Activity Feed
- Got Karma for Re: Splunk query doesnt show results in dashboard panel but displays results when using search tab. 09-18-2023 07:20 AM
- Posted Re: Dashboard Background Color Formatting Based on Text on Dashboards & Visualizations. 11-04-2021 03:34 PM
- Got Karma for Re: tstats with count() works but dc() produces 0 results. 10-25-2021 01:20 PM
- Posted Re: no results found in dashboard but the query does have on Dashboards & Visualizations. 10-24-2021 09:17 PM
- Posted Re: Trendline for splunk query on Dashboards & Visualizations. 10-24-2021 09:12 PM
- Posted Re: Filter events based on the time range(day of week) on a lookup table on Splunk Search. 10-24-2021 08:25 PM
- Posted Re: TERM(): How does it work under the covers ? on Splunk Search. 10-24-2021 02:31 PM
- Posted Re: Help: Customise Navigation (Help) on Dashboards & Visualizations. 10-24-2021 01:42 PM
- Posted Re: Need to create tab view for dashboard panel on Dashboards & Visualizations. 10-24-2021 11:16 AM
- Posted Re: Alert notifications being incorrectly suppressed on Alerting. 10-24-2021 11:01 AM
- Posted Re: search log on list of server ip without using csv.file on Splunk Search. 10-24-2021 10:32 AM
- Posted Re: tstats with count() works but dc() produces 0 results on Splunk Search. 10-24-2021 10:17 AM
- Posted Re: Real time alert option not available on Alerting. 10-24-2021 09:43 AM
- Posted Re: Splunk query doesnt show results in dashboard panel but displays results when using search tab on Splunk Search. 10-23-2021 09:01 PM
- Posted Re: Search a Datamodel using field values from a lookup csv file on Splunk Search. 02-15-2021 03:13 PM
- Posted Re: How to create a single query that can show Internal AND External users all in one table. on Splunk Search. 07-19-2020 04:21 PM
- Posted Re: How to create a single query that can show Internal AND External users all in one table. on Splunk Search. 07-19-2020 04:14 PM
Topics I've Started
No posts to display.
11-04-2021
03:34 PM
Hi jtoy1986, If the visualization is a Statistics Table then you can define rules for coloring as in the XML below:

<table>
  <search>
    <query>| makeresults | eval deviceSeverity = "Up"
| append [| makeresults | eval deviceSeverity = "Down" ]
| stats latest(deviceSeverity)
| eval range=case('latest(deviceSeverity)' == "Up", "low", 'latest(deviceSeverity)' == "Down", "severe")</query>
    <earliest>-15m</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <option name="count">100</option>
  <option name="dataOverlayMode">none</option>
  <option name="drilldown">none</option>
  <option name="percentagesRow">false</option>
  <option name="rowNumbers">false</option>
  <option name="totalsRow">false</option>
  <option name="wrap">true</option>
  <format type="color" field="latest(deviceSeverity)">
    <colorPalette type="map">{"Down":#DC4E41,"Up":#53A051}</colorPalette>
  </format>
</table>

------ An upvote would be appreciated and Accept Solution if it helps!
10-24-2021
09:17 PM
Hi corti77, I have created a test search and referred to it inside a dashboard panel as shown below, which worked without any issues. Please check the permissions associated with the saved search as well as the index referred to inside it.

<panel>
  <title>TEST SAVED SEARCH RESULTS</title>
  <table>
    <search ref="WFH TEST SEARCH"></search>
    <option name="count">5</option>
    <option name="drilldown">none</option>
  </table>
</panel>
10-24-2021
09:12 PM
Hi adarshbc, Try using the "trendline" command; information about that command can be found here: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Trendline (please adjust the product and version to suit your enterprise). ------ An upvote would be appreciated and Accept Solution if it helps!
10-24-2021
08:25 PM
Hi mgbersales, Do Saturday / Tuesday refer to any specific dates, or, irrespective of date, if _time falls between any Saturday 8pm and Tuesday 8am should those events be eliminated?
10-24-2021
02:31 PM
Hi bdunstan, Can you please run searches (3) and (4) to see how the lispy searches differ in search.log, and then we can narrow down the issue behind the failures. In general, TERM matches whatever is inside the parentheses as a single term in the index, even if it contains characters that are usually recognized as minor segmenters, such as periods or underscores. Here's some good documentation on this: https://docs.splunk.com/Documentation/Splunk/6.4.2/Search/UseCASEandTERMtomatchphrases ------ An upvote would be appreciated and Accept Solution if it helps!
10-24-2021
01:42 PM
Hi bdunstan, To modify the app bar for your custom app, edit its navigation definition file, default.xml. You must refresh Splunk Web before you can see your changes.

1) In your text editor, open $SPLUNK_HOME/etc/apps/appname/default/data/ui/nav/default.xml.
2) Make your changes to the XML, then save the file.
3) To view the changes, navigate to http://<host>:<mport>/debug/refresh, click Refresh to refresh Splunk Web, then navigate to your app in the web browser.

Code for your requirements:

<collection label="Help">
  <a href="link">Tutorials</a>
  <a href="link">Help with this page</a>
  <a href="link">File a bug</a>
</collection>

------ An upvote would be appreciated and Accept Solution if it helps!
10-24-2021
11:16 AM
Hi sahana, Please use this blog post for making a dashboard with tabs: https://www.splunk.com/en_us/blog/tips-and-tricks/making-a-dashboard-with-tabs-and-searches-that-run-when-clicked.html ------ An upvote would be appreciated and Accept Solution if it helps!
10-24-2021
11:01 AM
Hi L1mLam, Just use the field name in this option and it will work. More information about the alert suppression configuration attributes can be found here - https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Savedsearchesconf#alert_suppression.2Fseverity.2Fexpiration.2Ftracking.2Fviewing_settings

alert.suppress.fields = <comma-delimited-field-list>
* List of fields to use when suppressing per-result alerts. This field *must* be specified if the digest mode is disabled and suppression is enabled.
* Default: empty string.

------ An upvote would be appreciated and Accept Solution if it helps!
10-24-2021
10:32 AM
Hi posuw, Can you please elaborate on the need to find a lookup match?
10-24-2021
10:17 AM
1 Karma
Hi thisissplunk, The tstats search syntax seems correct, and I am able to get valid output for distinct_count on my end. To my understanding there are no limitations for the distinct_count aggregate function. When you enable acceleration for a data model, Splunk software builds the initial set of .tsidx file summaries for the data model and then runs scheduled searches in the background every 5 minutes to keep those summaries up to date. Each update ensures that the entire configured time range is covered without a significant gap in data. This method of summary building also ensures that late-arriving data is summarized without complication. Can you please verify the DM acceleration search execution status using the search below:

index=_internal sourcetype="scheduler" savedsearch_id="<user>;<appname>;_ACCELERATE_DM_<appname>_<DataModelName>_ACCELERATE_"

------ An upvote would be appreciated and Accept Solution if it helps!
10-24-2021
09:43 AM
Hi cyber_Maddy, Overuse of real-time search can result in performance costs, and in this case you are not able to schedule a real-time alert because of restrictions that have been applied in your environment. Options for restricting real-time search are as follows:

1) Disable real-time search at the indexer level by editing indexes.conf for specific indexes.
2) Disable real-time search for particular roles and users.
3) Edit limits.conf to reduce the number of real-time searches that can be run concurrently at any given time.
4) Edit limits.conf to restrict indexer support for real-time searches.

The documentation, How to restrict usage of real-time search, is where you will want to go: https://docs.splunk.com/Documentation/Splunk/8.2.2/Search/Restrictrealtimesearch Also, make sure you're reading the documentation for your version of Splunk.

------ An upvote would be appreciated and Accept Solution if it helps!
10-23-2021
09:01 PM
1 Karma
Hi pk0024, It seems your base search is a non-transforming search; you must explicitly state in the base search what fields will be used in the post-process search, using the | fields command. Splunk best practices around base search usage can be found here - https://docs.splunk.com/Documentation/Splunk/8.2.2/Viz/Savedsearches (adjust the version to suit your environment). On another note - in regards to the eventtype, is that "0" expected or is it a typo: eventtype="err0r"? ------ An upvote would be appreciated and Accept Solution if it helps!
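A complete Simple XML dashboard that applies the advice in the reply above, as an added example (not code from the original post or from Splunk): a non-transforming base search that ends with "| fields" naming every field the post-process panels consume, and two post-process panels sharing it. The index, sourcetype and field names (auth_example, auth_example_logs, user, src_ip, action) are assumed placeholders.

```xml
<dashboard>
  <label>Base search with post-process panels (added example)</label>
  <!-- Base search: non-transforming, so it ends with "| fields" listing every
       field the post-process searches below rely on. Index, sourcetype and
       field names are assumed placeholders, not values from the original thread. -->
  <search id="base_auth">
    <query>index=auth_example sourcetype=auth_example_logs action IN (success, failure)
| fields _time user src_ip action</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>Failed logins by user</title>
      <table>
        <!-- Post-process search: runs over the base results, not the index. -->
        <search base="base_auth">
          <query>search action=failure | stats count by user | sort - count</query>
        </search>
        <option name="count">20</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <title>Source IPs with both successes and failures</title>
      <table>
        <!-- Same base results, different aggregation; src_ip and action
             are available only because the base search kept them. -->
        <search base="base_auth">
          <query>stats dc(action) as outcomes, values(action) as actions by src_ip | where outcomes > 1</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
```

Without the "| fields" line, a non-transforming base search hands only the default fields to its post-process searches and both panels come back empty, which is the symptom this thread is about. Post-process searches also only receive a bounded number of base results (Splunk's documentation states 50,000), so keep the base search narrow rather than pulling a whole index.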
02-15-2021
03:13 PM
If the current DM doesn't bring all src_ip related information from the subsearch, then you can add all src_ip's using an additional inputlookup and append it to the DM results:

| tstats count from datamodel=DM where [| inputlookup test.csv | rename src_ip to DM.src_ip | fields DM.src_ip] by DM.src_ip
| rename DM.src_ip AS src_ip
| inputlookup test.csv append=t
| stats values(*) as * by src_ip
| iplocation src_ip
| fillnull value="NULL"
| table src_ip, Country
07-19-2020
04:21 PM
Hi mztopp, Please check if this helps for the alert.

Query:

| makeresults | eval User_Name="a",POP_Address="192.168.0.1"
| append [| makeresults | eval User_Name="a",POP_Address="172.16.0.1"]
| append [| makeresults | eval User_Name="b",POP_Address="193.168.0.1"]
| append [| makeresults | eval User_Name="c",POP_Address="172.16.0.1"]
| append [| makeresults | eval User_Name="b",POP_Address="194.168.0.1"]
| append [| makeresults | eval User_Name="a",POP_Address="194.168.0.1"]
| fields _time User_Name POP_Address
| eval Connection_Type=case(LIKE(POP_Address,"192.168%"),"Internal",LIKE(POP_Address,"172.16%"),"Internal",0=0,"External")
| stats sum(eval(Connection_Type="Internal")) as Internal sum(eval(Connection_Type="External")) as External count AS Total by User_Name
| fillnull value=0 Internal,External

Output:

Once you have defined the condition under which this alert needs to be triggered, please use the "where" command.

Example:

| where External>1

The alert gets triggered, including the users whose External connections are greater than 1, like this.

Thanks, Pradeep Reddy
07-19-2020
04:14 PM
Hi mztopp, Please check if this helps.

Query:

| makeresults | eval User_Name="a",POP_Address="192.168.0.1"
| append [| makeresults | eval User_Name="a",POP_Address="172.16.0.1"]
| append [| makeresults | eval User_Name="b",POP_Address="193.168.0.1"]
| append [| makeresults | eval User_Name="c",POP_Address="172.16.0.1"]
| append [| makeresults | eval User_Name="b",POP_Address="194.168.0.1"]
| append [| makeresults | eval User_Name="a",POP_Address="194.168.0.1"]
| fields _time User_Name POP_Address
| eval "Internal/External"=case(LIKE(POP_Address,"192.168%"),"Internal",LIKE(POP_Address,"172.16%"),"Internal",0=0,"External")
| stats count by User_Name "Internal/External"

Tabular Output:

Thanks, Pradeep Reddy
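As an added example that is not part of either of the two replies above, the same Internal/External split built into a Simple XML dashboard panel, with one generalization: the address test uses cidrmatch against the three RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) rather than string prefixes, so 10.x.x.x and 172.17.x.x through 172.31.x.x are also classified as Internal, while a public address such as 172.160.0.1 (which a "172.16%" prefix would match) is classified as External. The events are constructed with makeresults and are not real data; User_Name and POP_Address are the field names used in the replies, and the makeresults chain is what you would replace with your own index search.

```xml
<dashboard>
  <label>Internal vs external connections per user (added example)</label>
  <row>
    <panel>
      <title>Connections by user, split on RFC 1918 ranges</title>
      <table>
        <!-- Constructed sample events (not real data); swap the makeresults
             chain for a real index search that yields User_Name and POP_Address. -->
        <search>
          <query>| makeresults | eval User_Name="a", POP_Address="192.168.0.1"
| append [| makeresults | eval User_Name="a", POP_Address="172.31.5.9"]
| append [| makeresults | eval User_Name="a", POP_Address="172.160.0.1"]
| append [| makeresults | eval User_Name="b", POP_Address="193.168.0.1"]
| append [| makeresults | eval User_Name="b", POP_Address="194.168.0.1"]
| append [| makeresults | eval User_Name="c", POP_Address="10.20.30.40"]
| fields _time User_Name POP_Address
| eval Connection_Type=if(cidrmatch("10.0.0.0/8", POP_Address) OR cidrmatch("172.16.0.0/12", POP_Address) OR cidrmatch("192.168.0.0/16", POP_Address), "Internal", "External")
| stats count(eval(Connection_Type="Internal")) as Internal, count(eval(Connection_Type="External")) as External, count as Total by User_Name</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
```

With the constructed events the table shows a: Internal 2, External 1, Total 3; b: Internal 0, External 2, Total 2; c: Internal 1, External 0, Total 1. count(eval(...)) returns 0 rather than null for a user with no rows of that type, so no fillnull is needed. To turn the same query into the alert from the first reply, append "| where External > 1" as a final line.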