This still gives me only one year results - 2023
Hello, sorry, I forgot to mention that I am using the API portion of the Add-On Builder, no scripting, just direct API connection.   Thanks again, Tom
Hello, could anyone please tell me how I can disable SSL verification for the Add-On Builder? I can't figure out where the parameter is located. Thank you for any help on this one, Tom
Using the classic type dashboards I'm able to have a simple script run on load of the dashboard by adding something like:
<dashboard script="App_Name:script_name.js" version="1.1">
But when I add this to a dashboard created using Dashboard Studio, the script does not run. How do you get a script to run on load of a dashboard that was created with Dashboard Studio?
Hi AndrewBurnett, thank you for keeping me updated. I have sent the link to our Linux colleagues, and will hear what they think of it. Harry
Restore the $SPLUNK_HOME/etc/system/local/authorize.conf file from your most recent backup and restart Splunk.
I believe I have a fix, and I'm curious whether it resolves your issue as well. I'm in close contact with Splunk Support about this, so I'm sure documentation will be coming out shortly. Follow this documentation to enable cgroupsv2, reboot, and then disable/re-enable boot-start: https://access.redhat.com/webassets/avalon/j/includes/session/scribe/?redirectTo=https%3A%2F%2Faccess.redhat.com%2Fsolutions%2F6898151
Also, you could consider putting the search in the init block so it isn't even in a panel.
Panels can be hidden by using the depends attribute with a token that is never set:
<panel depends="$neverset$">
Hi, in splunkd.log I am seeing:
TailReader [260668 tailreader0] - Batch input finished reading file='/opt/splunkforwarder/var/spool/splunk/tracker.log'
and in Splunk I am seeing the logs as well. Basically, I want to know what is happening here. This tracker.log file should be under index=_internal, but somehow this file is present under index=linux, and in the Linux TA I can see the [linux_audit] sourcetype config under props.conf. Who is calling this, as I am not seeing any related input parameter for it? Kind Regards, Rashid
A string in single quotes is treated by Splunk as a field name. substr('message.processingDuration', 1, len('message.processingDuration')-2)
Try something like this:
index=cls_prod_app appname=Lacerte message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$ [| makeresults | eval latest=relative_time(now(),"@d") | eval row=mvrange(0,2) | mvexpand row | eval latest=relative_time(latest,"@d-".row."y") | eval earliest=relative_time(latest,"-30d") | eval applicationversion=$applicationversion$-row | table earliest latest applicationversion]
Hi @gcusello, with the updated query I am not able to fetch the data of the current date. Can you please help me to add the data of the current date too?
Query:
index=events_prod_cdp_penalty_esa source="SYSLOG" (TERM(NIDF=RPWARDA) OR TERM(NIDF=SPWARAA) OR TERM(NIDF=SPWARRA) OR PIDZJEA OR IDJO20P) | rex field=TEXT "NIDF=(?<file>[^\\s]+)" | transaction startswith="IDJO20P" endswith="PIDZJEA" keeporphans=True | bin span=1d _time | stats sum(eventcount) AS eventcount BY _time file | append [ search index=events_prod_cdp_penalty_esa source="SYSLOG" (TERM(NIDF=RPWARDA) OR TERM(NIDF=SPWARAA) OR TERM(NIDF=SPWARRA) OR PIDZJEA OR IDJO20P) | rex field=TEXT "NIDF=(?<file>[^\\s]+)" | transaction startswith="PIDZJEA" endswith="IDJO20P" keeporphans=True | bin span=1d _time | stats sum(eventcount) AS eventcount BY _time | eval file="count after PIDZJEA" | table file eventcount _time] | chart sum(eventcount) AS eventcount OVER _time BY file
Extract:
Also, is it possible to have a visual graph like below to show the details in the graph:
IN_per_24h = count of RPWARDA between IDJO20P and PIDZJEA of the day.
Out_per_24h = count of SPWARAA + SPWARRA between IDJO20P and PIDZJEA of the day.
Backlog = count after PIDZJEA of the day.
@ITWhisperer: Can you please check my last query and help to provide a solution?
Hello Everyone, I have written a Splunk query to remove the last 2 characters from the string processingDuration = 102ms, giving 102, for the following log:
{
  "timestamp": "2029-02-29 07:32:54.734",
  "level": "INFO",
  "thread": "54dd544ff",
  "logger": "my.logger",
  "message": {
    "logTimeStamp": "2029-02-29T07:32:54.734494726Z",
    "logType": "RESP",
    "statusCode": 200,
    "processingDuration": "102ms",
    "headers": { "Content-Type": [ "application/json" ] },
    "tracers": {
      "correlation-id": [ "hfkjhwkj98342" ],
      "request-id": [ "53456345" ],
      "service-trace-id": [ "34234623456" ]
    }
  },
  "context": "hello-service"
}
My Splunk query:
index=my_index | spath logger | search logger="my.logger" | spath "message.logType" | search "message.logType"=RESP | spath "message.tracers.correlation-id{}" | search "message.tracers.correlation-id{}"="hfkjhwkj98342" | eval myprocessTime = substr("message.processingDuration", 1, len("message.processingDuration")-2) | table "message.tracers.correlation-id{}" myprocessTime
The above query treats "message.processingDuration" as a string itself and removes the last 2 characters from it. I tried without double quotes also, and it returned empty:
substr(message.processingDuration, 1, len(message.processingDuration)-2)
Appreciate your help on this. Thanks in advance.
@KendallW Thanks for your response. The XML tags you provided work in the classic dashboard. Do you know how we can do the same in Dashboard Studio? Regards, PNV
Hi @bowesmana: I see the reset operation you have added. Do you know how we can do this in Dashboard Studio? I have two dropdowns, A and B. On selection of values in A, it displays the relevant values in B. On changing the selection in A, dropdown B displays the previous selection value first, then the list of new selection values from A. Regards, PNV
Hi Splunker, I am currently working with REST API calls for user management in Splunk. While attempting to add additional roles to the default admin account, I accidentally removed the admin role from this account. Unfortunately, I do not have any other user accounts with admin privileges. At present, I only have a single user account with the "User" role and cannot create a new user with "Admin" privileges. Could you please advise on how to restore the deleted roles to the existing user account or suggest any alternative solutions?
I need to generate a report that will output a table with different timings in columns. The tricky part is that the logs captured fall under a unique transaction ID.
index=<app> "Start Time" OR "End Time"
Sample Output Log (note that this is under 1 transaction ID):
8:00 TransID "Start Time"
8:01 TransID "End Time"
8:30 TransID "Start Time"
8:31 TransID "End Time"
9:00 TransID "Start Time"
9:01 TransID "End Time"
Table should look like:
TransID StartTime1 EndTime1 Duration1 StartTime2 EndTime2 Duration2 StartTime3 EndTime3 Duration3
0123 8:00 8:01 1:00 8:30 8:31 1:00 9:00 9:01 1:00
Yes