Tag:stackexchange

I have a mixed-language (Python & PHP) web project that leverages any one of several relatively large lists of words (the smallest list is ~13k entries, the largest is >250k entries) Based on user input, the app will spit back a unique word-set (along the lines of how What3Words maps grids on the earth’s surface …
Continue reading When does creating a single large table make more sense than a single file for accessing a list?

Use OR: index=ndx sourcetype=srctp (fieldA="myval" OR fieldB="myval" OR fieldC="myval") Parenthesis added for clarity/readability from User warren – Stack Overflow https://stackoverflow.com/questions/67495862/splunk-streamlined-search-for-specific-fields-only/67496173#67496173 via IFTTT

stats will be your friend here. Consider the following: index=myIndex* source="source/path/of/logs/*.log" "Elephant" carId=* | stats values(*) as * by carId from User warren – Stack Overflow https://stackoverflow.com/questions/67424702/get-distinct-results-filtered-results-of-splunk-query-based-on-a-results-field/67425342#67425342 via IFTTT

First, the Splunk Universal Forwarder is a stand-alone application that’s entire job is to send data to Splunk Enterprise (or Cloud). There is no need to complicate installing a simple, lightweight utility by embedding it in a Docker container – unless, and only unless, you need to have the UF inside a container to read …
Continue reading Answer by warren for Configure Splunk in Springboot and Docker

I suspect you’re going to be most interested in timechart for this Something along the following lines may get you towards what you’re looking for: index=ndx sourcetype=srctp Value=* TimeStamp=* %NStatus=* (Tag=SubstationA_T1_MW OR Tag=SubstationA_T2_MW) earliest=-2h | eval _time=strptime(TimeStamp,"%m/%d/%Y %H:%M:%S.%N") | timechart span=15m max(Value) as Value by Tag timechart relies on the internal, hidden _time field (which …
Continue reading Answer by warren for How Can I Generate A Visualisation with Multiple Data Series In Splunk

The problem you’re seeing is your rangemap has overlapping values. Whereas with the eval format, you’re trimming the ranges "properly" with case. Sidebar – you can make that case simpler thusly: | eval size_group = case(SizeInMB < 150, "0-150 MB", SizeInMB < 200, "150-200 MB", SizeInMB < 300, "200-300 MB", SizeInMB < 500, "300-500 MB", …
Continue reading Answer by warren for Splunk Dashboard – difference between eval case and rangemap result

First, since index=… is unique, there is not reason to add the index!=… clauses. Data in Splunk can only exist in a single index (with a single sourcetype). So your first SPL should read: (index=abc OR index=def) (blocked=* OR RuleAction=*) | eval result=case(blocked=="0","Total Detection",blocked=="1","Total Blocked",blocked=="2","Would have Dropped",RuleAction=="Allow","Total Detection",RuleAction=="Block","Total Blocked") | stats count by result You …
Continue reading Answer by warren for How to add multile query in one query in splunk

Based on your expanded question, you’re going to need to actually get that REST endpoint’s data into Splunk There are at least two ways to do this First – use the REST API Modular Input and ingest data from the endpoint. If you don’t get data within some timeframe…send an Email. Second – create your …
Continue reading Answer by warren for API monitoring using splunk

Try something like this: index=ndx sourcetype=srctp server=* | stats min(_time) as First max(_time) as Last count as Events by server | rename server as Server | eval First=strftime(First,"%c"), Last=strftime(Last,"%c") | table First Last Events Server Should give you a table like the following: First | Last | Events | Server ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ <time> | <time> | …
Continue reading Answer by warren for Grouping data in a sorted list

You can do this with a search and where clause: | inputlookup myfile.csv | search support_group="mygroup-Linux" u_sec_dom="Normal Secure" | where !match(fqdn,"udc.net$") AND !match(fqdn,"htc.com$") Or just a single search clause: | inputlookup myfile.csv | search support_group="mygroup-Linux" u_sec_dom="Normal Secure" NOT (fqdn IN("*udc.net","*htc.com") You can also rewrite the IN() thusly: (fqdn="*udc.net" OR fqdn="*htc.com") from User warren – Stack …
Continue reading Answer by warren for Splunk query not endswith

It sounds like the event date is being set to the index date What does your props.conf look like for setting the timestamp? from User warren – Stack Overflow https://stackoverflow.com/questions/66641473/siem-plugin-for-sailpoint-and-splunk-timestamp-discrepancy/66642863#66642863 via IFTTT

When I need to do something like this, I have each successive input hidden until the previous is chosen (using the depends="$token_name$" in the input’s tag) Inside the first input tag, then, you’d have a <set token="display_input_2">yes</set> In the second, <set token="display_input_3">yes</set>, etc You can keep the "search on change" active – but if all …
Continue reading Answer by warren for In splunk dashboards, what is the most efficient way to apply user input changes?

