All Posts
So I have events with: sourcetype=winprintmon host=bartender2020 type=PrintJob printer="*" (gets all printers), e.g. zebra1065, which could have a status of "printing" / "printing,error" / "spooling". So what I wanted to do is: if a printer has an error (status="printing,error") at 6am, get the events of that printer that have status="spooling" (which is the queue) that occurred after 6am and count them.

Desired result format:

printer name | Counts of spooling (queue) |

Hope this explains better, been dealing with this for days. Thank you so much in advance!
Please share some anonymised but representative events that you are dealing with, preferably in a code block to preserve any formatting data.
Yes, the timewrap command can take the output from a timechart to create multiple lines over the 4 hour period
I apologize but could you break this process down barney style for me?
Hello everyone, I am trying to get the queue or event counts with status="spooling" that happened after the very first error (status="*error*") occurred. How could I do this? Thank you in advance. This is for our company's printer server.
Good morning, I have been looking for a solution to this problem for a while. What I am trying to accomplish is re-ingesting .evtx files back into the system or another system so that I can use a UF to re-ingest old logs that have been exported and archived. I hope I am clear, as it is hard for me to articulate the ask.

old .evtx files -> Windows Machine (put the logs back into the Windows machine), which will then allow me to use a UF to send re-ingested logs to Splunk.

I have tried converting the evtx files to text with a PowerShell script, but this would take a significant amount of time due to the size of my current evtx files. On average it was taking about 30 minutes per log file, and I have too many to count.
But I was looking to see if I can show these 3 timeline values as a chart/table, so that I can create a report on this and send out an email to my team. Can this be achieved?
We were running Splunk Enterprise v9.2 on our Deployment Server. Everything worked fine. Upgraded to v9.3.0, and now the path "https://<fqhn>/en-US/manager/system/deploymentserver" no longer renders. Tried on 3 computers using several different browsers. All return a blank white screen on this URL only. All other dashboards on this host work fine; it is only the "Forwarder Manager" link. Nothing in the logs other than INFO events, and nothing to indicate a problem. Any ideas what is going on?
Start by changing the time period on your search to (earliest=now-4h latest=now) OR (earliest=-1d-4h latest=-1d) OR (earliest=-2d-4h latest=-2d)
Thanks, this was the only path we found to work as well. Appreciate the confirmation.
What is it you are trying to achieve? At the moment, you are getting one stats result for each Env Tenant combination with the latest time stamp for that Env Tenant. This doesn't sound like something useful to timechart or trend.
Using Splunk Cloud btw.
Hi, finally figured it out, as Cloud needed the UF credential to be installed. So I did that and now I see my logs. Thanks everyone for your support.
I use a stats command in a search in a dashboard which results in about 600 rows. Splunk places a "next" button in the dashboard for each 100 rows (option name="count" is 100). We deliver the result... See more...
I use a stats command in a search in a dashboard which results in about 600 rows. Splunk places a "next" button in the dashboard for each 100 rows (option name="count" is 100). We deliver the result of this dashboard as a pdf so much of the results get lost. I can solve this by using "streamstats" to show the result in parts but I wonder why the limit is 100 and if it is possible to display more than 100 rows at once (without using tricks like streamstats).
Hi, ok, so I updated AME to version 3.0.8. Now I can't access anything, even though I am sc_admin. Can't see the start, can't configure, due to the fact that it says I must be sc_admin. Checked users and roles and they are fine. Any thoughts?
The classic dashboard format was xml; the new Dashboard Studio format is json. Our app/launcher/home is failing to load json dashboards with a 400 Bad Request, displaying the "horse" and complaining ... See more...
The classic dashboard format was xml; the new Dashboard Studio format is json. Our app/launcher/home is failing to load json dashboards with a 400 Bad Request, displaying the "horse" and complaining that the first line must be xml. How do we remove this restriction? Thank you.
Hello Team, I also have the same requirement. Please confirm whether there is a possibility to monitor Webservices Utilities: Message monitor. Thanks, Praveen
Hi Splunk community, I'm facing an issue with my Splunk deployment server, running on version 9.2.1 (splunk-9.2.1-78803f08aabb-linux-2.6-x86_64-manifest). I've added new configurations to the inputs.conf file for a WebLogic server within a specific deployment class. After making these changes, I pushed the configurations to the target WebLogic server and triggered a restart. Unfortunately, the new settings in the inputs.conf file are not being applied to the WebLogic server, even though the deployment server logs indicate that the service was successfully restarted. Has anyone experienced this issue or can offer advice on what might be causing the problem and how to resolve it? Thanks in advance!
Hi All, need help with the timechart and trendline commands for the below query. Both timechart and trendline are not working:

index=_introspection sourcetype=splunk_resource_usage component=Hostwide | eval total_cpu_usage=('data.cpu_system_pct' + 'data.cpu_user_pct') | stats Perc90(total_cpu_usage) AS cpu_usage latest(_time) as _time by Env Tenant | timechart span=12h values(cpu_usage) as CPU | trendline sma2(CPU) AS trend
There is a request to provide the list of P1C alerts for the JMET cluster from Splunk. We have provided the following query, but the user wants only alerts whose priority is P1C:

| rest /servicesNS/-/-/saved/searches | table title, eai:acl.owner, search, actions, action.apple_alertaction *

This query is giving all the alerts configured, but we want only P1C alerts. It's urgent.