cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
bowesmana
SplunkTrust
Member since: ‎05-09-2011
4 hours ago
Community Statistics
Posts 2823
Solutions 641
Karma Given 243
Karma Received 1046
Member Since ‎09-05-2011
Activity Feed
Topics I've Started
View All

Re: host drop down

by SplunkTrust in Splunk Enterprise
3 hours ago
3 hours ago
Have you added the dropdown - what is the problem you are facing? Simply add the dropdown, set the 8 static options and then in your search use index=bla host=*$my_host_token$* where my_host_token is the token for your dropdown Assuming the table below is the finite list of hosts you will have, then this should work - there are of course other ways to do this, but this is the simplest.   ... View more

Re: Could not have data summary

by SplunkTrust in Splunk Search
4 hours ago
4 hours ago
https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/Aboutthesearchapp ... View more

Re: Could not have data summary

by SplunkTrust in Splunk Search
4 hours ago
4 hours ago
The data summary option does not exist in Splunk Cloud ... View more

Re: rex field command in props.conf file

by SplunkTrust in Splunk Dev
4 hours ago
4 hours ago
It is probably because your field looks like it has come from JSON and based on the link provided by @isoutamo , means that the field extractions are happening at stage 4, whereas your REPORT extraction is happening at stage 3, therefore the field does not exist. You could try creating a calculated field using an eval replace expression to remove the non-domain part. You can try this in standard SPL by experimenting with your regex using | eval domain=replace('event.url', "(?:https?:\/\/)?(?:www[0-9]*\.)?(?)([^\n:\/]+)", "\1") That is NOT correct above, as I am not sure what the replacement token \1 should be with all the brackets and capturing/non-capturing groups, but you can experiment with regex101.com   ... View more

Re: rex field command in props.conf file

by SplunkTrust in Splunk Dev
yesterday
yesterday
REPORT-url_domain It's the name of the field you want to assign the result to.   ... View more

Re: Saved Search showing old data?

by SplunkTrust in Reporting
yesterday
yesterday
If you use loadjob, it always loads an existing, previously run job. If you run | savedsearch ... then it will run a new search. If that new search returns the wrong results, then it would seem likely that the search has not changed ... View more

Re: Problem with time in Edge Processor

by SplunkTrust in Getting Data In
yesterday
yesterday
OK, I'm unsure where the time will get extracted, but have you looked at this document https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/EdgeProcessor/TimeExtractionPipeline   ... View more

Re: Count is getting mismatched for the fields aft...

by SplunkTrust in Dashboards & Visualizations
yesterday
1 Karma
yesterday
1 Karma
You are deduping 'x' so you need to understand the consequences of that. Your search is not doing any aggregations, so without knowing what combinations of Application, Action and Target_URL you have, it's impossible to know what's going on here. These 3 lines are most likely the source of your problem | mvexpand x | mvexpand y | dedup x   ... View more

Re: Compare inputlookup values and look for partia...

by SplunkTrust in Splunk Search
Monday
1 Karma
Monday
1 Karma
Start with this index=abc sourcetype=kubectl | stats count by pod_name, status, importance | rex field=pod_name "^(?<pod_name_lookup>pod.)" | inputlookup append=t pod_lookup.csv | fillnull value=0 count | stats max(count) as count values(status) as status values(pod_name) as pod_name by pod_name_lookup, importance this gets the data pods seen, creates the lookup name with rex, then appends the control lookup to the end, filling the count/status with 0 and something suitable. The second stats just join them together on the lookup pod name and criticality. If count is 0 then you do not have any pods of that variant. The pod_name and status fields will give you all the values seen for the pod_name in the data - use them if you need, otherwise remove them. So, you can do  | where count=0 to get the missing pods ... View more

Re: Alert Query not working as expected

by SplunkTrust in Splunk Search
Monday
Monday
In your first attempt it should have been like this index=app-logs sourcetype=app-data source=*app.logs* host=appdatajs01 OR host=appdatajs02 OR host=appdatajs03 OR host=appdatajs04 | stats count by host | inputlookup append=t host_lookup.csv | fillnull count value=0 | stats max(count) as count by host | where count<100  but if you want to search at 1 minute granularity, what if one minute is > 100 and 1 is < 100    ... View more

