Panels can be hidden by using the depends attribute with a token that is never set: <panel depends="$neverset$">
Hi, in splunkd.log I am seeing: TailReader [260668 tailreader0] - Batch input finished reading file='/opt/splunkforwarder/var/spool/splunk/tracker.log' and in Splunk I am seeing the logs as well. Basically, I want to know what is happening here. This tracker.log file should be under index=_internal, but somehow this file is present under index=linux, and in the Linux TA I can see the [linux_audit] sourcetype config under props.conf. Who is calling this, as I am not seeing any related input parameter for it? Kind regards, Rashid
A string in single quotes is treated by Splunk as a field name: substr('message.processingDuration', 1, len('message.processingDuration')-2)
Try something like this:

index=cls_prod_app appname=Lacerte message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$ [| makeresults | eval latest=relative_time(now(),"@d") | eval row=mvrange(0,2) | mvexpand row | eval latest=relative_time(latest,"@d-".row."y") | eval earliest=relative_time(latest,"-30d") | eval applicationversion=$applicationversion$-row | table earliest latest applicationversion]
Hi @gcusello, with the updated query I am not able to fetch the data of the current date. Can you please help me to add the data of the current date too?

Query:

index=events_prod_cdp_penalty_esa source="SYSLOG" (TERM(NIDF=RPWARDA) OR TERM(NIDF=SPWARAA) OR TERM(NIDF=SPWARRA) OR PIDZJEA OR IDJO20P) | rex field=TEXT "NIDF=(?<file>[^\\s]+)" | transaction startswith="IDJO20P" endswith="PIDZJEA" keeporphans=True | bin span=1d _time | stats sum(eventcount) AS eventcount BY _time file | append [ search index=events_prod_cdp_penalty_esa source="SYSLOG" (TERM(NIDF=RPWARDA) OR TERM(NIDF=SPWARAA) OR TERM(NIDF=SPWARRA) OR PIDZJEA OR IDJO20P) | rex field=TEXT "NIDF=(?<file>[^\\s]+)" | transaction startswith="PIDZJEA" endswith="IDJO20P" keeporphans=True | bin span=1d _time | stats sum(eventcount) AS eventcount BY _time | eval file="count after PIDZJEA" | table file eventcount _time] | chart sum(eventcount) AS eventcount OVER _time BY file

Extract:

Also, is it possible to have a visual graph like the one below to show the details in the graph?
IN_per_24h = count of RPWARDA between IDJO20P and PIDZJEA of the day.
Out_per_24h = count of SPWARAA + SPWARRA between IDJO20P and PIDZJEA of the day.
Backlog = count after PIDZJEA of the day.
@ITWhisperer: Can you please check my last query and help to provide a solution.
Hello everyone, I have written a Splunk query to remove the last 2 characters from the string processingDuration = 102ms, giving 102, for the following log:

{
  "timestamp": "2029-02-29 07:32:54.734",
  "level": "INFO",
  "thread": "54dd544ff",
  "logger": "my.logger",
  "message": {
    "logTimeStamp": "2029-02-29T07:32:54.734494726Z",
    "logType": "RESP",
    "statusCode": 200,
    "processingDuration": "102ms",
    "headers": { "Content-Type": [ "application/json" ] },
    "tracers": {
      "correlation-id": [ "hfkjhwkj98342" ],
      "request-id": [ "53456345" ],
      "service-trace-id": [ "34234623456" ]
    }
  },
  "context": "hello-service"
}

My Splunk query:

index=my_index | spath logger | search logger="my.logger" | spath "message.logType" | search "message.logType"=RESP | spath "message.tracers.correlation-id{}" | search "message.tracers.correlation-id{}"="hfkjhwkj98342" | eval myprocessTime = substr("message.processingDuration", 1, len("message.processingDuration")-2) | table "message.tracers.correlation-id{}" myprocessTime

The above query treats "message.processingDuration" as a string itself and removes the last 2 characters from it. I tried without double quotes also; it returned empty:

substr(message.processingDuration, 1, len(message.processingDuration)-2)

