Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About t_splunk_d
t_splunk_d
Path Finder
Member since:
05-17-2017
01-07-2025
Community Statistics
| Posts | 36 |
| Solutions | 0 |
| Karma Given | 10 |
| Karma Received | 1 |
| Member Since | 05-17-2017 |
Activity Feed
- Posted Re: How to compare events from two sourcetypes in the same index without using join on Splunk Search. 12-20-2024 02:37 PM
- Posted Re: How to get time from two different sourcetypes on Splunk Search. 12-19-2024 12:30 PM
- Posted Re: How to get time from two different sourcetypes on Splunk Search. 12-19-2024 10:53 AM
- Posted Re: How to get time from two different sourcetypes on Splunk Search. 12-19-2024 09:24 AM
- Posted Re: How to get time from two different sourcetypes on Splunk Search. 12-19-2024 09:18 AM
- Posted Re: How to get time from two different sourcetypes on Splunk Search. 12-19-2024 08:33 AM
- Posted How to get time from two different sourcetypes on Splunk Search. 12-19-2024 06:04 AM
- Posted How to compare events from two sourcetypes in the same index without using join on Splunk Search. 12-18-2024 06:40 PM
- Posted Re: How to get the result of next event by searching for a key word on Splunk Search. 12-22-2023 01:13 PM
- Posted How to get the result of next event by searching for a key word on Splunk Search. 12-20-2023 08:31 AM
- Karma Re: How to correlate across two lists in a stats for ITWhisperer. 06-11-2023 09:34 AM
- Karma Re: How to correlate across two lists in a stats for ITWhisperer. 06-11-2023 09:34 AM
- Posted Re: How to correlate across two lists in a stats on Splunk Search. 06-10-2023 05:44 PM
- Posted How to correlate across two lists in a stats on Splunk Search. 06-10-2023 11:41 AM
- Karma Re: How do I display colored text in a single value dashboard panel? for adonio. 06-05-2020 12:50 AM
- Got Karma for Splunk Alert using Splunk ITSI Notable Event - Creating a Service Now Incident. 06-05-2020 12:50 AM
- Karma Re: How get a count of last Status for gcusello. 06-05-2020 12:49 AM
- Karma Re: Use token or dymanic value in unit parameter of single value panel for niketn. 06-05-2020 12:49 AM
- Karma Re: "Error in 'map' command: Unable to find saved search 'search='" for somesoni2. 06-05-2020 12:48 AM
- Karma Re: Select 1st, 2nd, and 3rd items from dropdown menu. Select from dropdown token as an array? for rjthibod. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
12-20-2024
02:37 PM
TargetLocation always comes up as Pending which is not correct. Also I tried changing the for each to foreach sourcetype. will it work? sourcetype names are xml and raw_text. Please help to add TargetLocation date.
... View more
12-19-2024
12:30 PM
Filenames match exactly. Targetlocation has the file name. Like I have it in my example the file names are different. It is not related to position. When modify the stats to values(file_name) i get results but it is so weird results
... View more
12-19-2024
10:53 AM
Still i get "Pending" for all the files even though it was success and timestamp is there.
... View more
12-19-2024
09:24 AM
Transaction command is costly and it has limitations for wider timeframe and larger datasets.
... View more
12-19-2024
09:18 AM
@ITWhisperer Can you please help?
... View more
12-19-2024
08:33 AM
Thank you for the help. I always get null for TargetLocation in stats and thus showing "Pending" I notice that latest(TargetLocation) has multiple values and null is the latest. Is there a way to eliminate null so that the latest time can be displayed?
... View more
12-19-2024
06:04 AM
I am trying to track file transfers from one location to another. Flow: Files are copied to File copy location -> Target Location Both File copy location and Target location logs are in the same index but each has it own sourcetype. File copy location events has logs for each file but Target location has a logs which has multiple files names. Log format of filecopy location: 2024-12-18 17:02:50 , file_name="XYZ.csv", file copy success 2024-12-18 17:02:58, file_name="ABC.zip", file copy success 2024-12-18 17:03:38, file_name="123.docx", file copy success 2024-12-18 18:06:19, file_name="143.docx", file copy success Log format of Target Location: 2024-12-18 17:30:10 <FileTransfer status="success> <FileName>XYZ.csv</FileName> <FileName>ABC.zip</FileName> <FileName>123.docx</FileName> </FileTransfer> Desired result: File Name FileCopyLocation Target Location XYZ.csv 2024-12-18 17:02:50 2024-12-18 17:30:10 ABC.zip 2024-12-18 17:02:58 2024-12-18 17:30:10 123.docx 2024-12-18 17:03:38 2024-12-18 17:30:10 143.docx 2024-12-18 18:06:19 Pending I want to avoid join.