Re: Alert Query not working as expected

by SplunkTrust in Splunk Search
Monday
Monday
This is the classic proving the negative issue. Splunk will count events based on your search criteria. It's can't create new categories of result for things that are not there. You need to explicitly add the hosts into the final result table if they are not present in the first count. You can do something like this, which will add in zero values for your 4 hosts and then max the count for each host index=app-logs sourcetype=app-data source=*app.logs* host=appdatajs01 OR host=appdatajs02 OR host=appdatajs03 OR host=appdatajs04 |stats count by host | appendpipe [ | where a=1 | makeresults | fields - _time | eval host=split("appdatajs01,appdatajs02,appdatajs03,appdatajs04",",") | mvexpand host | eval count=0 ] | stats max(count) as count by host | where count<100 Note that your statement "|bin span=1m _time" does nothing because you have no time field after the stats command Normally with this proving the negative technique, you would add all the hosts you are interested in into a lookup file and instead of appendpipe, use | inputlookup append=t host_lookup.csv | fillnull count value=0 | stats... ... View more

Re: Matching a field in a string using if/eval com...

by SplunkTrust in Splunk Search
Monday
1 Karma
Monday
1 Karma
Great, thanks - that makes it easier! OK, so it looks like you are trying to compare fields in two separate events - you can't do that unless you collapse the two. You should use rex to extract a single filename and then do something similar to my previous post. Here's an example that hopefully will point you in the right direction. It creates two events 60 seconds apart each containing a filename - the rex statements extract filename and logtype and the stats will join the events together and by using min and max on _time you can get the start and end times for the pair of events. The final where clause will ensure that you have seen both loga and logb events. | makeresults | eval v=split("log a: There is a file has been received with the name test2.txt###log b: The file has been found at the second destination C://user/test2.txt", "###") | mvexpand v | streamstats c | eval _time=now()-(60*c) | rename v as _raw ``` Above is simply a data set up example ``` | rex field=_raw "(/[a-zA-Z0-9]+\/|name )(?<filename>[^\"]*)" | rex field=_raw "log (?<logtype>\w)" | stats count min(_time) as Starttime max(_time) as Endtime values(logtype) as logtype by filename | where count=2 AND logtype="a" AND logtype="b" | eval diff = Endtime - Starttime Hope this helps. ... View more

Re: Saved Search showing old data?

by SplunkTrust in Reporting
Monday
Monday
Where is it showing the same results? Is it a scheduled saved search and you are looking at recent results? Is it a saved search you run manually or from a dashboard?   ... View more

Re: rex field command in props.conf file

by SplunkTrust in Splunk Dev
Monday
Monday
In your rex example you said | rex field=event.url ... that is why SOURCE_KEY is event.url - as that is where the urls are coming from right? Your rex example indicated you are extracting the url into a field called url_domain, which is also what is in the transforms. ... View more

Re: Matching a field in a string using if/eval com...

by SplunkTrust in Splunk Search
Monday
Monday
If you have two events, you can't just match things between events - the text from loga does not exist when running the match statement for the logb data. Without seeing your SPL it's hard to know what you are doing - can you post the entire SPL - please do this in a code block (</> button) If you have two events, you need to correlate them together using stats on a common field, in this case, your file name, so extract the file name from both events and then define a "message type" - log a or b and then you can do something like this logic | eval logtype=if(condition..., "loga", "logb") | rex "....(?<filename>....)" | stats count values(logtype) as logtypes min(_time) as StartTime max(_time) as EndTime by filename | where count>1 AND logtypes="loga" AND logtypes="logb"   ... View more

Re: rex field command in props.conf file

by SplunkTrust in Splunk Dev
Monday
Monday
You can do this in the UI - go to Settings->Fields-Field Transformations and add the regex and the field you want to extract from and then in Field Extractions add a new Extraction using transforms and reference the Field Transformation. This will translate to something like this in props/transforms conf files In transforms.conf you will need   [url_domain] CLEAN_KEYS = 0 REGEX = ^(?:https?:\/\/)?(?:www[0-9]*\.)?(?)(?<url_domain>[^\n:\/]+) SOURCE_KEY = event.url    In props.conf    [sec-web] REPORT-file_name = url_domain     ... View more

