From the screenshot, you have started the ALD session and the Summary showed you have successfully started & stopped CollectionCapture... unfortunately, no Java Collections were eligible for evaluation. If you look at the middle section of the screen, it gives the explanation/details. To qualify for evaluation, a Collection must have a certain size and number of elements. 2 App Server Agent settings/parameters are mentioned:
minimum-size-for-evaluation-in-mb - The default value is 5MB (I think). Depending on your application, you may want to increase or decrease this value.
minimum-number-of-elements-in-collection-to-deep-size - The default is 1000 elements, maybe large for an application(?). If your application is small and we're not sure if any collection has about 1000 elements, we can try lowering this value.
Next is Start On Demand Capture Session: If Session Duration is too small, we may not have a sufficient time window to capture those Collections (objects/classes). If the default 10 mins shows nothing, then try 15. If Collection Age is too small, this means the Collection is too "young" and hence the size may not be enough to be a candidate for evaluation. Go with the default 2 mins. If all the criteria are good, you should see something like below: thanks.
Do you have the link to this extension? I cannot find it.
Hi Joe, yes, you can download the app, patch it and upload it as a private app. Cheers, Andreas
Basically what I'm looking for is: I have a Multi Select Server input; if I select 5 servers, of which 3 belong to US and 2 to UK, I want it to have two panels. The US panel shows the clients (3 total), whereas the UK panel shows the identical thing, but only the 2 clients. How do I achieve this?
I tried those, but if I select multiple indexes the sourcetype multi select is not working.
Exactly. Disabling default apps is a bit tricky. Combine this with the 9.1.x version running a search on every instance, and then an automated method like this helps on large indexer clusters, cluster managers, et cetera. The application works on most apps; I did find the Splunk Assist app cannot be disabled using the REST API. Thanks @isoutamo
The log entry below includes different formats within it. Not sure how to write props.conf for proper field extraction and line breaking. Each log entry has text, a delimiter (|) and JSON.
2024-03-11T20:58:12.605Z [INFO] SessionManager sgrp:System_default swn:99999 sreq:1234567 | {"abrMode":"NA","abrProto":"HLS","event":"Create","sUrlMap":"","sc":{"Host":"x.x.x.x","OriginMedia":"HLS","URL":"/x.x.x.x/vod/Test-XXXX/XXXXX.smil/transmux/XXXXX"},"sm":{"ActiveReqs":0,"ActiveSecs":0,"AliveSecs":360,"MediaSecs":0,"SpanReqs":0,"SpanSecs":0},"swnId":"XXXXXXXX","wflow":"System_default"}
2024-03-11T20:58:12.611Z [INFO] SessionManager sgrp:System_default swn:99999 sreq:1234567 | {"abrMode":"NA","abrProto":"HLS","event":"Cache","sUrlMap":"","sc":{"Host":"x.x.x.x","OriginMedia":"HLS","URL":"/x.x.x.x/vod/Test-XXXXXX/XXXXXX.smil/transmux/XXX"},"sm":{"ActiveReqs":0,"ActiveSecs":0,"AliveSecs":0,"MediaSecs":0,"SpanReqs":0,"SpanSecs":0},"swnId":"XXXXXXXXXXXXX","wflow":"System_default"}
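An added example (not from the post above or from any Splunk add-on): a Python parser for this "header | JSON" layout that cuts events at the timestamp anchor, the same boundary a LINE_BREAKER in props.conf would key on, then extracts the header key:value pairs and the JSON body with dotted names for nested keys. The sample events are constructed with placeholder values.

```python
import json
import re
from datetime import datetime, timezone
# Constructed sample: two events run together on one line, as in the post; values are placeholders.
SAMPLE = (
    '2024-03-11T20:58:12.605Z [INFO] SessionManager sgrp:System_default swn:99999 sreq:1234567 | '
    '{"abrProto":"HLS","event":"Create","sc":{"Host":"x.x.x.x","URL":"/vod/Test.smil"},'
    '"sm":{"ActiveReqs":0,"AliveSecs":360},"swnId":"XXXXXXXX","wflow":"System_default"} '
    '2024-03-11T20:58:12.611Z [INFO] SessionManager sgrp:System_default swn:99999 sreq:1234567 | '
    '{"abrProto":"HLS","event":"Cache","sc":{"Host":"x.x.x.x","URL":"/vod/Test.smil"},'
    '"sm":{"ActiveReqs":0,"AliveSecs":0},"swnId":"XXXXXXXXXXXXX","wflow":"System_default"}'
)

# Each event begins with an ISO-8601 UTC timestamp and "[LEVEL]": the anchor a LINE_BREAKER would use.
EVENT_START = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z \[")
# Header: timestamp, [LEVEL], component, space-separated key:value pairs, " | ", JSON body.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)\s+\[(?P<level>[A-Z]+)\]\s+"
    r"(?P<component>\S+)\s+(?P<kv>.*?)\s*\|\s*(?P<json>\{.*\})\s*$"
)

def split_events(text):
    # Slice the raw text at every timestamp anchor (event boundary).
    starts = [m.start() for m in EVENT_START.finditer(text)]
    return [text[a:b].strip() for a, b in zip(starts, starts[1:] + [len(text)])]

def flatten(obj, prefix, out):
    # Nested JSON keys get dotted names (sc.Host, sm.AliveSecs), as spath produces.
    for key, value in obj.items():
        if isinstance(value, dict):
            flatten(value, f"{prefix}{key}.", out)
        else:
            out[f"{prefix}{key}"] = value

def parse_event(event):
    # Return a flat field dict for one event, or None if it does not match the layout.
    m = HEADER_RE.match(event)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    fields = {"_time": ts, "level": m["level"], "component": m["component"]}
    for token in m["kv"].split():          # "sgrp:System_default" -> fields["sgrp"]
        key, sep, value = token.partition(":")
        if sep:
            fields[key] = value
    flatten(json.loads(m["json"]), "", fields)
    return fields

def parse_log(text):
    return [ev for ev in map(parse_event, split_events(text)) if ev]
```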
This answer https://community.splunk.com/t5/Dashboards-Visualizations/How-to-use-token-in-a-multi-select-form-input/m-p/480570 is close to what you want. You would end up with a set of sourcetype=data1 OR sourcetype=data2 etc. And you can initialize the default value with comma-separated values as shown in https://community.splunk.com/t5/Dashboards-Visualizations/choose-all-Multiselect-values-by-default-without-using/m-p/357860
Hello, I need help with auto multi-select of the input values... So I have index values like data1, data2, data3. If I select data1, the sourcetype related to data1 should be auto selected; if I multi-select data1 & data2 in the index, it has to auto select them in the multi sourcetype.
I assume you have logs that explicitly say whether the website is up or down. If so, you could make a new alert which compares the website status in the past X minutes until the time of the search (when the website is up) versus the website status between 2X and X minutes ago. Let's assume a time window of 5 minutes, and you can set the schedule of the alert to be every 1-5 minutes depending on how responsive you would like the alert to be. (I recommend throttling the alert if you make it fewer than 5 minutes)
<search filters for website status=ok> earliest=-5m
| append [<search for website status = NOT OK> earliest=-10m latest=-5m]
| stats values(status) as status dc(status) as dcstatus by website
| where dcstatus > 2
This should only find websites where 10-5 minutes ago it was down and 5-0 minutes ago it is up.
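The two-window comparison described in this answer, as an added example that is not part of the original post: Python over constructed status-check lines, searching the window 2X to X minutes ago for a non-OK status and the last X minutes for OK, then grouping by site, with X = 5 minutes. The line format (site=..., status=OK/DOWN) is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample status checks (not from the post): timestamp, site, status.
SAMPLE_LOG = """\
2024-03-11T20:50:30Z site=shop.example status=DOWN
2024-03-11T20:52:30Z site=shop.example status=DOWN
2024-03-11T20:56:30Z site=shop.example status=OK
2024-03-11T20:51:00Z site=api.example status=OK
2024-03-11T20:57:00Z site=api.example status=OK
2024-03-11T20:53:00Z site=blog.example status=DOWN
2024-03-11T20:58:00Z site=blog.example status=DOWN
2024-03-11T20:49:00Z site=old.example status=DOWN
2024-03-11T20:57:30Z site=old.example status=OK
"""

def parse_ts(text):
    # UTC timestamps of the form 2024-03-11T20:50:30Z
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_log(text):
    # Returns (time, site, status) tuples from "ts site=... status=..." lines.
    events = []
    for line in text.splitlines():
        ts, site_kv, status_kv = line.split()
        events.append((parse_ts(ts), site_kv.split("=", 1)[1], status_kv.split("=", 1)[1]))
    return events

def recovered_sites(events, now, window=timedelta(minutes=5)):
    # Mirrors the answer's search: the earlier window (2X..X ago) is searched for
    # status != OK, the recent window (X ago..now) for status == OK, and the two
    # result sets are grouped by site; a site present in both was down and is now up.
    # A site still reporting DOWN in the recent window never enters now_up.
    was_down, now_up = set(), set()
    for t, site, status in events:
        if now - 2 * window <= t < now - window and status != "OK":
            was_down.add(site)
        elif now - window <= t <= now and status == "OK":
            now_up.add(site)
    return sorted(was_down & now_up)

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(recovered_sites(events, parse_ts("2024-03-11T21:00:00Z")))  # ['shop.example']
```

Moving the search time shifts both windows together, so old.example (down at 20:49) only counts as recovered once 20:49 falls inside the earlier window.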
I have an alert that can clear in the same minute that it originally fired. When the correlation search runs, both events are in it, the alert and the clearing alert. The correlation search creates notable events for each but uses the current time for the _time of the notable events and not the _time from the original alerts. Since both alerts are converted into notable events during the same correlation search run, they get the exact same timestamp. This causes ITSI to not definitively know the correct order of the events, and it sometimes thinks the Normal/Clear event came BEFORE the original alert. This seems odd to me. I would have imagined that ITSI would use the original event time as the _time for the notable event, but it doesn't. Any ideas on how to address this?
Could you try running it once with sudo? This should allow you to accept the license agreement, and then Splunk will use system privileges to set up the systemd service. Afterwards it should be controllable with systemctl.
Yeah, this would be a nice feature to have. There are some Splunk Ideas suggesting it: https://ideas.splunk.com/ideas/EID-I-1236 https://ideas.splunk.com/ideas/PLECID-I-424 You could add some votes to them and tell your friends to vote as well. Hopefully the Splunk devs will then add a search bar to this dropdown.
You can use a SEDCMD to replace all the single quotes with double quotes before indexing. In props.conf:
[yoursourcetype]
SEDCMD-singletodouble=s/\'/\"/g
Hi @gcusello thanks for your reply and help. Yes, I did the following:
1- Installed Sysmon on my PC
2- Installed Splunk forwarder on my PC
3- Configured the inputs.conf by copying to
4- Already created index=winpc on Splunk
5- Don't see my PC / hostname in index=_internal logs for the last 30 days, only see the Splunk hostname
6- Do I need to install the universal forwarder credential package? I tried, but it fails when I try to run the command given here: https://docs.splunk.com/Documentation/Forwarder/9.1.0/Forwarder/ConfigSCUFCredentials#Install_the_forwarder_credentials_on_individual_forwarders_in_Windows
7- My Splunk universal forwarder was installed to C:\Program Files\SplunkUniversalForwarder and the service is running.
Hello. I have a data source that is "mostly" JSON formatted, except it uses single quotes instead of double; therefore, Splunk is not honoring it if I set the sourcetype to json. If I run a query against it using this:
sourcetype="test" | rex field=_raw mode=sed "s/'/\"/g" | spath
it works fine, and all fields are extracted. How can I configure props and transforms to perform this change at index time so that my users don't need to add the additional search parameters and all the fields are extracted by default, short of manually extracting each field? Example event, no nested fields:
{'date': '2024-02-10', 'time': '18:59:27', 'field1': 'foo', 'field2': 'bar'}
Andreas, thanks for the quick response. Unfortunately, I am using Splunk Cloud, and I see in your "curl.py" file that VERIFYSSL is "Forced to be True for Splunk Cloud Compatibility". So, while "curl -k" works from the Linux command line on my Splunk server, in Splunk SPL the "| curl verifyssl=false" is overridden in the add-on's Python code. Is there any way to override it? If not, I will have to find another way to do this, as I am constrained by my environment.
Just happened to us now... Do we know if this fixed it and/or what the initial cause was? This was just after a splunkd restart.
You probably have also configured this: https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/ConfigureauthextensionsforSAMLtokens ? Maybe it's time for a support ticket?