Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About dariusz_kwasny
dariusz_kwasny
Explorer
Member since:
09-04-2012
11-03-2021
Community Statistics
| Posts | 11 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 2 |
| Member Since | 09-04-2012 |
Activity Feed
- Got Karma for Re: Non-enforcement license and license expiration. 06-05-2020 12:49 AM
- Karma Re: Alternative to mvexpand in order to count values in multi-value field? for MuS. 06-05-2020 12:46 AM
- Got Karma for Re: sum the number of events based on list of possible values. 06-05-2020 12:46 AM
- Posted Twilio SMS Alerting - Error: Module six was already imported on All Apps and Add-ons. 06-12-2019 11:50 PM
- Tagged Twilio SMS Alerting - Error: Module six was already imported on All Apps and Add-ons. 06-12-2019 11:50 PM
- Tagged Twilio SMS Alerting - Error: Module six was already imported on All Apps and Add-ons. 06-12-2019 11:50 PM
- Posted Re: Non-enforcement license and license expiration on Splunk Enterprise. 04-26-2018 09:58 AM
- Posted Non-enforcement license and license expiration on Splunk Enterprise. 04-26-2018 02:32 AM
- Tagged Non-enforcement license and license expiration on Splunk Enterprise. 04-26-2018 02:32 AM
- Tagged Non-enforcement license and license expiration on Splunk Enterprise. 04-26-2018 02:32 AM
- Posted Re: groupby and ends with value andcount on Splunk Search. 09-30-2016 12:44 AM
- Posted Re: Simple searching by extracted field doesn't work on Splunk Search. 11-21-2014 07:30 AM
- Posted Re: Simple searching by extracted field doesn't work on Splunk Search. 11-21-2014 07:26 AM
- Posted Re: Simple searching by extracted field doesn't work on Splunk Search. 11-21-2014 01:20 AM
- Posted Simple searching by extracted field doesn't work on Splunk Search. 11-20-2014 05:53 AM
- Tagged Simple searching by extracted field doesn't work on Splunk Search. 11-20-2014 05:53 AM
- Posted Re: Field Extraction using regex command on Splunk Search. 08-13-2013 12:49 AM
- Posted Re: sum the number of events based on list of possible values on Splunk Search. 07-29-2013 10:59 AM
- Posted Re: Can't index new data..? :S on Getting Data In. 07-24-2013 02:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
06-12-2019
11:50 PM
Hello,
I've configured alert with "Twilio SMS Alerts" action. The alerts are triggered but there are some twilio errors and SMS messages are not sent. The error message is:
ERROR sendmodalert - action=twilio STDERR - /opt/splunk/etc/apps/twilio_alert/bin/pytz-2015.4-py2.7.egg/pytz/__init__.py:29: UserWarning: Module six was already imported from /opt/splunk/lib/python2.7/site-packages/six.pyc, but /opt/splunk/etc/apps/twilio_alert/bin/six-1.9.0-py2.7.egg is being added to sys.path
and final error message:
ERROR sendmodalert - action=twilio - Execution of alert action script failed
Does anybody have an idea how could I resolve this issue?
... View more
04-26-2018
09:58 AM
1 Karma
There is no information in documents you've mentioned about how Splunk will behave when the non-enforcement license expires. There is only information what happen in case of five warning during 30 days.
Could you tell me how do you know that Splunk disable searching when non-blocking enterprice license espires?
... View more
04-26-2018
02:32 AM
Hi,
I'm looking for information how Splunk 7.0 will behave when Non-enforcement enterprise license expires.
Specifically I would like to know if Splunk allows users to keep searching as in the case of acquiring five warnings in a 30 day window.
... View more
09-30-2016
12:44 AM
If this is a multivalue field you can use this spl query:
yoursearch | eval onprem=mvcount(mvfilter(match(yourfield,"^.+_onprem"))) | eval aws=mvcount(mvfilter(match(yourfield,"^.+_aws")))
best
Darek
... View more
11-21-2014
07:30 AM
sorry, I've made mistake it should be:
[app_portal_antivirus_scan]
search = index=app_portal sourcetype=app_portal_systemout AntivirusScan
priority = 1
... View more
11-21-2014
07:26 AM
In the eventtype.conf file I have:
[app_portal_antivirus_scan]
search = index=app_portal sourcetype=portal_app_systemout AntivirusScan
priority = 1
... View more
11-21-2014
01:20 AM
My sourcetype name is app_portal_systemout
Search:
sourcetype=app_portal_systemout eventtype=app_portal_antivirus_scan
returns expected events.
Search:
sourcetype=app_portal_systemout
also retrus expected events and I can see scan_result field in the "interesting fields" view.
Search:
eventtype=app_portal_antivirus_scan | rex "Scanning result: (?\d+)"
works perfectly. I have scan_result field.
But still I can't search by scan_result field. Searches:
sourcetype=app_portal_systemout scan_result=*
or
eventtype=app_portal_antivirus_scan scan_result=*
don't work despite the fact that they are on "interesting fields" list.
I attach field extraction to eventtype because the log file includes lines formatted in different ways and it dont make sense to perform extraction on each line of the log.
... View more
11-20-2014
05:53 AM
Hello,
I have following field extraction and eventtype related definitions:
In props.conf:
[eventtype::app_portal_antivirus_scan]
REPORT-scan-result = app-portal-scan-result
In transforms.conf:
[app-portal-scan-result]
REGEX = Scanning result: (?<scan_result>\d+)
I search events with query (from search app):
eventtype=app_portal_antivirus_scan
and I have expected results. I can see scan_result field in interesting field view. And it has values. Everything seems to be ok.
But when I try search using query:
eventtype=app_portal_antivirus_scan scan_result=*
there is no events displayed. I see message "No results found"
The strange thing is that when I use query:
eventtype=app_portal_antivirus_scan | search scan_result=*
expected events are displayed.
Why query
eventtype=app_portal_antivirus_scan scan_result=*
doesn't work but
eventtype=app_portal_antivirus_scan | search scan_result=*
works perfectly.
How can I search by scan_result field.
... View more
- Tags:
- field-extraction
08-13-2013
12:49 AM
You use ':' character as the field separator. And you have no ':' character after 'Exception:' in events number 2 and 3 therefore they don't much the ":" at the end of your regexp.
... View more
07-29-2013
10:59 AM
1 Karma
Let's assume you have your list of possible values in the lookup named message_id_lookup, your events sourceytpe is named messages and you have the message_id field in your events ant the lookup file looks like that:
message_id
value1
value2
value3
value4
value5
value6
Then, you can use following search:
| inputlookup message_id_lookup
| stats count by message_id
| eval count=count-1
| append [search sourcetype=messages | stats count by message_id ]
| stats sum(count) by message_id
To raise an alert if the message_id doesn't appear in your events you can define the saved search:
| inputlookup message_id_lookup
| search NOT [search sourcetype=messages | dedup message_id | fields message_id]
Then build the alert on this search.
... View more
07-24-2013
02:47 AM
Try to add index=* at the beggining of your search. By default, Search App is searching default index only. Maybe, somehow, your events went to different index.
... View more
