×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
jcraumer
Explorer
Member since: ‎11-02-2017
‎11-11-2021
Community Statistics
Posts 7
Solutions 1
Karma Given 0
Karma Received 2
Member Since ‎11-02-2017
Activity Feed
Topics I've Started
No posts to display.
View All

Re: Find Events in one index based on a result set

by in Splunk Search
‎11-10-2021 10:52 AM
‎11-10-2021 10:52 AM
The join command works much like it would in SQL.  If Index A has the field idb, it will display the events where idb matches found in both Index A and B.  The query as you stated will only provide events where the value is found in both Indexes. If you wanted all events from A and any events from B that match on idb you can add the type: index=a sourcetype=test |join type=left id [search index b | rename id as idb] |stats count by id, idb     ... View more

Re: Subsearch not returning any results

by in Splunk Search
‎11-10-2021 10:41 AM
‎11-10-2021 10:41 AM
Glad you were able to figure it out. ... View more

Re: Subsearch not returning any results

by in Splunk Search
‎11-09-2021 07:21 AM
‎11-09-2021 07:21 AM
Try adding a join: The sub search should produce the GUID based on your logic, however the format of the GUID in the outer search would need to match.  If the inner search shows the GUID as 7c10cfbc-6892-4590-a05c-c12acf16932b after you replace and rex then the outer search would also need to have a match GUID field of  7c10cfbc-6892-4590-a05c-c12acf16932b index="myIndex" sourcetype="mySourceType" | join GUID [search index="myIndex" host="myHost" sourcetype="mySourceType" <phoneNumber> | rex field=_raw "(?<GUID>\].*$$)" | rex field=GUID "(?<GUID>[^NAME]+)" | eval GUID=replace(GUID, "]", "") | rex field=GUID mode=sed "s/(^\s+)|(\s+$)//g" | dedup GUID | fields GUID ] | table GUID, <other fields from the outer search you want to display>   ... View more

Re: Assigning multiple roles to user with Python

by in Splunk Dev
‎11-09-2021 06:56 AM
‎11-09-2021 06:56 AM
Hurricane Labs did a sample demo regarding changing user permissions with a dashboard and custom endpoints.   https://hurricanelabs.com/splunk-tutorials/splunk-custom-endpoints-part-3-posting-the-data/ I think the endpoint posting is included in part three, video 7 & 8, about cleaning and posting the data to python.  This is a good example demo as it needed to be slightly updated in certain parts to work correctly making it a nice tutorial with some trouble shooting involved.   Aside from that aspect it shows the required format that can be used to send a user name with multiple roles assigned to update the Splunk ACL backend.   Hopefully this helps solve your issue.     ... View more

Re: How to Stop SubmitButton when there is a valid...

by in Splunk Dev
‎11-09-2021 06:42 AM
‎11-09-2021 06:42 AM
Do not use the default submit button provided by the dashboard editor.  Create a custom button that will submit the form once validation is complete.  This can be done in the same Javascript file used for the validation but create a if statement that if the validation fails the form doesn't submit. ... View more

Re: Need a hand. How is it possible to restart a U...

by in Splunk Enterprise
‎11-05-2021 10:30 AM
1 Karma
‎11-05-2021 10:30 AM
1 Karma
If Unix is the OS it's possible to create a service for Splunk. Using MONIT you can monitor the running services and if it detects an abnormal shutdown it can be set up to restart the service and send email alerts for the admin team Ms. Burwell has a good point.  This will restart the Splunk instance but not identify why it's crashing so you could start a loop of crash/restarts. For windows you can set up a batch file but you would needs to find a Monitoring service to handle watching the processes.  ... View more

Re: How do I read the values from a dashboard tabl...

by in Splunk Enterprise
‎11-05-2021 10:21 AM
1 Karma
‎11-05-2021 10:21 AM
1 Karma
I would probably have done search parsing through Python but it can be done using Javascript. Create a blocking search which will wait until the search in finished then reference the job object results field.  The results can then be mapped to a list or dictionary for use.  Once you have completed the tasks associated with the search values it can be rendered back to the dashboard.   require([], function() { var splunkWebHttp = new splunkjs.SplunkWebHttp(); var service = new splunkjs.Service(splunkWebHttp); var searchQuery = "search index=_internal | head 5"; var searchParams = {exec_mode: "blocking"}; service.search( searchQuery, searchParams, function(err, job) { job.fetch(function(err){ console.log("Job ID: " + job.sid); console.log("Max Results: " + job.properties().resultCount); // iterate results by row job.results({}, function(err, results) { var fields = results.fields; var rows = results.rows; for(var i = 0; i < rows.length; i++) { var values = rows[i]; console.log("Row " + i + ": "); for(var j = 0; j < values.length; j++) { var field = fields[j]; var value = values[j]; console.log(" " + field + ": " + value); } } }) }); }); })   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-11-2021 11:10 AM
Karma from
View All