All Posts

Hi Splunk experts, I want to compare the response code of our API for the last 4 hours with the last 2 days' data over the same time. And if possible I would need results in a chart/table format where it shows the data as below. <Response Codes | Last 4 Hours | Yesterday | Day before Yesterday> As of now I am getting results hour-wise. Can we achieve this in Splunk? Can you guys please guide me in the right direction to achieve this.
I tried the below configuration, but it did not help. Can you suggest what could be the reason for it?
Hi @sherwin_r, good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
Thanks @gcusello @gjanders @isoutamo for your inputs. I will have to decide which solution I am going for. I will update if either worked as expected (however I expect it to take a couple of days). Regards, Sherwin
@ITWhisperer Today I used the query of the default saved searches and manually collected to the summary index from the UI (collect command) rather than using the python script. Data is not visible in indexes.
Thanks for this. I was able to utilise your solution to build a working process for what I need!
Hi, I requested a Dev license a while ago, but I don't hear anything from Splunk anymore. I have re-requested it a couple of times, but still no answer. I even emailed Splunk, yet even that email is being ignored. I am new to Splunk and I just want to get started with the Developer license. How do I get my request to be approved? As in for real now, as I already attempted every standard solution. I just want somebody to approve my request, that's all.
Change your lookup to have * at the beginning, e.g. *baddomain.com, then change/create the definition for the lookup to do WILDCARD searches.
Hi @glingaraj, you have a grace period (30 or 60 days, I don't remember) after expiration to pass the exam, otherwise you have to pass the Power User exam again: I know because I had this problem! Ciao. Giuseppe
I have a lookup file bad_domain.csv:
baddomain.com
baddomain2.com
baddomain3.com
Then I want to search the proxy log for which people connect to the bad domains in my lookup list, but including subdomains. Example:
subdo1.baddomain.com
subdo2.baddomain.com
subdo1.baddomain2.com
Please help, how do I create that condition in an SPL query?
Is it possible to take the Splunk Admin certification after the Splunk Power User certification has expired?
This is a different question to the one asked. How do you know the location of the servers, and does the data for each panel come from the same search? If it comes from the same search then you would be better off having a base search, see here https://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/Savedsearches, where your base search does all the data selection and aggregation and then each of the panels only shows the data from that base search that relates to the region of the servers/clients they want.
Hi @KendallW, I tried as you suggested but still it doesn't seem to work. Below is a part of my Dashboard code:

    "viz_myN1qvY3": {
        "type": "splunk.table",
        "dataSources": {
            "primary": "ds_Ir18jYj7"
        },
        "title": "Availability By Market",
        "options": {
            "backgroundColor": "transparent",
            "tableFormat": {
                "rowBackgroundColors": "> table | seriesByIndex(0) | pick(tableAltRowBackgroundColorsByBackgroundColor)",
                "headerBackgroundColor": "> backgroundColor | setColorChannel(tableHeaderBackgroundColorConfig)",
                "rowColors": "> rowBackgroundColors | maxContrast(tableRowColorMaxContrast)",
                "headerColor": "> headerBackgroundColor | maxContrast(tableRowColorMaxContrast)"
            },
            "headerVisibility": "fixed",
            "fontSize": "small",
            "columnFormat": {
                "Availability": {
                    "data": "> table | seriesByName(\"Availability\") | formatByType(AvailabilityColumnFormatEditorConfig)",
                    "rowColors": "> table | seriesByName('Availability') | pick(AvailabilityRowColorsEditorConfig)",
                    "rowBackgroundColors": "> table | seriesByName(\"Availability\") | rangeValue(AvailabilityRowBackgroundColorsEditorConfig)",
                    "align": "center"
                }
            }
        },
        "context": {
            "AvailabilityColumnFormatEditorConfig": {
                "number": {
                    "thousandSeparated": false,
                    "unitPosition": "after",
                    "precision": 2
                }
            }

The Availability column still has values aligned to the right.
Hi @Joshua2, as @KendallW also said, this isn't the way Splunk works: you cannot locally store data on a UF. The UF has a local cache that stores data if the Indexers aren't available, but only for a short time, and it isn't possible to copy cached logs to a USB drive. You should review your requirements with a Splunk Certified Architect or a Splunk Professional Services specialist to find a solution: e.g. send logs to a local syslog or copy them to text files (using a script) and then store them on the USB drive, but as I said, this solution must be designed by an expert; this isn't a question for the Community. Ciao. Giuseppe
Hi @sidnakvee, if you don't see any other host in _internal, this means that your PCs aren't connected to Splunk Cloud. As described at https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UsingforwardingagentsCloud, you have to download the Splunk Forwarder app from Splunk Cloud, which contains the credentials and configurations to connect to your Splunk Cloud instance. So the sequence of activities will be: install the Splunk Universal Forwarder on your PC, download and install the Splunk Forwarder app from your Splunk Cloud instance, download and install Splunk_TA_Windows and the Splunk App for Sysmon from apps.splunk.com, enable the wanted inputs in both apps, enable Sysmon on your PC; probably you need to restart Splunk on the Forwarder. Let me know. Ciao. Giuseppe
Did someone ever face or implement this on Splunk ES? I'm facing an issue when trying to add a TAXII feed from an OTX API connection; I already checked the connectivity and made some changes to the configuration, up to disabling the preferred captain on my search head, but it is still not resolved. I also know there is an app for this, but I just want to clarify whether this option is still supported or not. Here are my POST arguments:
URL: https://otx.alienvault.com/taxii/discovery
POST Argument: collection="user_otx" taxii_username="API key" taxii_password="foo"
But the download status stays on "TAXII feed polling starting", and when I check the PID information:
status="This modular input does not execute on search head cluster member" msg="will_execute"="false" config="SHC" msg="Deselected based on SHC primary selection algorithm" primary_host="None" use_alpha="None" exclude_primary="None"
As per @ITWhisperer's comment, yes it is case sensitive. Use eval upper or lower to convert them all to the same case.
Hi @Joshua2 I won't judge the solution design, but the intended use of the Universal Forwarder is to forward logs, not store them locally for later manual transfer. You can do this with the UF by setting up local indexing on each machine, however you would have to pay for license usage as the data is indexed at the UF tier, and then again pay for license usage when it is transferred and indexed to your Splunk Enterprise instance later. So you'd be paying twice to index the same data. Also note there are performance implications for local indexing, and there are very limited parsing options on the UF, so you'd need to set up parsing later at the indexer anyway. If you're ok with that option, you can do it by setting the indexAndForward setting in outputs.conf:

[tcpout]
defaultGroup = local_indexing

[tcpout:local_indexing]
indexAndForward = true

A better option to store the logs locally would be to use a third-party log collection tool like Fluentd or Logstash, or write your own PowerShell scripts. Ideally you would use Splunk for its intended purpose by directly forwarding the logs from the 60 UFs to a Splunk indexer (or HF), however I understand that may not be possible in this case.
A warm bucket will not be evicted if it is too new, on the premise that new data is more likely to be searched than old data. "New" is defined by hotlist_recency_secs and hotlist_bloom_filter_recency_hours in indexes.conf. Urgent mode eviction comes into play when there are not enough files eligible for normal eviction. In urgent mode, the hotlist_recency_secs and hotlist_bloom_filter_recency_hours settings are ignored.
Basically what I'm looking for is: I have a Multi Select Server input; if I select 5 servers, of which 3 belong to US and 2 to UK, I want it to have two panels. The US panel shows the clients (3 total), whereas the UK panel shows the identical thing, but only the 2 clients.