Channel: Questions in topic: "splunk-enterprise"

List of unused lookup definitions

Hi there, How can I get a list of **unused** lookup defs in my environment - so ones that I have lying around, but not doing anything useful basically? This would need to include lookups in apps, dashboards, etc. Thanks!

join 2 lists

Hi, I need your help with the following. I have 2 lists, and I want to detect when an item is in list B and NOT in list A. List A is static (from a lookup); list B is dynamic (from a search).
List A: 1 2 3
List B: 1 2 3 4
Result: 4
I do NOT want to detect the opposite, when something is in A and is NOT in B:
List A: 1 2 3 4
List B: 1 2 3
Result: None
I tried all the possibilities with the "join" command ("inner" and "outer") but no luck. Thank you very much!

Xml data to Csv

Hi guys, I have data in this XML format, and I need to transform these events at index time: 67195595 67195596 67195597 67195598 67204206 0 0 0 0 8 to CSV: measTypes . measResults 67195595 . 0 67195596 . 0 67195597 . 0 67195598 . 0 67204206 . 8. Any suggestions? Thanks

DB_Connect timestamp timezone

Hi, I am having some issues indexing a database. We are using a database column as the timestamp for events. This "DateTime" column is in UTC time, so we added a line in props.conf to specify the time format TZ=UTC (we are using CET time). When we check the events, the _time field shows us UTC time for those events, so it seems props.conf is not working. Any idea about this issue? Best regards

delete a private dashboard

How do I delete a private dashboard belonging to a user who has left the company? Please let me know the process.

Working out Distribution percentage

Hi Splunk Community! I have a simple query which pulls request counts per node: sourcetype=test-log New Line | rex "\'instance1_n_Node1\': (?<Node1>.*?)," | rex "\'instance2_n_Node2\': (?<Node2>.*?)," | rex "\'instance2_n_Node2\': (?<Node3>.*?)," | timechart max(Node1), max(Node2), max(Node3) This brings me back the values Node1 - 100, Node2 - 200, Node3 - 300. My nodes have a capacity of 320 only. I am trying to show the % left on the available instances so I can see where my space is. What's the best way to do this? Thanks in advance!

Join on this field OR that field

Basically I am trying to find hosts in a CSV that are not sending data to Splunk. The problem is, we have to account for devices that come over with either the short name, the FQDN, or the IP as the host value in Splunk. So essentially, I would like to join on the field host OR the field IP. I have this search: | inputlookup cmdb_assets.csv | rename nt_host AS host | rex field=host mode=sed "s/\.\d+|\.\w+\.\w+$//" | eval host=lower(host) | join type=left ip host [ metadata type=hosts | rex field=host mode=sed "s/\.\d+|\.\w+\.\w+$//" | eval host=lower(host) | rex field=host "(?<ip>\d+.\d+.\d+.\d+)"] |where isnull(recentTime) | fields host dns category city bunit owner recentTime ip But it is joining on ip AND host and does not accomplish the goal. Basically, I need Splunk to try and match on either the host field or the ip field. Anyone have any ideas?

Splunk tokens with values and quotes in dashboard text form

Hello all again, I'm running into another issue where I've got a huge dashboard that takes a form input and plugs it into an eval, which is then used for a search later. The issue I'm running into is in the XML below: Row 1 - Panel 1""Column ChartLine GraphStats Table It will take these 3 tokens and plug them into an 'add' panel, which looks like this: Add| makeresults | eval custom_r1p1_title = "$r1p1_title$" | eval custom_r1p1_search = $r1p1_search$ | eval custom_r1p1_vi = "$r1p1_viz$" | outputlookup data_table-15mnow
**NOTE:** I am using a token **prefix** and **suffix** for the 'r1p1_search' token. However, if someone inputs index="test", the eval breaks with the error "malformed eval" because now there is "index="test"". I tested with this input, which works: index=\"test\", but no one writes searches like that. Am I missing something very simple? Is it possible to pass a token value with quotes in it? Since this is an open form which allows users to plug in any search, I don't know what the search could be, so quotes could be used anywhere in the input value. I'm not using any JavaScript or anything. Thanks so much in advance, guys! This is the last piece for my dashboard, too. -John

how to create and schedule an alert to run at 1am daily that extract event from yesterday 0:00am to yesterday 23:59pm

Log events from yesterday 0:00am to yesterday 23:59pm. Schedule the alert to run at 1:00am daily.


