Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About cbiraris
cbiraris
Path Finder
Member since:
06-27-2022
03-27-2025
Community Statistics
| Posts | 55 |
| Solutions | 0 |
| Karma Given | 18 |
| Karma Received | 3 |
| Member Since | 06-27-2022 |
Activity Feed
- Posted Index searchable retentions questions on Getting Data In. 03-27-2025 01:04 AM
- Tagged Index searchable retentions questions on Getting Data In. 03-27-2025 01:04 AM
- Posted Re: rex help on Splunk Search. 12-10-2024 05:23 AM
- Posted Re: rex help on Splunk Search. 12-10-2024 05:20 AM
- Posted rex help on Splunk Search. 12-10-2024 03:32 AM
- Posted Re: How to design query to compare values on Splunk Search. 11-07-2024 04:53 AM
- Posted How to design query to compare values on Splunk Search. 11-07-2024 03:51 AM
- Karma Re: Splunk query to build a table with total event count, sub event count and sub event in percent for ITWhisperer. 10-24-2024 03:43 AM
- Posted Splunk query to build a table with total event count, sub event count and sub event in percent on Splunk Search. 10-23-2024 09:23 AM
- Posted Re: Regex issue on Splunk Search. 08-06-2024 05:11 AM
- Posted Regex issue on Splunk Search. 08-06-2024 03:46 AM
- Tagged Regex issue on Splunk Search. 08-06-2024 03:46 AM
- Posted Splunk alert base on current count vs last week count on Splunk Search. 05-23-2024 12:43 AM
- Posted ServierNow ticket custom fields options/tokens on Alerting. 05-20-2024 08:58 AM
- Posted Re: Alert set for count in range on Splunk Search. 04-29-2024 04:57 AM
- Posted Alert set for count in range on Splunk Search. 04-29-2024 04:31 AM
- Karma Re: Alert with 3 different threshold for 3 different event in on alert for ITWhisperer. 04-26-2024 09:26 AM
- Posted Re: Alert with 3 different threshold for 3 different event in on alert on Alerting. 04-26-2024 09:25 AM
- Karma Re: Alert with 3 different threshold for 3 different event in on alert for gcusello. 04-26-2024 09:25 AM
- Posted Re: Alert with 3 different threshold for 3 different event in on alert on Alerting. 04-26-2024 09:17 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-27-2025
01:04 AM
Hi team, i have a index with 4 sourcetype. index has searchable retention of 4 months. is there any way we can keep same retention for 3 sourcetype and 1sourcetype can be increased to 8 months ? For example: Index=xyz sourcetype = 1 searchable retention 4 Months sourcetype = 2 searchable retention 4 Months sourcetype = 3 searchable retention 4 Months sourcetype = 4 searchable retention 8 Months
... View more
- Tags:
- retentions
Labels
- Labels:
-
index
12-10-2024
05:20 AM
I have a log which contain multiple countries in same format so it grabbing all other countries from same individual log . for example: Student:{"country":"IND","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu} teacher:{"country":"USA","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu} So if i use | rex field=_raw "\"country\":\"(?<country>[^\"]+)\"" it showing me IND and USA. but i only want country related to student. Also as i stated earlier position of "country":"*" is not same for all logs. its coming between anywhere Student:{*}
... View more
12-10-2024
03:32 AM
Hi Team, I need help to created rex field for country from the sample log format as below. but country name position is not static and its getting change log by log in {}. can you help me to create regex field for country only ? sample1 Student":{"country":"IND","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu} sample2 :Student":{"firstName":"XYZ","state":"MH","rollNum":147,"country":"IND","phoneNum":1478,"lastName":"qwe","phoneNu} sample3 :Student":{"firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu,"country":"IND"} so its mean, "country":"IND" anywhere in Student":{} should catch by regex
... View more
Labels
- Labels:
-
rex
11-07-2024
03:51 AM
Can you please help me to build eval query Condition-1 ABC=Match XYZ=Match then output of ABC compare to XYZ is Match Condition-2 ABC=Match XYZ=NO_Match then output of ABC compare to XYZ is No_Match Condition-3 ABC=NO_Match XYZ=Match then output of ABC compare to XYZ is No_Match Condition-4 ABC=NO_Match XYZ=NO_Match then output of ABC compare to XYZ is No_Match
... View more
Labels
- Labels:
-
eval
10-23-2024
09:23 AM
Hi Team, i am trying to design a query which show be result like total event count, sub event count and sub event in percent. can you please help with query For example below table : Work_Month_week | total_week_day|work day of week| Number of work hours | percent work hours 1 | 3 | Mon | 2 | % |Tus | 4 | % |Tus | 4 | % 2 | 2 | Mon | 2 | % |Tus | 4 | % 3 | 3 | Mon | 3 | % |Tus | 5 | % |thu | 4 | %
... View more
Labels
- Labels:
-
table
08-06-2024
03:46 AM
Hi Team i am trying to make below field regex which is coming in every single event. but its not allowing me to use same field name for 2 same type of entry as they coming in same single event. for example: { "class1": { "student1": "123 rollnumber" }, "class2": { "student1": "123 rollno", "student2": "321 rollno" } } 1)class1 and class2 should be under Class field if i search for class1 i should only find student 1 and related info. and if i search for class3 i should only find student 1 and related info. they will be in the field like class, student, number, and type of number Class field class1 class2 student name student1 student1 number 123 123 321 type of number rollnumber rollno rollno
... View more
- Tags:
- search regex issue
Labels
- Labels:
-
regex
05-23-2024
12:43 AM
Hi Team, I need help to create a alert which can raise if latest hour count is 10% less than last week same day same hour count. for example: right now i can able to get count but not sure how to find 10% or more difference to get alert.
