Hi @cbiraris, which kind of example? Isn't the search I shared ok? Ciao. Giuseppe
Can you give me an example?
What search have you used for these visualisations?
Hi @Chirag812, the easiest way to have the same result is to insert the list of servers in a lookup (called e.g. servers.csv) with at least one column (host) and run something like this:

index=* sourcetype=* [ | inputlookup servers.csv | fields host ]

P.S.: when you create this lookup, remember to also create the Lookup Definition. Ciao. Giuseppe
Hi @cbiraris, you should create your report with the last two fields in one and then separate them using a regex, something like this:

<your_search>
| rename Class.student_name AS student_name Class.number AS number
| rex field=number "^(?<number>\d+)\s(?<type_of_number>.*)"
| table student_name number type_of_number

Ciao. Giuseppe
Hi @mubeen, I saw only one integration like the one you would like: one of my colleagues modified the Python Splunk drivers to save reports in SharePoint, but it isn't an immediate intervention. So you have only two solutions: engage Splunk PS to create this integration, or create the custom script you described. Ciao. Giuseppe
Looks better now. I changed the sourcetype from "veeam" to "veeam_vbr_syslog" like you said. Now I see a "transferred data" rate. There should be more data tomorrow. I will get back to you.
I think so! Looking again at the screenshot, it looks like your Field alias is applied to a sourcetype of "veeam", not "veeam_vbr_syslog" - suggest you check that. The Data model expects sourcetype="veeam_vbr_syslog" - is that the sourcetype applied to the Veeam data coming in?
You may find something helpful here: Solved: Pie chart max value - Splunk Community
ALCON, hello. I am having issues with printmon query results not showing the proper results for "total_pages". The page_printed is always equal to zero (0). Moreover, the total_pages value is also not right: when I print 5 pages it is telling me only 1. Any solution to that?

One example query (ALL "printmon" queries give me the same inaccurate results):

Index=wineventlog eventtype=printmon_windows (host="Printer Name" OR host="Printer Name") user="If looking for specific user info"
| table _time, user, document, machine, printer, driver_name, total_pages, size_bytes
| rename user as "User", document as "Document", machine as "Host", printer as "Location", driver_name as "Driver", total_pages as "Total Pages", size_bytes as "Bytes"
| dedup document
| sort - _time

Other links about the subject, but old info without any solution or fix:
1. WinPrintMon not logging page_printed correctly (24May2015)
Link: https://community.splunk.com/t5/Getting-Data-In/WinPrintMon-not-logging-page-printed-correctly/m-p/121725
2. winprintmon search results aren't showing the proper results for "total_pages" (20Feb2019 at 0826)
Link: https://community.splunk.com/t5/Splunk-Search/winprintmon-search-results-aren-t-showing-the-proper-results-for/m-p/392683#M172918

Please provide an example query or where to find the fix.
Hello, I have a monthly report that is huge (300 MB approx) and would like it to be exported to an external SFTP server. I do not see any such option in Report Actions at present. Any ideas of how this can be achieved would be of great help. I know it can be done using a custom script that copies the results to the SFTP server from a specific path after the results are dumped to a lookup, but I want to explore other direct integration options.
Hi Team, I am trying to make the below field regex, which is coming in every single event, but it is not allowing me to use the same field name for 2 entries of the same type as they are coming in the same single event. For example:

{
  "class1": {
    "student1": "123 rollnumber"
  },
  "class2": {
    "student1": "123 rollno",
    "student2": "321 rollno"
  }
}

1) class1 and class2 should be under the Class field. If I search for class1 I should only find student1 and related info, and if I search for class3 I should only find student1 and related info. They will be in fields like class, student, number, and type of number:

Class field: class1, class2
student name: student1, student1
number: 123, 123, 321
type of number: rollnumber, rollno, rollno
Can we create a new field which contains a group of multiple server names, a field I can use directly in all queries such as reports and alerts, so I don't need to search for the server names all the time and can just use the created field directly? For example:

index=* sourcetype=* host=X

So here I want to create x=Server A + Server B + Server C. Is this possible in Splunk?
I need to do the same thing in a Splunk Studio dashboard with the JSON editor. How do I achieve this in a Studio dashboard?
Trellis by instance, instance being the specific disk, so c:/ etc. But what you can see above is that when I use trellis (or don't) it only shows me either the partial free/full spaces but not in regards to the full disk. I would like to see a pie chart in which each instance is shown with its used diskspace and the remaining free diskspace, but for whatever reason it doesn't.
Yes it does, but nothing like I want.

[screenshot: without trellis] [screenshot: with trellis by instance]

What I actually want is something like this, only for each instance:

[screenshot]

When I manage to make it look like this at least, I still can't use trellis to show me all the different instances (disks), only the one in the first row:

| mstats max("% Free Space") as "MB", max("Free Megabytes") as "FreeMB" WHERE index=m_windows_perfmon AND host=NTSAP10 span=1d by instance
| search instance!=hard*
| search instance!=_Total
| eval FreeDiskspace=round(FreeMB/1024,2)
| eval TotalDiskspace=round((FreeDiskspace/MB)*100,2)
| eval FullDiskspace=round(TotalDiskspace-FreeDiskspace,2)
| dedup instance
| table FreeDiskspace TotalDiskspace
| transpose 0 column_name=instance

The table then looks like this currently:

[screenshot]

The rows must be the instances, so c, d, e etc., and I can't split by instance in trellis for whatever reason either.
Hello, does anyone know if it is possible to remove/delete a smart agent from the controller UI that is not in use anymore? We used it for testing, and now want to remove it from the controller UI.
I have a Dashboard Studio dashboard and want to set a token from an input (like a text input or dropdown input) triggered by the interaction with another element within the dashboard. I already tried to do that with the Interaction --> Set Token option and specified the token name as "form.tokenname". This did not work; the value of the token was not changed. Is there a way to achieve that in Dashboard Studio like it works in a Classic XML dashboard by setting the token with "form.tokenname"?
Hi @Josua.Panjaitan, from the error "Unable to get AppAgentConfigurationResponse from controller" given, it is worth double checking the controller information in controller-info.xml. Was the controller info set correctly? For example, check whether the <controller-host>, <account-name> and <account-access-key> are correct. There are other possible causes for this error as well; it is hard to tell from the error statement only. However, it's possible to gain closure on what happens in the process by checking the agent log. See: Troubleshooting Java Agent Issues. Hope this helps! Regards, Martina
A Splunk URI query usually contains a few key/value pairs like these:

earliest - epoch time for how far back to search
latest - epoch time for when to start the search
sid - unique search ID
q - query string
display.events.fields - selected fields

If the path and URL query are over ~4000 characters after URL encoding, it will cause that 414 error. I have only had long query values for q and display.events.fields cause the 414 error. Splunk passes the sid in the URL so that the search doesn't need to be run again. All the search parameters are available on the server if you provide the sid, but if the search is deleted or expired it can fall back to the other URL parameters to re-run the search. The solutions are to edit the search to make it shorter in the URL or to edit the URL afterwards to remove some of the long parameters.

Now let's discuss the options I mentioned earlier. These will assume the following search and selected fields. They are not long enough to cause the 414 error, but will work for illustrating the issue.

search (265 chars encoded):
index=test host=0.example.com OR host=1.example.com OR host=2.example.com OR host=3.example.com OR host=4.example.com OR host=5.example.com OR host=6.example.com OR host=7.example.com OR host=8.example.com OR host=9.example.com

fields: host, src, src_ip, src_mac, dest, dest_ip, dest_mac

1. Refactor the Search

We can make this search string smaller by using the IN statement, a lookup, or a macro. The IN statement and lookup table make sense if you have a list of values in a search; the macro makes sense if you pipe the output to multiple subsequent commands (multiple eval, stats, etc.).

1.a. IN statement (166 chars encoded)
index=test host IN (0.example.com,1.example.com,2.example.com,3.example.com,4.example.com,5.example.com,6.example.com,7.example.com,8.example.com,9.example.com)

1.b. lookup table (77 chars encoded)
index=test [inputlookup example_domains | return 1000 host]

1.c. Search macro (40 chars encoded)
index=test `example_domain_search`

2. Edit the URL

Here is an example path for the first query above:
/search?q=search%20index%3Dtest%20host%3D0.example.com%20OR%20host%3D1.example.com%20OR%20host%3D2.example.com%20OR%20host%3D3.example.com%20OR%20host%3D4.example.com%20OR%20host%3D5.example.com%20OR%20host%3D6.example.com%20OR%20host%3D7.example.com%20OR%20host%3D8.example.com%20OR%20host%3D9.example.com&display.page.search.mode=smart&dispatch.sample_ratio=1&earliest=-24h%40h&latest=now&display.events.fields=%5B"host"%2C"src"%2C"src_ip"%2C"src_mac"%2C"dest"%2C"dest_ip"%2C"dest_mac"%5D&sid=1723000000.00000

2.a. Manually edit the URL (not recommended)
Go to the address bar and manually remove the longer query parameters.

2.a.i. Remove the display parameters and timeframe
/search?q=search%20index%3Dtest%20host%3D0.example.com%20OR%20host%3D1.example.com%20OR%20host%3D2.example.com%20OR%20host%3D3.example.com%20OR%20host%3D4.example.com%20OR%20host%3D5.example.com%20OR%20host%3D6.example.com%20OR%20host%3D7.example.com%20OR%20host%3D8.example.com%20OR%20host%3D9.example.com&sid=1723000000.00000

or

2.a.ii. Remove the display parameters
/search?q=search%20index%3Dtest%20host%3D0.example.com%20OR%20host%3D1.example.com%20OR%20host%3D2.example.com%20OR%20host%3D3.example.com%20OR%20host%3D4.example.com%20OR%20host%3D5.example.com%20OR%20host%3D6.example.com%20OR%20host%3D7.example.com%20OR%20host%3D8.example.com%20OR%20host%3D9.example.com&earliest=-24h%40h&latest=now&sid=1723000000.00000

or

2.a.iii. Leave only the search ID (sid)
/search?sid=1723000000.00000

2.b. Edit the URL with a bookmarklet
With the bookmarklet shared earlier, you can use a regular expression to remove some of the parameters. You could remove all but the sid like I did, or you could remove only the display.events.fields if that is causing issues for you. Any of the manual edits made above can be made with a regular expression.

If you want a regular expression that keeps more fields than the sid, you can use a regular expression tool like regex101 to assist in creating a different bookmarklet. It is probably possible to build a lexer bookmarklet that parses the search query and truncates it to fit within the server's ~4000 character limit, but that's probably a waste of time.
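The URL edits in 2.a, written as an added JavaScript example that is not the poster's bookmarklet (which is not reproduced on this page). It filters the query string as raw text so the parameters that survive keep exactly the encoding Splunk produced, and it takes the ~4000-character figure from the post rather than measuring any server; the sample URL is the post's own example path.

```javascript
// Added example (not the post's own bookmarklet): trim a Splunk search URL to a
// chosen set of query parameters, reproducing the manual edits in 2.a. The query
// string is filtered as raw text, so the parameters that are kept retain exactly
// the encoding Splunk produced (%20, %3D, %40 ...) instead of being re-encoded.

// The example path from the post, used here as constructed sample input.
const EXAMPLE_URL =
  '/search?q=search%20index%3Dtest%20host%3D0.example.com%20OR%20host%3D1.example.com' +
  '%20OR%20host%3D2.example.com%20OR%20host%3D3.example.com%20OR%20host%3D4.example.com' +
  '%20OR%20host%3D5.example.com%20OR%20host%3D6.example.com%20OR%20host%3D7.example.com' +
  '%20OR%20host%3D8.example.com%20OR%20host%3D9.example.com' +
  '&display.page.search.mode=smart&dispatch.sample_ratio=1&earliest=-24h%40h&latest=now' +
  '&display.events.fields=%5B"host"%2C"src"%2C"src_ip"%2C"src_mac"%2C"dest"%2C"dest_ip"%2C"dest_mac"%5D' +
  '&sid=1723000000.00000';

// Split "/path?query#fragment" into its three parts without decoding anything.
function splitUrl(href) {
  const hashAt = href.indexOf('#');
  const fragment = hashAt === -1 ? '' : href.slice(hashAt);
  const beforeHash = hashAt === -1 ? href : href.slice(0, hashAt);
  const queryAt = beforeHash.indexOf('?');
  const path = queryAt === -1 ? beforeHash : beforeHash.slice(0, queryAt);
  const query = queryAt === -1 ? '' : beforeHash.slice(queryAt + 1);
  return { path, query, fragment };
}

// Name of one "name=value" pair, decoded so an encoded name still matches.
function paramName(pair) {
  const raw = pair.split('=')[0];
  try {
    return decodeURIComponent(raw);
  } catch {
    return raw; // malformed percent-encoding: compare the raw name instead
  }
}

// Keep only the listed parameters, in their original order and encoding.
function trimSearchUrl(href, keep) {
  const { path, query, fragment } = splitUrl(href);
  const kept = query
    .split('&')
    .filter((pair) => pair.length > 0 && keep.includes(paramName(pair)));
  return path + (kept.length > 0 ? '?' + kept.join('&') : '') + fragment;
}

// The three manual edits from the post, as one-liners.
function removeDisplayAndTime(href) { // 2.a.i
  return trimSearchUrl(href, ['q', 'sid']);
}
function removeDisplay(href) {        // 2.a.ii
  return trimSearchUrl(href, ['q', 'earliest', 'latest', 'sid']);
}
function keepSidOnly(href) {          // 2.a.iii
  return trimSearchUrl(href, ['sid']);
}

// Length of path plus query, the part the post says is limited to roughly 4000
// characters once encoded. The 4000 figure comes from the post, not from a measurement.
function requestTargetLength(href) {
  const { path, query } = splitUrl(href);
  return path.length + (query.length > 0 ? 1 + query.length : 0);
}
function exceedsLimit(href, limit = 4000) {
  return requestTargetLength(href) > limit;
}

// Demonstration on the sample URL.
console.log(requestTargetLength(EXAMPLE_URL), 'chars before trimming');
console.log(keepSidOnly(EXAMPLE_URL));
console.log(removeDisplay(EXAMPLE_URL));
```

In a browser the same functions can be used from a bookmarklet by ending it with location.assign(keepSidOnly(location.pathname + location.search)); the sid-only form relies on the search job still existing on the server, as the post notes, while removeDisplay keeps q, earliest and latest so Splunk can re-run the search if the job has expired.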