HI All I have a lookup table which is populated by a scheduled search once everyday. The lookup table looks like below Tickets, Cases, Events, _time 10, 11, 45, 2019-11-01 14, 15, 79, 2019-11-02 11, 22, 84, 2019-11-03 The query used to populate the lookup table is as below <index> <base search> | timechart span=1d count by actionItem Here the actionItems are Tickets, Cases, Events All this is fine, lookup is created, lookup is populating and fetching etc. But when I want to query the lookup table based on time, I am unable to do so. I tried using the below queries but none of them worked. | inputlookup lookup.csv | where strptime(_time, "%Y-%m-%d") >= "2019-11-01" | table * | inputlookup lookup.csv | search _time >= "2019-11-01" | table * | inputlookup cases_and_events.csv | search earliest="11/01/2019:00:00:00" latest="11/04/2019:00:00:00" | table * Can someone please point me to the right keywords to fetch the details based on _time. I understand that it seems the confusion is created because I have the column name as _time in thelookup csv This is because the initial look up load query was created using timechart. Thanks ... View more

Hi All I have data in the below fomat Market=UK, Question=Where do you live, Answer=London Market=USA, Question=Where do you live, Answer=New York Market=UK, Question=What is you pet, Answer=dog Market=USA, Question=What is you pet, Answer=cat ... and so on And I have pie charts with Trellis to show data with the below query |.... | stats count(Answer) as Count BY Question, Answer So the pie charts has the Answers and when I hover over the pie it shows me the count and the percentage. I want to show the percentage beside the Answer pie in brackets like the below image. (ignore the answers) What should I add in the query to do that. I tried the below but it doesn't work. Seems using Trellis is making is difficult to add any labels | stats count(Answer) as Count BY Question, Answer | eval Answer = Answer."(".Count.")" | table Question, Answer, Count Any help is appreciated. ... View more

Hi All I have data in the below fomat Market=UK, Question=Where do you live, Answer=London Market=USA, Question=Where do you live, Answer=New York Market=UK, Question=What is you pet, Answer=dog Market=USA, Question=What is you pet, Answer=cat ... and so on The problem is the question is not exhaustive and it can keep changing. So I cannot hard code a question in the query. I am trying to create pie charts for each question. I have written a query to get the count of answers based on market for a specific question from a list of question. index=index1 sourcetype=app_logs | dedup Question | stats list(Question) as questions | eval question=mvindex(questions, 1) | where Question = question | chart count as Count over Answer by Market The problem is, when I include the 3rd line (| stats list(Question) as questions ) the query returns all the events and not the statistics So I am not able to get any records for charting. I am sure there is something wrong with the query but not able to figure it out. Can someone help me please. ... View more

Hi Splunkers I have a table in the below format Email, Name email1, name1 email2, name2 email3, name3 email4, name4 I want to view the data in this format. <no headers> Email - email1 Name - name1 Email - email2 Name - name2 Email - email3 Name - name3 Email - email4 Name - name4 Can someone help me with the keywords or queries to be used Thanks ... View more

