP7\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.28.0 = \"0\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.59.0 = \"0\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.103.0 = \"2\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.136.0 = \"10\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.137.0 = \"1\""
| collect index=aruba_snmp sourcetype=snmp_traps output_format=raw testmode=true
The search result looks like what I want but when sent in raw format the escape \ are visible. How do I obscure or remove the \ in raw format? Thank you for any help in advance.
... View more
Labels
- Labels:
-
eval
06-15-2023
11:46 AM
Greetings community experts Search results for JSON data received via curl and Rest API from AWS are five times the actual events. Seeking help understanding why events are counted more than once. Indexed using sourcetype _JSON Looking at the data Splunk reports 4 deviceConnectivityUpdate events and 1 deviceStateEvent which agrees with the data. However when I run stats count by("hits{}._source.logType") by "hits{}._source.userName I get 5x count of events. Same is true with this search using dedup | eval DCU=mvfilter(match('hits{}._source.logType',"deviceConnectivityUpdate")) | eval DSE=mvfilter(match('hits{}._source.logType',"deviceStateEvent")) | dedup DCU DSE | stats count(DCU) count(DSE) by hits{}._source.userName The data _raw {"total":{"value":5,"relation":"eq"},"max_score":1,"hits":[{"_index":"index_44444444-4444-4444-4444-444444444444","_id":"zbIdu4gBwP_vIV4KexH0","_score":1,"_source":{"version":1,"logType":"deviceConnectivityUpdate","deviceSerialNumber":"4931390007","userName":"gary.whitlocks22","cloudTimestampUTC":"2023-06-14T18:14:11Z","isDeviceOffline":false}},{"_index":"index_44444444-4444-4444-4444-444444444444","_id":"z7Ieu4gBwP_vIV4KARGG","_score":1,"_source":{"version":1,"logType":"deviceConnectivityUpdate","deviceSerialNumber":"4931390007","userName":"gary.whitlocks22","cloudTimestampUTC":"2023-06-14T18:14:45Z","isDeviceOffline":true}},{"_index":"index_44444444-4444-4444-4444-444444444444","_id":"0LIeu4gBwP_vIV4KHxHn","_score":1,"_source":{"version":1,"logType":"deviceStateEvent","deviceSerialNumber":"4931490086","userName":"NSSS","cloudTimestampUTC":"2023-06-14T18:14:53Z","deviceTimestampUTC":"2023-06-14T18:14:55Z","batteryPercent":49,"isCheckIn":false,"isAntiSurveillanceViolation":false,"isLowBatteryViolation":false,"isCellularViolation":false,"isDseDelayed":false,"bleMacAddress":"7d:8e:1a:be:92:5a","cellIpv4Address":"0.0.0.0","cellIpv6Address":"::"}},{"_index":"index_44444444-4444-4444-4444-444444444444","_id":"zrIdu4gBwP_vIV4KsxFQ","_score":1,"_source":{"version":1,"logType":"deviceConnectivityUpdate","deviceSerialNumber":"4931390006","userName":"PennyAndroid","cloudTimestampUTC":"2023-06-14T18:14:25Z","isDeviceOffline":true}},{"_index":"index_44444444-4444-4444-4444-444444444444","_id":"0bIeu4gBwP_vIV4KhBGr","_score":1,"_source":{"version":1,"logType":"deviceConnectivityUpdate","deviceSerialNumber":"4931390006","userName":"PennyAndroid","cloudTimestampUTC":"2023-06-14T18:15:19Z","isDeviceOffline":false}}]} JSON format { "total": { "value": 5, "relation": "eq" }, "max_score": 1, "hits": [ { "_index": "index_44444444-4444-4444-4444-444444444444", "_id": "zbIdu4gBwP_vIV4KexH0", "_score": 1, "_source": { "version": 1, "logType": "deviceConnectivityUpdate", "deviceSerialNumber": "4931390007", "userName": "gary.whitlocks22", "cloudTimestampUTC": "2023-06-14T18:14:11Z", "isDeviceOffline": false } }, { "_index": "index_44444444-4444-4444-4444-444444444444", "_id": "z7Ieu4gBwP_vIV4KARGG", "_score": 1, "_source": { "version": 1, "logType": "deviceConnectivityUpdate", "deviceSerialNumber": "4931390007", "userName": "gary.whitlocks22", "cloudTimestampUTC": "2023-06-14T18:14:45Z", "isDeviceOffline": true } }, { "_index": "index_44444444-4444-4444-4444-444444444444", "_id": "0LIeu4gBwP_vIV4KHxHn", "_score": 1, "_source": { "version": 