Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About bhavesh0124
bhavesh0124
Explorer
Member since:
08-22-2023
04-02-2025
Community Statistics
| Posts | 11 |
| Solutions | 0 |
| Karma Given | 4 |
| Karma Received | 0 |
| Member Since | 08-22-2023 |
Activity Feed
- Karma Re: How to convert "data" Field to "event" in Splunk HTTP Event Collector (HEC)? for livehybrid. 04-02-2025 02:44 PM
- Posted Re: How to convert "data" Field to "event" in Splunk HTTP Event Collector (HEC)? on Getting Data In. 04-02-2025 02:43 PM
- Posted Re: How to convert "data" Field to "event" in Splunk HTTP Event Collector (HEC)? on Getting Data In. 04-02-2025 02:29 PM
- Karma Re: How to convert "data" Field to "event" in Splunk HTTP Event Collector (HEC)? for livehybrid. 04-02-2025 02:28 PM
- Posted Re: How to convert "data" Field to "event" in Splunk HTTP Event Collector (HEC)? on Getting Data In. 04-02-2025 02:25 PM
- Posted How to convert "data" Field to "event" in Splunk HTTP Event Collector (HEC)? on Getting Data In. 04-02-2025 01:06 PM
- Posted Re: Delete events after stats operation on Splunk Search. 05-10-2024 08:22 AM
- Posted Re: Delete events after stats operation on Splunk Search. 03-12-2024 11:35 AM
- Posted Delete events after stats operation on Splunk Search. 03-12-2024 10:39 AM
- Posted Re: Remove duplicate columns - column which have single unique value on Splunk Search. 01-29-2024 11:51 AM
- Karma Re: Remove duplicate columns - column which have single unique value for ITWhisperer. 01-29-2024 11:50 AM
- Posted Remove duplicate columns - column which have single unique value on Splunk Search. 01-29-2024 09:15 AM
- Posted Re: How to Dynamically save model name using a column value? on Splunk Search. 08-28-2023 08:41 AM
- Karma Re: How to Dynamically save model name using a column value? for etoombs. 08-28-2023 08:41 AM
- Posted How to Dynamically save model name using a column value? on Splunk Search. 08-22-2023 06:29 AM
- Tagged How to Dynamically save model name using a column value? on Splunk Search. 08-22-2023 06:29 AM
- Tagged How to Dynamically save model name using a column value? on Splunk Search. 08-22-2023 06:29 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-02-2025
02:43 PM
Thankyou ! From your help I made it work with alternate solution. Props.conf [sourcetype]
TRANSFORMS-extract_data = rename_data_to_event Transform.conf [rename_data_to_event]
REGEX = "data":\s*({.*?})
FORMAT = $1
WRITE_META= true
DEST_KEY = _raw really Appreicate your help @livehybrid
... View more
04-02-2025
02:29 PM
Thankyou for your prompt response. @livehybrid I have no control over the source JSON unfortunately. I tried sending it inside the raw HEC endpoint. It works flawlessly. However the data shows up like this nested json. Any way to make it nice and tidy? { [-]
data: { [-]
message: This is New test
severity: info
}
index: test
sourcetype: test:json
source: telemetry
}
... View more
04-02-2025
02:25 PM
Thankyou for your prompt response. I have no control over the source JSON unfortunately. I tried sending it inside the raw HEC endpoint. It works flawlessly. However the data shows up like this nested json. Any way to make it nice and tidy? { [-]
data: { [-]
message: This is New test
severity: info
}
index: test
sourcetype: test:json
source: telemetry
}
... View more
04-02-2025
01:06 PM
I'm ingesting data into Splunk via the HTTP Event Collector (HEC), but the data is wrapped inside a "data" key instead of "event". Splunk expects events inside the "event" key, and I'm getting the error: Failed to send data: {"text":"No data","code":5} Here’s an example of the data I’m sending: { "data": { "timestamp": "2025-04-01T19:51:07.720Z", "userId": "", "userAgent": "Visual Studio Code/1.98.2 (Continue/1.0.5)", "selectedProfileId": "local", "eventName": "chatFeedback", "schema": "0.2.0", "prompt": "|>\n", "completion": "Sample completion text", "modelTitle": "Llama", "feedback": true, "sessionId": "c36c18eb-25e6-4448-b9b5-a50cdd2a0baa" } index="test" sourcetype="test:json" source="telemetry" } How can I transform incoming HEC data so that "data" is treated as "event" in Splunk? Is there a better way to handle this at the Splunk configuration level? Thanks in advance for any help! @ITWhisperer
... View more
Labels
05-10-2024
08:22 AM
I get this error Error in 'delete' command: This command cannot be invoked after the command 'eventstats', which is not distributable streaming. Anything else can i use here? my data is huge, i cant use a join or subsearch. Thanks in advance @ITWhisperer
... View more
03-12-2024
11:35 AM
Thankyou @ITWhisperer . Quick followup question, instead of index=test, i have a data model that has limited fields. Then how it would work? | tstats dc(Changeset) as count, values(Changeset) as name_versions from datamodel=abc by source, name
| where count>1
| stats min(name_versions) by source, name I want to delete now the events. How could i?
... View more
03-12-2024
10:39 AM
I'm running stats to find out which events I want to delete. Basically I'm finding the minimum "change_set" a particular "source" has. Now, I want to delete these sources with the least "change_set". Note: the events also has a lot of attributes apart from change_set and source. index=test
| stats min(change_set) by source (Now delete the events which has that source and change_set. ``` How can I write the delete operation with this query? (the most optimal way) @gcusello @ITWhisperer @scelikok @PickleRick Thanks
... View more
01-29-2024
11:51 AM
Works perfectly, thanks
... View more
01-29-2024
09:15 AM
Hi, I want to get rid of columns which have single unique value. There could be multiple columns showing this behavior. Test Value1 Value2 Value3 Value4 Test1 2 b a 7 Test2 1 c a 7 I want to get rid of columns "Value3" and "Value4" since they have only one unique value across. @gcusello @ITWhisperer @scelikok @PickleRick
... View more
Labels
- Labels:
-
fields
08-28-2023
08:41 AM
That worked! Thanks a lot
... View more
08-22-2023
06:29 AM
Hi I have the following query for training a model. However, I want to save my model name using a single column value that comes from a lookup. In a nutshell, I want to save the model name dynamically. index = "Abc" fields Days, Count, Target | sample partitions=100 | appendpipe [ | search partition_number < 90 | fields - partition_number | fit DecisionTreeRegressor "target" from * splitter=best into "model_name" apply=false ] So currently the model name is "model_name" but I want it to come from a lookup, where there is single column and a single value. @niketn @gcusello
... View more
Labels
- Labels:
-
eval
-
field extraction
-
fields
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-02-2025
02:03 PM
|
