Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hi @gcusello , Did you get the solution for this issue?  I am using Splunk v8.2.6.1 and I am facing the same issue. Please help if you have any solution for this!
Hi Splunkers, I am monitoring my websites using Splunk website monitoring. I have configured an alert which sends me an email alert whenever my website goes down or takes time to respond. Now I want that whenever my website comes back UP again or functions normally, I should receive an alert email as well to notify me that the website is working fine now. Could you please shower your knowledge here and help me set up this alert. TIA.
Hi Ismo, This solution seems to be amazing. However, I will have to try to solve this as far as possible without installing an extra app. Best regards, Sherwin
Hi, this is a known issue. You cannot disable some apps via the GUI. Fortunately you could try this app to disable SSG and some others: https://splunkbase.splunk.com/app/7319 r. Ismo
Hi @sherwin_r , this should occur if you try to enable some input in Secure Gateway, not by itself. Did you do it? Ciao. Giuseppe
Hi @sidnakvee , did you install the Splunk_TA_Windows add-on (https://splunkbase.splunk.com/app/742) on your PC? In addition remember that, as @KendallW hinted, you need to enable the inputs you want, copying the inputs.conf from the default to the local folder. In addition, in these stanzas you have to add the row:

index = winpc

There's another check that you could perform: run this search:

index=_internal

and view the hosts: do you see the hostnames of your PCs? Same procedure for Sysmon: download and install the Splunk Add-On for Sysmon (https://splunkbase.splunk.com/app/5709) on your PCs, check the enablement state of the inputs and enable the ones you like, adding the index option. Ciao. Giuseppe
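The answer above describes enabling Windows add-on inputs by copying stanzas from default/inputs.conf into local/inputs.conf and adding index = winpc. As an added example (not code from the thread or from the add-on), the POSIX shell function below builds that local override: for each requested stanza it checks that the stanza really exists in the default file, emits disabled = 0 plus the index line, and reports misspelled stanza names on stderr instead of silently producing an override that enables nothing. The stanza names and the sample default file are constructed for the demo; check your own default/inputs.conf for the real ones.

```shell
#!/bin/sh
# Added example, not part of the original post or of Splunk_TA_Windows.
# Emits a local/inputs.conf override that enables the named stanzas and routes
# them to the given index. Stanzas absent from the default file are reported,
# because a typo in a stanza name would otherwise create a no-op override.

# enable_inputs <default_inputs.conf> <index> <stanza>...
enable_inputs() {
  src="$1"; idx="$2"; shift 2
  for stanza in "$@"; do
    # -x: whole-line match, -F: brackets and colons are literal, not regex.
    if grep -qxF "[$stanza]" "$src"; then
      printf '[%s]\ndisabled = 0\nindex = %s\n\n' "$stanza" "$idx"
    else
      echo "warning: stanza [$stanza] not found in $src" >&2
    fi
  done
}

# Constructed sample standing in for the add-on's default/inputs.conf
# (assumed stanza names; the real file ships many more).
SAMPLE_DEFAULT="${TMPDIR:-/tmp}/inputs.conf.default.$$"
trap 'rm -f "$SAMPLE_DEFAULT"' EXIT
cat > "$SAMPLE_DEFAULT" <<'EOF'
[WinEventLog://Security]
disabled = 1
start_from = oldest

[WinEventLog://System]
disabled = 1
EOF

# Usage: redirect the output into local/inputs.conf of a staged copy of the add-on.
#   enable_inputs "$SAMPLE_DEFAULT" winpc "WinEventLog://Security" "WinEventLog://System" > local/inputs.conf
```

The override only needs the keys you change; everything else in the stanza is still inherited from default, so a later add-on upgrade keeps working. Make sure the winpc index exists on the indexers before pushing this, otherwise the Security events are dropped, and remember that the Security log is sensitive data, so restrict read access to that index by role.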
Hi @gcusello , Thanks for the quick response. I want to do this because my Splunk installation does not have access to the internet and Secure Gateway therefore logs a lot of errors. Regards, Sherwin
Hi @sherwin_r , the only way to disable an app in a clustered environment is to modify the app.conf file in the app's local folder (if not present, copying it from default) on the deployer (app located in the shcluster folder) and push the modified app to the cluster. But why do you want to do this? Ciao. Giuseppe
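The procedure above, as an added example that is not part of the original post: stage an app.conf override under the app's local folder in the deployer's shcluster/apps directory and then push the bundle. Assumptions made here: SPLUNK_HOME is /opt/splunk, the app directory is named splunk_secure_gateway, and sh1.example.com is one of the cluster members.

```shell
#!/bin/sh
# Added example, not code from the thread. Stages the override that disables
# Splunk Secure Gateway on a search head cluster deployer and pushes the bundle.
# Assumed values; adjust for your deployer.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
APP_NAME="splunk_secure_gateway"
TARGET_MEMBER="https://sh1.example.com:8089"

# stage_disabled_app_conf <app_dir>
# Writes <app_dir>/local/app.conf with [install] state = disabled. Keeping the
# override in local (the deployer merges it into default on push) means a later
# app upgrade that replaces default/ does not silently re-enable the app.
stage_disabled_app_conf() {
  mkdir -p "$1/local"
  cat > "$1/local/app.conf" <<'EOF'
[install]
state = disabled
EOF
}

# app_is_staged_disabled <app_dir>
# Succeeds only when the local override carries the disabled state.
app_is_staged_disabled() {
  grep -q '^\[install\]' "$1/local/app.conf" 2>/dev/null &&
  grep -q '^state[[:space:]]*=[[:space:]]*disabled$' "$1/local/app.conf"
}

# Only act on a real deployer. -auth is deliberately omitted so the CLI prompts
# for credentials instead of exposing the password in the process list and history.
DEPLOYER_APP="$SPLUNK_HOME/etc/shcluster/apps/$APP_NAME"
if [ -d "$DEPLOYER_APP" ]; then
  stage_disabled_app_conf "$DEPLOYER_APP"
  app_is_staged_disabled "$DEPLOYER_APP" || { echo "override not written" >&2; exit 1; }
  "$SPLUNK_HOME/bin/splunk" apply shcluster-bundle -target "$TARGET_MEMBER"
fi
```

After the push, confirm on a member that the app shows as disabled in Apps -> Manage Apps; if it does not, check whether a local/app.conf on the member itself still sets state = enabled, since member-local settings are not managed by the deployer.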
I'll try this next , okay
I am trying to disable the Splunk Secure Gateway app in a clustered environment. However, I don't see an option to disable the app in Apps -> Manage Apps. It only displays the current status of the app, which is "Active". I also tried the same in a single node installation, where there is an option to disable the app just next to its current status in the same menu, i.e. Apps -> Manage Apps. So, how can I disable the Splunk Secure Gateway in the clustered environment?
Another remark. You shouldn't ever install any additional module directly into Splunk's Python! If there is something you need, then create an app (see dev.splunk.com) and add those libraries under it.
Case does matter - as far as Splunk is concerned they are two different hosts - you could try converting to lower case:

(index=windows) OR (index=cmdb sourcetype="snow:cmdb_ci_server" dv_name=*)
| eval asset_name=lower(coalesce(dv_name, host))
| stats dc(index) as idx_count, values(index) values(dv_os), values(dv_install_status) by asset_name
Try running the search in the search app and look at the job - here I have done a similar search but I don't have access to your data and my indexes don't hold any data as far back as a year so I have used the last hour and the same time the previous day:

index=_audit
    [| makeresults
     | eval latest=relative_time(now(),"@h")
     | eval row=mvrange(0,2)
     | mvexpand row
     | eval latest=relative_time(latest,"@h-".row."d")
     | eval earliest=relative_time(latest,"-1h")
     | table earliest latest]
| bin span=1h _time
| stats count by _time

Go to Inspect Job, then Job Details Dashboard, and look at the Map Phase Search String. You should see the time periods being searched. They will be in epoch time so you can copy them into another search to show their formatted versions. Do yours correlate to the values you were expecting?
Hi @KendallW Does the coalesce or rename command treat the hostnames differently if they differ in case? One is lower case in one index and the other index has the same hostname in upper case. Is the merge case sensitive? For example, HOST01, which is one of the values in the host field of index=windows, is actually host01 in index=cmdb (under the dv_name field). That explains why the consolidation via coalesce or rename isn't working.
The No-JS solution works wonderfully and you get my karma points. However, it doesn't seem to acknowledge the $filename_token$ (which I also set after the search is done; no need for extra tokens, the job_sid not being null is enough for depends); it always offers to save the file with the name "results". Just a minor thing, it's still very usable and elegant.
Hi guys, I wanted to see predictive monitoring in the ITSI product. How can I see the free tour of it? Kindly help me please.
It shouldn't matter what is contained in the host field in the 'cmdb' index as we are overwriting it. There is no problem with overwriting default fields in a search. Regardless, I still can't see why your original query didn't work. There may be some whitespace or other strange characters in some of the field values from one of the indexes causing them to not match with the other index. Are you able to check this?
That didn't work. The query does not show any results if we rename dv_name to host. That is because host is a default field and, for index=cmdb, the host field originally contains the name of the log source (ServiceNow) sending over the asset information to Splunk. Renaming it overwrites the default field. Thanks for replying though.
Hi @neerajs_81 try just renaming the dv_name field instead of creating a new field with coalesce, e.g.:

(index=cmdb sourcetype=server) OR (index=windows)
| rename dv_name as host
| stats dc(index) as idx_count, values(index) values(dv_os), values(dv_install_status) by host
We have enabled On Demand Capture Session for capturing the memory leaks on one of our nodes. After the session ends, we are unable to see the detection dashboard.