All Posts

Hello Giuseppe, Thank you for your quick answer. This is definitely going to help me achieve this.
Cheers, I've checked the job manager and the job completes and writes to the stash; as all data is sent on to the indexers (which it is for all other inputs to this HF), that should be fine. Unfortunately I can't use the makeresults command as it needs to be the first command in the search, which conflicts with the ldapsearch command as that needs the same. It's almost like the collect command has stopped working.
Hi @cbiraris, which kind of example? Isn't the search I shared OK? Ciao. Giuseppe
Can you give me an example?
What search have you used for these visualisations?
Hi @Chirag812, the easiest way to have the same result is to insert the list of servers in a lookup (called e.g. servers.csv) with at least one column (host) and run something like this: index=* sourcetype=* [ | inputlookup servers.csv | fields host ] P.S.: when you create this lookup, remember to also create the Lookup Definition. Ciao. Giuseppe
Hi @cbiraris , you should create your report with the last two fields in one and then separate them using a regex, something like this: <your_search> | rename Class.student_name AS student_name Class.number AS number | rex field=number "^(?<number>\d+)\s(?<type_of_number>.*)" | table student_name number type_of_number Ciao. Giuseppe
Hi @mubeen, I saw only one integration like the one you would like: one of my colleagues modified the Python Splunk drivers to save reports in SharePoint, but it isn't an immediate intervention. So you have only two solutions: engage Splunk PS to create this integration, or create the custom script you described. Ciao. Giuseppe
Looks better now. I changed the sourcetype from "veeam" to "veeam_vbr_syslog" like you said. Now I see a "transferred data" rate. There should be more data tomorrow. I will get back to you.
I think so! Looking again at the screen, it looks like your Field alias is applied to a sourcetype of "veeam" not "veeam_vbr_syslog" - suggest you check that. The Data model expects sourcetype="veeam_vbr_syslog" - is that the sourcetype applied to the Veeam data coming in?
You may find something helpful here:  Solved: Pie chart max value - Splunk Community
ALCON, Hello, I am having issues with printmon query results not showing the proper results for "total_pages". The page_printed is always equal to zero (0). Moreover, the total_pages value is also not right, as when I print 5 pages it is telling only 1. Any solution to that? One Example Query (ALL "printmon" queries give me the same inaccurate results): Index=wineventlog eventtype=printmon_windows (host="Printer Name" OR host="Printer Name") user="If looking for specific user info" | table _time, user, document, machine, printer, driver_name, total_pages, size_bytes | rename user as "User", document as "Document", machine as "Host", printer as "Location", driver_name as "Driver", total_pages as "Total Pages", size_bytes as "Bytes" | dedup document | sort - _time Other links about the subject, but old info without any solution or fix: 1. WinPrintMon not logging page_printed correctly (24May2015) Link: https://community.splunk.com/t5/Getting-Data-In/WinPrintMon-not-logging-page-printed-correctly/m-p/121725 2. winprintmon search results aren't showing the proper results for "total_pages" (20Feb2019 at 0826) Link: https://community.splunk.com/t5/Splunk-Search/winprintmon-search-results-aren-t-showing-the-proper-results-for/m-p/392683#M172918 Please provide an example query or where to find the fix.
Hello, I have a monthly report that is huge (300 MB approx) and would like it to be exported to an external SFTP Server. I do not see any such option in Report Actions at present. Any ideas on how this can be achieved would be of great help. I know it can be done using a custom script that copies the results to the SFTP Server from a specific path after the results are dumped to a lookup, but I want to explore other direct integration options.
Hi Team, I am trying to make a field regex for the below, which is coming in every single event, but it's not allowing me to use the same field name for 2 entries of the same type, as they are coming in the same single event. For example: { "class1": { "student1": "123 rollnumber" }, "class2": { "student1": "123 rollno", "student2": "321 rollno" } } 1) class1 and class2 should be under the Class field. If I search for class1 I should only find student 1 and related info, and if I search for class3 I should only find student 1 and related info. They will be in fields like class, student, number, and type of number: Class field: class1, class2; student name: student1, student1; number: 123, 123, 321; type of number: rollnumber, rollno, rollno
Can we create a new field which contains a group of multiple server names, which I can then use directly in all queries like reports and alerts, so I don't need to search for the server names all the time and can just use the one created field directly? For example: index=* sourcetype=* host=X So here I want to create x=Server A + Server B + Server C. Is this possible in Splunk?
I need to do the same thing in a Splunk Studio dashboard with the JSON editor. How can I achieve this in a Studio dashboard?
Trellis by instance. Instance being the specific disk, so c:/ etc. But what you can see above is that when I use trellis (or don't) it only shows me either the partial free/full spaces but not in regards to the full disk. I would like to see a pie chart in which each instance is shown with its used diskspace and the remaining free diskspace, but for whatever reason it doesn't.
Yes it does, but nothing like I want. Without trellis; with trellis by instance. What I actually want is something like this, only for each instance. When I manage to make it look like this at least, I still can't use trellis to show me all different instances (disks), only the one in the first row: | mstats max("% Free Space") as "MB", max("Free Megabytes") as "FreeMB" WHERE index=m_windows_perfmon AND host=NTSAP10 span=1d by instance | search instance!=hard* | search instance!=_Total | eval FreeDiskspace=round(FreeMB/1024,2) | eval TotalDiskspace=round((FreeDiskspace/MB)*100,2) | eval FullDiskspace=round(TotalDiskspace-FreeDiskspace,2) | dedup instance | table FreeDiskspace TotalDiskspace | transpose 0 column_name=instance The table then looks like this currently: the rows must be the instances, so c, d, e etc. and I can't split by instance in trellis for whatever reason either.
Hello, does anyone know if it is possible to remove/delete a smart agent from the controller UI that is not in use anymore? We used it for testing, and now want to remove it from the controller UI.
I have a Dashboard Studio Dashboard and want to set a token from an input (like text input or dropdown input) triggered by the interaction with another element within the dashboard.   I already tried to do that with the interaction --> Set Token option and specified the token name as "form.tokenname". This did not work, the value of the token was not changed.   Is there a way to achieve that in Dashboard Studio like it works in Classic XML Dashboard by setting the token with "form.tokenname"?