Stats count by when field exists, otherwise use another
I am trying to create a dashboard that graphs the parsing queue size for an HF by `ingest_pipe`. I noticed that most of these logs have that field but some don't (I'm not sure why). **sample logs**...
How to resolve error in rex command when parsing a long string with escaped...
Hi everybody, When parsing a long string containing escaped double-quotes I get this error: Error in 'rex' command: regex="^(?([^"]|\")) has exceeded the configured depth_limit, consider raising the...
ERROR ScriptRunner - ERROR:root:Connection unexpectedly closed while sending...
ERROR ScriptRunner - stderr from '/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/search/bin/sendemail.py...
I want to move my unwanted logs into nullQueue. But no luck
#### #### #### #### 2020-05-12 14:34:52,060 2020-05-12 14:34:52,060 2020-05-12 14:34:52,060 I want to remove ####< from my events, so I used props.conf along with transforms.conf with this below...
How to use stats to identify largest number and use that as horizontal line...
I am trying to make an area chart which shows the average size of the parsing queue over time. I would like to add a horizontal bar as a threshold. I noticed that some logs have different values for...
How to create an area chart that displays an average of data over time, using...
I am trying to make an area chart which shows the average size of the parsing queue over time. I would like to add a horizontal bar as a threshold. I noticed that some logs have different values for...
How to join two sources with summary indexing to improve performance?
Hello, I am quite green at Splunk and have a problem I could use some help with. My data is coming from a postgres database via the Splunk DB Connect App, where each input (source) into Splunk is a...
Field extraction from data within backslashes
Hi, I have a dataset that contains IP addresses. IP addresses are coming in variations due to ranges they are assigned to, separated by \ backslashes. I need them to be extracted in multiple fields...
How to display the value of the difference result in Splunk?
Hi, How can I display the actual value of the difference in a new column? The value is "cts16k1sacc". Row 1 in attached screenshot....
Splunk Enterprise Security: Add a Filter to the Traffic Size Analysis Dashboard
I'd like to add a filter to the Traffic Size Analysis Dashboard. The filter I'd like to add is the "src_ip" field. Currently, this dashboard doesn't allow you to search by one IP and I think having...
Using a macro causes count of 1 on single value panel
Splunk is 8.0.2.1. Somewhat similar to...
Why does search only display 24 hours of event data on Linux, but all-time on...
1. There are approximately 1.5 Billion ingested entries from 40 forwarders. 2. Performing a search with any criteria on Windows hosts lists all events as all-time. 3. Performing the same search on...
How do I loop through a list of regular expression patterns stored in a KV...
I am new to Splunk. The `cluster` command gives me results that I am looking for and some. I would like to filter the results of this command with a list of regular expression patterns that I have...
How to create a search that calculates the percentage between two rows?
Hello!!! I need to calculate the percentage between the rows in my table, like this, for example: Search: | bucket span=10m _time | stats count by _time Result: _time count 1 2020-06-03 16:10:00...
Why doesn't Fundamentals 1 recognize some of my completed labs for the course?
I completed the entirety of Fundamentals 1 and it is not recognizing my lab 12 or 13 being done. Any help as to why or what I can do?
How to resolve ScriptRunner Error Message "ERROR:root:Connection unexpectedly...
ERROR ScriptRunner - stderr from '/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/search/bin/sendemail.py...
Can I upload raw SAR text files to Splunk?
Hi, I'm trying to upload raw SAR text files to Splunk, is it possible? Is there an add-on or other method to do this directly into Splunk? Or is the only way to use sysstat, then the add-on for Linux...
How to search for AWS non-active users with active secret keys?
I would like to search for AWS non-active users, who have not logged in or using their Access Key ID for more than 60 days, but have active Access Key ID. I am very new to Splunk. Please help. Thanks.
How to fix error "The external search command 'xmlkv' did not return events...
I am getting the error **"The external search command 'xmlkv' did not return events in descending time order, as expected"** along with my search results. Dashboard functionality works as expected and...
Need to use SQL query in Splunk
I need to convert my SQL query into Splunk by dbx query. Could someone help me? Here is my query. SELECT * FROM [Systems] AS D RIGHT JOIN (SELECT * FROM [Users] WHERE ProductName = 'Platform' ) AS C...