Created a local directory within the SplunkDeploymentServerConfig app and added the outputs.conf at /opt/splunk/etc/apps/SplunkDeploymentServerConfig/local/outputs.conf with the following contents:

[indexAndForward]
index = true
selectiveIndexing = true

Clients started reporting to the DS after restarting Splunk. Thankful I found this thread.
What do your raw events look like?
Just to follow up with what my problem was: I had a license set for an individual instance. I thought distributed meant multiple instances of each type of Splunk server, i.e. multiple indexers, SHs, forwarders, etc. I didn't realize one SH, one indexer, and one forwarder counted as distributed. Either way, putting in the 10 GB/day distributed license did the trick. Now dev works.
"headers, but I'm still unsure of how to parse each individual value ("meteoTemp", or "meteolunarPercent" for example) into separate objects so they can be represented by separate ... and I am confused."

Have you viewed my sample output? meteoTemp and meteolunarPercent are extracted by spath and tabulated in my example. You can plot them however you want. For example:

source="mqtt://MeteoMQTT" | rex "msg=(?<msg>.+)" | spath input=msg | timechart avg(meteoTemp) as avgMeteoTemp max(meteolunarPercent) as maxMeteolunarPercent

If you do not get those fields, you need to play with my emulation, carefully compare it with your raw data, and post data that is representative of the actual data structure.
I want to add onto this that I am also having this problem. Except the command exceeds the 360 timeout by a minute or more.
Hello, my Splunk query returns the marks of students in the below format.

User    Subject    Grade
John    Physics    D
        Science    A
        Math       B
        Social     C
        History    D
Mark    Physics    A
        Social     B
        History    C
Sam     Math       C
        Social     D
        History    A

How can I filter the query to show only marks for Physics and Social? Somewhat like the below.

User    Subject    Grade
John    Physics    D
        Social     C
Mark    Physics    A
        Social     B
Sam     Social     D

Thank you!
Thanks for the quick reply. That has helped in that it's extracted the "msg data" section from the headers, but I'm still unsure of how to parse each individual value ("meteoTemp" or "meteolunarPercent", for example) into separate objects so they can be represented by separate and different "widgets" on a dashboard. Sticking with those same two examples, I ultimately want to plot temperature on a line chart, but show lunarPercent as a single value. Thanks.
I have a Splunk table that has 3 rows and a count for each row. How do I make each value in the table go to a different URL? This is what I have, but every row I click goes to that same link. I want each table row to go to a different link.

    "type": "splunk.table",
    "dataSources": {
        "primary": "ds_5ds4f5"
    },
    "title": "Device Inventory",
    "eventHandlers": [
        {
            "type": "drilldown.customUrl",
            "options": {
                "url": "https://device.com",
                "newTab": true
            }
        }
    ],
What is it and how does it work? I've got it installed but there is no documentation that I can find... 
Hi @kare.peng, That link seems to be broken and also links to an old version of AppDynamics. Can you confirm what Controller version number you are using? Here is the most recent documentation for this feature: https://docs.appdynamics.com/appd/24.x/24.7/en/end-user-monitoring/mobile-real-user-monitoring
Hi @Anees Ur.Rahman, Did you get a chance to see the reply from @Xiangning.Mao? If the reply helped, please click the 'Accept as Solution' button on their reply. If not, keep the conversation going by replying to this thread. 
Yeah, I was starting to consider that afterwards.  I appreciate the assistance. 
So there you have it: if you run the first instance you'll overwrite earlier gathered data. True, the subsequent three runs will append to your lookup, but only after the fourth run will you have the full 24h-long result set. I'd rather consider summary indexing instead of building a lookup.
While technically it should be possible to do with @gcusello's way of chaining subsearches, it's a very bad idea. Subsearches do have their limitations, so your result can be completely wrong. Unfortunately, if you really need to do a full text search, it's not possible to use the techniques typically used in similar cases since they rely on common fields. Be aware, though, that regardless of the subsearch use, searching through unparsed data can also be very performance-intensive.
Each query would be offset in its scheduling:

queryA would run at midnight, looking back from the previous midnight to the previous 0600
queryB would run a bit later, looking back from the previous 0600 to the previous 1200
queryC would run a bit later, looking back from the previous 1200 to the previous 1800
queryD would run a bit later, looking back from the previous 1800 to the previous 0000

The purpose is to not create so much resource utilization. I essentially want to piecemeal the 4 outputs into 1 lookup, read that lookup, enrich it, and schedule that as the alert itself. Then I want it to do it all over again, but I do not want the lookup to keep appending after a 24hr cycle.

TL;DR I want a solution to break up a 24hr alert into chunks and bring it back together.
It does not... I gave it a shot, but thank you for the idea!
Hi Community, we have the "Splunk Add-on for Microsoft Office 365" installed. We've created "Inputs" for "Audit.AzureActiveDirectory", "Audit.Exchange", and "Audit.SharePoint". As a result, we are getting all the Azure, Exchange, and SharePoint Azure audit log events loaded into Splunk! Perfect! Now we want to add the "Teams" audit log events also. But we don't see an "Audit.Teams" entry in the "Content Type" picklist on the "Add Management Activity" screen. We only see the entries listed above. The only option we see relative to Teams is on the "Create New Input" list, and that only loads aggregate Usage Report data on calling. Unfortunately, that is useless for us. Has anyone figured out how to load/ingest all the Teams related Azure Audit Log events like the above AzureAD, Exchange, and SharePoint events are loaded? Thanks in advance for any advice!!
Make two separate correlation searches. These are two separate conditions.
That's probably one of the quirks of MSI - sometimes it calls for an installation package even when you're uninstalling a program.
Do your strings have spaces? Try using the trim function:

| eval match = tonumber(trim(SequenceNumber_Comment)) - tonumber(trim(SequenceNumber_Withdrawal))