Is it possible to use an if/else condition based on the search to create stats?
index=concourse sourcetype="deployments: csv" if project = * and team=$team$ | stats count by project, team elif team=* and project=$project$ | stats count by team, project Can we do something like...
Microsoft Azure Add-on: error setting/pulling Event Hub
Hello, I'm trying to integrate with Event Hub. I've entered my Connection String: Endpoint=sb://.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey= and EventHub Name...
Time-related checks
Hi guys, is it a relevant check to base your _time validation on the difference between _indextime and _time values (when events are supposed to be delivered in real time)? Please consider a world wide...
How do I filter string values from a greater-than-or-equal-to numerical...
I have a field in my query called `Attempt` that is either a non-negative integer or a special value "null". I use the special "null" string value because I am creating a summary query and don't want...
After upgrading "splunk add on for Salesforce" from 2.0 to 3.0, the "inputs"...
The inputs and configuration tab in the app keeps loading and I can't seem to get to the configuration page.
Blocked field values
Trying to find the definition of the various values of the Blocked field. Yes and No are self-explanatory, but I have also seen Would and 2. I have been unable to locate the answer in the documentation...
Does Splunk log falling back to automatic timestamp extraction?
*After* Splunk (I'm using 7.3.0) has indexed an event, is there any way to tell whether: - Splunk successfully used the `TIME_FORMAT` et al configuration settings in `props.conf` to extract the...
Splunk rex help: regex for Windows and Unix paths
Hi, I am a newbie to SPL. I am trying to write a regex that will extract the Unix/Windows path from the full_log field. I am having no luck with that. Can you please help? The following regex is for...
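One way to do this extraction, as an added example that is not part of the original post: a single regular expression that matches drive-letter and UNC Windows paths as well as absolute Unix paths, run over constructed log lines. The field name `full_log` comes from the post; the sample lines and the matching rules (no whitespace or quotes inside a path; a `/` preceded by a word character, `:` or `/` is not a path start, so URLs and dates are skipped) are assumptions made for the example.

```python
import re
from typing import List

# Added example, not code from the original post. Matches three path styles:
#   C:\Windows\System32\cmd.exe   (drive-letter Windows path)
#   \\fileserver\share\file.exe   (UNC path)
#   /var/log/auth.log             (absolute Unix path)
# Assumptions: a path contains no whitespace or quotes, and a "/" preceded by a
# word character, ":" or "/" is not a path start (so "http://h/x" and "10/03/2019"
# are skipped). A Windows path containing spaces is cut at the first space.
PATH_RE = re.compile(
    r"""
      (?:[A-Za-z]:\\|\\\\)[^\s"'<>|]+          # C:\... or \\server\share\...
    | (?<![\w:/])/(?:[^/\s"'<>|]+/?)+          # /dir/file, at least one component
    """,
    re.VERBOSE,
)


def extract_paths(full_log: str) -> List[str]:
    """Return every Windows or Unix path found in one log line, in order."""
    return [m.group(0) for m in PATH_RE.finditer(full_log)]


# Constructed sample lines standing in for the post's full_log field.
SAMPLE_LOGS = [
    r"2019-10-03 10:22:01 INFO process started: C:\Windows\System32\cmd.exe pid=4312",
    "Oct 03 10:22:05 host sshd[1234]: opened /var/log/auth.log for appending",
    r"scan of \\fileserver\share\payload.exe completed; see http://intranet/report",
    "10/03/2019 GET http://intranet/report 200",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(extract_paths(line))
```

The same pattern can be used in SPL as `rex field=full_log "(?<path>...)"`, because Splunk's rex command is PCRE-based and supports lookbehind; the verbose-mode whitespace and comments must be removed first, and the lookbehind must stay fixed-width.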
Max of two columns
Hi, my search output is like `mysearch | table col1 col2 col3`. I want col4 as max(col1,col2). Thanks
Is there a better way to join two sub-searches and 2 lookup-tables to main...
So let's say I have three searches I need to join data from: Main search (search_int) has the following fields: Computer_name ip_address data_to_be_joined_1 data_to_be_joined_2 subsearch (search_vul)...
Latest time and the corresponding raw data
Hi, can anyone help me with how to get the latest time of an event and its corresponding raw log (_raw)? When I use `stats latest(_time), values(_raw)`, I get the latest time but a consolidated list of raw logs.
IIS logs parsing
Hi Splunk Ninjas, we have different web portals for different purposes. I categorize them as internal and external web portals. Now, under the cs_host field I have different values, but both types of...
Add additional fields to the end of timechart
Hello, I have a bar chart that looks like this: ![alt text][1] What I want to do is move the "Backlog" field to the end of the bar chart (chart overlay). In this case, I want it to appear on Thu Oct...
Change the background colour on my dashboard depending on the text displayed
![alt text][1] [1]: /storage/temp/275025-add-colour-range-to-dashboard.jpg I want to build this dashboard such that when Healthy shows as the status of the cassette, the background colour will be green...
Creating bookmarks in a Splunk dashboard
Hi all, I have a multiselect input that has "StudentIDs". I need to bookmark student IDs and give a name to the bookmarked ID. How can I do it? Also I need to output the data of a bookmarked ID (in...
Save configuration in dedicated input.conf in version 8.0
Hi, I've installed Splunk 8.0 to check my Python modular inputs with Python 3.7, and with this version the configurations are not stored in the input.conf file in my app folder, but in "launcher" or...
How to pass an argument to the Endpoint URL in the REST API configuration?
Hi, I want to pass the (current day's) date to the endpoint URL, which I am configuring in the REST API Modular Input. I see the URL Arguments tab, but how do I give an entry in it? Regards, Sarvesh
How to get Splunk data into PowerBI?
Hi all, I have a requirement to extract Splunk data into PowerBI for dashboards and reports. Could you please point me in the right direction?
How do I configure my sourcetype to deal with a log that creates events with...
Hello all, I have a structured log that doesn't contain headers but contains fields with fixed lengths. Here is a simplified example that considers 4 fields with the names `exit_code`, `id`,...
Why is ResultsReaderJson taking more time to parse a simple stream returned by...
I am having an issue with consuming results using the Splunk API. I am using a oneshotsearch where the result is returned immediately, in less than a second, and using ResultsReaderJson for parsing, and it takes...