Hello Splunk Gurus I need help with the following. I am sure it is pretty simple command but my head stopped working. i have the following search that brings up the total logon count in 1month span in table format for the last 2 months. How do i create a chart or timechart from this? (total number of logons by each month) Message="An account was successfully logged on." | bucket _time span=30d | search Message="An account was successfully logged on." AND Source_Port="0"|stats count(Message) AS "Total_Logon_Count" by _time | convert timeformat="%B %d %Y" ctime(_time) | rename _time AS Date |table Date Total_Logon_Count thanks in advance for all the help! ... View more

I have a really weird problem. I have 3 users that cannot see the results on a dashboard that i've created, it says "No results found". When I click on open in search and run it there the results come in. I looked into job, inspect and cannot find anything that why this is happening. When I inspect the job this is what I get: This search has completed and found 594 matching events. However, the transforming commands in the highlighted portion of the following search: search index="pas" host="pa1pv" Name="C:" OR Name="D:" OR Name="E:" OR Name="P:" FreeSpace | eval DiskFreeSpace = round((FreeSpace/1024/1024/1024), 2) | eval DiskSpace = round((Size/1024/1024/1024),2) | rename Name AS Disk host AS Host | table Host,Disk,DiskSpace,DiskFreeSpace | dedup Disk over the time range: 5/28/18 11:00:00.000 AM – 5/29/18 11:43:24.000 AM generated no results. Possible solutions are to: check the syntax of the commands verify that the fields expected by the report commands are present in the events The following messages were returned by the search subsystem: INFO: No matching fields exist. User has the same privileges as me and by the way the highlighted part is | table Host,Disk,DiskSpace,DiskFreeSpace | dedup Disk Next I decided to take the source code for the dashboard and created the same dashboard with a different name but this time i had the user create the dashboard, and the result was the same. Then i thought maybe there is a problem with extractions, so I found another dashboard with no extractions on it and had the user create the same dashboard and still issue was there. When the user goes to dashboard, it gets "No results found" but when opening the same dashboard search from search, the results come in. And for the failing dashboards when I look into jobs, it is always the same error as above and usually the error is in table command. Next, I looked into search log for the query that runs under jobs and I looked for Error and the only difference that I can find from the logs between the same job that I ran and the user ran is below: ERROR SearchResultsWriter - Unable to open output file: path=C:\Program Files\Splunk\var\run\splunk\dispatch\_dmVlcmFuamFuZXl1bHUubWFra2VuYS5jd0BjYXJseWxlLmNvbQ_dmVlcmFuamFuZXl1bHUubWFra2VuYS5jd0BjYXJseWxlLmNvbQ__search__search1_1527608604.658154\prereport_99d3ce4676a3f904_0.csv.gz.ED59C342-22E5-470D-B6C0-89CD922229FB.tmp error=The system cannot find the path specified. But then when I search this error on the web it talks about character limit etc which does not apply to me. Like I said the user has the same access as I have and if he didn't he wouldn't be able to see the dashboards or antyhing Our Environment is AD auth integrated. I know that it will be very hard to pinpoint the issue here, but I am curious to see if anyone had a similar issue like I have and know where to look or know of any other additional troubleshooting steps that I need to perform. Thanks ... View more

Hi there, I am pulling physical disk info and just putting it in Dashboard. I want DiskFreeSpace field to be colored automatically depending on the value. Is this possible? Splunk Version 6.2.3 Splunk Build 264376 Here is what I have setup so far. |eval DiskFreeSpace=round((FreeSpace/1024/1024/1024),2)|eval DiskSpace=round((Size/1024/1024/1024),2)|rangemap field=DiskFreeSpace blue=10-60 red=0-9 |rename Name AS Disk host AS Host|table Host Disk DiskSpace DiskFreeSpace|dedup Disk I even added this to my source code range Thanks for the help ... View more

