Activity Feed
- Posted Splunk Integration with Umbrella: Problem to show the data on Splunk Search. 12-29-2020 11:27 AM
- Posted Re: Search with three Index with different fields on Getting Data In. 06-12-2020 04:50 PM
- Posted Search with three Index with different fields on Getting Data In. 06-12-2020 04:35 PM
- Tagged Search with three Index with different fields on Getting Data In. 06-12-2020 04:35 PM
- Posted Re: Use stat with two different Index with different fields name to define on Getting Data In. 06-12-2020 09:45 AM
- Posted Use stat with two different Index with different fields name to define on Getting Data In. 06-12-2020 08:44 AM
- Posted Re: Splunk Use multiple index in a same search on Getting Data In. 06-10-2020 04:49 PM
- Karma Re: Splunk Use multiple index in a same search for greg_kollias. 06-10-2020 04:49 PM
- Posted Re: Splunk Use multiple index in a same search on Getting Data In. 06-10-2020 03:01 PM
- Posted Re: Splunk Use multiple index in a same search on Getting Data In. 06-10-2020 02:51 PM
- Posted Splunk Use multiple index in a same search on Getting Data In. 06-10-2020 12:04 PM
- Karma Re: LINE_BREAKER with INDEXED_EXTRACTIONS does not work for richgalloway. 06-05-2020 12:51 AM
- Posted Re: LINE_BREAKER with INDEXED_EXTRACTIONS does not work on Getting Data In. 06-04-2020 11:55 AM
- Posted Re: LINE_BREAKER with INDEXED_EXTRACTIONS does not work on Getting Data In. 06-04-2020 08:18 AM
- Posted Re: LINE_BREAKER with INDEXED_EXTRACTIONS does not work on Getting Data In. 06-04-2020 08:18 AM
- Posted Re: LINE_BREAKER with INDEXED_EXTRACTIONS does not work on Getting Data In. 06-04-2020 07:31 AM
- Posted Re: LINE_BREAKER with INDEXED_EXTRACTIONS does not work on Getting Data In. 06-04-2020 06:22 AM
- Posted LINE_BREAKER with INDEXED_EXTRACTIONS does not work on Getting Data In. 06-03-2020 11:53 PM
- Tagged LINE_BREAKER with INDEXED_EXTRACTIONS does not work on Getting Data In. 06-03-2020 11:53 PM
- Tagged LINE_BREAKER with INDEXED_EXTRACTIONS does not work on Getting Data In. 06-03-2020 11:53 PM
12-29-2020
11:27 AM
Hello Splunk Forum TEAM,

I have a question related to the integration: right now I receive the information without problems, but when I try to check it in a search I can't find any log. Here is where we use the scripts to pull data and delete it after 30 days.

----------
5. In $SPLUNK_HOME/etc/apps/TA-cisco_umbrella/local/inputs.conf create the following stanzas. Make sure you change the path and index in the monitor stanza if necessary!

[script://./bin/pull-umbrella-logs.sh]
disabled = 0
interval = 300
index = _internal
sourcetype = cisco:umbrella:input
start_by_shell = false

[script://./bin/delete-old-umbrella-logs.sh]
disabled = 0
interval = 600
index = _internal
sourcetype = cisco:umbrella:cleanup
start_by_shell = false

[monitor:///opt/splunk/etc/apps/TA-cisco_umbrella/data/dnslogs/*/*.csv.gz]
disabled = 0
index = opendns
sourcetype = opendns:dnslogs

6. Verify data is coming in and you are seeing the proper field extractions by searching the data.
Example Search: index=awsindexyouchose sourcetype=opendns:dnslogs
Note: You can look for script output by searching: index=_internal sourcetype=cisco:umbrella*
----------

But when I try to run the following search:
index=_internal sourcetype=cisco:umbrella*
I don't retrieve data.
06-12-2020
04:50 PM
My problem is: CreatedDate>2020-05-30 Sorry all and thanks!!! 🙂
06-12-2020
04:35 PM
Hello Splunk TEAM,

I have a question about my searches in Splunk. I have 3 indexes and I want to search and compare some information. But when I do my search, Tiempo_Ejecutado is wrong and I don't know what happened!

(index="inlooxtt" StatusName!=Completed StatusName!=Cancelled PerformedByName!=Donado* CreatedDate>2020-05-30 ProjectName!="Capac* General" ProjectName!="Preventas*")
OR (index="inlooxtasks" ProjectStatusName!=Completed ProjectStatusName!=Cancelled ContactDisplayName!=Donado* ContactDisplayName!="null" ProjectName!="Capac* General" ProjectName!="Preventas*")
OR (index="inlooxprojects" StatusName!="Completed" StatusName!="Cancelled" StatusName!="Pausado" IsRecycled!="true" FirstTeamMember!="Inloox - Alejandro Donado (deleted)" Name!="Capacit* General" Name!=Preventas*)
| eval Proyectos=coalesce(ProjectName, Name)
| eval Tiempo_Ejecutado=(DurationMinutes/60), Tiempo_Planeado=WorkAmount, Tiempo_Vendido=Ventas
| stats dedup_splitvals=true sum(Tiempo_Ejecutado) as Tiempo_Ejecutado, sum(Tiempo_Planeado) as Tiempo_Planeado, sum(Tiempo_Vendido) as Tiempo_Vendido by Proyectos
| eval Tiempo_Ejecutado=round(Tiempo_Ejecutado,2)
| eval Tiempo_Planeado=round(Tiempo_Planeado,2)
| sort Proyectos

Index1 have ProjectName
Index2 ProjectName
Index Name

Thanks ALL!
Tags: fields
06-12-2020
09:45 AM
Hello @richgalloway, it's working!!! Thank you!!!!!!! 😁
06-12-2020
08:44 AM
Hello Splunk TEAM,

I have a problem with my search because I use two different indexes, and the data which I want to compare is different when I want to define it by a field. For example, I have two indexes: in one I have ContactByName and in the other index I have PerformedByName. In the two fields I have the same data, but when I want to compare the data in that information I can't. I tried to rename ContactByName as PerformedByName to do my search again, but it is not a good idea.

I have this right now:

(index="inlooxtt" StatusName!=Completed StatusName!=Cancelled PerformedByName!=Donado* CreatedDate>2020-05-30 ProjectName!="Capac* General" ProjectName!="Preventas*")
OR (index="inlooxtasks" ProjectStatusName!=Completed ProjectStatusName!=Cancelled ContactDisplayName!=Donado* ContactDisplayName!="null" ProjectName!="Capac* General" ProjectName!="Preventas*")
| rename ContactDisplayName as PerformedByname
| eval Tiempo_Ejecutado=(DurationMinutes/60), Tiempo_Planeado=WorkAmount
| stats dedup_splitvals=true sum(Tiempo_Ejecutado) as Tiempo_Ejecutado, sum(Tiempo_Planeado) as Tiempo_Planeado by PerformedByname

But I have this: the Tiempo_Ejecutado didn't appear 😞

Thanks all
Tags: rename
Labels: indexer
06-10-2020
04:49 PM
I tried this because we need the position of the indexes.

(index="inlooxtt" StatusName!=Pausado StatusName!=Completed StatusName!=Cancelled PerformedByName!=Donado* )
OR (index="inlooxtasks" ProjectStatusName!="Paused" ProjectStatusName!="Completed" ProjectStatusName!="Cancelled" ContactDisplayName!=Donado* ContactDisplayName!="null")
| rename ProjectName as Proyectos
| eval Tiempo_Ejecutado=(DurationMinutes/60), Tiempo_Planeado=WorkAmount
| stats dedup_splitvals=true sum(Tiempo_Ejecutado) as Tiempo_Ejecutado, sum(Tiempo_Planeado) as Tiempo_Planeado by Proyectos
| eval Tiempo_Ejecutado=round(Tiempo_Ejecutado,2)
| sort Proyectos

But the solution is the OR. Thanks for all!
06-10-2020
03:01 PM
Hello, it's not the same query; we have 2 different indexes, Inlooxtt and Inlooxtasks. Thank you
06-10-2020
12:04 PM
Hello Splunk Team,

I have a question about appendcols. When I try to use two indexes to compare some information, I get the information in different orders, not in the same order to compare the values.

SEARCH
index="inlooxtt" StatusName!=Paused StatusName!=Completed StatusName!=Cancelled PerformedByName!=Donado*
| eval Horas=(DurationMinutes/60)
| stats dedup_splitvals=true sum(Horas) as Tiempo by ProjectName
| eval Tiempo=round(Tiempo,2)
| rename Tiempo as Tiempo
| sort ProjectName
| appendcols
    [search index="inlooxtasks" ProjectStatusName!=Paused ProjectStatusName!=Completed ProjectStatusName!=Cancelled ContactDisplayName!=Donado* ContactDisplayName!="null"
    | eval Horas2=(WorkAmount)
    | stats dedup_splitvals=true sum(Horas2) as Tiempo2 by ProjectName
    | rename ProjectName as Proyecto2
    | eval Tiempo2=round(Tiempo2,2)
    | sort Proyecto2]

What can I do to solve my problem? I will show what happens. I want to have all my data in order to do an exact data comparison.

Thanks all!!
Labels: index
06-04-2020
11:55 AM
Hello,
Really, thanks for your help, you helped me fix my issue!!
But when I have all my data correct, the first event and the last one continue appearing with problems.
Only two events: the first and the last.
I will show you.
https://ibb.co/zrHfJrG
and
First event.
https://ibb.co/cwV3qGD
06-04-2020
08:18 AM
https://ibb.co/kh2gRrJ
06-04-2020
08:18 AM
Well, I really don't understand what happened. I changed my LINE_BREAKER to }(,){ and I think everything works correctly. Look.
Can you explain to me what happened, why only this change fixed it?
06-04-2020
07:31 AM
Where I need to add this in props.conf??
Sorry for ask this 😞
06-04-2020
06:22 AM
How do I use spath? I'm so new to Splunk, can you explain it to me please?
06-03-2020
11:53 PM
Hello Splunk TEAM,
I have a question.
I have this data:
{
"@odata.context":"https://app.inlooxnow.de/odata/$metadata#workpackageview","value":[
{
"PlanningReservationId":"5345345","DoneDate":null,"WorkAmount":261.0,"IsDone":false,"Name":"Informaci","StartReminderDateTime":null,"EndReminderDateTime":null,"ProjectId":"4d7a-8fb1-b69918c35e25","ContactId":null,"ChangedDate":"2017-10-24T13:51:03.277Z","CreatedDate":"2017-09-04T14:16:31.147Z","PositionNumber":0,"CardPositionNumber":0,"PositionOrderedByContact":null,"PlanningId":null,"GroupId":"76879d8a-482b-b17d-4d0cb8eee218","CreatedByContactId":"b-85a6-4af8-a7b2-ca8dc38cd601","WorkPackageStartDateTime":null,"WorkPackageEndDateTime":"2017-10-17T23:00:00Z","IsBillable":true,"IsBilled":false,"CostPerHour":null,"SecondaryCostPerHour":null,"CustomColor":null,"IsRead":true,"AssignedByContactId":null,"HasStartDate":false,"HasEndDate":true,"StartDateTime":null,"EndDateTime":"2017-10-17T23:00:00Z","PlanningReservationStatusName":"To do","PlanningReservationStatusId":"263d4762-dc54-46ec-95a7-36391f9ef4b5","MindMapNodeId":null,"PlanningTypeId":null,"Location":null,"PSPCode":null,"ColorFlag":null,"PlanningCustomColor":null,"PlanningProgress":null,"CalendarId":null,"ConstraintType":null,"ConstraintDate":null,"DurationTicks":null,"PlanningStartDateTime":null,"PlanningEndDateTime":null,"IsFixed":null,"IsMilestone":null,"IsGrouping":null,"IsCollapsed":null,"IsCritical":null,"PlanningSnapshotId":null,"OriginalPlanningId":null,"IsProjectGrouping":null,"IsVIP":null,"PlanningPositionNumber":null,"DisplayName":null,"ParentPlanningId":null,"ProjectName":"Hospital","ProjectNumber":"1257","Priority":1,"FirstManager":"pepe raul","FirstTeamMember":"Inloox - 
Heremias","FirstCustomer":null,"FirstPartner":null,"FirstAdditionalContact":null,"ComputedProgress":100.0,"IsEndDateFixed":false,"IsRecycled":false,"IsArchived":true,"IsRequest":false,"ProjectImageId":"2b797791-ccb5-490b-9939-2dfda829f3f4","ClientName":"hospitalo","ClientNumber":"0114","ProjectStatusName":"Completed","ProjectStatusProgress":100,"DivisionName":null,"ContactName":null,"FirstName":null,"LastName":null,"ContactDisplayName":null,"ContactImageId":null,"AssignedByDisplayName":null,"AssignedByImageId":null,"GroupName":"Preventa","WorkpackagePredecessorDone":null,"AllWorkpackagePredecessorDone":null,"CustomExpand@odata.navigationLink":"https://app.inlooxnow.de/odata/workpackageview(50c9fca1-b316-4b96-abb6-0018d1a58c61)/CustomExpand","DocumentObjectRelation@odata.navigationLink":"https://app.inlooxnow.de/odata/workpackageview(50c9fca1-b316-4b96-abb6-0018d1a58c61)/DocumentObjectRelation"
},{
PlanningReservationId":"5345345","DoneDate":null,"WorkAmount":261.0,"IsDone":false,"Name":"Informaci","StartReminderDateTime":null,"EndReminderDateTime":null,"ProjectId":"4d7a-8fb1-b69918c35e25","ContactId":null,"ChangedDate":"2017-10-24T13:51:03.277Z","CreatedDate":"2017-09-04T14:16:31.147Z","PositionNumber":0,"CardPositionNumber":0,"PositionOrderedByContact":null,"PlanningId":null,"GroupId":"76879d8a-482b-b17d-4d0cb8eee218","CreatedByContactId":"b-85a6-4af8-a7b2-ca8dc38cd601","WorkPackageStartDateTime":null,"WorkPackageEndDateTime":"2017-10-17T23:00:00Z","IsBillable":true,"IsBilled":false,"CostPerHour":null,"SecondaryCostPerHour":null,"CustomColor":null,"IsRead":true,"AssignedByContactId":null,"HasStartDate":false,"HasEndDate":true,"StartDateTime":null,"EndDateTime":"2017-10-17T23:00:00Z","PlanningReservationStatusName":"To do","PlanningReservationStatusId":"263d4762-dc54-46ec-95a7-36391f9ef4b5","MindMapNodeId":null,"PlanningTypeId":null,"Location":null,"PSPCode":null,"ColorFlag":null,"PlanningCustomColor":null,"PlanningProgress":null,"CalendarId":null,"ConstraintType":null,"ConstraintDate":null,"DurationTicks":null,"PlanningStartDateTime":null,"PlanningEndDateTime":null,"IsFixed":null,"IsMilestone":null,"IsGrouping":null,"IsCollapsed":null,"IsCritical":null,"PlanningSnapshotId":null,"OriginalPlanningId":null,"IsProjectGrouping":null,"IsVIP":null,"PlanningPositionNumber":null,"DisplayName":null,"ParentPlanningId":null,"ProjectName":"Hospital","ProjectNumber":"1257","Priority":1,"FirstManager":"pepe raul","FirstTeamMember":"Inloox - 
Heremias","FirstCustomer":null,"FirstPartner":null,"FirstAdditionalContact":null,"ComputedProgress":100.0,"IsEndDateFixed":false,"IsRecycled":false,"IsArchived":true,"IsRequest":false,"ProjectImageId":"2b797791-ccb5-490b-9939-2dfda829f3f4","ClientName":"hospitalo","ClientNumber":"0114","ProjectStatusName":"Completed","ProjectStatusProgress":100,"DivisionName":null,"ContactName":null,"FirstName":null,"LastName":null,"ContactDisplayName":null,"ContactImageId":null,"AssignedByDisplayName":null,"AssignedByImageId":null,"GroupName":"Preventa","WorkpackagePredecessorDone":null,"AllWorkpackagePredecessorDone":null,"CustomExpand@odata.navigationLink":"https://app.inlooxnow.de/odata/workpackageview(50c9fca1-b316-4b96-abb6-0018d1a58c61)/CustomExpand","DocumentObjectRelation@odata.navigationLink":"https://app.inlooxnow.de/odata/workpackageview(50c9fca1-b316-4b96-abb6-0018d1a58c61)/DocumentObjectRelation"
},{
PlanningReservationId":"5345345","DoneDate":null,"WorkAmount":261.0,"IsDone":false,"Name":"Informaci","StartReminderDateTime":null,"EndReminderDateTime":null,"ProjectId":"4d7a-8fb1-b69918c35e25","ContactId":null,"ChangedDate":"2017-10-24T13:51:03.277Z","CreatedDate":"2017-09-04T14:16:31.147Z","PositionNumber":0,"CardPositionNumber":0,"PositionOrderedByContact":null,"PlanningId":null,"GroupId":"76879d8a-482b-b17d-4d0cb8eee218","CreatedByContactId":"b-85a6-4af8-a7b2-ca8dc38cd601","WorkPackageStartDateTime":null,"WorkPackageEndDateTime":"2017-10-17T23:00:00Z","IsBillable":true,"IsBilled":false,"CostPerHour":null,"SecondaryCostPerHour":null,"CustomColor":null,"IsRead":true,"AssignedByContactId":null,"HasStartDate":false,"HasEndDate":true,"StartDateTime":null,"EndDateTime":"2017-10-17T23:00:00Z","PlanningReservationStatusName":"To do","PlanningReservationStatusId":"263d4762-dc54-46ec-95a7-36391f9ef4b5","MindMapNodeId":null,"PlanningTypeId":null,"Location":null,"PSPCode":null,"ColorFlag":null,"PlanningCustomColor":null,"PlanningProgress":null,"CalendarId":null,"ConstraintType":null,"ConstraintDate":null,"DurationTicks":null,"PlanningStartDateTime":null,"PlanningEndDateTime":null,"IsFixed":null,"IsMilestone":null,"IsGrouping":null,"IsCollapsed":null,"IsCritical":null,"PlanningSnapshotId":null,"OriginalPlanningId":null,"IsProjectGrouping":null,"IsVIP":null,"PlanningPositionNumber":null,"DisplayName":null,"ParentPlanningId":null,"ProjectName":"Hospital","ProjectNumber":"1257","Priority":1,"FirstManager":"pepe raul","FirstTeamMember":"Inloox - 
Heremias","FirstCustomer":null,"FirstPartner":null,"FirstAdditionalContact":null,"ComputedProgress":100.0,"IsEndDateFixed":false,"IsRecycled":false,"IsArchived":true,"IsRequest":false,"ProjectImageId":"2b797791-ccb5-490b-9939-2dfda829f3f4","ClientName":"hospitalo","ClientNumber":"0114","ProjectStatusName":"Completed","ProjectStatusProgress":100,"DivisionName":null,"ContactName":null,"FirstName":null,"LastName":null,"ContactDisplayName":null,"ContactImageId":null,"AssignedByDisplayName":null,"AssignedByImageId":null,"GroupName":"Preventa","WorkpackagePredecessorDone":null,"AllWorkpackagePredecessorDone":null,"CustomExpand@odata.navigationLink":"https://app.inlooxnow.de/odata/workpackageview(50c9fca1-b316-4b96-abb6-0018d1a58c61)/CustomExpand","DocumentObjectRelation@odata.navigationLink":"https://app.inlooxnow.de/odata/workpackageview(50c9fca1-b316-4b96-abb6-0018d1a58c61)/DocumentObjectRelation"
},{
PlanningReservationId":"5345345","DoneDate":null,"WorkAmount":261.0,"IsDone":false,"Name":"Informaci","StartReminderDateTime":null,"EndReminderDateTime":null,"ProjectId":"4d7a-8fb1-b69918c35e25","ContactId":null,"ChangedDate":"2017-10-24T13:51:03.277Z","CreatedDate":"2017-09-04T14:16:31.147Z","PositionNumber":0,"CardPositionNumber":0,"PositionOrderedByContact":null,"PlanningId":null,"GroupId":"76879d8a-482b-b17d-4d0cb8eee218","CreatedByContactId":"b-85a6-4af8-a7b2-ca8dc38cd601","WorkPackageStartDateTime":null,"WorkPackageEndDateTime":"2017-10-17T23:00:00Z","IsBillable":true,"IsBilled":false,"CostPerHour":null,"SecondaryCostPerHour":null,"CustomColor":null,"IsRead":true,"AssignedByContactId":null,"HasStartDate":false,"HasEndDate":true,"StartDateTime":null,"EndDateTime":"2017-10-17T23:00:00Z","PlanningReservationStatusName":"To do","PlanningReservationStatusId":"263d4762-dc54-46ec-95a7-36391f9ef4b5","MindMapNodeId":null,"PlanningTypeId":null,"Location":null,"PSPCode":null,"ColorFlag":null,"PlanningCustomColor":null,"PlanningProgress":null,"CalendarId":null,"ConstraintType":null,"ConstraintDate":null,"DurationTicks":null,"PlanningStartDateTime":null,"PlanningEndDateTime":null,"IsFixed":null,"IsMilestone":null,"IsGrouping":null,"IsCollapsed":null,"IsCritical":null,"PlanningSnapshotId":null,"OriginalPlanningId":null,"IsProjectGrouping":null,"IsVIP":null,"PlanningPositionNumber":null,"DisplayName":null,"ParentPlanningId":null,"ProjectName":"Hospital","ProjectNumber":"1257","Priority":1,"FirstManager":"pepe raul","FirstTeamMember":"Inloox - 
Heremias","FirstCustomer":null,"FirstPartner":null,"FirstAdditionalContact":null,"ComputedProgress":100.0,"IsEndDateFixed":false,"IsRecycled":false,"IsArchived":true,"IsRequest":false,"ProjectImageId":"2b797791-ccb5-490b-9939-2dfda829f3f4","ClientName":"hospitalo","ClientNumber":"0114","ProjectStatusName":"Completed","ProjectStatusProgress":100,"DivisionName":null,"ContactName":null,"FirstName":null,"LastName":null,"ContactDisplayName":null,"ContactImageId":null,"AssignedByDisplayName":null,"AssignedByImageId":null,"GroupName":"Preventa","WorkpackagePredecessorDone":null,"AllWorkpackagePredecessorDone":null,"CustomExpand@odata.navigationLink":"https://app.inlooxnow.de/odata/workpackageview(50c9fca1-b316-4b96-abb6-0018d1a58c61)/CustomExpand","DocumentObjectRelation@odata.navigationLink":"https://app.inlooxnow.de/odata/workpackageview(50c9fca1-b316-4b96-abb6-0018d1a58c61)/DocumentObjectRelation"
},{
But when I download this data from the REST API in JSON format with sourcetype _JSON, I get all the events in one event.
I need to break this event into multiple events and extract the fields.
I tried to use this:
props.conf
pulldown_type = true
LINE_BREAKER = (},{)
KV_MODE = none
category = Structured
SHOULD_LINEMERGE = false
And the data breaks correctly with (},{) but no value is extracted to a field.
And when I try to extract data from the events I can't, because it never passes when I check the regular expression and click on the event which I need to extract; after that it looks stuck.
I try to use
INDEXED_EXTRACTIONS = json
But nothing works.
Please I need a hand please!!
Labels: field extraction
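Added example, not part of the original posts and a simulation rather than Splunk's own code: LINE_BREAKER discards whatever its first capture group matches, so the Python below replays both patterns from the posts above on a constructed, trimmed payload. It shows why `(},{)` leaves no event that parses as JSON, while `}(,){` leaves only the first and last events broken by the OData wrapper. The function names, constant names and sample records are assumptions made for the illustration.

```python
import json
import re

# Constructed sample shaped like the OData response in the post (fields trimmed).
RAW = ('{"@odata.context":"https://example.invalid/odata/$metadata#workpackageview",'
       '"value":['
       '{"ProjectName":"A","WorkAmount":1.0},'
       '{"ProjectName":"B","WorkAmount":2.0},'
       '{"ProjectName":"C","WorkAmount":3.0}]}')

# The two LINE_BREAKER values from the posts, with the braces escaped for Python.
BREAKER_ORIGINAL = r"(\},\{)"   # (},{)  : braces and comma are all inside group 1
BREAKER_CHANGED = r"\}(,)\{"    # }(,){  : only the comma is inside group 1


def break_events(raw, line_breaker):
    """Simulate LINE_BREAKER: text matched by capture group 1 is discarded;
    what precedes the group ends one event, what follows it starts the next."""
    events, start = [], 0
    for match in re.finditer(line_breaker, raw):
        events.append(raw[start:match.start(1)])
        start = match.end(1)
    events.append(raw[start:])
    return events


def is_json_object(text):
    """True when the event on its own is a complete JSON object."""
    try:
        return isinstance(json.loads(text), dict)
    except ValueError:
        return False


def parse_report(raw, line_breaker):
    """One boolean per event: can a JSON field extractor parse it?"""
    return [is_json_object(event) for event in break_events(raw, line_breaker)]


if __name__ == "__main__":
    for name, pattern in (("(},{)", BREAKER_ORIGINAL), ("}(,){", BREAKER_CHANGED)):
        print("LINE_BREAKER =", name)
        for event, ok in zip(break_events(RAW, pattern), parse_report(RAW, pattern)):
            print("  parses" if ok else "  BROKEN", "|", event[:60])
```

The first event still carries the `{"@odata.context":...,"value":[` prefix and the last one the trailing `]}`, which is why those two stay unparseable until the wrapper is stripped.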
05-08-2020
09:16 AM
Hello all,
Right now I started to use Splunk, and I have so many doubts.
When I GET the data via REST-API, I get a lot of data and well I finally find how to create fields and other things.
How do I make Splunk get only new data and not collect old data to evade duplicate data?