Issues with Splunk Workday Add-on, not saving configuration, spinning wheel 'Loading'

We had the Workday app (4.1) running on a HF (6.6.5) that apparently stopped working on Oct 24th. Error: File "D:\Program Files\Splunk\etc\apps\TA-workday\bin\ta_workday\solnlib\packages\splunklib\binding.py", line 1221, in request raise HTTPError(response) HTTPError: HTTP 503 Service Unavailable -- KV Store initialization failed. Please contact your system administrator. I am now attempting to move that add-on to a new HF, as recommended by support for another case.
1. I have copied the TA from the HF that was working and restarted Splunk - it didn't work.
2. I have re-installed v 4.1 on the HF from the .tgz file and restarted - it didn't work.
3. I have re-installed with v 5.0 on the HF from .tgz and restarted - it didn't work.
4. I've pushed the security settings down from the \etc\apps folder to all subfolders, to eliminate any permissions issues.
When I log into the web UI, go to the Workday app, then go to configuration > add-on settings, the loading icon appears, shows about 4-5 bars and is stuck. It eventually shows the setting options; I configure them and hit save, but it never saves them. The TA never attempts to call out to the internet to grab files. Looking in the Workday TA log, the splunkd and splunkaccess logs, I see 404 and 500 HTTP server errors.
splunkd.log: 11-07-2018 01:18:53.847 -0600 ERROR AdminManagerExternal - Unexpected error "" from python handler: "REST Error [500]: Internal Server Error -- Traceback (most recent call last):\n File "D:\Program Files\Splunk\etc\apps\TA-workday\bin\ta_workday\splunktaucclib\rest_handler\handler.py", line 113, in wrapper\n for name, data, acl in meth(self, *args, **kwargs):\n File "D:\Program Files\Splunk\etc\apps\TA-workday\bin\ta_workday\splunktaucclib\rest_handler\handler.py", line 299, in _format_response\n masked = self.rest_credentials.decrypt_for_get(name, data)\n File "D:\Program Files\Splunk\etc\apps\TA-workday\bin\ta_workday\splunktaucclib\rest_handler\credentials.py", line 184, in decrypt_for_get\n clear_password = self._get(name)\n File "D:\Program Files\Splunk\etc\apps\TA-workday\bin\ta_workday\splunktaucclib\rest_handler\credentials.py", line 389, in _get\n string = mgr.get_password(user=context.username())\n File "D:\Program Files\Splunk\etc\apps\TA-workday\bin\ta_workday\solnlib\utils.py", line 154, in wrapper\n return func(*args, **kwargs)\n File "D:\Program Files\Splunk\etc\apps\TA-workday\bin\ta_workday\solnlib\credentials.py", line 118, in get_password\n all_passwords = self._get_all_passwords()\n File "D:\Program Files\Splunk\etc\apps\TA-workday\bin\ta_workday\solnlib\utils.py", line 154, in wrapper\n return func(*args, **kwargs)\n File "D:\Program Files\Splunk\etc\apps\TA-workday\bin\ta_workday\solnlib\credentials.py", line 272, in _get_all_passwords\n clear_password += field_clear[index]\nTypeError: cannot concatenate 'str' and 'NoneType' objects\n". See splunkd.log for more details. 
splunkaccess.log: 127.0.0.1 - splunk-system-user [06/Nov/2018:15:48:45.336 -0600] "GET /servicesNS/nobody/TA-workday/properties/TA-workday HTTP/1.1" 404 143 - - - 1ms

How to add new capability

Is it possible to add a new capability other than the ones available in authorize.conf? If so, how do we do it?