Re: Matching a field in a string using if/eval com...

by SplunkTrust in Splunk Search
Monday
Monday
Does logb come from "index=a env=a account="? If not, then you need to search both data sets to find loga and logb. I am not sure what your SPL  |field filename from log b | field filename2|  is doing, as that's not SPL. your match statement is not valid either, you are using SQL wildcards (%) - match takes regular expressions. Can you give an example of your data that you'd like to match ... View more

Re: How to populate percentage on bar chart

by SplunkTrust in Dashboards & Visualizations
Monday
Monday
You have not done what I suggested, you have changed the SPL to something that will not work. Please use the exact code I provided after your timechart command   ... View more

Re: i am reading from log file and have query to r...

by SplunkTrust in Dashboards & Visualizations
Monday
Monday
Here's a simple example <form version="1.1"> <label>HostDropdown</label> <fieldset submitButton="false"> <input type="dropdown" token="hosts" searchWhenChanged="true"> <label>Host Types</label> <choice value="prodhost*">Production</choice> <choice value="qahost*">QA</choice> <choice value="testhost*">Test</choice> </input> </fieldset> <row> <panel> <table> <search> <query> index=aaa source="/var/log/test1.log" host=$hosts$ |stats count by host </query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </form> I suggest you look at this and have a look through the documentation that describes this https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML   ... View more

Re: License Usage

by SplunkTrust in Installation
Thursday
Thursday
This will show you your ingest usage by sourcetype   index=_internal source=/opt/splunk/var/log/splunk/license_usage.log type=Usage | timechart limit=40 sum(b) as data by st   Look at the monitoring console, that will also give you information on your sourcetypes/index ingestion ... View more

Re: Problem with time in Edge Processor

by SplunkTrust in Getting Data In
Thursday
Thursday
That looks like it is more than 128 characters into the event, so you should set up MAX_TIMESTAMP_LOOKAHEAD and optionally TIME_PREFIX for your sourcetype for that data.   ... View more

Re: Need help to combine queries

by SplunkTrust in Splunk Search
Thursday
1 Karma
Thursday
1 Karma
My code was an example using your data - you are using that fixed set of strings in your code - you should do the rex against your raw data not the fixed msgs field - remove the eval msgs.... and the mvexpand, that was just example code. Your rex statement should either use _raw or if you have those messages extracted to a separate field, use that field. ... View more

Re: Compare search results

by SplunkTrust in Splunk Search
a week ago
3 Karma
a week ago
3 Karma
Try this on the end of your query | transpose 0 header_field=Tipo_Traffic | eval diff='APP DELIV REPORT'-MT | where diff!=0   ... View more

Re: Need help to combine queries

by SplunkTrust in Splunk Search
a week ago
1 Karma
a week ago
1 Karma
What do you want to extract? See this example which extracts parts  of the text  | makeresults | fields - _time | eval msgs=split("Initial message received with below details,Letter published correctley to ATM subject,Letter published correctley to DMM subject,Letter rejected due to: DOUBLE_KEY,Letter rejected due to: UNVALID_LOG,Letter rejected due to: UNVALID_DATA_APP",",") | mvexpand msgs | rex field=msgs "(Initial message |Letter published correctley to |Letter rejected due to: )(?<reason>.*)" you'll need to decide what you want and what you intend to use it for. ... View more

Re: Problem with time in Edge Processor

by SplunkTrust in Getting Data In
a week ago
a week ago
Look at the raw text rather than the JSON to see what Splunk may be using for timestamp detection. The JSON view is sorted and Splunk will only look a certain distance into the event to detect a timestamp (128 bytes by default). If it cannot find a timestamp, then it will use current time https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Propsconf#Timestamp_extraction_configuration ... View more
Contact Me
Online Status
Offline
Date Last Visited
4 hours ago
Karma from
Karma given to