×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
JyPl4wNYu7GV1uL
Explorer
Member since: ‎02-07-2018
‎01-22-2025
Community Statistics
Posts 7
Solutions 0
Karma Given 1
Karma Received 2
Member Since ‎02-07-2018
Activity Feed
View All

return results even when the count of a field valu...

by in Splunk Search
‎01-21-2025 12:17 PM
‎01-21-2025 12:17 PM
Stupid form editor adds extra CRs. Having trouble getting this search to work as desired. I've tried these 2 methods and can't them to work:   eventtype="x" Name="x" | fields Name, host | dedup host | stats count by host | appendpipe [stats count | where count=0 | eval host="Specify your text here"]     and using the   fillnull   command. Here is my search:   index=idx1 host=host1 OR host=host2 source=*filename*.txt field1!=20250106 (field2="20005") OR (field2="20006") OR (field2="20007") OR (field2="666") | stats count(field2) by field2, field3 | sort count(field2)   In this case the value for field2="666" does not exist in the results. Here're the results I get:   field2 field3 count(field2) 1 20005 This is field3 value 1 2 2 20006 This is field3 value 2 6 3 20007 This is field3 value 3 13   To summarize, I want to search for all the values of field2 and return the counts for each field2 value even if the field2 value is not found in the search; so, then, count(field2) for field2=666 would be 0. As follows:   field2 field3 count(field2) 1 666 <empty string> 0 2 20005 This is field3 value 1 2 3 20006 This is field3 value 2 6 4 20007 This is field3 value 3 13   This is a simplified example. The actual use case is that I want to search one data set and return all the field2 values and then search for those values in the first data set. This actual search I'm running looks like this:   index=idx1 host=host1 OR host=host2 source=*filename*.txt field1!=20250106 [search index=idx1 host=host1 OR host=host2 source=*filename*.txt field1=20250106 | fields field2 | dedup field2 | return 1000 field2] | stats count(field2) by field2, field3 | sort count(field2)   I want to find all the field2 values when field1=20250106 and then find the counts of those values in the field1!=20250106 events (even for when the count of some field2 values have count=0 in results). ... View more
Labels

Re: About warning showing in Splunk Cloud message ...

by in Splunk Cloud Platform
‎10-28-2024 09:41 AM
2 Karma
‎10-28-2024 09:41 AM
2 Karma
Disregard.  I had put the setting in the [default] stanza, moved it to the [email] stanza, now the warning has resolved. ... View more

Re: About warning showing in Splunk Cloud message ...

by in Splunk Cloud Platform
‎10-28-2024 09:33 AM
‎10-28-2024 09:33 AM
I just upgraded to 9.3.1 and was also getting that warning.  I set a value for allowedDomainList in system/local/alert_actions.conf, restarted the daemon, but I still get the message. Just wanted to post in case other experience the same behavior. ... View more

Re: Events return blank results

by in Splunk Search
‎02-26-2024 01:41 PM
‎02-26-2024 01:41 PM
I know this is ancient, but I had the same issue with blank results because of this: https://community.splunk.com/t5/Splunk-Search/What-would-intermittently-cause-less-events-to-return-the-raw/m-p/490525 ... View more

Re: Splunk Upgradtation tar/rpm

by in Installation
‎02-16-2024 08:12 AM
‎02-16-2024 08:12 AM
Anybody got opinions on the opposite situation? I've always upgraded splunk using a tarball and extracted over top the prior /opt/splunk installation: ~6 upgrades. Now I'd like to switch to RPM, for all the stated advantages.  Any issues I need to worry about by installing the RPM over a prior tarball install?   ... View more

Re: Permission error after upgrade during restart

by in Splunk Enterprise
‎10-02-2023 10:33 AM
‎10-02-2023 10:33 AM
Similar has happened to me for my last 2 upgrades (9.0.5 and 9.1.0.2).  In both cases after the upgrade, some conf files end up with root:root ownership.  Before the upgrade they were splunk:splunk. Offending files (plus 1 .pyc file and migration.log in var/log/splunk): etc/system/local/eventtypes.conf etc/system/local/web-features.conf etc/system/local/authorize.conf Primary concern are the conf files.  The upgrade is by .tgz file run as splunk:splunk.  The initial start is run by root cuz it needs root permissions to create the systemd boot-start file.  Is this just going to keep happening since I need to run "splunk enable boot-start . . . " as root? It's not a big deal to run chown to fix everything, but it is a manually step when is sometimes forgotten. ... View more

Re: Is it possible to create submenus in the time ...

by in Dashboards & Visualizations
‎02-08-2018 04:16 PM
‎02-08-2018 04:16 PM
I'm curious about this answer because in my 6.5.2 version, when setting up a range value for a preset I'm offered a checkbox for create submenu. But the submenu does not work. So I'm wondering if it was removed or if it's just broken. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎01-22-2025 05:46 PM
Karma from
Karma given to
View All