... View more
12-18-2024
06:40 PM
I am trying to track file transfers from one location to another. Flow: Files are copied to File copy location -> Target Location Both File copy location and Target location logs are in the same index but each has it own sourcetype. File copy location events has logs for each file but Target location has a logs which has multiple files names. Log format of filecopy location: 2024-12-18 17:02:50 , file_name="XYZ.csv", file copy success 2024-12-18 17:02:58, file_name="ABC.zip", file copy success 2024-12-18 17:03:38, file_name="123.docx", file copy success 2024-12-18 18:06:19, file_name="143.docx", file copy success Log format of Target Location: 2024-12-18 17:30:10 <FileTransfer status="success> <FileName>XYZ.csv</FileName> <FileName>ABC.zip</FileName> <FileName>123.docx</FileName> </FileTransfer> Desired result: File Name FileCopyLocation Target Location XYZ.csv 2024-12-18 17:02:50 2024-12-18 17:30:10 ABC.zip 2024-12-18 17:02:58 2024-12-18 17:30:10 123.docx 2024-12-18 17:03:38 2024-12-18 17:30:10 143.docx 2024-12-18 18:06:19 Pending Since events are in the same index and more events I do not want use join.
... View more
12-22-2023
01:13 PM
@dtburrows3 We are so close. Actually I did not mention about the error. The logs looks like this: ----error in checking status-------- ----Person Name: abcd, Status=active--------- -----Check for Status------ ------success : true-------- -----Start Processing XXX---------- So I want to get the Person name for only "error in checking status"
... View more
12-20-2023
08:31 AM
I want to get the result of the next line of the log message when I encounter a key word. Example log: ----error in checking status-------- ----Person Name: abcd, Status=active--------- -----Check for Status------ ------success : true-------- -----Start Processing XXX---------- ----Person Name: abcd, Status=active--------- -----Check for Status------ ------success : true-------- -----Start Processing XXX---------- ----Person Name: abcd, address:yzgj--------- -----Check for Person------ ------success : true-------- -----Start Processing XXX---------- In the above log I want to capture the person name after the "Check for Person". The log is indexed by _time. I want to display the following result: _time Process Person Name XXX abcd I don't want to use map or transactions as those are expensive as there are lot of events. Thank you for the help.
... View more
Labels
- Labels:
-
field extraction
-
fields
-
join
-
subsearch
-
transaction
06-10-2023
05:44 PM
I also see for some file received the file name is: PD0018MM-220385-20230609211505.20230609211740-success.csv How to modify so that the filename is extracted as PD0018MM-220385-20230609211505 | rex field=fullfilename "(?<filename>\S+)(?<event>\.pdf|\-success\.csv)$" Also how display "Pending" if no corresponding file_received for the file_sent?
... View more
06-10-2023
11:41 AM
I want to correlate across two lists and display the results. Log data: 06/10/2023 05:04:12 ACMIUY-6500-2345-20230610050412.pdf 06/10/2023 05:05:12 ACMIUY-6500-2345-20230610050412-success.csv 06/10/2023 07:14:22 DCCOUB-86895-20230610071422.pdf Note: The data is in the same index and I don't want to use join mysearch | stats list(file_sent) list(file_received) list(sent_time) list(received_time) Sent Time File_Sent Received Time File_Received Elapsed_time 06/10/2023 05:04:12 ACMIUY-6500-2345-20230610050412.pdf 06/10/2023 05:05:12 ACMIUY-6500-2345-20230610050412-success.csv 00:01:00 06/10/2023 07:14:22 DCCOUB-86895-20230610071422.pdf Pending Pending -
... View more
Labels
- Labels:
-
stats
01-15-2019
05:25 PM
1 Karma
In Splunk Enterprise I have alerts. Now I want to create Servicenow incidents by adding the alert action using ITSI Notable Events.
Following are my questions:
Whether the above approach is doable ( assuming that all required apps are in-place and configurations complete and working)
Is it possible to create an incident by sending all the ServiceNow field's value? Is this out of the box? I am sure it is not. Because I can only see few basic fields.
What needs to be done to pass all the values to ServiceNow? I want to populate all the field's values in a ServiceNow incident. Do i need to change the .py (not able to remember the name)?
The existing Splunk alert has all the values (including resolution etc.). Currently it is a manual effort of copy and paste in the ServiceNow incident which I want to automate.
... View more
12-04-2018
04:25 AM
Thanks, but my question is not to filter out. I am able to match the holiday, but not able to suppress alert on holidays.
Format of holidays.csv
Date. description
12/25/2018 Christmas
... View more
12-03-2018
06:00 PM
I want to supress splunk alert during holidays.
I have a holidays.csv lookup.
For example: my search is like below:
index=abc sourcetype=something "look for events"
in the alert condition- if the record count is less than 3 then i trigger the alert.
I don't want to trigger this alert on a holiday when it runs ( the record count will be 0) it will fire a false alert.
and i want to retain the search and condition because during the business day i want it to fire if it returns less than 3.
Also I have another alert which fires has to suppressed holiday+1 day with the same condition as above.
Any suggestions?
