All Posts


I am confused by what you are actually asking for. Let's say today is 8th August 2024 and the user enters 2023 for application version. Are you wanting to compare two time periods, each 30 days prior to 8th August, one for 2024 and the other for 2023? In those time periods, you want application version to be 2023 for the 2024 search and 2022 for the 2023 time period?
The %SPLUNK_HOME% variable that you noted in this documentation is not defined outside of the Splunk process by default. %SPLUNK_HOME% refers to the Splunk installation folder on Windows. Typically:

C:\Program Files\Splunk

You can run all of those commands as the user running Splunk by either setting the environment variable or replacing it manually first. To permanently set the environment variable you can use:

setx SPLUNK_HOME "C:\Program Files\Splunk"

Read more here.
I am working on a tax product and we have products per tax year. Now I want to compare the performance of the tax products in a time chart and I did it like below (this is in a Splunk dashboard):

index=cls_prod_app appname=Lacerte applicationversion=$applicationversion$ message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$ latest=-365d@d
| append [ search index=cls_prod_app appname=Lacerte applicationversion=2022 message="featureperfmetrics" NOT(isinternal="*") taxmodule=$taxmodule$ $hostingprovider$ datapath=* operation=createclient $concurrentusers$ latest=-365d@d ]
| eval totaltimeinsec = totaltime/1000
| bin span=1m _time
| timechart p95(totaltimeinsec) as RecordedTime by applicationversion limit=0

$applicationversion$ is user input and it will be a string like 2023 or 2024.

1. I want to append a search: if the user types in 2023, then use 2022. tostring(tonumber($applicationversion$)-) is not working for me somehow. toint tells me it is not a valid method.

2. I want to plot this in a special way. For example, if I search 2023 for the last 30 days, the actual 2022 real performance should be last year's data. What I need is: if I select 2023 and the last 30 days, today being Aug 08, 2024, then I want to compare the last 30 days of 2023 and last year's (Aug 08, 2023) last 30 days of data in a time chart, to see the real graph for any deviation. Is there any way to achieve this in Splunk?
Hi @Iris_Pi , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
I think I can see the issue here:

[wineventlog_index_windows]
definition= index=wineventlog OR index=main

This should be:

[wineventlog_index_windows]
search = index=wineventlog OR index=main

Note the "search" directive instead of "definition". Definition is used in macros.conf. Let me know how you get on.
Hi @vid1, the installation procedure is at https://docs.splunk.com/Documentation/Forwarder/9.3.0/Forwarder/Installanixuniversalforwarder. What message are you receiving? What do you find at /opt/splunkforwarder/var/log/splunk firstinstall.log? Ciao. Giuseppe
Hi @Iris_Pi, you must send a diag to Splunk Support when you have on-premise systems, because they cannot access them; but they can access Splunk Cloud, so you don't need to create it. Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated.
Hello Ciao, thanks much for your reply. I will get back to Splunk Support regarding this point.
Hi @Iris_Pi , you don't need to create a diag on Splunk Cloud because Splunk Support can already access it. Ciao. Giuseppe
Hello Guys, can you please share the steps on how to create a diag file for **Splunk Cloud**? I found some posts saying that we can run "Splunk diag" from the command line; however, there's no command line for Splunk Cloud, so how can I get a diag file as asked by support? Thanks much in advance! Regards, Iris
1) I would like to say thank you for your advice. I think I overlooked the main index.

2) The main reason I want to split one sourcetype, say test, into index=bank, index=card and index=error is because I need different access permissions.
Hi, We have already done that - deleted the smart agent on the host itself, but it's still there. The agent got wiped about 3 weeks ago when we were done testing. We are using: AppDynamics Controller build 24.2.6-1114
You can change the field name with the "rename" method, but what I wanted was for the desired field name to be searched when I searched with just

index=botsv2 sourcetype="stream:smtp"

---------------------------------------------------------------------------------------------------------------------------------------------

index=botsv2 sourcetype="stream:smtp" attach_filename{}="*"

(Before, in order to extract file_name, I had to search for that.)

I took a hint from your words and solved it in a different way. Taking the hint that attach_filename{} was already extracted by Splunk, I created a lookup file using "spath" and made it an "Auto-Lookup". Then the field is extracted and displayed with just index=botsv2 sourcetype="stream:smtp". I really appreciate your help. Thank you.
Thank you for the quick reply. OK, but a few days back the PDF option was not there and now it is. How is that possible?
Hi @Siddharthnegi, to my knowledge, it isn't possible to remove it. Ciao. Giuseppe
Can we edit this format option, e.g. to remove or add the PDF format? A few days back the PDF option was not showing here and now it is. Is there a way to edit it or add the PDF format?
There are general recommendations in the form of so-called SVAs - Splunk Validated Architectures: https://docs.splunk.com/Documentation/SVA/current/Architectures/About Of course those are guidelines; they are based on typical needs and can be adjusted in some border cases - for example, when you have a relatively isolated environment you can (and often will) use intermediate forwarder(s) to route events from sources inside to the indexers on the outside. But the intermediate forwarder can (and often will) be a UF - it doesn't have to be a HF. While I like the (non-SVA) general concept of an additional HF layer in front of indexers (it has its pros and cons, so it's not a solution I'll preach indiscriminately to everyone), adding multiple HFs in a single "branched" processing chain introduces a whole lot of inconsistency and can be a huge pain to troubleshoot in case of problems with ingestion.
Then, how do I change the field name from attach_filename{} to file_name?

