Tag:stackexchange

You may need to custom-extract the value (until you can get the sourcetype’s props.conf and transforms.conf updated). Something like this should work: <search> | rex field=_raw "device=(<device>\S+)" <rest of search> from User warren – Stack Overflow https://stackoverflow.com/questions/75235524/splunk-query-to-get-comma-separated-value-as-single-value/75248139#75248139 via IFTTT

Without knowing what your dashboard looks like (a [sanitized] screenshot, XML, etc), we can only guess at what you’re trying to do That said, if you’re wanting to do what I think you want to do, put the following in its own panel on your Dashboard (you’ll need to do this from the Edit Source …
Continue reading Answer by warren for Splunk-Dashboard – how to add links as field in table visualization?

Yes, there is a limit to how much the HTTP Event Collector (HEC) can accept in a single submission. As of 9.0.3, it’s ~800MB: max_content_length = <integer> * The maximum length, in bytes, of HTTP request content that is accepted by the HTTP Event Collector server. * Default: 838860800 (~ 800 MB) from User warren …
Continue reading Answer by warren for Does splunk server has any limit on data, when being sent through Curl request with groovy script?

In Splunk, to capture multiple matches from a single event, you need to add max_match=0 to your rex, per docs.Splunk But to get them then separated into a singlevalue field from the [potential] multivalue field job_ids that you made, you need to mvxepand or similar So this should get you closer: | rex field=message max_match=0 …
Continue reading Answer by warren for Regex count capture group members

Without knowing what your data looks like, we can only guess, but something like the following should work: index=ndx sourcetype=srctp message=* publicationID=* | fields – _raw | fields publicationID _time | sort 0 publicationID _time | eval message=if(match(message,"Request.+publication"),message+tostring(_time),message) | rex field=message "Request.+publication(?<begin>.+)" | filldown begin | stats min(_time) as start max(_time) as end by begin …
Continue reading Answer by warren for Splunk – Use streamstats with transaction command to find gaps in event logs

Presuming your id field is the same and available in both indices, this form should work: (index=ndxA sourcetype=srctpA id=* source=example.log host=example "ERROR 1234") OR (index=ndxB sourcetype=srctpB id=* "some other string") | rex field=_raw "(?<first_field>ERROR 1234)" | rex field=_raw "(?<second_field>some other string)" | fillnull value="-" first_field second_field | stats count by id first_string second_string | search …
Continue reading Answer by warren for SPLUNK use result from first search in second search

I suspect something like the following will work – but you’re better off either getting this data as proper JSON (so Splunk handles it natively), or fixing your props.conf and transforms.conf | rex field=_raw max_match=0 "id\W+(?<id>\d+)" | rex field=_raw max_match=0 "updatedAt\W+(?<updated>[^\"]+)" | rex field=_raw max_match=0 "createdAt\W+(?<created>[^\"]+)" | rex field=_raw max_match=0 "feature\W+(?<feature>[^\"]+)" | rex field=_raw max_match=0 …
Continue reading Answer by warren for Splunk Event JSON to Table

Without sample data, this is only a guess, but this join form should work: index=ndxA sourcetype=srctpA | timechart span=10m MAX(count) as result | eval temp=if(result > 150 ,1,0) | streamstats sum(temp) AS tempsum window=2 | eval Alert=if(tempsum == 2 , 1,0) | join Alert [| index=ndxB sourcetype=srctpB process_name=* | stats count by process_name | eval …
Continue reading Answer by warren for Using if to get splunk rseslut from another index

Try something like this (the threshold is set for 25% on "minor" and 15% on "major" in this example): index=ndx sourtcetype=srctp earliest=-10m ResponseTime=* request=* | stats count by ResponseTime request | eval major=if(ResponseTime>2000,"yes","no") | stats count(request) as requests by major | eventstats sum(requests) as majreqs | eval majpct=round(requests/majreqs*100) | append [| search index=ndx sourtcetype=srctp earliest=-5m …
Continue reading Answer by warren for Splunk Alert – setting severity based on duration of events

You don’t need to loop through the values, you need to treat them as multivalue fields, and expand/filter appropriately For example: index=ndx sourcetype=srctp fieldname.subname{}.value=* | rename fieldname.subname{}.value as subname | mvexpand subname | stats count by subname | fields – count from User warren – Stack Overflow https://stackoverflow.com/questions/74778740/how-to-extract-values-from-json-array-and-validate-in-splunk/74798777#74798777 via IFTTT

This sounds like an RBAC issue – make sure you have proper permissions to data (indices, KOs, apps, etc), and that the apps have proper permissions from User warren – Stack Overflow https://stackoverflow.com/questions/74737236/using-splunk-mltk-functionality-while-in-another-splunk-app/74744556#74744556 via IFTTT

Don’t use any tokens or time selector on the panel itself You should be able to reference your two time tokens’ .earliest and .latest just fine in any searches on the dashboard from User warren – Stack Overflow https://stackoverflow.com/questions/74657676/how-to-use-tokens-from-2-time-range-inputs-in-single-splunk-dashboard-query/74659181#74659181 via IFTTT

