cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
victorsalazar
Explorer
Member since: ‎08-13-2019
‎11-06-2023
Community Statistics
Posts 5
Solutions 0
Karma Given 4
Karma Received 0
Member Since ‎08-13-2019
Activity Feed
View All

Re: Clustermaps not loading properly using a base ...

by in Dashboards & Visualizations
‎11-06-2023 12:10 PM
‎11-06-2023 12:10 PM
Hello All  I had exactly the same Issue and this only happens when u use the base search directly to get the cluster map populated. I solved the issue and maybe is a silly way to do it but it was the only way to make it workg for me. In your cluster map  edit search --> search string text box do something like this mainQuery: it is your base search, in my case is a Macro used in differnt dashboads ###################  Code ############################### | fields 1   ``` there is no fields called 1 - the idea is to get an empty result from the base search ``` ```  The idea about the code below is to use the query mainQuery and get the fields to pass them to geostats ``` | append        [  search `mainQuery`           | fields lat lon country sales        ] | geostats latfield=lat longfield=lon count(sales) by country globallimit=0 locallimit=0 ###################  end of Code ############################### ... View more

Re: How to use @myFile.spl to query Splunk API?

by in Security
‎09-22-2023 07:41 AM
‎09-22-2023 07:41 AM
Hello All I was able to solve this issue, I was digging on cURL capabilities and the answer is cURL -K configFile. Below is how it works: First suppose you require to send an extremely long query to Splunk API from your app or script with your cURL command (SPL search command in my case 121852 chars) 1. curl command curl -K query.spl --noproxy '*' -H "Authorization: Splunk myTOKEN" https://mySearchHEAD:8089/servicesNS/admin/search/search/jobs  ### --noproxy '*' it is optional and depends on your network setup 2. Your config file query.spl content and synaxis  [someUser@algunServidor:~/myDirectorio]$ more query.spl -d exec_mode=oneshot   ## this can be normal -d output_mode=json       ## this can be xml or csv -d "search=| search index=myIndex sourcetype=mySourcetype _raw=*somethingIamLooking for* field1=something1 field2=something2 .... fieldN=somethingN earliest=-1h latest=now"   ### really important to pay attention to the quotes in red above you need them to make it work.  I hope this help someone 🙂     ... View more

How to use @myFile.spl to query Splunk API?

by in Security
‎09-19-2023 08:49 AM
‎09-19-2023 08:49 AM
Hello All I need to send a request to Splunk API from a Linux server but the Curl is complaining because the search argument is too long (could be up to 500000 chars). my question is: how we can use @myFile.spl to query splunk api? This is what I have done so far but no luck yet   curl --noproxy '*' -k -H "Authorization: Splunk myToken" https://mySearchHead:8089/servicesNS/admin/search/search/jobs/export?output_mode=json -d search=`echo $myVar`  error  Argument list too long curl --noproxy '*' -k -H "Authorization: Splunk myToken" https://mySearchHead:8089/servicesNS/admin/search/search/jobs/export?output_mode=json -d  @query2.spl  (Format1 in query2.spl file--> "search= | search index=myIndex ...."    up to 500000 char) error {"messages":[{"type":"FATAL","text":"Empty search."}]} curl --noproxy '*' -k -H "Authorization: Splunk myToken"  https://mySearchHead:8089/servicesNS/admin/search/search/jobs/export?output_mode=json -d  @query2.spl  (Format2 in query2.spl file --> search= "| search index=myIndex ...."    up to 500000 char -- difference with 3 is quotes position) error {"messages":[{"type":"ERROR","text":"Error in 'SearchParser': Missing a search command before '\"'. Error at position '0' of search query '\"| search index...." curl --noproxy '*' -k -H "Authorization: Splunk myToken" https://mySearchHead:8089/servicesNS/admin/search/search/jobs/export?output_mode=json -d search=@query2.spl   (Format2 in query2.spl file --> "| search index=myIndex ...."    up to 500000 char -- difference with 3 is quotes position) error {"messages":[{"type":"ERROR","text":"Error in 'SearchParser': Missing a search command before '@'. Error at position '0' of search query '@query2.spl'.","help":""}]} ... View more
Labels

Re: Dynamic variable fields generation

by in Splunk Search
‎09-08-2020 07:56 AM
‎09-08-2020 07:56 AM
Thanks a lot both answer solved my problem ... View more

Dynamic variable fields generation

by in Splunk Search
‎09-04-2020 01:28 PM
‎09-04-2020 01:28 PM
Hello Splunk Community I would like to know if I can create a new column field from a multivalue field MV field =  1, 2, 3, 4  then I have another MV field a, b,c,d  after that I want my search result to look like in the picture Thanks in advance ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎11-06-2023 09:52 PM
Karma given to