1, "logType": "deviceStateEvent", "deviceSerialNumber": "4931490086", "userName": "NSSS", "cloudTimestampUTC": "2023-06-14T18:14:53Z", "deviceTimestampUTC": "2023-06-14T18:14:55Z", "batteryPercent": 49, "isCheckIn": false, "isAntiSurveillanceViolation": false, "isLowBatteryViolation": false, "isCellularViolation": false, "isDseDelayed": false, "bleMacAddress": "7d:8e:1a:be:92:5a", "cellIpv4Address": "0.0.0.0", "cellIpv6Address": "::" } }, { "_index": "index_44444444-4444-4444-4444-444444444444", "_id": "zrIdu4gBwP_vIV4KsxFQ", "_score": 1, "_source": { "version": 1, "logType": "deviceConnectivityUpdate", "deviceSerialNumber": "4931390006", "userName": "PennyAndroid", "cloudTimestampUTC": "2023-06-14T18:14:25Z", "isDeviceOffline": true } }, { "_index": "index_44444444-4444-4444-4444-444444444444", "_id": "0bIeu4gBwP_vIV4KhBGr", "_score": 1, "_source": { "version": 1, "logType": "deviceConnectivityUpdate", "deviceSerialNumber": "4931390006", "userName": "PennyAndroid", "cloudTimestampUTC": "2023-06-14T18:15:19Z", "isDeviceOffline": false } } ] }
... View more
Labels
- Labels:
-
data
-
field extraction
-
JSON
06-14-2023
03:40 PM
Greetings experts Big picture: using Bash script and curl to download Rest API/JSON from an AWS instance. The beginning of each download is unstructured followed by the structured JSON. Four different "logType", two logTypes (deviceConnectivityUpdate and deviceStateEvent) shown in a five event example below _raw example {"total":{"value":5,"relation":"eq"},"max_score":1,"hits":[{"_index":"index_44444444-4444-4444-4444-444444444444","_id":"zbIdu4gBwP_vIV4KexH0","_score":1,"_source":{"version":1,"logType":"deviceConnectivityUpdate","deviceSerialNumber":"4931390007","userName":"gary.whitlocks22","cloudTimestampUTC":"2023-06-14T18:14:11Z","isDeviceOffline":false}},{"_index":"index_44444444-4444-4444-4444-444444444444","_id":"z7Ieu4gBwP_vIV4KARGG","_score":1,"_source":{"version":1,"logType":"deviceConnectivityUpdate","deviceSerialNumber":"4931390007","userName":"gary.whitlocks22","cloudTimestampUTC":"2023-06-14T18:14:45Z","isDeviceOffline":true}},{"_index":"index_44444444-4444-4444-4444-444444444444","_id":"0LIeu4gBwP_vIV4KHxHn","_score":1,"_source":{"version":1,"logType":"deviceStateEvent","deviceSerialNumber":"4931490086","userName":"NSSS","cloudTimestampUTC":"2023-06-14T18:14:53Z","deviceTimestampUTC":"2023-06-14T18:14:55Z","batteryPercent":49,"isCheckIn":false,"isAntiSurveillanceViolation":false,"isLowBatteryViolation":false,"isCellularViolation":false,"isDseDelayed":false,"bleMacAddress":"7d:8e:1a:be:92:5a","cellIpv4Address":"0.0.0.0","cellIpv6Address":"::"}},{"_index":"index_44444444-4444-4444-4444-444444444444","_id":"zrIdu4gBwP_vIV4KsxFQ","_score":1,"_source":{"version":1,"logType":"deviceConnectivityUpdate","deviceSerialNumber":"4931390006","userName":"PennyAndroid","cloudTimestampUTC":"2023-06-14T18:14:25Z","isDeviceOffline":true}},{"_index":"index_44444444-4444-4444-4444-444444444444","_id":"0bIeu4gBwP_vIV4KhBGr","_score":1,"_source":{"version":1,"logType":"deviceConnectivityUpdate","deviceSerialNumber":"4931390006","userName":"PennyAndroid","cloudTimestampUTC":"2023-06-14T18:15:19Z","isDeviceOffline":false}}]} JSON { "total": { "value": 5, "relation": "eq" }, "max_score": 1, "hits": [ { "_index": "index_44444444-4444-4444-4444-444444444444", "_id": "zbIdu4gBwP_vIV4KexH0", "_score": 1, "_source": { "version": 1, "logType": "deviceConnectivityUpdate", "deviceSerialNumber": "4931390007", "userName": "gary.whitlocks22", "cloudTimestampUTC": "2023-06-14T18:14:11Z", "isDeviceOffline": false } }, { "_index": "index_44444444-4444-4444-4444-444444444444", "_id": "z7Ieu4gBwP_vIV4KARGG", "_score": 1, "_source": { "version": 1, "logType": "deviceConnectivityUpdate", "deviceSerialNumber": "4931390007", "userName": "gary.whitlocks22", "cloudTimestampUTC": "2023-06-14T18:14:45Z", "isDeviceOffline": true } }, { "_index": "index_44444444-4444-4444-4444-444444444444", "_id": "0LIeu4gBwP_vIV4KHxHn", "_score": 1, "_source": { "version": 