index=ABC sourcetype=XYZ | timechart span=1h count | timewrap d series=short
... View more
Labels
- Labels:
-
timechart
05-20-2024
08:58 AM
Hi Team, I have a active Servcenow ticket and email notification integration setup already for splunk alerts. I am trying to add tokens which show me query result in serviceNow ticket description as same as we are getting in email notification when we check Inline Table fields. can you help me to add same in serviceNow ticket as well. so that I can get query result in ticket as well. right now its showing me only title of the alerts. due to which I need to go to splunk every time when alert trigger and need to run alerts search to validate alerts manually.
... View more
Labels
- Labels:
-
alert action
04-29-2024
04:31 AM
Hi Team, I am trying to setup an alert if the count of errors are in range of between 10 to19(more then 10 and less than 19). for example: index=abc sourcetype=xyz "errors" only if count >= 10 AND count <=19, should only trigger alert. please help thank you
... View more
Labels
- Labels:
-
stats
04-26-2024
09:17 AM
Yes, only if any of them individually occur 5 times e.g. 5 warnings or 5 errors or 5 criticals
... View more
04-26-2024
09:16 AM
Yes, only if any of them individually occur 5 times e.g. 5 warnings or 5 errors or 5 criticals
... View more
04-26-2024
08:58 AM
Hi team, I need help to create a query with with 3 different threshold for 3 different event in single splunk alert. for example : index= abc sourcetype=xyz "warning" OR "Error" OR Critical If any of these ("warning" OR "Error" OR Critical) occurred 5 times in events in last 15 minutes alert should be triggered .
... View more
- Tags:
- alert
Labels
- Labels:
-
alert action
-
alert condition
12-18-2023
12:36 AM
@gcusello Thank you for response I also want result of previous 8hrs with 2hrs interval to be displayed in alert result.
... View more
12-17-2023
11:42 PM
Hi Team, I am looking for the help to get an alert trigger if the latest result of timechart command is 0. Suppose i am running a search for last 8hrs with span=2hrs. so, if the result is something like below should raise an alert. 12-18-23 00:00 ---> is "0" and also it should is display if there is "0" events in last 8hrs. as i am getting nothing, if no events during that time. Thank you,
... View more
Labels
- Labels:
-
alert condition
11-27-2023
03:10 AM
Hi Team, I am trying to create a search which show me the list of all sourcetype and index which are not in use or let's say zero/less events from last few days. Can you please advise. Thanks
... View more
- Tags:
- index
10-13-2023
06:44 AM
Actually, I have 2 separate events start event one unique ID and few other fields for exampled = "Job initiated" if the events contains "JOB initiated" , that means the evets is first event. and if the events contains "JOB Completed" that means the last event. so, I want to calculate how much total time taken for that particular Job ID to complete ?
... View more
10-11-2023
08:06 AM
Hi Team, Is there any way we can calculate time duration between 2 different events like start and end. For example: we have start event at 10/10/23 23:50:00.031 PM, and End evet at 11/10/23 00:50:00.031 AM how can we calculate this. please help. Thank you
... View more
Labels
- Labels:
-
alert action
09-13-2023
02:44 AM
Hi Team, I am looking for the help to created search query for my daily run report which is running 3 time in a day. we are putting the files in directory which we are monitoring in splunk. is there any way we can grab events from only latest sourcefile? For example: Index=abc sourcetype=xyz source=/opt/app/file1_09092023.csv source=/opt/app/file2_09102023.csv source=/opt/app/file3_09112023.csv..... new file can be placed time to time. I wanted report can be show only events from latest file, is it possible? Thank you
... View more
- Tags:
- splunk search
Labels
- Labels:
-
alert condition
09-05-2023
02:26 AM
Also, can we define 2 different search run interval in this query ? like below--- index=ABC sourcetype=XYZ login |stats count |where count =0 between23:00 to 07:00, search can be run every after 2 hours to check last 2 hours events AND index=ABC sourcetype=XYZ login |stats count |where count <=20 between 07:00 to 23:00, , search can be run every after 1 hours to check last 1 hours events
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-27-2025
08:32 AM
|