How to assign a value to field if it is missing the event

I have sample data which has all the fields, like below: [11/07/2018 09:59:00] CAUAJM_I_40245 EVENT: ALARM ALARM: JOBFAILURE JOB: HYGIEIA_EC2_LOAD_ROOT **MACHINE: hexx.com** EXITCODE: 110 Below is an event with the machine field missing: [11/07/2018 09:17:13] CAUAJM_I_40245 EVENT: ALARM ALARM: JOBFAILURE JOB: FADB_OUT_CROSSINVEST_PFX_BOX EXITCODE: 9 Below is the search I am using: index=abc |rex field=_raw "MACHINE\:\s(?<Machine_Name>[^ ]+).*" | eval time=strftime(_time,"%Y/%m/%d %H:%M:%S") | eval node=host | eval resource="Auto" | eval type="Alarm" | eval severity=1 | eval Machine_Name=case(isnull(Machine_Name),"NONE",isnotnull(Machine_Name),Machine_Name,1=1,"unknown") | eval description="CAUAJM:" .CAUAJM ." STATUS:" . STAT . " JOB:" . JOB_Name . " MACHINE:" .Machine_Name. " with ExitCode:" .EXITCODE. " at:" . time . " Environment:AWP" | table node resource type severity CAUAJM job_event JOB_Name Machine_Name time description The description shows blank for the second event, as there is no machine in it. How can I populate that so the description is not empty? I have attached a screenshot for better understanding. Thanks,

How can I add logo to a report?

Hello, I'm looking for a way to add an image to a report. This report is not scheduled or on a dashboard. Meaning, in my nav menu I select Reports, then choose a report, and then the report view is displayed. I have added logos to dashboards and to exports/emails but haven't found a way to get one onto a simple report. Thanks for the assistance!

How do you search only by value?

Hi, I am completely new to Splunk and coming from SQL, so I cannot understand something. If I query with `sourcetype="linux_secure"`, then I get data in the result -> ok. But then, as I am an SQL guy, in my world, if I change the query to linux*, I expect to get all the data where Linux exists, no matter the source type. But I get nothing in the result. Another small question: Is source type by itself a key in Splunk language, and Linux?

How do I use the join command to detect if an item is in one list and not another?

Hi, I need your help with the following. I have 2 lists, and I want to detect when an item is in list B and NOT in list A. List A is static (from a lookup); list B is dynamic (from a search).
List A: 1 2 3
List B: 1 2 3 4
Result: 4
I do NOT want to detect the opposite, when something is in A and is NOT in B:
List A: 1 2 3 4
List B: 1 2 3
Result: None
I tried all the possibilities with the "join" command ("inner" and "outer") but no luck. Thank you very much!

Can you help us with our DB_Connect timestamp timezone issue?

Hi, I am having some issues indexing a database. We are using a database column as the timestamp for events. This "DateTime" column is in UTC time, so we added a line in props.conf to specify the time format TZ=UTC (we are using CET time). When we check the events, the _time field shows us UTC time for that event, so it seems props.conf is not working. Any idea about this issue? Best regards

How do you create and schedule a daily alert that extracts events that happened the day before?

I want to create and schedule an alert to run at 1am daily that extracts events from yesterday 0:00am to yesterday 23:59pm. How do I do this?

Convert month number to month string

Some timestamps use month numbers like "11" rather than strings like "Nov". I'm using this eval to make the conversion: | eval month=if(isnotnull(MM),if(MM="01","Jan",if(MM="02","Feb",if(MM="03","Mar",if(MM="04","Apr",if(MM="05","May",if(MM="06","Jun",if(MM="07","Jul",if(MM="08","Aug",if(MM="09","Sep",if(MM="10","Oct",if(MM="11","Nov",if(MM="12","Dec","INV")))))))))))),MM) Is there a better way?

Does Splunk monitor and alert on changes to servers (and potentially desktops) configurations?

Does Splunk monitor and alert on changes to servers (and potentially desktops) configurations?