All Posts

Hi, I have a few questions regarding Dashboard Studio:
Is there any way to customise the shape menu, e.g. line?
Can I rotate the image based on my design (Dashboard Studio)?
How or where to find out more shape images (Dashboard Studio)?
Attached image below.
How to make a text appear like a shadow in this space?
Hi All, I have created a Map tile in Dashboard Studio. The query is running with no issue, but I cannot see the output, and I am getting the same error message for multiple map tiles. The map layouts below are from Dashboard Studio:
Marker Layer with Base Configurations
Marker Layer with Dynamic Coloring
Bubble Layer with Single Series
Bubble Layer with Multiple Series
Choropleth Layer World
Choropleth Layer with hidden base layer
Code -
    index=test "event.Properties.apikey"="*" "event.endpoint"="*"
    | iplocation event.Properties.ip
    | dedup event.Properties.ip
    | top limit=20 Country
Output - Blank with data; however, no error was triggered.
When importing Prometheus metric data into Splunk, the following error is output. (Importing is performed using 'Prometheus Metrics for Splunk')
/opt/splunk/var/log/splunk/splunkd.log
    WARN PipelineCpuUsageTracker [1627 parsing] - No indexkey available chan=source::prometheusrw:sourcetype::prometheusrw:host::splunk-hf-75869c4964-phm44 timetook=1 msec.
    WARN TcpOutputProc [9736 indexerPipe] - Pipeline data does not have indexKey. [_path] = /opt/splunk/etc/apps/modinput_prometheus/linux_x86_64/bin/prometheusrw\n[_raw] = \n[_meta] = punct::\n[_stmid] = 3CUUsSnja9PAAB.B\n[MetaData:Source] = source::prometheusrw\n[MetaData:Host] = host::splunk-hf-6448d7ffdb-ltzbr\n[MetaData:Sourcetype] = sourcetype::prometheusrw\n[_done] = _done\n[_linebreaker] = _linebreaker\n[_charSet] = UTF-8\n[_conf] = source::prometheusrw|host::splunk-hf-6448d7ffdb-ltzbr|prometheusrw|2\n[_channel] = 2\n
Please tell me the cause of the error and how to deal with it.
I plan to develop a customized visualization. I edited formatter.html:
    <form class="splunk-formatter-section" section-label="Data Series">
      <splunk-control-group label="Data Type">
        <splunk-select id="dataTypeSelect" name="{{VIZ_NAMESPACE}}.dataType" value="Custom">
          <option value="Custom">Custom</option>
          <option value="XBar_R-X">XBar R - X</option>
          <option value="LineChart">LineChart</option>
          <option value="Pie">Pie</option>
          <option value="Gauge">Gauge</option>
        </splunk-select>
      </splunk-control-group>
      <splunk-control-group label="Option">
        <splunk-text-area id="optionTextArea" name="{{VIZ_NAMESPACE}}.option" value="{}">
        </splunk-text-area>
      </splunk-control-group>...
I wish to change dataType, and then have the textarea option show a different value in the format menu. The Option menu has many choices. How do I modify the visualization_source.js content to get this?
Hi, I recently tried creating a private app on Splunk Cloud, the app is getting created successfully, but it does not show nor display in the list of apps which are on the Splunk Cloud. I tried to create the app using both barebones and sample_app as a template with different App IDs but it didn't work, however the app is getting created and there's no error being displayed for the same, also I kept the visibility as yes. Please can someone assist me on this? Thanks!
Values gives you an ordered set of unique values, try using the list aggregation function instead
    index=core_ct_report_*
    | eval brand=case(like(report_model, "cfg%"), "grandstream",
        like(report_model, "cisco%"), "Cisco",
        like(report_model, "ata%"), "Cisco",
        like(report_model, "snom%"), "Snom",
        like(report_model, "VISION%"), "Snom",
        like(report_model, "yealink%"), "Yealink",
        1=1, "Other")
    | stats count by fw_version,report_model,brand
    | stats values(brand) as brand list(fw_version) as fw_version list(count) as count by report_model
    | table brand report_model fw_version count
1) Max 50k rows
b) Will splitting the CSV work?
It's unfortunate that you cannot change limits.conf. Yes, splitting CSV will work. If you don't need these CSVs as lookup, that's not a problem. But if you still need a lookup, you will need to maintain two sets of CSVs, one for lookup, the rest for this purpose. (Alternatively, you can modify your searches to use multiple lookups. At that point, your code can become unmaintainable.)
