cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
CoryC
Engager
Member since: ‎12-05-2023
‎03-14-2024
Community Statistics
Posts 4
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎12-05-2023
Activity Feed
View All

Re: Create Dynamic Drop-down

by in Splunk Search
‎03-14-2024 11:44 AM
‎03-14-2024 11:44 AM
Thank you,  This worked for what I asked for.  Group Policy runs every 90-120 minutes so this should return most PCs with errors without duplicating them.  We have about 1000 computers and seem to have about 100 with errors, so this will return about 100 results for the 90 min.  90 min is all I really need to search, maybe 120, but I chose 90.  I can dig into the data more after getting these quick results.  I did realize I probably need all results, not just errors if I Enter a PC, but I can work on that.  I think if I enter a PC, I want all EventIDs, and if I enter an EventID, I want all PCs with that EventID.   Thank you again.  This is working as asked. ... View more

Create Dynamic Drop-down

by in Splunk Search
‎03-11-2024 02:39 PM
‎03-11-2024 02:39 PM
I am trying to create a dashboard to examine group policy processing errors.  I would like to create a drop-down based on the values returned for EventCode which is the Windows EventID. 1.  How do I create a dynamic drop-down to show the EventIDs (EventCode) returned by the search? 2.  I see you can enter a whole new search, but technically that is different than the main search, right?  How do I base it on the main search? 3.  What are Label (fieldForLabel) and Value (fieldForValue) for?  Why are they required?     <form version="1.1" theme="light"> <label>GP Errors</label> <fieldset submitButton="true" autoRun="false"> <input type="time" token="field1"> <label></label> <default> <earliest>-90m@m</earliest> <latest>now</latest> </default> </input> <input type="text" token="Computername"> <label>Computer Name</label> <default>*</default> </input> <input type="dropdown" token="EventID"> <label>Event ID</label> <choice value="*">All</choice> <default>*</default> <initialValue>*</initialValue> <fieldForLabel>EventID</fieldForLabel> <fieldForValue>EventID</fieldForValue> <search> <query>index=winevent source="WinEventLog:System" SourceName="Microsoft-Windows-GroupPolicy" Type=Error | stats values(EventCode)</query> <earliest>-90m@m</earliest> <latest>now</latest> </search> </input> </fieldset> <row> <panel> <table> <search> <query>index=winevent source="WinEventLog:System" SourceName="Microsoft-Windows-GroupPolicy" Type=Error host=$Computername$ EventCode=$EventID$ | table host, EventCode, Message, _time | rename host AS Host, EventCode AS EventID | sort _time desc</query> <earliest>-90m@m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> </form>     ... View more

How do I limit a search to everything except the t...

by in Splunk Search
‎12-05-2023 10:06 AM
‎12-05-2023 10:06 AM
How do I grab all of the versions of Splunk EXCEPT the top 1, basically the opposite of index=winconfig sourcetype="WMIC:InstalledProduct" Name="*UniversalForwarder*" | top limit=1 Version | table Version It would be nice if there was a top limit=-1 component.   Or, How do I negate a subsearch? index=winconfig sourcetype="WMIC:InstalledProduct" Name="*UniversalForwarder*" [search index=winconfig sourcetype="WMIC:InstalledProduct" Name="*UniversalForwarder*" | top limit=1 Version | table Version] | dedup host, Version | table host Name Version I want to search for all computers with other versions of Splunk ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-14-2024 03:05 PM
Karma given to
View All
Top