Hi, i do have a simple dashboard with 1 time 2 dropdown panels.i will also attach my source code so i hope that helps. i am looking into iis log files and looking into cs_referer field a;ong with cs_username and using eval i am creating an Time field where it hows the time_taken for that page and corresponding user. what i am tyring to achieve is that i want to populate users dynamically for each environment i have.what i have setup so far is environment field user field and condition field which is basically giving me option to select low high medium etc(low =0 -50 sec,high 60=300 secs etc)these fields are all static which i have populated.how can i achieve this? i think the user dropdown will be dependent on the environment dropdown so when i select qa or prod it will only bring users(AD AUTHENTICATED) for those environments.or,is it possible to get all the users for each environment in csv and create a lookup?i've never done that so not sure how that would work. i am just looking for ideas on how to achieve this if its possible Thanks Here is my source code ... View more

Hi, I have a simple search that brings up the total count of logons in a day but I want the time part to say April,16,17,18 and so on instead of 2018-04-16 00:00:00. How can one achieve that? ... View more

Hi, i've asked this question before and never got it to work.maybe it was my fault that i was not clear on what i wanted to accomplish. i am forwarding windows system logs.i have a service called "RS word processing service" where it starts and stops thru out the day.but as you can see from the logs as well the recovery time is quick.the problem is when the srevice stops and does not recover/start in timely manner, such as the one highlighted in the attached screenshot.from the logs i know that the recovery time is less than less than 5 seconds when it stopped,so it will start back up in 5 seconds.i hope it is clear up to this point. what i am trying to achieve is to get only the result/results where the time between stop and start is more than a minute or 2 and based on that set an alert.is this possible?can anyone help me with this? ... View more

Hi there, I know there is an answer related to my question but I don't understand it. I already have this sourcetype in my forwarder inputs file and this is the original post. https://answers.splunk.com/answers/578392/field-extraction-issue-on-events-with-no-sourcetyp.html Splunk Version 6.2.3 Splunk Build 264376 I have extracted some fields and here is my search: index=pas host=pa5pv sourcetype=ProxyService | transaction startswith="Saving changes to Deal*" endswith="error" maxevents=25| rex "Saving changes to Deal: (?.*)" | rex "ERROR FundAccounting.* - (?.*)"|rename host AS Host _time AS Time|convert timeformat="%Y/%m/%d-%H:%M:%S" ctime(Time)| search Exception_Message>0|table Host,Company,Exception_Message,Time I get the exact results that I want but my left hand navigation side is empty and only visible item is "Extract new fields" and when I click on it I get an error message. The events associated with this job have no sourcetype information: 1522944752.672061 I am lost, is there something wrong with my query? Any help is appreciated. ... View more

Hi all, I am trying to understand how to use and implement tokens in email alerts. Before asking the question I tried reading the document and apply it to my search with trial and error but no luck. Unfortunately, I find the documentation not very helpful. I am the kind of person who finds it easier to understand a concept when someone shows me with an example. It is just the way I am:) and I hope someone can explain it to me in a way they explain to someone with no knowledge. There is no shame in asking:) and I hope this will help a lot of people at my level to understand this concept. Thanks for all the help in advance my query is really simple. host=pa01 sourcetype="WMI:LocalPhysicalDiskInfo" Name="C:"|eval FreeSpace = round((FreeSpace/1024/1024/1024),2)| eval Size = round((Size/1024/1024/1024),2)|table host,Name,Size,FreeSpace|dedup Name|search FreeSpace<157 If my c drive is less than certain amount I will get an email alert. I can manually set the fields in edit for the alert and which would be fine, but for learning purposes, I would like to populate the subject field and message body with tokens if possible. In documentation it says "Splunk Alert: $name$" in the subject field, so for someone who's never used tokens before I tried replacing "$name$" with "$host$" since I have that field in my search and when alert triggered, I got the email but that field was blank in subject line. So basically, I wanted to get " Splunk Alert: search results from pa01" appear in the subject line. I tried "$results.host$" that did not work documentation talks about using results, action, server and bunch of other tokens. what are they?The documentation talks about it and gives a bunch of examples but NONE OF THEM simplifies it why can't they explain it in a way that so people like myself can understand it? For the message body I tried using the below; "The alert condition for '$host$' was triggered.Disc space is at $results.FreeSpace$ GB" I basically used the same logic from above since I have those fields in my search result. I guess, once I understand how this all works, I can apply the same logic to other fields. I started using Splunk almost 3 or 4 months ago, and if it wasn't for this forum I would be completely lost. Thank you all for what you do. ... View more