2) Join command
This is where things become intensely interesting. I did not compare your statements with the actual depiction. After reviewing your original description, I notice that your depiction (and illustration) is a left join of CSV on the left, with index search on the right. In this regard, Splunk's join is working exactly as documented.
    | inputlookup host.csv
    | join type=left ip_address
        [ search index=owner
        | rename ip as ip_address]
    | table host ip_address owner
Here is an emulation:
    | makeresults format=csv data="ip_address, host
    10.1.1.1, host1
    10.1.1.2, host2
    10.1.1.3, host3
    10.1.1.4, host4"
    ``` the above emulates | inputlookup host.csv ```
    | join type=left ip_address
        [makeresults format=csv data="ip, host, owner
    10.1.1.3, host3, owner3
    10.1.1.4, host4, owner4
    10.1.1.5, host5, owner5"
        | eval index = "owner"
        ``` the above emulates index=owner ```
        | rename ip as ip_address]
    | table host ip_address owner
The result is the same:
    host    ip_address    owner
    host1   10.1.1.1
    host2   10.1.1.2
    host3   10.1.1.3      owner3
    host4   10.1.1.4      owner4
I suspect that the "bad" output you observe is caused by the 50K row limit. (Try a smaller CSV and a smaller index search and you should see.)
In the solution you provided index will be treated as left data because it's specified first
Unlike join, the append-stats method that many Splunkers use does not really depend on which set is introduced first. The control is in the filter.
Hi guys,
I have the following query that produces the table below:
    index=core_ct_report_*
    | eval brand=case(like(report_model, "cfg%"), "grandstream",
        like(report_model, "cisco%"), "Cisco",
        like(report_model, "ata%"), "Cisco",
        like(report_model, "snom%"), "Snom",
        like(report_model, "VISION%"), "Snom",
        like(report_model, "yealink%"), "Yealink",
        1=1, "Other")
    | stats count by fw_version,report_model,brand
    | table brand report_model fw_version count
    | sort report_model, count desc
In this table I want to group the rows with the same value in the report_model column. I use stats values() to achieve that, as follows:
    index=core_ct_report_*
    | eval brand=case(like(report_model, "cfg%"), "grandstream",
        like(report_model, "cisco%"), "Cisco",
        like(report_model, "ata%"), "Cisco",
        like(report_model, "snom%"), "Snom",
        like(report_model, "VISION%"), "Snom",
        like(report_model, "yealink%"), "Yealink",
        1=1, "Other")
    | stats count by fw_version,report_model,brand
    | stats values(brand) as brand values(fw_version) as fw_version values(count) as count by report_model
    | table brand report_model fw_version count
But with this query the count is also grouped. On the 6th row there are count values missing; the missing count has the value 1, so only one '1' is shown. I can't remove count from stats values() or the count values don't appear in the final table. What am I doing wrong?
Thanks in advance for your help.
<form version="1.1" theme="light">
  <label>two DS panels</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="server">
      <label>Server</label>
      <choice value="a">A</choice>
      <choice value="b">B</choice>
      <choice value="c">C</choice>
      <choice value="d">D</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>US DS</title>
        <search>
          <query>| makeresults format=csv data="Host, DS
A, US-DS
B, US-DS"
| table Host DS</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>UK DS</title>
        <search>
          <query>| makeresults format=csv data="Host, DS
C, UK-DS
D, UK-DS"
| table Host DS</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
How can I solve that?
And the question is?
Math is cool, I did try /100 but did not use exact. doh.   Thanks for the reply.
That worked, thank you both very much. I changed it to en-GB in the URL and it is now working as expected.  Thank you!
You could pipe it to rex and create a new field inside subsearch. Then just use this field with return.
Can you share your dashboard code inside </> block?
I tried that but I don't have a field name from my command. Do I need to set one or how does this work? Still new to understanding all of this. I got the command running but working in the commands.conf and default.meta files by calling the python/powershell files. Is this something I need to set somewhere?
[serversindex] Configuration initialization for /opt/splunk/var/run/searchpeers/serverhead-1721913866 took longer than expected (1002ms) when dispatching a search with search ID remote_serverhead_userxx__userxx__search__search1_1723144245.50. This usually indicates problems with underlying storage performance.
Or try to use some other locale than en-US on URL when you login to splunk.
Blame Americanism on this.  In your user account, see if there is an option to customize locale, not just timezone.
Hi, have you tried
    | eval testdata = [| nslookupsearch dest_ip | return <your field name from command>]
r. Ismo