rename is your friend.

| rename attach_filename{} as filename
Maybe transaction? Something like

index=index source="D:\\Temp\\logs\\Logpath\\examplelog.log"
| transaction startswith="Saved messages to DB" endswith="Done bulk saving messages" keepevicted=t
| eval no_msg_wait_time = mvcount(noMessageHandleCounter) * 1000
| fillnull no_msg_wait_time
| rename duration as processing_time
``` keep only the last event of the multi-line transaction; the split delimiter is a literal newline inside the quotes ```
| eval _raw = mvindex(split(_raw, "
"), -1)
| rex "Done Bulk saving .+ used (?<db_bulk_write_time>\w+)"
| table _time processing_time Count db_bulk_write_time no_msg_wait_time _raw

Your sample event will give

_time                    processing_time  Count  db_bulk_write_time  no_msg_wait_time  _raw
2024-08-07 21:13:16.637  3.797            1      12                  3000              2024-08-07 21:13:20,434 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 12 ms
2024-08-07 21:13:12.841  3.781            1      11                  3000              2024-08-07 21:13:16,622 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 11 ms
2024-08-07 21:13:12.054  0.771            1      24                  0                 2024-08-07 21:13:12,825 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 24 ms
2024-08-07 21:13:07.710  4.297            1      113                 4000              2024-08-07 21:13:12,007 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 113 ms

I didn't break _time into separate fields but that can easily be done. Here is an emulation for you to play with and compare with real data.
| makeresults
``` one sample log line per row inside the string literal; the split delimiter is a literal newline inside the quotes ```
| eval data = split("2024-08-07 21:13:07,710 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:07,710 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=4), retry in 1000 ms
2024-08-07 21:13:08,742 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:08,742 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=5), retry in 1000 ms
2024-08-07 21:13:09,757 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:09,757 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=6), retry in 1000 ms
2024-08-07 21:13:10,773 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:10,773 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=7), retry in 1000 ms
2024-08-07 21:13:11,007 [15] INFO DistributorCommon.WMQClient [(null)] - Message Read from Queue, Message Length:4504
2024-08-07 21:13:11,132 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=1), retry in 10 ms.
2024-08-07 21:13:11,257 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=2), retry in 10 ms.
2024-08-07 21:13:11,382 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=3), retry in 10 ms.
2024-08-07 21:13:11,507 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=4), retry in 10 ms.
2024-08-07 21:13:11,632 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=5), retry in 10 ms.
2024-08-07 21:13:11,757 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=6), retry in 10 ms.
2024-08-07 21:13:11,882 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=7), retry in 10 ms.
2024-08-07 21:13:11,882 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 1
2024-08-07 21:13:11,882 [39] INFO DistributorCommon.WMQClient [(null)] - Processing messages, Count=1
2024-08-07 21:13:11,882 [39] INFO DistributorCommon.WMQClient [(null)] - Done Processing messages, Count=1, IsBufferedEvent=True
2024-08-07 21:13:11,882 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Bulk saving messages, Count=1
2024-08-07 21:13:12,007 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 113 ms
2024-08-07 21:13:12,007 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=8), retry in 10 ms.
2024-08-07 21:13:12,054 [39] INFO DistributorCommon.WMQClient [(null)] - Saved messages to DB, Q Manager to Commit (Remove messages from Queue)
2024-08-07 21:13:12,132 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=9), retry in 10 ms.
2024-08-07 21:13:12,179 [39] INFO DistributorCommon.WMQClient [(null)] - Clear Write Buffer
2024-08-07 21:13:12,257 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:12,398 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:12,528 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:12,778 [33] INFO DistributorCommon.WMQClient [(null)] - Message Read from Queue, Message Length:4668
2024-08-07 21:13:12,809 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 1
2024-08-07 21:13:12,809 [39] INFO DistributorCommon.WMQClient [(null)] - Processing messages, Count=1
2024-08-07 21:13:12,809 [39] INFO DistributorCommon.WMQClient [(null)] - Done Processing messages, Count=1, IsBufferedEvent=True
2024-08-07 21:13:12,809 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Bulk saving messages, Count=1
2024-08-07 21:13:12,825 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 24 ms
2024-08-07 21:13:12,841 [39] INFO DistributorCommon.WMQClient [(null)] - Saved messages to DB, Q Manager to Commit (Remove messages from Queue)
2024-08-07 21:13:12,934 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=1), retry in 10 ms.
2024-08-07 21:13:12,966 [39] INFO DistributorCommon.WMQClient [(null)] - Clear Write Buffer
2024-08-07 21:13:13,059 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=2), retry in 10 ms.
