All Posts
Thanks! Do I need to create and designate my cluster manager first and then cluster my indexers? I am trying to figure out what I need to do first after making a new indexer and how I can cluster my two indexers. Also, the same with my new search head. I don't know what step to take first.
Yes, I already follow that source too.
In my environment I have 4 indexers. Daily indexing is 50 GB/day; the retention period is 30 days. Within these 30 days, the hot bucket retention period is 10 days and the cold bucket retention period is 20 days. How can we calculate indexer storage?
Hello everyone, I am new to Splunk. I am trying to get the queue or event counts with status="spooling" that happened after the very first error (status="printing,error") occurred. How could I do this? So I have events with: sourcetype=winprintmon host=bartender2020 type=PrintJob printer="*" (gets all printers). For example, zebra1065 could have a status of "printing" / "printing,error" / "spooling". So what I want to do is: if a printer has an error (status="printing,error") at 6am, count the events of that printer that have status="spooling" (which is the queue) that occurred after 6am. Desired result format: printer name | Counts of spooling (queue) | Hope this explains it better; I have been dealing with this for days. Thank you so much in advance!
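One way to get "spooling events after a printer's first error" in SPL, added here as an example and not taken from the post or any reply. The first four lines build constructed sample events with `makeresults` so the search runs without the winprintmon data; the field names `printer`, `status` and `_time` are taken from the post, the printer names and timestamps are made up. `streamstats` keeps a running count of error events per printer in time order, so any spooling event that arrives after that count becomes non-zero is "after the first error":

```spl
| makeresults count=6
| streamstats count AS n
| eval printer=if(n<=4, "zebra1065", "zebra1066"),
       _time=relative_time(now(), "-1h") + n*60,
       status=case(n=1, "spooling",
                   n=2, "printing,error",
                   n=3, "spooling",
                   n=4, "spooling",
                   n=5, "spooling",
                   n=6, "printing,error")
| fields - n
| sort 0 printer _time
| streamstats count(eval(status="printing,error")) AS errors_so_far BY printer
| stats count(eval(errors_so_far>0 AND status="spooling")) AS spooling_after_first_error BY printer
```

With the constructed data this returns zebra1065 = 2 (the two spooling events after its error at n=2) and zebra1066 = 0 (its only spooling event precedes its error). To run it against real data, replace everything up to and including `| fields - n` with the base search from the post (`sourcetype=winprintmon host=bartender2020 type=PrintJob printer="*"`). The `sort 0 printer _time` line matters: search results arrive newest-first, and `streamstats` counts in arrival order, so without the sort the "after" logic is inverted. A spooling event with exactly the same timestamp as the error is ordered arbitrarily by the sort; if that matters, add a secondary sort key.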
Exactly what I needed!  Thanks!
Hi @avikc100, you have to use the eval command to change the source value. So you could use the case statement with many values:

| eval source=case(
    like(source, "%PACA.log"), "Canada Pricing Call",
    like(source, "%second_value.log"), "Second value",
    like(source, "%third_value.log"), "Third value")

Ciao. Giuseppe
This is my Splunk query: index="webmethods_prd" source="/apps/WebMethods/IntegrationServer/instances/default/logs/ExternalPACA.log" | eval timestamp=strftime(_time, "%F") | chart limit=30 count as count over source by timestamp It is showing the result as: but I want to add a custom name to it. How should I do that?
This is what I have so far.

<form version="1.1" theme="light">
  <label>AutoSelectMulti</label>
  <init>
    <set token="pre_indexes"></set>
  </init>
  <fieldset submitButton="true" autoRun="false">
    <input type="multiselect" token="server" searchWhenChanged="true">
      <label>Server</label>
      <fieldForLabel>dns</fieldForLabel>
      <fieldForValue>dns</fieldForValue>
      <search>
        <query>index=summary source=sc dns=eaz* | dedup dns | table dns</query>
      </search>
      <delimiter> ,</delimiter>
    </input>
    <input type="multiselect" token="ds1">
      <label>DS1</label>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>index=summary source=sc dns=eaz* | search dns IN ($server$) | dedup host | table host</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
      <delimiter> ,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>EAST DS</title>
        <search>
          <query>| makeresults | eval ServerclassInfo="[serverClass:serverclass] whitelist.0 = server1 whitelist.1 = server2 Server List which needs to add under whitelist = $server$ EAST Deployment Server : $ds1$" | fields ServerclassInfo | fields - _time</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>West DS</title>
        <search>
          <query>| makeresults | eval ServerclassInfo="[serverClass:serverclass] whitelist.0 = server1 whitelist.1 = server2 Server List which needs to add under whitelist = $server$ WEST Deployment Server : $ds1$" | fields ServerclassInfo | fields - _time</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

What I'm ultimately looking for is: if I select 5 servers, of which 3 belong to the US and 2 to the UK, I want two panels. The US panel shows the 3 servers with their DS, whereas the other panel shows the identical thing, but only for the 2 servers. That's okay if we don't have that Deployment Server input too.
Hi @arun97, surely the issue is related to the VPN. Ciao. Giuseppe
I tried setting parallelIngestionPipelines = 2 in server.conf and the behavior did not change. I also tried stopping the sysmon daemon and disabling the sysmon journald input. It had no effect on the above behavior.
Hi @gcusello, yes, I am using a VPN and a workstation. The workstation has 16 GB of memory and all other applications are working fine.
Hi @Easwar.C, have you been able to review the comment your post got? If it helped, please click the "Accept as Solution" button on the reply that helped. If not, reply back to the thread and keep the conversation going.
Hi @arun97, usually these issues are related to network bandwidth or low workstation memory. Did you experience this issue on all Splunk dashboards or only on some of them? Are you using a VPN? This usually causes high slowness. Ciao. Giuseppe
The Splunk support portal doesn't let me file a case, as it expects an input for "Splunk Support access to your company data"; however, no option is available to select.
Hi @sidnakvee, good for you, see you next time! Ciao and happy splunking, Giuseppe. P.S.: Karma points are appreciated by all the contributors.
Hello Splunkers!! I want to achieve the results below in Splunk. Please help me with how to achieve this in SPL. Whenever the field carries a number string, I want the expected results below.

Current results | Expected values
1102.1.1        | 1102.01.01
1102.1.2        | 1102.01.02

Thanks in advance!!
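A way to zero-pad the second and third components of such a dotted number string, added here as an example and not part of the post or any reply. The field name `value` and the sample strings are constructed with `makeresults`; the third sample (one part already two digits) and the `if(isnotnull(...))` guard are there to show that already-padded parts and non-matching values pass through unchanged:

```spl
| makeresults count=4
| streamstats count AS n
| eval value=case(n=1, "1102.1.1",
                  n=2, "1102.1.2",
                  n=3, "1102.10.3",
                  n=4, "not-a-version")
| rex field=value "^(?<major>\d+)\.(?<minor>\d+)\.(?<patch>\d+)$"
| eval minor=if(len(minor)=1, "0".minor, minor),
       patch=if(len(patch)=1, "0".patch, patch)
| eval value_padded=if(isnotnull(major), major.".".minor.".".patch, value)
| table value value_padded
```

With the constructed rows this yields 1102.01.01, 1102.01.02, 1102.10.03 and the unchanged string not-a-version. On real data, drop the `makeresults`/`streamstats`/first `eval` lines and point `rex field=` at your own field name. If the components can exceed two digits, the `len()=1` test is the right check: a blanket `substr("00".x, -2)` would truncate a three-digit part.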
@KendallW Thank you for the response, but it returned only a single word, not the whole sentence ('testing'; when I table it, it splits it like this: Starting logs recent logs) :( most "/example ......a bunch of sensitive information" Error: someone stepped on the wire. The goal is to have it like this: D:"//user/local/line500" Error : someone stepped on the wire. D://user/local/line980 ,indo Error : Simon said Look
Opening a Splunk Support case is not a straightforward task. If you look at the screenshot, it asks me to provide an answer to the question "Splunk Support access to your company data"; however, there is no option to select, and because of this I am unable to open a case.
These might be useful: https://community.splunk.com/t5/All-Apps-and-Add-ons/parsing-log-text-to-get-a-specific-info/m-p/484283 https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-properly-parse-logs-that-contain-one/m-p/200151 Also see if an app helps; the extractions and suchlike are useful to inspect and use as needed: https://splunkbase.splunk.com/app/3186#/overview (from https://community.splunk.com/t5/Getting-Data-In/How-to-parse-Apache-access-logs-in-Splunk/m-p/266983)
Hello all, I installed on-premises AppDynamics 24.7 on a Rocky Linux 9.4 host. After completing the Enterprise Console installation (through the installation script "platform-setup-x64-linux-24.7.0.10038.sh"), I continued to set up the Controller (demo profile) and Events Service. The three jobs completed successfully, as shown below. The Controller starts OK, but the Events Service cannot start up. There is a red Critical health status highlighted. The error message: Task failed: Starting the Events Service api store node ... How can I get the Events Service started? Thanks.