Hello everyone, I am trying to get the queue or event counts with status="spooling" that happened after the very first error (status="*error*") occurred. How could I do this? Thank you in advance. This is for our company's printer server.
Good morning, I have been looking for a solution to this problem for a while. What I am trying to accomplish is re-ingesting .evtx files back into the system or another system so that I can use a UF to re-ingest old logs that have been exported and archived. I hope I am clear, as it is hard for me to articulate the ask. Old .evtx files -> Windows machine (put the logs back into the Windows machine), which will then allow me to use a UF to send the re-ingested logs to Splunk. I have tried converting the evtx files to text with a PowerShell script, but this would take a significant amount of time due to the size of my current evtx files. On average it was taking about 30 minutes per log file, and I have too many to count.
But I was looking to see if I can show these 3 timeline values as a chart/table, so that I can create a report on this and send an email to my team. Can this be achieved?
We were running Splunk Enterprise v9.2 on our Deployment Server. Everything worked fine. Upgraded to v9.3.0, and now the path "https://<fqhn>/en-US/manager/system/deploymentserver" no longer renders. Tried on 3 computers using several different browsers. All return a blank white screen on this URL only. All other dashboards on this host work fine; it is only the "Forwarder Manager" link. Nothing in the logs other than INFO events, and nothing to indicate a problem. Any ideas what is going on?
What is it you are trying to achieve? At the moment, you are getting one stats result for each Env Tenant combination with the latest time stamp for that Env Tenant. This doesn't sound like something useful to timechart or trend.
I use a stats command in a search in a dashboard which results in about 600 rows. Splunk places a "next" button in the dashboard for each 100 rows (option name="count" is 100). We deliver the result of this dashboard as a pdf so much of the results get lost. I can solve this by using "streamstats" to show the result in parts but I wonder why the limit is 100 and if it is possible to display more than 100 rows at once (without using tricks like streamstats).
Hi, ok, so I updated AME to version 3.0.8. Now I can't access anything, even though I am sc_admin. I can't see the start, and can't configure due to the fact that it says I must be sc_admin. Checked users and roles and they are fine. Any thoughts?
The classic dashboard format was XML; the new Dashboard Studio format is JSON. Our app/launcher/home is failing to load JSON dashboards with a 400 Bad Request, displaying the "horse" and complaining that the first line must be XML. How do we remove this restriction? Thank you.
Hi Splunk community, I'm facing an issue with my Splunk deployment server, running on version 9.2.1 (splunk-9.2.1-78803f08aabb-linux-2.6-x86_64-manifest). I’ve added new configurations to the inputs.conf file for a WebLogic server within a specific deployment class. After making these changes, I pushed the configurations to the target WebLogic server and triggered a restart. Unfortunately, the new settings in the inputs.conf file are not being applied to the WebLogic server, even though the deployment server logs indicate that the service was successfully restarted. Has anyone experienced this issue or can offer advice on what might be causing the problem and how to resolve it? Thanks in advance!
Hi All,
Need help with the timechart and trendline commands for the query below. Both the timechart and trendline commands are not working.
index=_introspection sourcetype=splunk_resource_usage component=Hostwide
| eval total_cpu_usage=('data.cpu_system_pct' + 'data.cpu_user_pct')
| stats Perc90(total_cpu_usage) AS cpu_usage latest(_time) as _time by Env Tenant
| timechart span=12h values(cpu_usage) as CPU
| trendline sma2(CPU) AS trend
There is a request to provide the list of P1C alerts for the JMET cluster from Splunk. We have provided the following query, but the user wants only those whose priority is P1C.
| rest /servicesNS/-/-/saved/searches
| table title, eai:acl.owner, search, actions, action.apple_alertaction *
This query is giving all the alerts configured but we want only P1C alerts.
It's urgent.
I got direct access to the server again and I checked the OS version. It is Red Hat Enterprise Linux release 9.4 (Plow). I will try to add a pipeline and I will check if it helps. I am going to check if there is not something connected with sysmon. It was right. There were only a few log entries in audit.log during the period. I checked it on the filesystem. After my ssh connection there are more log entries.
Last 90 minutes:
/opt/splunkforwarder/var/log/splunk/audit.log 2
/opt/splunkforwarder/var/log/splunk/conf.log 1
/opt/splunkforwarder/var/log/splunk/configuration_change.log 3
/opt/splunkforwarder/var/log/splunk/health.log 26
/opt/splunkforwarder/var/log/splunk/metrics.log 8975
/opt/splunkforwarder/var/log/splunk/splunkd-utility.log 10
/opt/splunkforwarder/var/log/splunk/splunkd.log 1055
/opt/splunkforwarder/var/log/watchdog/watchdog.log 3
/var/log/audit/audit.log 1337
/var/log/messages 9418
/var/log/secure 543
journald://sysmon 6482
I revealed an interesting correlation. You can see a "gap" or change in behavior in the graph. It starts after the UF is restarted. There are messages "Found currently active indexer. Connected to idx=X.X.X.X:9992:0, reuse=1." before the UF restart. 20 minutes after the restart they are back.
Hi all, I installed splunk enterprise 9.2.1 on my machine recently. There are no other external apps or components installed. But the UI is very slow. The loading time for each webpage, including the login page is slow. It takes around a minute to finish loading. Could anyone provide some suggestions as to why this is happening and how to fix it?
I cloned the "access_combined" sourcetype for the access logs, and now the fields are being extracted as desired. However, I'm unable to parse the request logs as expected. If anyone has some time, I would appreciate assistance with parsing the request logs. It would be really helpful.
Request Logs Format:
[09/Aug/2024:07:50:37 +0000] xx.yyy.zzz.aa TLSv1.2 ABCDE-FGH-IJK256-LMN-SHA123 "GET /share/page/ HTTP/1.1" xxxxx
[09/Aug/2024:07:50:37 +0000] xx.yyy.zzz.aa TLSv1.2 xxxxx-xxx-xxx256-xxx-xxx123 "GET /share/page/ HTTP/1.1" -
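As an added example (not from the post above), here is a Python parser for the request-log layout shown, useful for validating the field boundaries before turning the same named-group regex into a Splunk field extraction (PCRE accepts the `(?P<name>...)` syntax). The meaning of the trailing token is an assumption: it is treated as an opaque value that is absent when written as "-". The third sample line is constructed to show how a weak TLS version is flagged.

```python
import re
from datetime import datetime

# Layout from the post: [timestamp] client_ip tls_version cipher "request line" trailer
# Assumption: the trailer is one whitespace-free token, "-" meaning "no value".
REQUEST_LOG_RE = re.compile(
    r'^\[(?P<timestamp>[^\]]+)\]\s+'
    r'(?P<client_ip>\S+)\s+'
    r'(?P<tls_version>\S+)\s+'
    r'(?P<cipher>\S+)\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+(?P<protocol>HTTP/[\d.]+)"\s+'
    r'(?P<trailer>\S+)\s*$'
)

# TLS versions that should not be negotiated any more (legacy protocol detection).
LEGACY_TLS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

# Sample input: the two lines from the post plus one constructed legacy-TLS line.
SAMPLE_LINES = [
    '[09/Aug/2024:07:50:37 +0000] xx.yyy.zzz.aa TLSv1.2 ABCDE-FGH-IJK256-LMN-SHA123 '
    '"GET /share/page/ HTTP/1.1" xxxxx',
    '[09/Aug/2024:07:50:37 +0000] xx.yyy.zzz.aa TLSv1.2 xxxxx-xxx-xxx256-xxx-xxx123 '
    '"GET /share/page/ HTTP/1.1" -',
    '[09/Aug/2024:07:51:02 +0000] 10.0.0.5 TLSv1.1 CONSTRUCTED-CIPHER '
    '"POST /share/login HTTP/1.1" 512',  # constructed, not from the post
]


def parse_request_log_line(line):
    """Return a dict of fields for one line, or None if the line does not match."""
    m = REQUEST_LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Timestamp is Apache-style "dd/Mon/yyyy:HH:MM:SS +zzzz"; keep the offset.
    rec["time"] = datetime.strptime(rec["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
    rec["trailer"] = None if rec["trailer"] == "-" else rec["trailer"]
    rec["legacy_tls"] = rec["tls_version"] in LEGACY_TLS
    return rec


def parse_lines(lines):
    """Parse every line, silently skipping ones that do not match the layout."""
    return [r for r in (parse_request_log_line(l) for l in lines) if r]


def legacy_tls_records(lines):
    """Records whose connection used a TLS version on the legacy list."""
    return [r for r in parse_lines(lines) if r["legacy_tls"]]


if __name__ == "__main__":
    for r in parse_lines(SAMPLE_LINES):
        print(r["time"].isoformat(), r["client_ip"], r["tls_version"], r["method"], r["uri"], r["trailer"])
```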