Cron Expression
Hi, I want a cron expression for executing a query every day @ 12:45PM. The cron expression I used is : **0 45 12 \* \* ?**. But I am getting an error stating "**invalid interval, must be an integer or...
Search-Head crashing std::bad_alloc
Hi, We have recently updated our customer's environment from 6.4.1 to 6.6.2. Ever since, we have a dashboard that is making our search-head crash due to bad allocation issues. (By the way the server...
Missile Map: Why am I getting an error "Failed to load source for Missile Map...
![alt text][1] [1]: /storage/temp/207018-qq图片20170804180300.png My Splunk enterprise version 6.4.3
Timeline legend problem
Hi Is there any way to change the behavior of a legend. I would like to highlight the other items rather than the item when it hovers over the selected item instead of highlighting it. For example. On...
Time format in log4j
Hi at all, I have a strange question, strange because it should be easy but it doesn't run! I have log4j logs with a timestamp 2017-07-26 00:05:21 DEBUG that is wrongly read by Splunk as 7/26/17...
Lookup in column A, grab value from column B, compare to a field in search...
Hey guys, I have a search that gives me a login from a country along with the user and the user's "work country". Unfortunately the work country is an abbreviation so I have a lookup table that...
Is it possible to change the table fields being sent with the sendemail command?
Hello, I'm trying to find a way to use search result fields to address an e-mail, but remove those fields in the inline table in the body of the e-mail. Here is an example of the search results:...
I was trying to assign dates using eval
Hi, here I want to assign Initial_L1_Decision_Date dates to Queue_to_Initial_L1_Days, there are some dates for Initial_L1_Decision_Date but when I'm giving table for Queue_to_Initial_L1_Days it's not...
Multiple correlation of different eventtypes.
Hello everybody, I am in the process of building a use case, which consists of 5 real-time alerts. In order to make the logic simpler, cleaner and more readable, I have created 4 eventtypes (EventA,...
How can I delete all double quotes in input data before it is imported to Splunk?
I have a csv file which contains random double quotes and I want to remove all these quotes before it actually gets imported into Splunk. Could someone show me how to do this at the add data state?...
Why does a ".*" extraction line ruin my query?
Here is my original query: tag=autoexpress_prod level=debug mdc.InvocationName=calculatePremiumAutoProcessc "serviceRequestName" | rex field=message "\(?\w+)" | rex field=message "\(?\w+)" | rex...
Splunk REST API json flattening
So I call the Splunk REST API and collect results in JSON format and that is kind of okay. Then I would like to pass it to splunk.Intersplunk.outputResults(). Intersplunk fails to flatten this kind of...
Why is an app that isn't changing causing a rolling-restart of my SHC?
I have an app that I am pushing out that appears to cause the SHC to do a rolling restart about half the time that I do a `apply shcluster-bundle`. The message in the logs states that the restart was...
Need help editing my search string so it displays correctly on visualization...
Below is my search string: | multisearch [search index="*" host="*" sourcetype="*" user="*" useradd "type=ADD_GROUP" | eval rectype1="Created new user"] [search index=* host=* sourcetype="*" "usermod"...
How to not create an alert for repeated events over a day
I'm currently running an alert, which updates every minute with a range -1m to -2m, for each new log based on unique JOBNAMEs. I want to create an alert each time a new JOBNAME occurs for the first time...
Need help editing custom drilldown time range of events
Below is my drilldown code:$click.value$search?q=index="*" host="*" sourcetype="*" "su:" "session opened for user" | rex "by (%3F<SU>[^(]%2b)" | search SU="$user$" | table _time, SU, user |...
Lookup table renaming a field & map visualisation
**tl;dr** how does renaming a field to "search" help? how to make a map visualization with the lookup table/codes shown?...
Need to extract the store id, mop and amount from the event and restrict the...
900200138203.009999999999990905052982270717620849609375MASTERCARD
How do privacy settings on dashboards work and what path are private...
Hello, As an admin, I am trying to clean up my dashboards by setting unused ones to private, but I want to know what determines where they go. Sometimes when I do it, I can still see the view in all...
How to assign dates using eval
Hi, Here I want to assign `Initial_L1_Decision_Date` dates to `Queue_to_Initial_L1_Days`. There are some dates for `Initial_L1_Decision_Date`, but the table for `Queue_to_Initial_L1_Days` does not show...