... View more
08-01-2017
06:06 PM
I trying figure out what is the best search query for reporting on the count of different unique status.
Following is the records:
ID NAME STATUS LASTUPDATEDTIME
1 Group1 Started 12:15
1 Group1 Processing 12:30
1 Group1 Transfering 12:45
1 Group1 Completed 1:06
2 Group1 Started 12:17
2 Group1 Processing 12:32
2 Group1 Transfering 12:46
3 Group1 Started 12:55
When I try | stats count by STATUS - it does give me the correct numbers.
I am looking for the result:
Started - 1
Completed - 1
Transferring - 1
I want to report count of last Status.
Thank you.
... View more
06-18-2017
02:27 PM
Yes!! No doubt you are an Expert! Thank you!
... View more
06-17-2017
02:25 PM
Experts - Any thoughts?
The event is sometimes 20000 or more and appears in the search. But field values does not shows up (if it is above the 10000) or truncates ( when in the 10000 borderline). Is this limitation of splunk?
... View more
06-16-2017
05:31 AM
Splunk Enterprise 6.5.2
... View more
06-16-2017
03:47 AM
It is not the truncation of event, the field/keyword is present in the event but not searchable.
Is there a limitation to search for a keyword if it is located beyond 10000? I consistently see that in my search results that if I search for a field which is located beyond 10000 it is not able to locate it, whereas if the same filed is located before 10000 then it is able to locate. I am sure that there is limitation because when I search for the keyword/field the value is returned truncated. Whereas when i copy the whole event into an editor and search the keyword/field it is present. I see this truncation/no results if the keyword/field values are located beyond 10000.
... View more
06-15-2017
06:59 PM
I am searching on an event with has on an average 25000 - 30000 characters. When I search on the auto extracted fields or regex extracted fields I do not get results for the field value as it is not matching. I think there is a limit for search on the events.
For example:
index=test status=true is returning incorrect match results.
It returns the events if status=true is within first 10000 characters of the event otherwise it does not.
Is there a limit and how this can be changed? Any index specific change or any search keyword can overcome this?
... View more
06-04-2017
10:05 PM
@woodcock Thanks.I am able to get around the _time to limit the events. I will incorporate your suggestions. But the main issue is getting to the assignment_groups . Your query of counting the assignment group will not work out as assignment groups change dynamically.
I have made some progress and almost there:
index=snow
| eval dv_opened_at=strptime(dv_opened_at, "%Y-%m-%d %H:%M:%S")
| sort 0 - _time
| eval trackingStr=_time."__".assignment_group_name
| fields _time trackingStr
| stats values(trackingStr) as trackingStr by number
| sort 0 -number
| eval track1= if(match(trackingStr,"Service Desk"1,0)
| where trackstr = 1
| eval last = mvindex(trackingSTR, -1)
|eval final = if(match(last,"Service Desk),1,0)
| where final = 1
The above shows the last assignment to Service Desk . I need your expert advice if the search query can be fine tuned. I will still need to validate if my numbers match with SN.
@rmarcum - Is your query similar to this to calculate the opened incidents?
... View more
06-04-2017
05:42 PM
After struggling for almost two weeks, I concede that I lack the skill in getting the results. Following is the query I have come up but it is not providing me the results for opened incidents for assignment_group_name - device desk .
Index=snow | deduplication dv_sys_id
| eval dv_opened_at=strptime(dv_opened_at, "%Y-%m-%d %H:%M:%S")
| sort 0 - _time
| eval trackingStr=_time."__".assignment_group_name
| fields _time trackingStr
| stats values(trackingStr) as trackingStr values(number) as number
| eval track1= mvfilter(match(trackingStr,"Service Desk"))
| table track1
I am not able to figure out how I can find the incidents handled by service desk.
... View more
06-01-2017
08:47 AM
Thanks for you detailed reply. I have a basic question.
index=x assignment_group_name="ServiceDesk" | ...| stas ...
Will this above query to restrict only servicedesk eliminate other assignments groups?. I am trying to restrict the results so that I can work with smaller dataset. For example, if a ticket is assigned to some x group and then assigned to ServiceDesk will the above query catch it. Alternatively, if the ticket is assigned to ServiceDesk and then reassigned to some other group will it also be in the results? I want to be sure if my base query for the search is alright before proceeding on your excellent logic/approach.
... View more
06-01-2017
04:02 AM
With your help I am able to restrict the results for a given month, I am still struggling to find a solution for the assignment_group_name. If I am search for tickets for ServiceDesk how can I accomplish. I am using transaction to group the incident by sys_id and get the last assigned group using mvlist.
.... Assignment_group_name="ServiceDesk" | transaction sys_id mvlist=assignment_group_name | eval last_assign = mvindex(assignment_group_name, 0) .....
This does not take in to account a scenario where service desk is assigned intially but reassigned to some other group. Is there a way to iterate through and eliminate the results and take only results which ends with the "ServiceDesk"?
... View more