2024-08-07 21:13:13,059 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:13,184 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=3), retry in 10 ms.
2024-08-07 21:13:13,200 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:13,325 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=4), retry in 10 ms.
2024-08-07 21:13:13,341 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:13,466 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=5), retry in 10 ms.
2024-08-07 21:13:13,466 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:13,466 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=4), retry in 1000 ms
2024-08-07 21:13:13,591 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=6), retry in 10 ms.
2024-08-07 21:13:13,716 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=7), retry in 10 ms.
2024-08-07 21:13:13,841 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=8), retry in 10 ms.
2024-08-07 21:13:13,966 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=9), retry in 10 ms.
2024-08-07 21:13:14,481 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:14,481 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=5), retry in 1000 ms
2024-08-07 21:13:15,497 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:15,497 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=6), retry in 1000 ms
2024-08-07 21:13:15,731 [20] INFO DistributorCommon.WMQClient [(null)] - Message Read from Queue, Message Length:7648
2024-08-07 21:13:15,856 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=1), retry in 10 ms.
2024-08-07 21:13:15,981 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=2), retry in 10 ms.
2024-08-07 21:13:16,106 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=3), retry in 10 ms.
2024-08-07 21:13:16,231 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=4), retry in 10 ms.
2024-08-07 21:13:16,356 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=5), retry in 10 ms.
2024-08-07 21:13:16,481 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=6), retry in 10 ms.
2024-08-07 21:13:16,606 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=7), retry in 10 ms.
2024-08-07 21:13:16,606 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 1
2024-08-07 21:13:16,606 [39] INFO DistributorCommon.WMQClient [(null)] - Processing messages, Count=1
2024-08-07 21:13:16,606 [39] INFO DistributorCommon.WMQClient [(null)] - Done Processing messages, Count=1, IsBufferedEvent=True
2024-08-07 21:13:16,606 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Bulk saving messages, Count=1
2024-08-07 21:13:16,622 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 11 ms
2024-08-07 21:13:16,637 [39] INFO DistributorCommon.WMQClient [(null)] - Saved messages to DB, Q Manager to Commit (Remove messages from Queue)
2024-08-07 21:13:16,731 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=8), retry in 10 ms.
2024-08-07 21:13:16,762 [39] INFO DistributorCommon.WMQClient [(null)] - Clear Write Buffer
2024-08-07 21:13:16,856 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=9), retry in 10 ms.
2024-08-07 21:13:16,856 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:16,997 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:17,137 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:17,278 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:17,278 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=4), retry in 1000 ms
2024-08-07 21:13:18,294 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:18,294 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=5), retry in 1000 ms
2024-08-07 21:13:19,309 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:19,309 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=6), retry in 1000 ms
2024-08-07 21:13:19,544 [28] INFO DistributorCommon.WMQClient [(null)] - Message Read from Queue, Message Length:13568
2024-08-07 21:13:19,669 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=1), retry in 10 ms.
2024-08-07 21:13:19,794 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=2), retry in 10 ms.
2024-08-07 21:13:19,919 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=3), retry in 10 ms.
2024-08-07 21:13:20,044 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=4), retry in 10 ms.
2024-08-07 21:13:20,169 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=5), retry in 10 ms.
2024-08-07 21:13:20,294 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=6), retry in 10 ms.
2024-08-07 21:13:20,419 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=7), retry in 10 ms.
2024-08-07 21:13:20,419 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 1
2024-08-07 21:13:20,419 [39] INFO DistributorCommon.WMQClient [(null)] - Processing messages, Count=1
2024-08-07 21:13:20,419 [39] INFO DistributorCommon.WMQClient [(null)] - Done Processing messages, Count=1, IsBufferedEvent=True
2024-08-07 21:13:20,419 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Bulk saving messages, Count=1
2024-08-07 21:13:20,434 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 12 ms", "
")
``` one event per log line, then auto-extract key=value pairs such as noMessageHandleCounter and Count ```
| mvexpand data
| rename data as _raw
| extract
``` take the leading "date time" token as the event timestamp ```
| eval _time = strptime(replace(_raw, "^(?<_time>\S+ \S+).+", "\1"), "%F %T,%3N")
| sort - _time
``` the above emulates index=index source="D:\\Temp\\logs\\Logpath\\examplelog.log" ```