Hi All So I have a batch job that creates flat files per day. Each line in the flat files is an individual event. The flat files are forwarded to Splunk using Universal forwarders. Now Splunk has somehow managed to bundle some individual events into one single event. This is completely random and at the choice of our dear splunk which all events it wanted to bundle. Since this has happened, my searches do not return those events that are bundled inside the single event though each event has its own date and time. Can anyone please help me get the events broken back to being distinct individual events so that I can query all events. Below is how my events are being displayed. 6/19/17 5:00:00.000 AM ... 2 lines omitted ... 2017-06-19 02:00:00|SLC1|API|TRUE|46.82|0.05|0.00|0.00 2017-06-19 03:00:00|SLC1|API|TRUE|46.82|0.05|0.00|0.00 2017-06-19 04:00:00|SLC1|API|TRUE|43.59|0.05|0.00|0.00 ... 21 lines omitted ... 2017-06-19 06:00:00|SLC1|API|TRUE|5567.02|6.46|0.00|0.00 ... 11 lines omitted ... 2017-06-19 15:00:00|SLC1|API|TRUE|502.20|0.58|0.00|0.00 Show all 50 lines host = 10.40.10.89 source = /reporting/MIPS_SLC1_MIPS_METRICS_20170619.txt sourcetype = mips_reports 6/19/17 4:00:00.000 AM 2017-06-18 23:00:00|SLC1|API|TRUE|36.33|0.04|0.00|0.00 host = 10.40.10.89 source = /reporting/MIPS_SLC1_MIPS_METRICS_20170618.txt sourcetype = mips_reports 6/19/17 4:00:00.000 AM 2017-06-18 23:00:00|SLC1|API|API|14332.96|16.65|0.00|0.00 host = 10.40.10.89 source = /reporting/MIPS_SLC1_MIPS_METRICS_20170618.txt sourcetype = mips_reports ... View more

Hi All I have followed the regular expression method to anonymize data during indexing as mentioned in the below Splunk documentation. https://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Data/Anonymizedata Path : {Splunk_home}/etc/system/local props.conf entry: [access_log] TRANSFORMS-anonymize = cardType1-anonymizer, cardType2-anonymizer transforms.conf entry: [cardType1-anonymizer] REGEX = (.*?)(37)\d{2}(-|%20)\d{6}(-|%20)\d{1}(.*)(37)\d{2}(-|%20)\d{6}(-|%20)\d{1}(.*?)$ FORMAT = $1$2##$3######$4#$5$6##$7######$8#$9 DEST_KEY = _raw [cardType2-anonymizer] REGEX = (.*?)(37)\d{2}(-|%20)\d{6}(-|%20)\d{1}(.*?)$ FORMAT = $1$2##$3######$4#$5 DEST_KEY = _raw When I am loading data from Search Head UI using Settings > Add Data > Upload from My Computer the masking is working and card numbers are getting masked properly. However when the same data is coming from universal forwarders installed on application servers the masking is not working. In both cases I have the same sourcetype. I am not able to understand what is it that I am missing. Can anyone help me to resolve this. Thanks Nirmalya ... View more

Hi All I am trying to mask account numbers at indexing. So I have the respective entries in props.conf and transforms.conf The transforms.conf entry looks like this REGEX = ^(.*)([+,\s,=,A-Z])37\d{9}(.*)$ FORMAT = $1$237#########$3 DEST_KEY = _raw This is working fine for masking except that it is removing a part of the matched pattern. So my log entry is as below sysISN=0104B382&TRN=0010FDF1&pf=SYSTEM&gxn=ACCOUNT&gxf=37123456789 HTTP/1.1" 200 31513 112258 After masking the entry is something below sysISN=0104B382&TRN=0010FDF1&pf=SYSTEM&gxn=ACCOUNT&gxf7######### HTTP/1.1" 200 31513 112258 So though ideally the value should have been =37########, the masked value leaves out the =3 And this happens for all the combinations. The value of $2 and 3 from teh acoount number gets removed at masking. Can any one help me identify the fault and resolve it. Thanks ... View more

Hi All I quite new to splunk and I am trying to install splunk universal forwarder 6.2.2 on linux systems. Below are the commands that I have in a shell script which is executed by root user. tar -zxvf splunkuniversalforwarder-6.2.2-255606-Linux-x86_64.gz -C /opt groupadd splunk useradd -g splunk splunk chown -R splunk:splunk /opt/splunkforwarder export SPLUNK_HOME=/opt/splunkforwarder export PATH=$SPLUNK_HOME/bin:$PATH splunk enable boot-start -user splunk --accept-license --answer-yes service splunk start The script is executing perfectly till step 6. On step 7 the script gets hung and there is no output and neither the script proceeds ahead. I am unable to understand if this is an issue with the linux server where I am trying to install the forwarder or something is wrong with the installer. Can someone please help me on this. Thanks Nirmalya ... View more