If this data is being brought-in a JSON, you won’t have to rex it out If not, though, the issue is your regular expression Try it out on regex101.com – you’ll see you’re only grabbing the first value because you’re stopping at a literal " Try this instead: … | rex field=_raw "codes\":\[(?<codes>[^\]]+)" | eval …
Continue reading Answer by warren for Print String array of a json payload in splunk

If I understand you correctly, you probably want a timechart instead: index=ndx sourcetype=srctp domain=* source="sourceurl" | timechart span=1m dc(domain) as count by source from User warren – Stack Overflow https://stackoverflow.com/questions/66110589/count-the-number-of-different-value-of-a-field-and-get-the-average-per-minute/66120697#66120697 via IFTTT

Try one of these 2: index=ndx sourcetype=srctp data=* | stats dc(data) as unique_data Or index=ndx sourcetype=srctp data=* | stats values(data) as data_vals from User warren – Stack Overflow https://stackoverflow.com/questions/65997187/how-to-count-the-number-of-event-based-on-json-field-structure-in-splunk/66036420#66036420 via IFTTT

Why are you trying to eval those time values? Just do: index=* earliest=-8d latest=-1d | <rest of search> | appendcols [ search (index=*) earliest=-1d | <rest of appended search> ] There’s no need to explicitly set latest unless you want something other than now() from User warren – Stack Overflow https://stackoverflow.com/questions/66023059/how-to-reference-an-eval-variable-in-query/66032236#66032236 via IFTTT

Splunk doesn’t have "arrays" It has multivalue fields To access/do anything with them, you need to use multivalue commands/functions multivalue eval functions – https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/MultivalueEvalFunctions multivalue stats functions – https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multivaluefunctions In your example, you’d want to do something like the following: <search> | eval EventType=case(mvindex(http.request.queryParameters.authIndexValue,0)==Login_FooBar,"LOGIN", mvindex(http.request.queryParameters.authIndexValue,0)==Login_BarFoo,"not a good login",1=1,"error state") from User warren – Stack Overflow …
Continue reading Answer by warren for How do I access an array value inside a case in Splunk?

Something like the following should work to get the most-recent status: index=ndx sourcetype=srctp Id=* Version=* Status=* EventTime=* state=* | stats latest(Status) as Status latest(Version) as Version latest(state) state latest(EventTime) as "Event Time" by Id from User warren – Stack Overflow https://stackoverflow.com/questions/65717013/splunk-search-how-to-loop-on-multi-values-field/65740112#65740112 via IFTTT

Now I want to schedule the alert search to run every 10 minutes. Therefore, I want to run it on cron schedule and chose */10 * * * *. Is that correct? No, that will run it every 6 minutes: you’re dividing the hour (60 minutes) by 10, giving you a schedule of every 6 …
Continue reading Answer by warren for Splunk: Schedule alert to run every 10 minutes

Not knowing the field name is definitely going to be tricky when it comes to processing it later, but what you’ll want to do is this: index=ndx sourcetype=srctp "V1" "V2" Be default, Splunk ANDs all search terms. So if you’re looking for "V1" and "V2" in the same event, you just need to quote all …
Continue reading Answer by warren for Multifields search in Splunk without knowing field names

Not sure exactly what you’re seeing, but the lone example on Docs.Splunk for relative_time uses a negative value. That said, if you want to "look into the future" with your searches, why not just add 1 to argh1 – since you’ve already eval‘d it, you "know" it’s now(). Something like this, perhaps: | eval argh1=now() …
Continue reading Answer by warren for Splunk relative times with + are incorrect in dashboard (out by a week)

Depending on your use case, you either do something like this: index=ndx sourcetype=srctp fieldA=something fieldB=pattern fieldC=* Or you might end up doing this: index=ndx sourcetype=srctp "some literal text" | rex field=_raw "a pattern of stuff (?<fieldtoextract>regex-goes-here)" Or possibly this: index=ndx sourcetype=srctp fieldA=* | stats values(fieldB) by fieldA | where mvcount(fieldB)>3 AND match(fieldA,"something") Or maybe something …
Continue reading Answer by warren for Splunk equivalent to chained greps for searching within a search

If there are no results, you shouldn’t be getting anything sent to you in your Alert/Scheduled Report Why would you expect to see header rows, when they only "exist" if there are rows of data? When you run the Report manually, you’ll note when there are "no results" there are, well … "no results" There …
Continue reading Answer by warren for Blank CSV in splunk report

Don’t use eval and where or eval and search Put it in the initial search: "ExtendedProperties.PrCode"="myProductName" "ExtendedProperties.ProductVersion"="12.916" Make Splunk do your work for you – and let it do it in the most efficient manner possible 🙂 from User warren – Stack Overflow https://stackoverflow.com/questions/65212859/splunk-cloud-search-query-with-variable-does-not-return-results/65218708#65218708 via IFTTT

how can I remove line breaks and get a horizontal scroll bar instead? No idea what you’re asking here. how can I increase the pagination size to something reasonable like 1k or 10k? What makes you think "1k or 100k" is "reasonable"? Splunk caps the number of displayed results per page at 100. There is …
Continue reading Answer by warren for configuring Splunk for usability