All Posts
Figured it out thanks to you all! @PickleRick @gcusello Here is what I did. First I ran the ./splunk list monitor command to see what was being monitored. It was as you said: Splunk does not like multiple overlapping input stanzas. This is what my inputs configuration looks like. I had to remove the /var/log/audit stanzas.

inputs.conf

[monitor:///var/log]
disabled = false
blacklist = syslog

[monitor:///var/log/syslog/10.10.10.10/.../*]
disabled = false
host = loginsight01
index = insight

[monitor:///var/log/syslog/10.10.10.11/.../*]
disabled = false
host = loginsight02
index = insight

[monitor:///var/log/syslog/10.10.10.12/.../*]
disabled = false
host = loginsight03
index = insight

Thank you all for the help!
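The post above resolves the problem by removing a monitor stanza nested under another one. As an added example (not code from the poster or from Splunk), the script below parses an inputs.conf, strips wildcard and "..." segments from each monitor path, and reports pairs where one monitored tree contains another, treating a parent's blacklist regex as excluding the matching subtree. The sample conf text is constructed for illustration and includes a /var/log/audit stanza of the kind the poster removed; the stanza layout itself follows the post.

```python
"""Report overlapping [monitor://...] stanzas in a Splunk inputs.conf.

Added example, not part of the original post. It assumes the conf text is
passed in as a string and that 'blacklist' holds a regex matched against the
full file path (Splunk's documented semantics for monitor inputs).
"""
import re
import configparser
from pathlib import PurePosixPath

# Constructed sample: the poster's layout plus a nested /var/log/audit stanza.
SAMPLE_INPUTS_CONF = """
[monitor:///var/log]
disabled = false
blacklist = syslog

[monitor:///var/log/audit]
disabled = false
index = os

[monitor:///var/log/syslog/10.10.10.10/.../*]
disabled = false
host = loginsight01
index = insight
"""

# Constructed sample: the same conf with the nested audit stanza removed.
FIXED_INPUTS_CONF = SAMPLE_INPUTS_CONF.replace(
    "[monitor:///var/log/audit]\ndisabled = false\nindex = os\n", ""
)


def monitor_stanzas(conf_text):
    """Return [(base_path, blacklist_regex_or_None)] for each enabled monitor stanza.

    The base path is the fixed prefix before the first wildcard or '...' segment.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    stanzas = []
    for section in parser.sections():
        if not section.startswith("monitor://"):
            continue
        if parser.get(section, "disabled", fallback="false").lower() in ("1", "true"):
            continue
        fixed_parts = []
        for seg in PurePosixPath(section[len("monitor://"):]).parts:
            if "*" in seg or "..." in seg:
                break
            fixed_parts.append(seg)
        stanzas.append((str(PurePosixPath(*fixed_parts)),
                        parser.get(section, "blacklist", fallback=None)))
    return stanzas


def monitor_paths(conf_text):
    """Just the monitored base paths, in stanza order."""
    return [path for path, _ in monitor_stanzas(conf_text)]


def overlapping_monitors(conf_text):
    """Return sorted (ancestor, descendant) pairs whose monitored trees overlap.

    A descendant is not reported when the ancestor's blacklist already excludes it.
    """
    stanzas = monitor_stanzas(conf_text)
    overlaps = []
    for a_path, a_blacklist in stanzas:
        for b_path, _ in stanzas:
            if a_path == b_path:
                continue
            if PurePosixPath(a_path) not in PurePosixPath(b_path).parents:
                continue
            if a_blacklist and re.search(a_blacklist, b_path):
                continue  # parent stanza's blacklist keeps it out of this subtree
            overlaps.append((a_path, b_path))
    return sorted(overlaps)


if __name__ == "__main__":
    for label, conf in (("before", SAMPLE_INPUTS_CONF), ("after", FIXED_INPUTS_CONF)):
        print(label, overlapping_monitors(conf) or "no overlapping monitor stanzas")
```

Because the /var/log stanza blacklists anything matching "syslog", the /var/log/syslog/... stanzas do not overlap with it; only the nested /var/log/audit stanza is flagged, and it disappears from the report once removed.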
Try something like this

<form version="1.1" theme="light">
  <label>Hidden panels</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="panel_tok" searchWhenChanged="true">
      <label>Vendor</label>
      <choice value="All">All</choice>
      <default>All</default>
      <initialValue>All</initialValue>
      <fieldForLabel>Vendor</fieldForLabel>
      <fieldForValue>Vendor</fieldForValue>
      <search>
        <query>| makeresults format=csv data="Vendor
Vendor A
Vendor B" | stats c by Vendor</query>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <condition value="All">
          <set token="vendorA">true</set>
          <set token="vendorB">true</set>
        </condition>
        <condition value="Vendor A">
          <set token="vendorA"></set>
          <unset token="vendorB"></unset>
        </condition>
        <condition value="Vendor B">
          <unset token="vendorA"></unset>
          <set token="vendorB"></set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$vendorA$">
      <html>
        <p>Panel A</p>
      </html>
    </panel>
  </row>
  <row>
    <panel depends="$vendorB$">
      <html>
        <p>Panel B</p>
      </html>
    </panel>
  </row>
</form>
<input token="panel_tok" searchWhenChanged="true">
  <label>Vendor</label>
  <choice value="*">All</choice>
  <default>*</default>
  <initialValue>*</initialValue>
  <fieldForLabel>vendor</fieldForLabel>
  <fieldForValue>vendor</fieldForValue>
  <search>
    <query>| stats c by vendor</query>
    <earliest>-7d@h</earliest>
    <latest>now</latest>
  </search>

@ITWhisperer
Please share the source of your dashboard in a code block
Some more digging, this seems to be the same issue: https://community.splunk.com/t5/Splunk-Search/Having-a-problem-substituting-value-for-earliest-in-a-map/m-p/33122
Hi @JandrevdM, what's in my search doesn't match your requirement? Then, if you want the list of all your assets, you don't need all those commands, but only a list of hosts. Then UniqueHostCount is always 1 in your search. Then you don't have timestamp from the first stats command, so you cannot use it in the second stats command, because after a stats command you have only the fields in the stats. At least, using tstats you have a more performant search. Ciao. Giuseppe
Hi @kp_pl, as you can read at https://docs.splunk.com/Documentation/SCS/current/SearchReference/BinCommandOverview

"The SPL2 bin command puts continuous numerical values into discrete sets, or bins, by adjusting the value of <field> so that all of the items in a particular set have the same value."

But the option to give the groups is span and not bin; bin gives the number of groups. So please try something like this:

<your-search>
| bin span=10 TIMETAKEN
| stats count by TIMETAKEN

Ciao. Giuseppe

In other words, you could use
Hi @gcusello Thanks! I also tried this but it takes ages to get results.

index=*
| stats dc(computerName) as UniqueHostCount by computerName
| where UniqueHostCount > 0
| stats max(timestamp) by computerName
| table computerName
I have header panels on a dashboard. Say this dropdown has a token called tok_panel. Is there a way to make the panels depend on specific values of tok_panel? I.e., if I select "All" in the dropdown, only panel "All" should be visible instead of *. In my case I'm using static options for "All" to display. Other options come from |stats c by field name. @gcusello @ITWhisperer @PickleRick @richgalloway
Hi @trevor7 , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi @JandrevdM, with this search you can have only the list of Universal Forwarders and not the list of all devices. In addition you could have a more performant search in this way:

| tstats count where index=_internal BY host

If you want also other devices, you must use a different filter in the where condition, e.g.:

| tstats count where index=_internal OR index=* BY host

Ciao. Giuseppe
Unfortunately I cannot confirm because all the nodes are on Lnx-8
I have been experimenting and noticed a massive improvement on RHEL9. Can you confirm that?
Hi, I am new to Splunk and would like to build a dashboard to find all hosts in the environment. This should query all logs to pick up WSL environments, devices ingesting from my security tools and overall just anything with a hostname, and classify it as domain joined, server or workstation. I am using this to then see the devices that have the forwarder installed, and then I would correlate to see what devices require the Splunk forwarder.

index="_internal" source="*metrics.log*" group=tcpin_connections
| dedup hostname
| table date_hour, date_minute, date_mday, date_month, date_year, hostname, sourceIp, fwdType, guid, version, build, os, arch
| stats count
yes the comment should be saved 
I know this question was asked about 2 years ago but I didn't see any responses, so I am going to ask it again.  Is there a way to add a tooltip to a table in Dashboard Studio.  I want the tooltip to be dynamic in that the wording comes from a lookup table, based on
Is there a way to export the ticket information from mission control with the analyst notes, and resolution ?    If it's not possible directly from MC, is there a way to do that via splunk search ?    thanks 
@PickleRick I have increased the max_timestamp from 650 to 750 and also corrected the TIME_PREFIX setting, but still the issue persists.
In my case there is an index with field OP which has a duration TT. Of course there are a lot of records with different OPs and different TTs.

| stats perc25(TT) as Q1, median(TT) as Q2MEDIAN, perc75(TT) as Q3, perc98(TT) as P98 by OP

Here is the way I count quartiles and the 98th percentile of my set. The result is four values between 2 sec. (Q1) and 40 sec. (P98) for every OP. Last time @ITWhisperer mentioned the command BIN. I like it! I wondered about creating 10 bins instead (kind of every 10th percentile). I did something like

| bin TIMETAKEN bins=10
| stats count(TIMETAKEN) by TIMETAKEN

and expected to see 10 bins, but the result was:

TIMETAKEN   count(TIMETAKEN)
0-10        6393
10-20       389
20-30       15
40-50       2

So no 10 bins but only 4. What am I doing wrong? And how to create 10 bins for each OP? Something like

| bin TIMETAKEN bins=10
| stats count(TIMETAKEN) by OP

???
Have you read my previous response? Did you check any of the things I mentioned?