Tag:stackexchange

| stats count is going to be your friend – and it’ll be faster than trying to use dedup, too: myusername response_status="401" | stats count by website website_url user_name transaction_name user | fields – count And if you want to then merely have a count of websites inside that list, add this: | stats count …
Continue reading Answer by warren for Splunk – Table, print number of rows per selected field

First … don’t dedup on _raw The _raw events are never duplicated (unless you’ve done something wrong on ingest) Second, to your actual question – try something along the lines of this: index="myIndex" "started with profile" BD_L* | eval Platform=case(match(_raw,"LINUX"),"LINUX",match(_raw,"AIX"),"AIX",match(_raw,"DB2"),"DB2", match(_raw,"SQL"),"SQL", match(_raw,"WEBSPHERE"),"WEBSPHERE", match(_raw,"SYBASE"),"SYBASE", match(_raw,"WINDOWS"),"WINDOWS", true(),"ZLINUX") | stats count by Platform RUNID | join type=left RUNID …
Continue reading Answer by warren for Splunk: Return One or True from a search, use that result in another search

The "correct" answer is the one @RichG gave However, as with most things in life, the "reality" answer is "it depends" It should be the case that filtering before sorting will be more efficient But I have seen instances where filtering later is actually more efficient (depends on a host of factors) – so you …
Continue reading Answer by warren for where vs sort: Which is more efficient?

What you need is a way to get logs off your router to somewhere Splunk can parse them Most typically, this is done by sending the router’s syslog messages to a syslog collector like SC4S. From there, Splunk can then get the messages processed and ingested for anaylsis from User warren – Stack Overflow https://stackoverflow.com/questions/69376301/how-to-monitor-data-traffic-in-wan-using-splunk/69436740#69436740 …
Continue reading Answer by warren for How to monitor data traffic in WAN using splunk?

You can only have a single aggregating function in a timechart call You’re trying to do two count functions timechart will only do one from User warren – Stack Overflow https://stackoverflow.com/questions/69380033/adding-multiple-expressions-to-single-searchmatch-in-splunk-query/69436698#69436698 via IFTTT

If "nothing" has changed, then Submit is supposed to "do nothing". If you want to refresh the page with all the parameters as set, you should be able to click the URL bar and press return (so long as there are no hidden tokens, they’ll all get set in the query portion of the URL). …
Continue reading Answer by warren for Splunk submit button (submitButton) does not refresh dashboard if no inputs are changed

At the least, your regular expression has an error You have: "/\"user_search\"=>{\"name\"=>/(?<result>.*)" There is an extra "/" after the "=>" This seems to pull what you’re looking for: user_search\"=>{\"name\"=>(?<result>.*) from User warren – Stack Overflow https://stackoverflow.com/questions/69294371/extract-data-from-splunk/69304276#69304276 via IFTTT

First, you’re grouping by a field that may not exist (did you mean groupId instead of serviceId?) Second, are you sure your regular expression is correct? This tested one is simpler: | rex field=_raw "Id\W+(?<Id>\d+)\D+groupId\W+(?<groupid>\w+)" from User warren – Stack Overflow https://stackoverflow.com/questions/69288768/splunk-how-to-extract-two-fileds-distinct-count-one-field-by-the-other-field/69290709#69290709 via IFTTT

If you have access to the host(s) Splunk’s running on, you can find the definitions in $SPLUNK_HOME$/etc/*/macros.conf If you don’t have that access, then it’s possible you don’t have permissions to see the definitions of those macros However, you can always use the Job Inspector to see how Splunk translates what you type into what …
Continue reading Answer by warren for Questions related to splunk builtin macros in correlation search

You can, most likely, greatly simplify your regex For example: | rex field=_raw "Id\W+(?<id>\w+)" Will look for the literal string "Id", followed by as many non-word ("\W+") characters as it finds, then put all of the word characters ("\w+") it sees into the new field id from User warren – Stack Overflow https://stackoverflow.com/questions/69286252/splunk-why-is-it-not-counting-by-field/69287527#69287527 via IFTTT

Presuming this is on a Dashboard, you can change the CSS for the element to do what you want. In a hidden panel on the Dashboard, add some CSS styling – then connect the elements to their respective styles. For example, <panel> <html depends="$hideCSS$"> #chooser .table th{ font-size: 0ps !important; visibility: hidden !important; } #chooser …
Continue reading Answer by warren for Gridlines splunk statistical table

SPL doesn’t do "loops". A close [enough] analog is that each line in SPL is similar to a single command in bash (hence the pipe separator between commands). IOW, SPL is purely linear in processing. Use a multi-condition eval..if like this: index=ndx sourcetype=srctp | eval myfield=if(match(fieldA,"someval") AND !match(fieldC,"notthis"),"all true","else val") Or like this: | eval …
Continue reading Answer by warren for nested if loop in splunk

What is preventing you from having a panel whose search includes an earliest=-24h clause? eg the search might look like: index=ndx sourcetype=srctp earliest=-24h <rest of search> from User warren – Stack Overflow https://stackoverflow.com/questions/68938841/changing-panel-time-for-splunk-dashboard-studio-irrespective-of-the-global-timin/68942819#68942819 via IFTTT

