All Posts
Hi, finally figured it out, as Cloud needed the UF credential to be installed. So did that and now I see my logs. Thanks everyone for your support.
I use a stats command in a search in a dashboard which results in about 600 rows. Splunk places a "next" button in the dashboard for each 100 rows (option name="count" is 100). We deliver the result of this dashboard as a pdf so much of the results get lost. I can solve this by using "streamstats" to show the result in parts but I wonder why the limit is 100 and if it is possible to display more than 100 rows at once (without using tricks like streamstats).
Hi, ok, so I updated AME to version 3.0.8. Now I can't access anything, even though I am sc_admin. I can't see the start page and can't configure anything, because it says I must be sc_admin. Checked users and roles and they are fine. Any thoughts?
The classic dashboard format was xml; the new Dashboard Studio format is json. Our app/launcher/home is failing to load json dashboards with a 400 Bad Request, displaying the "horse" and complaining that the first line must be xml. How do we remove this restriction? Thank you.
Hello Team, I also have the same requirement. Please confirm whether there is a possibility to monitor Webservices Utilities: Message Monitor. Thanks, Praveen
Hi Splunk community,   I'm facing an issue with my Splunk deployment server, running on version 9.2.1 (splunk-9.2.1-78803f08aabb-linux-2.6-x86_64-manifest). I’ve added new configurations to the inputs.conf file for a WebLogic server within a specific deployment class. After making these changes, I pushed the configurations to the target WebLogic server and triggered a restart. Unfortunately, the new settings in the inputs.conf file are not being applied to the WebLogic server, even though the deployment server logs indicate that the service was successfully restarted. Has anyone experienced this issue or can offer advice on what might be causing the problem and how to resolve it? Thanks in advance!
Hi All, need help with the timechart and trendline commands for the query below. Both the timechart and trendline commands are not working.

index=_introspection sourcetype=splunk_resource_usage component=Hostwide
| eval total_cpu_usage=('data.cpu_system_pct' + 'data.cpu_user_pct')
| stats Perc90(total_cpu_usage) AS cpu_usage latest(_time) as _time by Env Tenant
| timechart span=12h values(cpu_usage) as CPU
| trendline sma2(CPU) AS trend
There is a request to provide the list of P1C alerts for the JMET cluster from Splunk. We have provided the following query, but the user wants only alerts whose priority is P1C:

| rest /servicesNS/-/-/saved/searches
| table title, eai:acl.owner, search, actions, action.apple_alertaction *

This query is giving all the alerts configured, but we want only P1C alerts. It's urgent.
I got direct access to the server again and I checked the OS version. It is Red Hat Enterprise Linux release 9.4 (Plow). I will try to add a pipeline and I will check if it helps. I am going to check if there is not something connected with sysmon. It was right. There were only a few log entries in audit.log during the period. I checked it on the filesystem. After my ssh connection there are more log entries.

Last 90 minutes:
/opt/splunkforwarder/var/log/splunk/audit.log 2
/opt/splunkforwarder/var/log/splunk/conf.log 1
/opt/splunkforwarder/var/log/splunk/configuration_change.log 3
/opt/splunkforwarder/var/log/splunk/health.log 26
/opt/splunkforwarder/var/log/splunk/metrics.log 8975
/opt/splunkforwarder/var/log/splunk/splunkd-utility.log 10
/opt/splunkforwarder/var/log/splunk/splunkd.log 1055
/opt/splunkforwarder/var/log/watchdog/watchdog.log 3
/var/log/audit/audit.log 1337
/var/log/messages 9418
/var/log/secure 543
journald://sysmon 6482

I revealed an interesting correlation. You can see a "gap" or change in behavior in the graph. It starts after the UF is restarted. There are messages "Found currently active indexer. Connected to idx=X.X.X.X:9992:0, reuse=1." before the UF restart. 20 minutes after the restart they are back.
Hi all, I installed splunk enterprise 9.2.1 on my machine recently. There are no other external apps or components installed. But the UI is very slow. The loading time for each webpage, including the login page is slow. It takes around a minute to finish loading. Could anyone provide some suggestions as to why this is happening and how to fix it?
I cloned the "access_combined" sourcetype for the access logs, and now the fields are being extracted as desired. However, I'm unable to parse the request logs as expected. If anyone has some time, I would appreciate assistance with parsing the request logs. It would be really helpful.

Request Logs Format:
[09/Aug/2024:07:50:37 +0000] xx.yyy.zzz.aa TLSv1.2 ABCDE-FGH-IJK256-LMN-SHA123 "GET /share/page/ HTTP/1.1" xxxxx
[09/Aug/2024:07:50:37 +0000] xx.yyy.zzz.aa TLSv1.2 xxxxx-xxx-xxx256-xxx-xxx123 "GET /share/page/ HTTP/1.1" -
Hi Splunk experts, I want to compare the response codes of our API for the last 4 hours with the last 2 days' data over the same time. If possible, I would need the results in a chart/table format showing the data as below. <Response Codes | Last 4 Hours | Yesterday | Day before Yesterday> As of now I am getting results hour-wise. Can we achieve this in Splunk? Can you guys please guide me in the right direction to achieve this.
I tried the below configuration, but it did not help. Can you suggest what could be the reason for it?
Hi @sherwin_r, good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
Thanks @gcusello @gjanders @isoutamo for your inputs. I will have to decide which solution I am going for. I will update if either worked as expected (however I expect it to take a couple of days). Regards, Sherwin
@ITWhisperer Today I used the query of the default saved searches and manually collected to the summary index from the UI (collect command) rather than using the Python script. Data is not visible in the indexes.
Thanks for this. I was able to utilise your solution to build a working process for what I need!
Hi, I requested a Dev license a while ago, but I don't hear anything from Splunk anymore. I have re-requested it a couple times, but still no answer. I even emailed Splunk, yet even that email is being ignored. I am new to Splunk and I just want to get started with the Developer license. How do I get my request to be approved? As in for real now, as I already attempted every standard solution. I just want somebody to approve my request, that's all.
Change your lookup to have * at the beginning, e.g. *baddomain.com, then change/create the definition for the lookup to do WILDCARD searches.
Hi @glingaraj, you have a grace period (30 or 60 days, I don't remember) after expiration to pass the exam, otherwise you have to pass the Power User exam again: I know because I had this problem! Ciao. Giuseppe