All Posts


Wanted to explain the scenario better. I have Dashboard A and Dashboard B. In Dashboard A I show for each metrics dimension if it is healthy or unhealthy. Like CPU of servers below threshold or not. Memory of the servers below thresholds or not. Then, I have Dashboard B which has multiple charts like CPU, Memory and more. Now, the way I envisage it is: the user comes to Dashboard A, he sees one of the metrics dimensions as unhealthy, then he wants to see more detail, or say a graph on a timeline, say for the last 24 hours, so that he can analyze if it is a momentary spike or a consistent issue for the last two hours. So when he clicks on chart A which shows unhealthy I want to take the user to the CPU-specific chart of the 10 more charts in Dashboard B. To put it better, I do want to navigate the user from Dashboard A to Dashboard B but also take him to a specific chart, maybe by focusing on that chart as he comes to Dashboard B. (I know well how to navigate via Drilldown.)
Hi Splunkers, I have the following tasks: I need to compare 2 different Splunk instances, that should be deployed in the same way, but should be not. So I have some sub tasks to perform these checks. One of them is this: in the first instance, some fields deployed by the previous Splunk admin should be present (as you can imagine, if I'm here to ask for this, no documentation has been produced). Those fields should have been replicated also on the second one, migrating some apps and add-ons, but some of them could be in a missing state. So, the idea is: avoiding the most obvious way, which is GUI -> Settings -> Field, is there another way to ask Splunk: "hey, could you list me all fields that are inside you?" The idea is a search, or recovering them from the command line, to obtain 2 files and compare them, for example 2 different txt/csv files.
Please share your current search and explain your requirement with respect to d@m
Hey,
Is there a TA for this or are you using the DB connect app if supported ----> There is no TA, we are using the DB Connect app, the supported one in Splunk, to generate data for the dashboard for some specific source types, and however we have set up specific data labs that should continuously index data every 15 mins. Also, the database queries are efficiently running, yet after all these configurations the data is not being sent as expected.
Did this work before, what changed ----> Yes, this was working before when we created this.
Have you developed a custom dashboard with panels that searches the data ----> Yes, a custom dashboard with panels that searches the data.
Even when I search for anything, it shows me this error. It's missing, I couldn't find it in lookups. Is there any source to download the lookup=LOOKUP-useragentstrings.csv?
Yeah, I have managed to fix the overlay with the below
| where _time>=relative_time(now(), "-1mon@mon@w")
& to adjust
eval= if(_time < info_min_time + 30*24*3600, _time + 90*24*3600, _time)
Still need to fix the latter to reflect exact d@m
Even when I search for anything, it shows me this error.
Hi @Siddharthnegi, you cannot export data in PDF, but only print a dashboard in PDF. Also because in PDF you cannot use them. If you want them in PDF, you could schedule a report sending results via email in PDF. Ciao. Giuseppe
https://docs.splunk.com/Documentation/Splunk/9.3.0/RESTREF/RESTcluster#cluster.2Fmanager.2Fredundancy
I want to export results of a search in pdf format but it shows  
Well. Your screenshot shows... something. The only thing that I can try to deduce from it is that you're running your Splunk environment on Windows (and even that is just a guess). Anyway. CM - if it's not doing anything else - should have pretty constant memory usage determined by the size of your environment (number of indexers and buckets on those indexers). Of course it will start small and quite quickly build up memory usage as peers register with it and report their buckets, but after that the memory usage growth should slow down significantly. If you have a constant linear growth... it might warrant a support case. Or you might simply have too small a machine for your CM. In the SH case though it's not that easy because it highly depends on activity - number of searches, the searches themselves, your users' limits and so on. You could use the monitoring console to see what your users are doing and what is consuming most memory. Anyway, 12GB RAM is a minimum reference SH specification and it's very rarely enough (and if you're using premium apps like ES or ITSI it's way below the recommended specs).
Hello, we have this issue that our Splunk manager and search head, after around 1 up to 2 weeks, increase in RAM. The splunkd service and some python scripts are the ones that slowly increment the usage of RAM over time, and we had the issue that the splunkd service fails sometimes, since there is not enough RAM for it to execute tasks. We have 16GB of RAM; after I restart the splunkd service it goes down to 4.6 GB RAM in use. Now like I said this will increase slowly up to 15.8GB over time. As you can see here it goes up to 12GB. Current Splunk version: 9.2.0.1. Is there a known bug of memory leak for Splunk itself? Did somebody have the same issue already, and if so, how did you resolve this problem? Thank you.
OK then you should be able to simply use a where command to keep just the events in the time ranges you want
Hi, Not exactly what I'm after. Timewrap will cause to chart 3 values: my earliest month of interest, anything in between and my last month. I've tried to play with eval _time values but to no avail, perhaps this needs another approach. I'm trying to chart only the months of my interest to obtain a clean view and to simplify calculations on those 2 month values when required. Per below example I want to look at May and July only, thanks
Hi everyone, I am referring to the documentation on High Availability Clustering Configuration, and I came across the following statement: "An eligible 'standby' cluster manager will not set its redundancy state to 'active' upon consecutive loss of heartbeat to the manager which is currently in active state. The administrator must manually change the cluster manager redundancy state to 'active' or 'standby'." Could someone please guide me on how to manually change the cluster manager redundancy state to 'active' or 'standby' in Splunk? What are the exact steps or commands required to perform this operation? Thank you in advance for your help!
Hi @AnanthaS, as I said, if you want to create a drilldown from a Single Value panel, the only parameters that you must pass to the drilldown are the time tokens. You can create your drilldown using the UI (as I hinted and already described in my previous answers) or add these rows to the Single Value panel:
    <drilldown>
      <link target="_blank">/app/<your_app>/<your_secondary_dashboard>?TimeFrom=$Time.earliest$&amp;TimeTo=$Time.latest$</link>
    </drilldown>
where $Time.earliest$ and $Time.latest$ are the tokens that you used for the primary dashboard. Obviously, remember to change the drilldown option in the panel:
    <option name="drilldown">all</option>
instead of "none". Ciao. Giuseppe
The scenario is I created a dashboard where I show CPU, Memory if it violates threshold, and once the user clicks on the dashboard I redirect the user to another dashboard where I have graphs for CPU, memory etc., and here, since the user clicked on CPU breach, I want to redirect him to the CPU-specific graph
Hi @bowesmana, Thank you for the shared links.
Hi @Lloyd , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
Thank you  @gcusello  for your quick reply and support