Splunk DB Connect 3: left join two tables from different DB connections where each table has nearly 3 lakh records
Hi All,
Can you please help us find out whether it is possible in Splunk DB Connect 3.0 to join two tables from two different connections at the data input level or later. But it should return all 3 lakh records back in the results.
Thanks in advance!
How to extract only date from the mentioned string
Below is the kind of string I have, and I want to extract only the date from it.
Available string: 2019-02-24T16:05:37.000ZT16:05:37.000Z
Desired output: 2019-02-24
Thanks
How to extract a field value after a specific string in unstructured data?
Hi,
I would like to extract a new field from unstructured data. FX (the field extractor) does not help 100%, so I would like to use regex instead.
Is it possible to extract a string that appears after a specific word? For example, I always want to extract the string that appears after the word *testlog*:
Sample events (the value for my new fieldA should always be the string after testlog):
1551079647 the testlog **13000** entered the system
1551079652 this is a testlog **for** fieldextraction
Result of the field extraction:
fieldA=13000
fieldA=for
Thanks in advance
Heinz
Disable user account temporarily
I would like to disable some local accounts temporarily. I cannot find a disable or suspend button in the access controls settings menu. Is there a way to disable the account?
Need help with a regex expression
Hi Team,
I'm struggling to get the regex expression for the following values. I want to capture the text before the first _ symbol into one field and the value after the _ symbol into another field. I need a common expression that works for all.
broadridge_endur_exch_trades_parent
1end_endur_exch_trades_parent
1end_endur_comp_trades_parent
1img_img_gl_000
1img_gl
1gmi_GNACMFF1
1lst_agr_trd
epx_epx_afs_file
fxcal_balance_report
I'm using the following expression, but it's not working:
**rex field=Datafeed_name "^(?\w{3,10})_(?\w+)$"**
Can you please help?
@vnravikumar @jakt54
EventGen in a Windows environment: error in jinja.py, can't import jinja2
Hi,
I downloaded Splunk Enterprise to my Windows 7 notebook and I am trying to get EventGen to work. I followed the GitHub tutorials and other tutorials that I found here on Splunk Answers. So my conf files are in the right places, my data sample also, and I enabled the data input. Exploring more, I found the log files in /var/log/ and I got this message:
file "C:\Program Files\Splunk\etc\apps\SA-Eventgen\lib\splunk_eventgen\lib\plugins\generator\jinja.py", line 9, in
from jinja2 import nodes
ImportError: No module named jinja2
Can anyone help me with that?
Thanks in Advance
Nelson
Sending email after the throttle time is over
I have added throttling to an alert, i.e. if an event from the same id appears again within 30 minutes of its last occurrence, an email will not be sent. Now I need to generate an email automatically after 30 minutes showing the count of how many alerts occurred in the last 30 minutes with that id. How can we do it?
Avoid duplicate file ingestion in Splunk
How to prevent duplicate files from being ingested in Splunk?
I am monitoring a folder in which there is a file named abcd.csv. Now if I make a copy of this file and paste it again into that folder, it gets ingested again. How do I restrict Splunk from doing so?
Installation stops every time.
In the middle of installation, the following message is output and it stops.
Error writing to file: C:\Program Files\Splunk\share\splunk\search_mrsparkle\exposed\js\shim\splunk.pdf.js.
Verify that you have access to that directory.
I cannot proceed even if I change the "shim" folder to "Full control" and then press the "Retry" button.
There is no choice; I have to roll back and I cannot install it.
What should I do?
OS: Windows 10 Home edition, 10.0.17134.523
Installer: splunk-7.2.4-8a94541dcfac-x64-release.msi
How to apply color coding to a column based on a condition applied to a different column in the same table?
Hi All,
I have 3 columns: forecast, actuals and percentage. What I need is, based on the values of the percentage column, to apply a condition to it and color the forecast and actuals columns accordingly.
Example:
| forecast | actuals | percentage |
| --- | --- | --- |
| 100 | 150 | 1% |
| 300 | 200 | 10% |
| 500 | 400 | 50% |
The condition I want to apply is: **if Percentage is greater than 1% and less than 10%**, apply the color red to forecast and actuals;
**if Percentage is greater than 10% and less than 50%**, apply the color green to forecast and actuals.
How can I achieve this using JavaScript and CSS?
Show failed logins by user and IP address
Experts,
We are a financial institution using Splunk to capture failed login counts by username and IP address. We use hundreds of applications within our enterprise, and not every application writes failed login attempts with username and IP details. There are tens of vendor applications that only provide the username, but no IP address. So we are thinking of getting the failed login and username from the logs and doing an automatic lookup for the IP address matching the username. Please advise:
a) if this is feasible, as the IP address is not going to be static all the time
b) where to get the user and IP address details from, as I have no knowledge of networking. Please advise if that will be available in LDAP, AD, firewall logs etc., so that I can request our network team to provide it.
How to get the yearly count data?
