Hi, thanks for your response. devicename is the hostname. E.g. I have configured a list of Linux servers to send logs to Splunk; the server name is shown in the field "host", which is actually the device name (server name). Similarly for Windows servers, firewalls, etc.

Linux servers: ab, dd, xy (configuring those devices under the index called 'linux')
Windows servers: wndw1, wndw2, wndw3 (configuring those devices under the index called 'windows')
Fortinet devices: frt1, frt2, frt3 (configuring those devices under the index called 'fortinet')

Now, I am using this tstats query:

| tstats count where index=* by host,index

The result will be:

host   index     count
ab     linux     10
dd     linux     20
xy     linux     30
wndw1  windows   10
wndw2  windows   20
wndw3  windows   30
frt1   fortinet  10
frt2   fortinet  20
frt3   fortinet  30

Now, I have another set of devices (e.g. network devices: ntwk1, ntwk2, ntwk3), but the name of the device is under the field called 'asset'. My tstats query won't pick up this list of network devices, so I need your suggestion on how to include those.
Hey Giuseppe, thanks for your response, this is exactly what I was looking for. Can a virtual machine suffice for a cluster manager? I was wanting to cluster my environment for HA. If I enable clustering, do I still need to copy all of my data from the original indexer onto my new indexer? Or if I enable clustering, what do I need to do to replicate my data from my original indexer to my new indexer? Another question: if I am deploying a new indexer, should I update all my forwarders to send to both indexers, or should I leave it where it's sending its data to the original indexer?
That's how case works - it returns the value for the first matching condition. If you want to evaluate all conditions, you have to do three separate evals and assign values to three separate fields.
True, you can't use tstats with search-time extracted fields. There are other techniques to accelerate working with data. Which one will be appropriate for you depends on your data and use case.
https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad  
Hi Team, I am monitoring Bluecoat proxy logs via the syslog log collection method. My input.conf file is configured to read all logs inside the location opt/splunk/syslog/symantec/bluecoat/*/*.log. Below is the current configuration. Now I need to exclude the logs which have cs-host=nxtengine.cpga.net.qa from indexing.

[monitor:///opt/splunk/syslog/symantec/bluecoat/*/*.log]
sourcetype = bluecoat:proxysg:access:syslog
index = cus_XXX
host_segment = 6
disabled = false

Sample raw log below:

2024-08-07T14:12:37+03:00 10.253.253.44 Bluecoat|src=X.x.x.x|srcport=53936|dst=x.x.x.x|dstport=8443|username=abcdef$|devicetime=[07/08/2024:11:12:32 GMT]|s-action=TCP_DENIED|sc-status=407|cs-method=CONNECT|time-taken=11|sc-bytes=247|cs-bytes=816|cs-uri-scheme=tcp|cs-host=nxtengine.cpga.net.qa|cs-uri-path=/|cs-uri-query=-|cs-uri-extension=-|cs-auth-group=-|rs(Content-Type)=-|cs(User-Agent)=Mozilla/5.0|cs(Referer)=-|sc-filter-result=DENIED|filter-category=none|cs-uri=tcp://nxtengine.cpga.net.qa:8443/
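One way to drop those events before they are indexed is the nullQueue routing described in Splunk's Route and filter data documentation. This is an added example, not a reply from the thread: the transform name is assumed, and the two files belong on the indexer or heavy forwarder that parses the data (a universal forwarder does not apply TRANSFORMS).

```ini
# props.conf: attach the filter to the sourcetype used in the monitor stanza above
[bluecoat:proxysg:access:syslog]
TRANSFORMS-drop_nxtengine = drop_nxtengine_host

# transforms.conf: any event whose raw text matches the regex is sent to
# nullQueue and never reaches the index. The trailing "\|" anchors the match
# to the exact cs-host value so e.g. nxtengine.cpga.net.qa.example is kept.
[drop_nxtengine_host]
REGEX = cs-host=nxtengine\.cpga\.net\.qa\|
DEST_KEY = queue
FORMAT = nullQueue
```

After restarting splunkd on the parsing tier, confirm the filter with a search such as `index=cus_XXX cs-host=nxtengine.cpga.net.qa earliest=-15m`, which should return no new events.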
Is there a 1-2-1 relationship between host and device name? Could you use a lookup after the tstats? What does your stats search look like? Perhaps there may be ways to optimise it.
It looks like, for trellis pie charts, you have to calculate the values as percentages i.e. each row should add up to 100. Since you already have the free percentage you can simply calculate the used percentage.
Hello Everyone, I'm experiencing a problem with the latest version of Missile Map (1.6.0). The animated arrows remain static when the page initially loads, and the animations only begin when I manually zoom in or out of the map. This is an issue, as the animations used to start automatically as soon as the dashboard page was loaded. Thank you for your assistance.
Hi @suvi6789, only for test, please try this:

index="abc"
| stats count(eval(searchmatch("error 1234"))) AS "Error1" count(eval(searchmatch("error 567"))) AS "Error12" count(eval(searchmatch("error 89"))) AS "Error3"

The issue is probably in the data; you must analyze it.

Ciao.
Giuseppe
Thank you for your response. If I comment the first search:

index="abc"
| eval JobName= case(
```searchmatch("error 1234"), "Error1",```
searchmatch("error 567"), "Error2",
searchmatch("error 89"), "Error3"
)

Now, the result is: Error2 - 125
Hi @suvi6789, the search is correct, are you sure about the strings to search for Error 2 and 3? Only for debugging, please change the order of searchmatch in the eval.

Ciao.
Giuseppe
Thanks for the response. My bad, the parentheses were wrong; it was a typo. I have run the query with the right parentheses:

index="abc"
| eval JobName= case(
searchmatch("error 1234"), "Error1",
searchmatch("error 567"), "Error2",
searchmatch("error 89"), "Error3"
)
| stats count by JobName

Output says: Error1 - 234 (234 is the count of the error). Though error 2 and error 3 are there, they are not listed in the results.
Hi @suvi6789, the parentheses are wrong, and if Error1, 2 and 3 are strings, use quotes:

index="abc"
| eval JobName= case(
searchmatch("error 1234"), "Error1",
searchmatch("error 567"), "Error2",
searchmatch("error 89"), "Error3"
)
| stats count by JobName
Hi, can anyone please help me to frame the SPL script? I have to collect the list of devices reporting in Splunk along with the index name. For that I am using the tstats command:

| tstats count where index=* by host,index

Now the problem is, for one index the device name is under the field name 'asset'. To get such a list from this index, I can't use the tstats command since it works only for metafields. I tried using the stats command, but it is taking a very long time, which is impacting performance. Please suggest how I should frame the query in an efficient manner for this case. Thanks
Hi, I am doing a list of different searches and want the count of each search. So, I was using the searchmatch command, but when using it I get only the first result that is successfully searched and it ignores the rest. For example:

index="abc"
| eval JobName= case(
searchmatch("error 1234", Error1),
searchmatch("error 567", Error2),
searchmatch("error 89", Error3)
)
| stats count by JobName

Output says: Error1 - 234 (234 is the count of the error). Though error 2 and error 3 are there, they are not listed in the results. Please could you suggest how to get this sorted.
Hello everyone,

I am encountering an issue with sending emails for the alerts I have configured on Splunk. Here are the steps I followed:

SMTP Server Configuration: I set up an SMTP server using Postfix on a virtual machine (VM). I also configured the firewall on this VM to allow SMTP traffic.
Splunk Configuration: In Splunk, I configured the email server settings using my Postfix server information. I verified the settings under Settings -> Server settings -> Email settings, and everything seems correct.
Alert Configuration: I created several alerts and configured the "Send Email" action for each alert. I provided the recipients, subject, and email content.

Despite these configurations, I am not receiving any emails when the alerts are triggered.

Additional Details:
I tested sending emails from the command line on the VM with Postfix, and it works correctly.
I checked Splunk logs (splunkd.log) and did not find any obvious errors related to email sending.
Postfix logs show that email requests do not seem to be reaching the server.

Questions:
Are there any additional steps I might have missed in the Splunk configuration for sending emails?
How can I diagnose why emails are not being sent from Splunk?
Are there specific logs or configurations I should check again?

Thank you in advance for your help!
I get the same error message but I don't know what to do. Does anyone have a solution for that problem?
I'm getting the exact same error. Does anyone have a solution for that problem?