Hi, Did you consult this page?  https://docs.splunk.com/Documentation/ES/7.3.2/Admin/Downloadthreatfeed  
Thanks. I got it to work, but had to modify the syntax slightly to remove the backslashes - this worked:
[yoursourcetype]
SEDCMD-singletodouble=s/'/"/g
Hello refahiati, have you verified with a manual inspection of the conf files on the WebLogic server that the desired changes were made? If so, restart the agent on the WebLogic server again. Otherwise, revalidate that you deployed the configs correctly. Inspecting the splunkd.log in the var/log folder is also useful for gathering more details about what might be going wrong.
So I have events with: sourcetype=winprintmon host=bartender2020 type=PrintJob printer="*" (gets all printers). For example, zebra1065 could have a status of "printing", "printing,error" or "spooling". What I wanted to do is: if a printer has an error (status="printing,error") at 6am, get the events of that printer that have status="spooling" (which is the queue) that occurred after 6am and count them.
Desired result format:
printer name | Counts of spooling (queue)
Hope this explains it better, been dealing with this for days. Thank you so much in advance!
Please share some anonymised but representative events that you are dealing with, preferably in a code block to preserve any formatting data.
Yes, the timewrap command can take the output from a timechart to create multiple lines over the 4 hour period
I apologize but could you break this process down barney style for me?
Hello everyone, I am trying to get the queue or event counts with status="spooling" that happened after the very first error (status="*error*") occurred. How could I do this? Thank you in advance. This is for our company's printer server.
Good morning, I have been looking for a solution to this problem for a while. What I am trying to accomplish is re-ingesting .evtx files back into the system or another system so that I can use a UF to re-ingest old logs that have been exported and archived. I hope I am clear, as it is hard for me to articulate the ask.
Old .evtx files -> Windows machine (put the logs back into the Windows machine), which will then allow me to use a UF to send the re-ingested logs to Splunk. I have tried converting the evtx files to text with a PowerShell script, but this would take a significant amount of time due to the size of my current evtx files. On average it was taking about 30 minutes per log file, and I have too many to count.
But I was looking to show these 3 timeline values as a chart/table, so that I can create a report on this and send out an email to my team. Can this be achieved?
We were running Splunk Enterprise v9.2 on our Deployment Server. Everything worked fine. Upgraded to v9.3.0, and now the path "https://<fqhn>/en-US/manager/system/deploymentserver" no longer renders. Tried on 3 computers using several different browsers. All return a blank white screen on this URL only. All other dashboards on this host work fine; it is only the "Forwarder Manager" link. Nothing in the logs other than INFO events, and nothing to indicate a problem. Any ideas what is going on?
Start by changing the time period on your search to (earliest=now-4h latest=now) OR (earliest=-1d-4h latest=-1d) OR (earliest=-2d-4h latest=-2d)
Thanks, this was the only path we found to work as well. Appreciate the confirmation.
What is it you are trying to achieve? At the moment, you are getting one stats result for each Env Tenant combination with the latest time stamp for that Env Tenant. This doesn't sound like something useful to timechart or trend.
Using Splunk Cloud btw.
Hi, finally figured it out, as Cloud needed the UF credential to be installed. So I did that and now I see my logs. Thanks everyone for your support.
I use a stats command in a search in a dashboard which results in about 600 rows. Splunk places a "next" button in the dashboard for each 100 rows (option name="count" is 100). We deliver the result of this dashboard as a pdf so much of the results get lost. I can solve this by using "streamstats" to show the result in parts but I wonder why the limit is 100 and if it is possible to display more than 100 rows at once (without using tricks like streamstats).
Hi, ok, so I updated AME to version 3.0.8. Now I can't access anything, even though I am sc_admin. Can't see the start, can't configure due to the fact that it says I must be sc_admin. Checked users and roles and they are fine. Any thoughts?
The classic dashboard format was XML; the new Dashboard Studio format is JSON. Our app/launcher/home is failing to load JSON dashboards with a 400 Bad Request, displaying the "horse" and complaining that the first line must be XML. How do we remove this restriction? Thank you.
Hello Team, I also have the same requirement. Please confirm whether there is a possibility to monitor Webservices Utilities: Message monitor. Thanks, Praveen