I have a field; in the field t or f is there. I need t values only
I have a field like report. In the field it's showing t or s. Events like: service name, report. One. T. Two. F. I need t values only.
Stats Sum/Count
Hi, I wonder whether someone can help me please. I've put together the following query: w2_wmf(RequestCompleted)`request.detail.Context="*test" | dedup eventId | rename request.ClientId as ClientID |...
Create Alert
Hi, I have a search that looks like this: index=loadbalancer r_host="sport.mtm.com" req="/api/v2/log/exception" Now I want to create an alarm on it. I want it to alarm when it sees a percentage...
Separating ArcSight logs in heavy forwarder
I decided to send some Juniper and Fortigate logs to an ArcSight smart connector and then send its output to a Splunk heavy forwarder and then route them to different indexers based on their source( srx...
Subtracting 2 times together
I have a time where a ticket is created called: | eval start_time =strftime(start_time_epoch,"%Y-%m-%d %H:%M:%S") If the start time is >=12, it is supposed to be subtracted from 8pm meaning:...
Threshold line time chart graph.
I have a time chart graph for disk utilization. The requirement is to add a static red color line as a threshold limit at 90% on the X axis. Can someone suggest how we can do that?
Integration of on-premise data with Splunk on Azure cloud environment
How can I integrate on-premise Splunk data with Splunk on Azure cloud? I just wanted a high-level view, like whether I can get data from on-premise by installing a universal forwarder or need an HF on-prem as...
How to find most common words used by cluster command
Hi All, We are trying to cluster a Description field with cluster command in this way: | cluster t=0.5 labelonly=t showcount=t field=Description match=termset | table cluster_label cluster_count...
How can I set the same color for two columns in a column chart
Hi, Splunkers. I have four hosts and this query: index=myIndex | timechart span=20m max(counterMetric.sampleCount) as CounterMetric max(durationMetric.value) as DurationMetric by host so in the result I have...
Consecutive events by field - only show points in time where number of such...
I'm trying to find points in time where a consecutive event happens 5 times in a row. I currently have this query: partner_id=9991| streamstats count BY timeout reset_on_change=true | table timeout,...
Substring extraction from a field value
My extracted field X has values in the following format: /abc/defg/hgi/klmn/p. I want to be able to extract the values between any two '/'. 1. I want abcdefg to be extracted to Y. 2. I want...
stats count which doesn't return the same number of events between 2 different...
Hi, I use two requests which normally have to count the same number of events. The first is: | eventtype=Periph | dedup host | stats count For this one I have 106 events. The second is: For this one I...
How do you override a default app setting on a search head cluster?
We are using the Palo Alto TA and pushing the default app to our search head cluster. In props.conf there is an automatic lookup which references a KV store that is empty, causing errors when searching...
How do you get the sum of columns by system?
I am trying to figure out how to get the sum of the systems_score column by systems. The data model is below:
systems systems_score
System A 20
System A 10
System A 0
System B 20
System B 20
System B 20...
How to monitor Apache logs i.e. create dashboards for them?
Hi All, I want to monitor the error logs using Splunk and create dashboards for the same. Sample logs: [Sun Jul 09 03:25:02 2017] [info] Apache/2.2.32 (Unix) DAV/2 configured -- resuming normal...
Extract the URL into a separate field
Hello, I'm trying to extract the URL from the message field, so I can create a separate field called URLs. At the moment all our logs are in the message field, so extracting various parts is essential....
Calculate _time difference between subsearch and main search
I'm trying to calculate the `_time` difference between the subsearch and main search; but if I try and pass the time through to the main search it seems to want to include it in the actual search and...
Problem with saved searches and job ttl
Hello Splunkers, I'm working with saved searches and job TTL, and with 2 saved searches where the only thing that changes is the sourcetype, nothing more. With the same configuration in savedsearches.conf...
Value expiration in query
Hi all, I'm wondering if there is a way to make a query with values that expire. For example my query is: index=checkpoint sourcetype=opsec* src="192.168.1.1" OR "192.168.1.2" | fillnull value=NULL |...
Internal configuration file error. Something wrong within the package or...
Internal configuration file error. Something wrong within the package or installation step. Contact your administrator for support. Detail: instance.pages.configuration.tabs[0].entity[0].label does not...