All Posts
Try these settings
[applog_test]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)ERROR
NO_BINARY_CHECK = true
category = Custom
disabled = false
pulldown_type = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TIME_PREFIX = ERROR\s+
Don't specify BREAK_ONLY_BEFORE_DATE if you want to break at something other than a date. Also, don't use both BREAK_ONLY_BEFORE_DATE and LINE_BREAKER in the same stanza. When using LINE_BREAKER, set SHOULD_LINEMERGE to false.
@gcusello, I am looking for only a forwarder and an Indexer.
If your app is running in IIS, and you restarted both the agent and IIS, it should work. Here are some questions:
1. If you are running a machine agent on the same server, please ensure that in the machine agent controller-info.xml you set dotnet compatibility mode to "true".
2. Ensure you generate some load on the IIS application; it will only register the tiers if there is load on them. The easiest way is to just open the browse option for whichever applications you have deployed and click through the app or refresh the base page a number of times.
So, if an IP address from lookup_ist_cs_checkin_rooms.csv matches a message "display button:panel-*" and it also matches an IP address in a message with "Ipaddress(from request header)", do you want to include it or exclude it? That is, which condition takes precedence?
You are absolutely right. Splunk ran under the root account. I have changed it already, but it didn't help. Normal universal forwarders work great; only Splunk servers don't change configuration. But I will handle it using ../local/ files as you suggested. Thank you,
You could do something like this
| rex "process (?<process>\d+) start date (?<start>\S+), end date (?<end>\S+)"
| eval startdate=strptime(start,"%d/%m/%Y")
| eval enddate=relative_time(strptime(end,"%d/%m/%Y"), "+1d")
| eval days=mvappend(startdate, enddate)
| eval row=mvrange(0,2)
| mvexpand row
| eval _time=mvindex(days, row)
| eval count=1-(row*2)
| stats sum(count) as change by _time
| streamstats sum(change) as total
| makecontinuous _time
| filldown total
| fillnull value=0 change
@R15 wrote:
Neither are working for me. Their search gives an unwieldy table with 100+ columns, yours has only blanks for avg and max. Splunk 9.1.2
If not here's the query,
| rest /services/search/jobs
| stats count avg(performance.command.search.expand_search.duration_secs) AS avg max(performance.command.search.expand_search.duration_secs) AS max BY search
The following query retrieves confroom_ipaddress values from the lookup table that do not match IP addresses found in the indexed logs:
| inputlookup lookup_ist_cs_checkin_rooms.csv where NOT [search index=fow_checkin message="display button:panel-*" | rex field=message "ipaddress: (?<ipaddress>[^ ]+)" | stats values(ipaddress) as confroom_ipaddress | table confroom_ipaddress]
| rename confroom_ipaddress as ipaddress1
I would like to add an additional condition to include IP addresses that match those found in the following logs:
index=fow_checkin "Ipaddress(from request header)"
| rex field=message "IpAddress\(from request header\):\s*(?<ip_address>\S+)$"
| stats values(ip_address) as ip_address2
This means we need to include IP addresses from lookup_ist_cs_checkin_rooms.csv that match the message "Ipaddress(from request header)" and exclude IP addresses from lookup_ist_cs_checkin_rooms.csv that match the message "display button:panel-*" as well. Please help.
Hi @AL3Z, yes, it's possible, but you should define the purpose, the borders and the use cases of your lab. In other words: what architecture do you need to test? A distributed environment? Only forwarder and Indexer? What else? In my lab I have seven virtual machines: two Indexers, three Search Heads, a Management Node (Cluster Manager, Deployer, License Master, Monitoring Console and Deployment Server), and one Universal Forwarder. I did it on a PC that has 16 vCPUs and 32 GB RAM. As I said, you can do this; it depends on your requirements and the resources you have. Ciao. Giuseppe
Hi all, hoping someone can help me with this query. I have a data set that looks at a process and how long it takes to implement. For example, each event will be populated with a start date and an end date. I want to create a calendar view that shows the schedule of the processes in implementation, for example:
process 1 start date 12/08/2024, end date 16/08/2024 (5 days implementation)
process 2 start date 12/08/2024, end date 12/08/2024 (1 day implementation)
process 3 start date 13/08/2024, end date 15/08/2024 (3 days implementation)
process 4 start date 14/08/2024, end date 16/08/2024 (2 days implementation)
I want to be able to produce a graph or a calendar view that will show how many processes we have in implementation, counting each day of their implementation period (based on start and end date), so for the above example it would look like:
Date          count of processes in implementation
12/08/2024    2 (process 1 and 2)
13/08/2024    2 (process 1 and 3)
14/08/2024    3 (process 1, 3 and 4)
15/08/2024    3 (process 1, 3 and 4)
16/08/2024    2 (process 1 and 4)
Any help greatly appreciated
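The counting idea in the SPL answer earlier on this page (+1 on each start day, -1 on the day after each end day, then a running sum over a continuous date range) is shown here in Python as an added illustration; it is not code from either poster, and the four processes from this question are used as constructed sample input.

```python
# Added example (not from the thread): the SPL answer's idea in Python.
# Each process adds +1 on its start date and -1 on the day after its end
# date; a running sum over the continuous date range gives the daily count
# (the stats/streamstats/makecontinuous/filldown chain in the SPL).
from datetime import date, datetime, timedelta

# Constructed sample data, copied from the question (dd/mm/yyyy).
PROCESSES = [
    ("1", "12/08/2024", "16/08/2024"),
    ("2", "12/08/2024", "12/08/2024"),
    ("3", "13/08/2024", "15/08/2024"),
    ("4", "14/08/2024", "16/08/2024"),
]


def parse(d: str) -> date:
    # Same format as strptime(start, "%d/%m/%Y") in the SPL.
    return datetime.strptime(d, "%d/%m/%Y").date()


def daily_counts(processes):
    """Return (date, count) for every day from the earliest start to the
    latest end, inclusive, counting a process on each day of its period."""
    change = {}
    for name, start, end in processes:
        s, e = parse(start), parse(end)
        if e < s:
            raise ValueError(f"end before start for process {name}: {start} > {end}")
        # +1 on the start day, -1 on the day after the end day
        # (eval enddate=relative_time(..., "+1d") / count=1-(row*2)).
        change[s] = change.get(s, 0) + 1
        after = e + timedelta(days=1)
        change[after] = change.get(after, 0) - 1
    first = min(parse(p[1]) for p in processes)
    last = max(parse(p[2]) for p in processes)
    total, out, day = 0, [], first
    while day <= last:
        # streamstats sum(change) as total; days with no change keep the
        # previous total (fillnull value=0 change / filldown total).
        total += change.get(day, 0)
        out.append((day, total))
        day += timedelta(days=1)
    return out


if __name__ == "__main__":
    for day, n in daily_counts(PROCESSES):
        print(day.strftime("%d/%m/%Y"), n)
```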
Hi, I want to set up a home lab with Splunk Enterprise and a Splunk forwarder on the same OS to pull the logs into Splunk. Is it possible to set it up in this way?
If I select 2023, Aug 12 for last 30 days, then in the chart I need two lines:
2023 data from now to -30 days
2022 data from "now-1y" to -30 days
Can we plot this in a single time chart?
You need to very carefully state your use case (without using SPL). Your sample code definitely does not suggest two time intervals. Now that you need two time intervals, you also need to specify: How do you "select 2023, Aug 12 for last 30 days"? Do you use a time input? (I will assume yes.) Is this input independent of the other user selection of version, i.e., 2024 or 2023? (I will also assume yes.) Without these specifics, your question is unanswerable. You also should specify what the result should look like, give some mock data, then illustrate some mock result. SPL should be the last thing to illustrate; if you illustrate SPL that does not give you the desired results, you should illustrate actual output from the code when applied to the exact illustrated dataset. Anyway, my solution is the same: set up tokens to modify search terms. As I mentioned, you can set up auxiliary tokens based on user selection. In this example, I add two additional tokens, $early_start$ and $early_end$, based on the time selector $interval$. Your search term should be
index=cls_prod_app applicationversion IN ($applicationversion$) ((earliest=$interval.earliest$ latest=$interval.latest$) OR (earliest = $early_start$ latest = $early_end$)) appname=Lacerte message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$
| eval totaltimeinsec = totaltime/1000
| bin span=1m _time
| timechart p95(totaltimeinsec) as RecordedTime by applicationversion limit=0
Here is a demo dashboard in Simple XML. (Token management in Dashboard Studio is different, but the same principle applies.)
<form version="1.1" theme="light">
  <label>Set token applicationversion</label>
  <description>https://community.splunk.com/t5/Splunk-Search/YoY-query-for-comparing-two-products-together/m-p/695943</description>
  <search>
    <query> | makeresults </query>
    <progress>
      <eval token="early_start">if(match($interval.earliest$, "-"), $interval.earliest$ . "-1y", relative_time($interval.earliest$, "-1y"))</eval>
      <eval token="early_end">case(match($interval.latest$, "-"), $interval.latest$ . "-1y", $interval.latest$ == "now", relative_time(now(), "-1y"), true(), relative_time($interval.latest$, "-1y"))</eval>
    </progress>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="applicationversion" searchWhenChanged="true">
      <label>Version</label>
      <choice value="2024,2023">2024</choice>
      <choice value="2023,2022">2023</choice>
      <initialValue>2024,2023</initialValue>
    </input>
    <input type="time" token="interval">
      <label></label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>(earliest = $interval.earliest$, latest = $interval.latest$) OR (earliest = $early_start$ latest = $early_end$) applicationversion IN ($applicationversion$)</title>
      <html>Your end search would be
        <pre>
index=cls_prod_app applicationversion IN ($applicationversion$) ((earliest=$interval.earliest$ latest=$interval.latest$) OR (earliest = $early_start$ latest = $early_end$)) appname=Lacerte message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$
| eval totaltimeinsec = totaltime/1000
| bin span=1m _time
| timechart p95(totaltimeinsec) as RecordedTime by applicationversion limit=0
        </pre>
      </html>
    </panel>
  </row>
</form>
Play with this dashboard.
If you select applicationversion: 2023 and date range July 13, 2023 - August 12, 2023, your search will be rendered as
index=cls_prod_app applicationversion IN (2023,2022) ((earliest=1689231600 latest=1691910000) OR (earliest = 1691218800 latest = 1691834497)) appname=Lacerte message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$
| eval totaltimeinsec = totaltime/1000
| bin span=1m _time
| timechart p95(totaltimeinsec) as RecordedTime by applicationversion limit=0
Also requesting a working way of adding a newline to the description in a ServiceNow incident generated by this add-on.
Hello everyone, please check the below data:
ERROR 2024-08-09 14:19:22,707 email-slack-notification-impl-flow.BLOCKING @3372f96f] [processor: email-slack-notification-impl-flow/processors/2/route/0/processors/0; event: 5-03aca501-42b3-11ef-ad89-0a2944cc61cb] error.notification.details: {
"correlationId" : "5-03aca501-42b3-11ef-ad89-0a2944cc61cb",
"message" : "Error Details",
"tracePoint" : "FLOW",
"priority" : "ERROR",
}
ERROR 2024-08-09 14:19:31,389 email-slack-notification-impl-flow.BLOCKING @22feab4f] [processor: email-slack-notification-impl-flow/processors/2/route/0/processors/0; event: 38de9c30-49eb-11ef-8a9e-02cfc6727565] error.notification.details: {
"correlationId" : "38de9c30-49eb-11ef-8a9e-02cfc6727565",
"message" : "Error Details",
"priority" : "ERROR",
}
The above 2 blocks of data are coming as one event, but I want them to be 2 events, each starting from the keyword "Error". Below is my props.conf entry for the same, but it is not working:
[applog_test]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
disabled = false
pulldown_type = true
BREAK_ONLY_BEFORE = date
SHOULD_LINEMERGE = true
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TIME_PREFIX=ERROR\s+
Please help how to fix this. Thanks in advance!
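To see why the settings suggested in the answer earlier on this page work (LINE_BREAKER = ([\r\n]+)ERROR with SHOULD_LINEMERGE = false, then TIME_PREFIX and TIME_FORMAT), here is an added Python model of Splunk's line-breaking and timestamp steps. It is not code from the thread or from Splunk; the sample text is a trimmed, constructed version of the two records above, and the regex-plus-%f parsing stands in for %3N, which Python's strptime does not support.

```python
# Added example (not from the thread): a model of the answer's props.conf.
# Splunk splits on LINE_BREAKER's first capture group and discards only the
# group, so with ([\r\n]+)ERROR the literal ERROR begins the next event.
# TIME_PREFIX=ERROR\s+ then positions the TIME_FORMAT parser.
import re
from datetime import datetime

LINE_BREAKER = re.compile(r"([\r\n]+)ERROR")
TIME_PREFIX = re.compile(r"ERROR\s+")
# TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N; Python lacks %3N, so capture the
# three millisecond digits and hand them to %f, which right-pads them.
TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}")

# Constructed sample, trimmed from the question's two error records.
SAMPLE = (
    "ERROR 2024-08-09 14:19:22,707 email-slack-notification-impl-flow.BLOCKING\n"
    "error.notification.details: {\n"
    '  "priority" : "ERROR",\n'
    "}\n"
    "ERROR 2024-08-09 14:19:31,389 email-slack-notification-impl-flow.BLOCKING\n"
    "error.notification.details: {\n"
    '  "priority" : "ERROR",\n'
    "}\n"
)


def break_events(raw: str) -> list:
    """SHOULD_LINEMERGE=false + LINE_BREAKER: the capture group is consumed and
    everything after it begins a new event. The JSON line "priority" : "ERROR"
    is not a break because ERROR must directly follow the newline run."""
    events, start = [], 0
    for m in LINE_BREAKER.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)  # the literal ERROR stays with the next event
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def extract_time(event: str) -> datetime:
    """Apply TIME_PREFIX, then parse the text that follows with TIME_FORMAT."""
    p = TIME_PREFIX.search(event)
    t = TIME_RE.match(event, p.end()) if p else None
    if t is None:
        raise ValueError("no timestamp after TIME_PREFIX in this event")
    return datetime.strptime(t.group(0), "%Y-%m-%d %H:%M:%S,%f")
```

With the question's original LINE_BREAKER = ([\r\n]+) every line would become its own event, and with SHOULD_LINEMERGE = true the literal BREAK_ONLY_BEFORE = date never matches, so both records merge back into one.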
Following up... I am facing the same issue, running Splunk Enterprise version 8.2.6.1.
Hi @rajan_kumar_rai, I didn't have experience with this issue after that (8 years ago). If you still have this issue, open a case with Splunk Support. But before that, update your Splunk, because I'm not sure that your release is still under maintenance. Ciao. Giuseppe
Facing the same issue in Splunk Enterprise version 8.2.6.1. Any fix? Workaround? Please share!!
Facing exactly the same issue in Splunk Enterprise version 8.2.6.1. Any fix? Or workaround?
Hi @gcusello, did you get the solution for this issue? I am using Splunk v8.2.6.1 and I am facing the same issue. Please help if you have any solution for this!
Hi Splunkers, I am monitoring my websites using Splunk Website Monitoring. I have configured an alert which sends me an email whenever my website goes down or takes time to respond. Now I want that whenever my website comes back UP again or functions normally, I should receive an alert email as well, to notify me that the website is working fine now. Could you please shower your knowledge here and help me set up this alert. TIA.