I plopped a few extra single value fields in a row (no custom CSS), and Splunk renders them all centered in their panels from User warren – Stack Overflow https://stackoverflow.com/questions/74600562/splunk-dashboard-css-unable-to-center-on-panels-in-a-dashboard-row/74604375#74604375 via IFTTT

Some of the answers on here are on a good track (especially @Adrian Hall‘s suggestion to use eval … coalesce() But this is simpler: (index=ndx1 sourcetype=srctp userId=* client=* version=*) OR (index=ndx2 sourcetype=srctp2 fooid=* speed=*) | rename fooid as userId | stats values(client) as client values(version) as version values(speed) as speed by userId | where isnotnull(version) …
Continue reading Answer by warren for How can I conditionally create splunk field aliases?

I have a table generated by chart that lists the results of a compliance scan These results are typically Pass, Fail, and Error – but sometimes there is "Unknown" as a response I want to show the percentage of each (Pass, Fail, Error, Unknown), so I do the following: | fillnull value=0 Pass Fail Error …
Continue reading Conditionally remove a field in Splunk

Something like the following should work: index=ndx sourcetype=srctp ip=* | stats min(_time) as early by ip | where early>strptime("10/01/2022","%m/%d/%Y") from User warren – Stack Overflow https://stackoverflow.com/questions/74533136/splunk-find-new-values-that-only-appear-after-a-certain-date/74535545#74535545 via IFTTT

lookup will always run, always outputting the fields you tell it to – even if they are null And therein lies the key: | rename user_email AS email | lookup identity_ad email OUTPUTNEW bunit memberOf identity first last | where isnotnull(bunit) Will skip all of the entries that didn’t return a bunit field If you …
Continue reading Answer by warren for Splunk create value on table with base search and eval from lookup

Something like this should work: index=ndx sourcetype=srctp rating="bad" color="blue" price=* | top price by color rating from User warren – Stack Overflow https://stackoverflow.com/questions/74526812/splunk-display-top-values-for-only-certain-fields/74535396#74535396 via IFTTT

You seem to be trying to write SQL, but in SPL I suggest starting here for how to change your approach – https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SQLtoSplunk That said, I believe this will get you toward your goal: index=ndx sourcetype=srctp ip=* path=* | fields path ip _time | fields – _raw | sort 0 path -_time +ip | streamstats …
Continue reading Answer by warren for Splunk query to find previous requests from different ip

The depends="$token$" format works on almost every XML element in Splunk Dashboards I do this to force choices to happen in a certain order For example, if you must choose a Region before a Datacenter, you might have the dropdown for Datacenter have depends="$regiontok$", so that Region has to be set first from User warren …
Continue reading Answer by warren for In splunk Dashboard How to hide/unhide input radio choice options based on previous input?

Sans sample data, something like the following will probably work: index=crowdstrike sourcetype=crowdstrike:device:json falcon_device.hostname=* falcon_device.reduced_functionality_mode=yes | stats max(_time) as yestime by falcon_device.hostname | append [| search index=crowdstrike sourcetype=crowdstrike:device:json falcon_device.hostname=* falcon_device.reduced_functionality_mode=no | stats max(_time) as notime by falcon_device.hostname ] | stats values(*) as * by falcon_device.hostname | eval elapsed_seconds=yestime-notime from User warren – Stack Overflow https://stackoverflow.com/questions/74351588/comparing-two-splunk-events-to-see-which-one-is-larger/74364838#74364838 via …
Continue reading Answer by warren for Comparing Two Splunk Events To See Which One Is Larger

Why not do: index=* source=*.csv Requester=* NOT Requester="Requested For" This ensures there is a Requester field present, and that it is not equal to "Requested For" from User warren – Stack Overflow https://stackoverflow.com/questions/74310836/splunk-two-fields-not-equal-to-each-other/74319434#74319434 via IFTTT

If you insist on using a regular expression to parse XML … this is far simpler: | rex field=_raw "PrivilegeList\"\>(?<privilege>[\w\s]+)" | eval privilege=split(privilege," ") But… there are better ways to handle XML Like xmlkv or xpath from User warren – Stack Overflow https://stackoverflow.com/questions/74306508/splunk-regex-try-to-have-one-group-with-multiple-values/74308787#74308787 via IFTTT

You could try using append followed by a grouping stats and eventstats: <first SPL> | append [| search <second SPL> ] | stats values(*) as * by clientIP instanceID | eventstats dc(instanceID) as instances by clientIP from User warren – Stack Overflow https://stackoverflow.com/questions/74121673/splunk-how-to-display-multiple-stats-queries-in-table/74124736#74124736 via IFTTT

Please note that I don;t have an option to use replace/sub since I have to do this splunk. Splunk most certainly has ways of replacing values in strings – either by using rex in sed mode, or by using eval replace() This regular expression will pull what you’re looking for: | rex field=_raw "\"(?<subject>[^\"]+)" Follow …
Continue reading Answer by warren for Exclude string from matched result in regex