1, "logType": "deviceStateEvent", "deviceSerialNumber": "4931490086", "userName": "NSSS", "cloudTimestampUTC": "2023-06-14T18:14:53Z", "deviceTimestampUTC": "2023-06-14T18:14:55Z", "batteryPercent": 49, "isCheckIn": false, "isAntiSurveillanceViolation": false, "isLowBatteryViolation": false, "isCellularViolation": false, "isDseDelayed": false, "bleMacAddress": "7d:8e:1a:be:92:5a", "cellIpv4Address": "0.0.0.0", "cellIpv6Address": "::" } }, { "_index": "index_44444444-4444-4444-4444-444444444444", "_id": "zrIdu4gBwP_vIV4KsxFQ", "_score": 1, "_source": { "version": 1, "logType": "deviceConnectivityUpdate", "deviceSerialNumber": "4931390006", "userName": "PennyAndroid", "cloudTimestampUTC": "2023-06-14T18:14:25Z", "isDeviceOffline": true } }, { "_index": "index_44444444-4444-4444-4444-444444444444", "_id": "0bIeu4gBwP_vIV4KhBGr", "_score": 1, "_source": { "version": 1, "logType": "deviceConnectivityUpdate", "deviceSerialNumber": "4931390006", "userName": "PennyAndroid", "cloudTimestampUTC": "2023-06-14T18:15:19Z", "isDeviceOffline": false } } ] } CSV version logType deviceSerialNumber userName cloudTimestampUTC isDeviceOffline deviceTimestampUTC batteryPercent isCheckIn isAntiSurveillanceViolation isLowBatteryViolation isCellularViolation isDseDelayed bleMacAddress cellIpv4Address cellIpv6Address 1 deviceConnectivityUpdate 4931390007 gary.whitlocks22 6/14/2023 18:14 FALSE 1 deviceConnectivityUpdate 4931390007 gary.whitlocks22 6/14/2023 18:14 TRUE 1 deviceStateEvent 4931490086 NSSS 6/14/2023 18:14 6/14/2023 18:14 49 FALSE FALSE FALSE FALSE FALSE 7d:8e:1a:be:92:5a 0.0.0.0 :: 1 deviceConnectivityUpdate 4931390006 PennyAndroid 6/14/2023 18:14 TRUE 1 deviceConnectivityUpdate 4931390006 PennyAndroid 6/14/2023 18:15 FALSE Indexed using sourcetype _JSON Looking at hits{}._source.logType Splunk reports 4 deviceConnectivityUpdate events and 1 deviceStateEvent which agrees with the data. However when I run stats count by("hits{}._source.logType") by "hits{}._source.userName I get 5x count of events (see attachment) Help please, what am I missing or doing wrong?
... View more
Labels
- Labels:
-
field extraction
-
JSON
06-30-2022
01:52 PM
I was able to obtain the results I desired with this search index=test earliest=-1d@d+6h+30m latest=-0d@d-5h-30m | stats count by SerialNumber | stats count(eval(count>=4314)) as Con count(eval(count<4314)) as Dcon | eval Percent=round((Con)/Dcon*10, 2)."%" | fields Percent
... View more
06-29-2022
04:48 PM
Greetings Community Experts I have a group of devices that each should report state to a portal every 10 seconds. If a device fails to report for 6 periods - one minute, I am categorizing the device as disconnected. The time period is a workday of 6:30 AM - 6:30 PM (12 hours / 720 minutes). I am trying to use the search results to generate a percentage of connected devices. The calculation fails in the last step. Requesting your assistance to develop a working search. Here is the search I am using. Thanks in advance! index=test earliest=-2d@d+6h+30m latest=-1d@d-5h-30m | bucket span=1m _time | stats count by _time, SerialNumber | eval state=if(count>=1, "Con", "Dcon") | stats count by SerialNumber, state | eval status=case(count=720, "Connected", count<720, "Disconnected") | stats count by status | eval Percent=round((Connected-Disconnected)/Connected*100, 2)."%"
... View more
06-22-2022
11:36 AM
Thank you, that achieved the desired results! I appreciate the prompt and accurate response, well done!
... View more
06-20-2022
03:05 PM
Hello gurus
I'm trying to return a percentage from the results of sub searches. The value User_count and Device_count are numerical but the eval returns nothing. If I convert either of the values to a number and leave the other named the eval works. Could you offer a suggestion to make this search work please? Thank you!
index="test" earliest=-2d@d latest=-1d@d
| dedup User
| stats count(User) as User_count
| append [search index="test" | stats dc(SerialNumber) as Device_count]
| eval perc=round(User_count/Device_count*100, 2)."%"
... View more