Based on your sample data: 2021-08-25T20:45:17.382Z level=info module=xyz pid=45 message="queryAPI, Execution Time(ms):,617.195517, pId:45" 2021-08-25T20:45:17.382Z level=info module=xyz pid=45 message="queryAPI, Execution Time(ms):,231.195517, pId:45" Something like this should work: index=ndx sourcetype=srctp message=* | rex field=message "(?<apiname>\w+).+\,(?<exectime>\d+\.\d+).+:(?<pid>\d+)$" | where exectime>500 | stats values(exectime) as longtimes by apiname pid I’ve assumed you have the field message already extracted, and have …
Continue reading Answer by warren for Splunk panel for calculating grater then operation

The _time field is stored in Unix epoch format – ie in whole seconds Here is a relevant post from /r/Splunk that goes into the format of bucket names (and Unix epoch timestamps) – https://www.reddit.com/r/Splunk/comments/osrcr6/is_splunk_the_best_option_for_storing_data/h6r8vw7 And the Docs.Splunk citation from that post: https://docs.splunk.com/Documentation/Splunk/latest/Indexer/HowSplunkstoresindexes#Bucket_naming_conventions from User warren – Stack Overflow https://stackoverflow.com/questions/68838020/splunk-http-event-collector-why-does-my-time-field-have-000-milliseconds/68838375#68838375 via IFTTT

Something like this should work (so long as you have the automatic field date_hour created by Splunk): index="index_a" sourcetype="pqr" source="prq_source" "Success in api response" earliest=-7d | where (date_hour>=21 AND date_minute>=30) OR date_hour>=22 | stats avg(call_duration) as avg_call by success_id If date_hour & date_minute aren’t being automatically supplied by Splunk, you can create them yourself with …
Continue reading Answer by warren for Splunk panel showing graph for a specific time range

If these are internal applications, I presume this means you also have custom props.conf and transforms.conf for the logs? If you add new field extractions because of newer logging contents, then you will only see those newer fields in the newer data – because they won’t exist in the older data from User warren – …
Continue reading Answer by warren for Find all newer events logged by application after a certain date in splunk

The value that actually goes into _time is in Unix epoch seconds. It doesn’t matter what precision you look for with TIME_FORMAT= … it still only goes into _time in whole seconds. If you want to keep the higher-resolution value for use elsehow, you’ll need to add a specific field extraction for them. Since this …
Continue reading Answer by warren for Why is Splunk not showing miliseconds for JSON?

This ugliness will do what you want (though you may need to strip the ending /, if you don’t want it: \/\/[^\/]+(?<pathnoendingnumbers>\/[a-zA-Z-_][-_\w]+(\/[a-zA-Z-_][-_\w]+(\/[a-zA-Z-_][-_\w]+(\/[a-zA-Z-_][-_\w]+(\/[a-zA-Z-_][-_\w]+)?)?)?)?)[\/\d$]? It’s a 206-step match, which may be improbable – but it’s pretty efficient as is from User warren – Stack Overflow https://stackoverflow.com/questions/68479024/need-to-write-a-regex-to-extract-path-for-first-5-slashes-or-up-to-a-number-for/68488077#68488077 via IFTTT

Unless you add the report as an inline search (or the report generates a lookup via outputlookup), what you’re describing isn’t possible. If you add it as an inline search, you’re back to your initial problem of needing to update it each inline search use as well as the original report I often make use …
Continue reading Answer by warren for It is possible to modify already existing report within Splunk dashboard?

I almost always use multiple rex statement to get what I want … but if you "know" the data is consistent, this will work (tried on regex101.com): | rex field=_raw (?<classname>[^\/]+)\/(?<featurename>[^\.]+)\.[[:punct:]]+(?<project>[\w].+) What this regular expression does: <classname> :: everything from the front of the event to a front slash (/) <featurename> :: whatever follows the …
Continue reading Answer by warren for Splunk – Split a field into multiple fields based on delimiters

(Note – I haven’t tried this specifically, but it should get you close) According to Docs.Splunk on HTTP Event Collector Examples #3, it would seem you can do something very similar to this: curl -k "https://mysplunkserver.example.com:8088/services/collector/raw?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C&sourcetype=splunkd_access&index=main" \ -H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \ -d < $FILE Presuming the content of the file is formatted correctly, it …
Continue reading Answer by warren for How can I send the content of the file to HTTP Event Collector in Splunk?

That column "title" is really a field name (in this case, "y") Field names cannot be just whitespace … because then they "don’t exist" from User warren – Stack Overflow https://stackoverflow.com/questions/68004444/remove-one-column-name-in-splunk-chart/68005365#68005365 via IFTTT

You’re close Do this instead: index=*_abc [| inputlookup deattackerv1.csv | rename ip as src_ip] | stats count by src_ip,index This will use the inputlookup the way you want it to (ie, only match IPs that are in it) from User warren – Stack Overflow https://stackoverflow.com/questions/67874897/subsearch-produced-221180-results-truncating-to-maxout-10000/67878662#67878662 via IFTTT

If you need to connect traditional databases to Splunk, use DB Connect It supports DB2/Linux, Informix, MemSQL, MySQL, AWS Aurora, Microsoft SQL Server, Oracle, PostgreSQL, AWS RedShift, SAP SQL Anywhere, Sybase ASE, Sybase IQ, and Teradata Splunk is a data analysis tool What use case(s) are you trying to solve that you think it should …
Continue reading Answer by warren for Data Analysis in Splunk