Hi,
index="os" sourcetype="Service" CaseNumber="Test-2018*" (Group="Secure" OR Group="health") AND (Section="Connectivity Problem" OR Section="Local data") AND (Component="connectivity" OR Component="data health")| dedup _time,CaseNumber| stats count by Group,status| xyseries Group,status,count| addtotals|
I want to display the total number of cases by status in the year 2018. For example, in 2018 how many cases are still "in progress", how many closed, how many waiting, and so on. But the above query is showing all status information for particular case numbers. One case number's life cycle is "new", "Waiting", "Inprogress", "Closed", but this query displays all statuses for a particular case. How do I do this?
Scheduled PDF delivery of a dashboard not attaching the PDF to the email
I have scheduled PDF delivery of a dashboard in Splunk. I was getting the attachment in the email with **Splunk version 6.5.7**. But after upgrading from **Splunk version 6.5.7 to 7.1.6**, I am not getting the attachment, only emails along with the content.
I have not made any changes to my PDF schedule.
How to extract fields that end with a question mark
I want to extract a field to capture the data before the question mark, as below.
api_call "Get \search\ip\6789\?=number\90"
where api_call is an already extracted field.
I wrote it as rex field=api_call "/"(?[^/?])" ---- the result required is Get \search\ip\6789\
but it doesn't seem to work
Help to match events with an inputlookup search
Hi
I use the basic query below in order to collect the model of a host (workstation):
index="xx" sourcetype="WMI:Model" | table host Model
In parallel, I have a CSV file called "cmdb" where there is a field called "HOSTNAME" which refers to the field "host" in my search.
I want to match these 2 fields (host and HOSTNAME) in order to collect in the same table the host, the Model and other fields of my CSV file like CLIENT_USER, COUNTRY, STATUS, ROOM, SITE and TOWN.
Could you help me please?
Stats Count Eval If
Hi, I wonder whether someone can help me please.
I'm using the following as part of a query to extract data from a summary index:
| stats count(eval(repayments_submit="1")) as repyaments_submit count(eval(forms_ChB="1")) as forms_ChB
The code works fine, except that where the value is null it's shown as a zero, and I'd like it to be blank.
I've tried `count(eval(if(signout="1", "")))` but I receive the following error:
> Error in 'stats' command: The eval expression for dynamic field 'eval(if(signout="1", ""))' is invalid. Error='The arguments to the 'if' function are invalid.'
Could someone look at this please and let me know where I've gone wrong?
Many thanks and kind regards
Chris
Dashboard eval token not working correctly
I have two "parallel" multivalue fields. One has friendly names and the other has the actual URLs. In the example below, given the friendly name (cnn), it finds the corresponding URL:
| makeresults
| fields - _time
| eval friendly_names="google,facebook,cnn", urls="http://google.com,http://facebook.com,http://cnn.com"
| makemv friendly_names delim=","
| makemv urls delim=","
| eval url=mvindex(urls, mvfind(friendly_names,"cnn"))
| table url
This works exactly as I expect it to. When I try to use it in a dashboard event handler, it doesn't work. Does anyone have any thoughts on what I might be doing wrong, or an alternative way to do this? My desire is to generate some custom ugly URLs behind the scenes, but present the user with friendly names on the dashboard.
Why does search complain about eventtype errors when no eventtype is used?
Hi, and sorry for the somewhat fuzzy question!
I'll try to explain the scenario, so bear with me if the explanation gets a bit long ;)
We have lots of eventtypes in our environment, where most of them are defined within specific apps.
The problem here is that when I (or anyone, for that matter) run a search from the standard search tab, the job result complains that one particular eventtype is missing or disabled. This eventtype is defined within a specific app but is never used in the query.
Example, search executed in the "standard" search and reporting app space:
index=network "10.20.30.40" <-- No eventtype used!
The search query displays all results containing 10.20.30.40, as expected, but the job inspector complains that "eventtype login_failure_wdm does not exist or is disabled".
This error would make sense if I tried to use this particular eventtype (since I am running the query outside the app where the eventtype is defined), but no eventtype is used!
As expected there are no complaints if I run the same query from within the app space where login_failure_wdm is defined.
The thing is that it does not matter what indexes I search or what searches I do; the error is there.
The eventtype in question is "nested" from another eventtype, but we use a lot of those without any issues.
login_failure_wdm: eventtype=wdm "authorization error"
where 'wdm' is an eventtype defined as:
index=network host=itc*wdm*
This environment consists of a 2-node indexer cluster (+ 1 master node) and one search head (where all searches are performed).
I have run a recursive grep through the entire config on my search head, cluster master and the indexer servers, but the eventtype is not referenced anywhere (except for the definition of the eventtype itself) on the search head.
Has anyone seen this phenomenon and found a solution?
Get notified of Splunk errors
Splunk only notifies of errors like file system permission issues in the top-right messages dropdown.
Since I rarely use the Splunk web interface, I'm always missing them.
Is there a way to get notified of these errors? Can I set up alerts for them?
Any future release for Splunk Enterprise 7.x of the HP Operations Orchestrator app?
This module is very interesting for automation; is there any roadmap to upgrade it to the next release?