Appreciate your help on this. Thanks in advance.
@KendallW, thanks for your response. The XML tags you provided work in the classic dashboard. Do you know how we can do the same in Dashboard Studio? Regards, PNV
Hi @bowesmana, I see the reset operation you have added. Do you know how we can do this in Dashboard Studio? I have two dropdowns, A and B. On selection of values in A, it displays relevant values in B. On changing the selection in A, dropdown B displays the previous selection value first, then the listed new selection values from A. Regards, PNV
Hi Splunker, I am currently working with REST API calls for user management in Splunk. While attempting to add additional roles to the default admin account, I accidentally removed the admin role from this account. Unfortunately, I do not have any other user accounts with admin privileges. At present, I only have a single user account with the "User" role and cannot create a new user with "Admin" privileges. Could you please advise on how to restore the deleted roles to the existing user account or suggest any alternative solutions?  
I need to generate a report that outputs a table with different timings in columns. The tricky part is that the captured logs fall under a unique transaction ID.

index=<app> "Start Time" OR "End Time"

Sample output log (note that this is all under 1 transaction ID):
8:00 TransID "Start Time"
8:01 TransID "End Time"
8:30 TransID "Start Time"
8:31 TransID "End Time"
9:00 TransID "Start Time"
9:01 TransID "End Time"

The table should look like:
TransID  StartTime1  EndTime1  Duration1  StartTime2  EndTime2  Duration2  StartTime3  EndTime3  Duration3
0123     8:00        8:01      1:00       8:30        8:31      1:00       9:00        9:01      1:00
Yes 
I am confused by what you are actually asking for. Let's say today is 8th August 2024 and the user enters 2023 for the application version. Are you wanting to compare two time periods, each 30 days prior to 8th August, one for 2024 and the other for 2023? In those time periods, you want the application version to be 2023 for the 2024 search and 2022 for the 2023 time period?
The %SPLUNK_HOME% variable that you noted in this documentation is not defined outside of the Splunk process by default. %SPLUNK_HOME% refers to the Splunk installation folder on Windows. Typically:

C:\Program Files\Splunk

You can run all of those commands as the user running Splunk by either setting the environment variable or replacing it manually first. To permanently set the environment variable you can use:

setx SPLUNK_HOME "C:\Program Files\Splunk"

Read more here.
I am working on a tax product and we have products per tax year. Now I want to compare the performance of the tax products in a time chart, and I did it like below (this is in a Splunk dashboard):

index=cls_prod_app appname=Lacerte applicationversion=$applicationversion$ message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$ latest=-365d@d | append [ search index=cls_prod_app appname=Lacerte applicationversion=2022 message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$ latest=-365d@d ] | eval totaltimeinsec = totaltime/1000 | bin span=1m _time | timechart p95(totaltimeinsec) as RecordedTime by applicationversion limit=0

$applicationversion$ is user input and will be a string like 2023 or 2024.
1. I want to append a search so that if the user types in 2023, it uses 2022. tostring(tonumber($applicationversion$)-) is not working for me somehow. toint tells me it is not a valid method.
2. I want to plot this in a special way: for example, if I search 2023 for the last 30 days, the actual 2022 real performance should be last year's data. What I need is, if I select 2023 and the last 30 days today on Aug 08, 2024, then I want to compare the last 30 days of 2023 and last year's (Aug 08, 2023) last 30 days of data in a time chart to see the real graph for any deviation. Is there any way to achieve this in Splunk?
Hi @Iris_Pi , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
I think I can see the issue here:

[wineventlog_index_windows]
definition= index=wineventlog OR index=main

This should be:

[wineventlog_index_windows]
search = index=wineventlog OR index=main

Note the "search" directive instead of "definition". "definition" is used in macros.conf. Let me know how you get on.
Hi @vid1, the installation procedure is at https://docs.splunk.com/Documentation/Forwarder/9.3.0/Forwarder/Installanixuniversalforwarder. What message are you receiving? What do you find at /opt/splunkforwarder/var/log/splunk firstinstall.log? Ciao. Giuseppe
Hi @Iris_Pi, you must send a diag to Splunk Support when you have on-premise systems because they cannot access them, but they can access Splunk Cloud, so you don't need to create it. Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated.