Hi @Easwar.C, Have you been able to review the comment your post got? If it helped, please click the "Accept as Solution" button on the reply that helped. If not, reply back to the thread and keep the conversation going.
Hi @arun97, usually these issues are related to the network bandwidth or low workstation memory. Did you experience this issue on all Splunk dashboards or only in some of them? Are you using a VPN? This usually gives high slowness. Ciao. Giuseppe
The Splunk support portal doesn't let me file a case, as it expects an input for "Splunk Support access to your company data". However, no option is available to select.
Hi @sidnakvee, good for you, see you next time! Ciao and happy splunking. Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
Hello Splunkers!! I want to achieve the results below in Splunk. Please help me with how to achieve this in SPL. Whenever the field is carrying a number string, I want the expected results below.

Current results    Expected values
1102.1.1           1102.01.01
1102.1.2           1102.01.02

Thanks in advance!!
@KendallW Thank you for the response, but it returned only a single word, not the whole sentence ('testing'; when I table it, it splits it into like this: Starting logs recent logs) : ( most "/example ......a bunch of sensitive information" Error: someone stepped on the wire. Goal is to have it like this: D:"//user/local/line500" Error : someone stepped on the wire. D://user/local/line980 ,indo Error : Simon said Look
Opening a Splunk Support case is not a straightforward task. If you notice the screenshot, it asks me to provide an answer to the question "Splunk Support access to your company data". However, there is no option to select, and because of this I am unable to open a case.
These might be useful: https://community.splunk.com/t5/All-Apps-and-Add-ons/parsing-log-text-to-get-a-specific-info/m-p/484283 https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-properly-parse-logs-that-contain-one/m-p/200151 Also see if an app helps; the extractions and suchlike are useful to inspect and use as needed: https://splunkbase.splunk.com/app/3186#/overview (from https://community.splunk.com/t5/Getting-Data-In/How-to-parse-Apache-access-logs-in-Splunk/m-p/266983)
Hello ALL, I installed On-Premises AppDynamics 24.7 on a Rocky Linux 9.4 host. After completing the Enterprise Console installation (through the installation script "platform-setup-x64-linux-24.7.0.10038.sh"), I continued to set up the Controller (demo profile) and Events Service. The three jobs completed successfully, as shown below. The Controller starts OK, but the Events Service cannot start up. There is a red Critical health status highlighted. The error message: Task failed: Starting the Events Service api store node ... How do I get the Events Service to start up? Thanks.
Hi, Did you consult this page? https://docs.splunk.com/Documentation/ES/7.3.2/Admin/Downloadthreatfeed
Thanks. I got it to work, but had to modify the syntax slightly to remove the backslashes. This worked:
[yoursourcetype]
SEDCMD-singletodouble=s/'/"/g
Hello refahiati, Have you verified with a manual inspection of the conf files on the weblogic server that the desired changes were made? If so, restart the agent on the weblogic server again. Otherwise, revalidate that you deployed the configs correctly. Inspecting the splunkd.log in the var/log folder is also useful for gathering more details about what might be going wrong.
So I have events with: sourcetype=winprintmon host=bartender2020 type=PrintJob printer="*" (gets all printers), e.g. zebra1065, which could have a status of "printing"/"printing,error"/"spooling". So what I wanted to do is: if a printer has an error (status="printing,error") at 6am, get the events of that printer that have status="spooling" (which is the queue) that occurred after 6am and count them.

Desired result format:

printer name | Counts of spooling (queue)

Hope this explains it better, been dealing with this for days. Thank you so much in advance!
Please share some anonymised but representative events that you are dealing with, preferably in a code block to preserve any formatting data.
Yes, the timewrap command can take the output from a timechart to create multiple lines over the 4 hour period
I apologize but could you break this process down barney style for me?
Hello everyone, I am trying to get the queue or event counts with status="spooling" that happened after the very first error (status="*error*") occurred. How could I do this? Thank you in advance. This is for our company's printer server.
Good morning, I have been looking for a solution to this problem for a while. What I am trying to accomplish is re-ingesting .evtx files back into the system or another system so that I can use a UF to re-ingest old logs that have been exported and archived. I hope I am clear, as it is hard for me to articulate the ask. Old .evtx files -> Windows machine (put the logs back into the Windows machine), which will then allow me to use a UF to send the re-ingested logs to Splunk. I have tried converting the evtx files to text with a PowerShell script, but this would take a significant amount of time due to the size of my current evtx files. On average it was taking about 30 minutes per log file, and I have too many to count.
But I was looking to show these 3 timeline values as a chart/table, so that I can create a report on this and send out an email to my team. Can this be achieved?
We were running Splunk Enterprise v9.2 on our Deployment Server. Everything worked fine. Upgraded to v9.3.0, and now the path "https://<fqhn>/en-US/manager/system/deploymentserver" no longer renders. Tried on 3 computers using several different browsers. All return a blank white screen on this URL only. All other dashboards on this host work fine; it is only the "Forwarder Manager" link. Nothing in the logs other than INFO events, and nothing to indicate a problem. Any ideas what is going on?