All Posts



Do you understand WHY you are getting duplicates from the API? At what point would you want a 'new' event not to be treated as a duplicate? Forever? Last 60 minutes? Depending on that, you could make your alert look back at a longer time window and aggregate common events together with first and last timers and then ignore any 'new' events in the window you are interested in that have a count > 1 in the larger window.  
If this is in a dashboard, then that $select321$ looks to be a token and if that token has not been set you will get the message you are seeing. On a separate point, are the double quotes surrounding the SPL or is that your post? Because it looks like it is a macro, but if the double quotes are really surrounding the macro, then it's not a macro, but a string. Anyway, the token is your problem.
The developer made a release available and gave a talk on it some months ago at one of the user groups. I tried it then and it generally worked OK, but didn't give it some hard problems to look at. It's running in a Cloud instance I have access to.
Missing indexes

Anyone have a way to investigate what causes indexes to suddenly disappear? Running btool and indexes list… my primary indexes with all my security logs are just not there. I also have an NFS mount for archival and the logs are missing from there too. Going to the /opt/splunk/var/lib/splunk directory I see the last hot bucket was collected around 9am. I am trying to parse through whatever logs to find out what happened and how to recover.
Well, you'll have to look on a case-by-case basis - there are some use cases where objects are defined in the first JS load and then they can be reloaded, but the same object already exists the second time around.
That's so true. Turning on the "ON" option for showing data looks pretty bad on the graph.
Mine was caused by browser cache. It can impact you in the same browser in both normal and private/incognito sessions. I've validated this by using a different browser, and the view appeared in the navigation. Clearing all browser cache and restarting the affected browser fixed this issue.
Hi @Paul.Mateos, kindly raise a case ticket with the Support team to share this extension.
I enabled netstat in $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf. I see Send_Q and Recv_Q (from "netstat -a"?), but those look like the corresponding queue sizes in bytes. I think the Windows/WMI equivalent reports traffic (bytes/sec) through the network adapter.
On Splunk Enterprise 9.2 and DBConnect 3.17.2, I'm in the process of replacing our old Splunk instance, and with the new version of DBConnect, I seem to be unable to disable SSL encryption on connection to the database. It's a Microsoft MS-SQL database. I connect using the generic MS SQL driver. I do not have "Enable SSL" checked, and I have encrypt=false in the JDBC URL:

jdbc:sqlserver://phmcmdb01:1433;databaseName=CM_PHE;selectMethod=cursor;encrypt=false

and yet it cannot connect, throwing the error:

"encrypt" property is set to "false" and "trustServerCertificate" property is set to "false" but the driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption: Error: SQL Server did not return a response.

The old system running DBConnect 3.1.4 on Splunk Enterprise 7.3.2 can connect just fine without SSL enabled. Why is DBConnect insisting on attempting an SSL connection? The SQL server is obviously not requiring it, or the old server would not work. Or is this a false error message diverting me from some other problem?
Hi Team, could you please advise why the below query is not showing any data: " `secrpt-active-users($select321$)`" Thanks
Hi, yes the SPL query is working. 1 - If I select the date range last 30 days, the same SPL query pulls out the data. 2 - If I select last 20 days I can't see the data, which means no information is coming in.
Solution: https://community.splunk.com/t5/Dashboards-Visualizations/How-to-add-background-colour-to-single-value-visualisation-based/td-p/616565
rex "HTTP\/1\.1\"\s*(?<http_response>\d{3})" try above
You could try to calculate transfer time based on your network and disk I/O values. Or just start that work and estimate it after some time.
Try adding a limits.conf with the following:

[kv]
maxchars = 40000
Hi! The log in question reads as: HTTP/1.1" 200 365 3 in our Splunk; we don't have a "HTTP status" field to pivot off of. So I see that the HTTP response always shows as it does above, so I'd need a regex that gives me something like: | rex field=HTTP response "   HTTP/1.1" ***
If you have more than a small number of prompts at a time, you need to change how your playbooks are working. Speaking from experience, that will lead to things being missed and waiting for too long. To answer your question, you could try changing your link to point at the container holding the prompt instead of the prompt on its own. That would look something like https://10.250.74.118:8443/mission/[number]/analyst/approvals
What does your msiexec command look like that you're using to install the Splunk UF?