All Posts

Hi @sidnakvee, Welcome! I highly suggest checking out some of the free training offered by Splunk, especially this one about getting data into Splunk: https://education.splunk.com/Saba/Web_spf/NA10P2PRD105/guestapp/ledetail/cours000000000003373
To answer your question, it sounds like you would like to send data from your local Windows machine to Splunk Cloud using the UF. To do this, you will indeed need to edit the inputs.conf file, for example:
    [WinEventLog:Security]
    disabled = 0
    [WinEventLog:Application]
    disabled = 0
    [WinEventLog:System]
    disabled = 0
    [monitor://C:\Path\To\Sysmon\Logs]
    disabled = 0
Make sure to restart Splunk on the UF after making any changes, so that the changes are applied.
Next, check that the UF is actually connected to your Splunk Cloud instance and forwarding its internal logs (index=_internal). If not, check the Splunk logs on the UF itself for any connectivity issues. The log files you want to check are "splunkd.log" and "metrics.log" located in ...\splunkforwarder\var\log\splunk\.
Hi, Can we create widgets that display the drive utilized in Volume like My Computer? I have to create a dashboard like the one above for separate partitions. Let me know if it is possible. Thanks ^ Post edited by @Ryan.Paredez. Split the post into a new one and updated the subject.
Thanks @yuanliu, let me organise my thoughts and query a bit after the long weekend. Cheers, and appreciate the prompt reply and help!
Future Visitors: Python 3.7 is the version delivered with Splunk 9.2. Attempting to replace it with a newer version could have disastrous consequences.
In fact, I have asked that very question in 2017, did not get an answer and created this solution. Here is the link to my post: Solved: Re: Custom search command called multiple times - Splunk Community There, you can find a more detailed description of my solution.
Reviving the thread a year later: I have the same problem, had it back in Splunk 6.6.2 and still seeing it in Splunk 8.2.6 years later. No idea why - but I really needed to work around it. Here is what I came up with: I open a file, with a name derived from search id, with exclusive access for creation in a special `lock` folder. If it succeeds, I proceed with the rest of the code. If it fails, I realize that it was already "caught" by the previous run of the same command and bail out. Of course, I need some way of tidying up that `lock` folder, which is something that can be done with a scripted input, and not too frequently - once a day or even once a week should be plenty. In theory, I should be able to remove (unlink) that lock file right from the second instance, but it bit me in the back, so I abandoned the idea. Might want to revisit now, after so many years...
The first row can easily be excluded because there is no Count. But the weird _raw signifies some unusual characteristics. Failure to extract db_bulk_write_time suggests the same. You need to post more realistic/representative data.
Also in this case:
    2024-08-12 10:53:53.455  2.75   3    2000  s
    2024-08-12 10:53:56.205  2.765
the 2nd row should be 2.75 instead.
Hi, I am new to Splunk, just got a Free Cloud Trial. I did the following:
1- Logged in to Cloud trial instance
2- Created index name winpc
3- App > Universal Forwarder and downloaded on Win PC
4- Installed Forwarder on Win PC; during the "use this agent with" step, selected use with cloud instance
5- Receiver index left blank, had no idea about my Splunk instance FQDN/IP
6- Checked services: Splunk Universal Forwarder service running as Logon As Local System
Issues:
1- No logs I can see in index winpc created after waiting an hour or so
2- How can I tell the forwarder to forward Win and Sysmon logs too? Should I edit the inputs.conf file?
Kindly guide and help so that I may get logs and learn any further.
Regards
I get this, and my first row Count is empty; _raw is weird too:
    _time                    processing_time  Count  db_bulk_write_time  no_msg_wait_time  _raw
    2024-08-12 10:55:41.200  1.226                                       1000              .
    2024-08-12 10:55:40.872  0.312            1                          0                 s
    2024-08-12 10:55:37.122  3.75             1                          3000              s
    2024-08-12 10:55:36.809  0.313            1                          0                 s
    2024-08-12 10:55:33.106  3.688            1                          3000              s
    2024-08-12 10:55:32.778  0.313            1                          0                 s
    2024-08-12 10:55:29.028  3.75             1                          3000              s
    2024-08-12 10:55:28.700  0.328            1                          0                 s
    2024-08-12 10:55:24.950  3.75             1                          3000              s
    2024-08-12 10:55:24.622  0.312            1                          0                 s
    2024-08-12 10:55:21.888  2.734            1                          2000              s
    2024-08-12 10:55:20.122  1.766            1                          1000              s
I requested again last week yet no reply.
Can you expand on how your team did it? Ideally with step-by-step methods.
Thank you. It worked.
Request it again at https://dev.splunk.com/enterprise/dev_license
Hi, I have previously had a Splunk Dev license which I use for testing. As my license expired, I requested a new one. It's been more than 3 weeks, yet my request is still pending. Any help is appreciated. Thanks
Hi @PickleRick, it receives the tcpdump connection showing the syslog activity and information whenever we log on, log off or send a test message from the iDRAC machine, but it is not ingested in Splunk and somehow it gets lost from the Log collector machine.
Also, could you please share some example dashboards which you have used?
Hi, I would like to display the count of the error code.
I think the approach should be adjusted. When a user selects 2023, you can always make any value out of it, e.g., "2022, 2023". Theoretically, you can even use a secondary token setter to calculate if the input is free text, not a selector. Then, your search can simply be:
    index=cls_prod_app appname=Lacerte applicationversion IN ($applicationversion$) message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$ latest=-365d@d
    | eval totaltimeinsec = totaltime/1000
    | bin span=1m _time
    | timechart p95(totaltimeinsec) as RecordedTime by applicationversion limit=0
Here is an example in Simple XML for input:
    <input type="dropdown" token="applicationversion">
      <label>Version</label>
      <choice value="2023,2024">2024</choice>
      <choice value="2022,2023">2023</choice>
      <prefix> </prefix>
      <suffix> </suffix>
    </input>
Hi @jaibalaraman, You can use multiple Sankey visualizations to display a single source-target-value combination, or you can create mock visualizations using boxes, text, and a single-value visualization. In this Splunk 9.3 example, I've used three adjacent boxes, with the center box having 50% transparency. A markdown element is placed over the center box to provide the text, and a single-value element is placed to the right to provide a count. In your case, however, 403120 appears to be an event identifier and not a count. What are you trying to communicate with individual tiles that can't be represented by a Sankey diagram?