All Posts

Please share the PROBLEM and RECOVERY events. (It is rather difficult to solve your problem without being able to see what events you are dealing with!)
Error while connecting AWS lambda with SignalFX
Just wanted to add the "final touch" which made the solution work as intended: Solved: Re: Defining a global token for alert recipients - Splunk Community
Sweet relief after so much trial and error, I could kiss you! Yes, this solution finally works!

savedsearches.conf:
<basesearch> | table <something> | `macro`

macros.conf:
[macro]
definition = eval _recipients="email1@email.com, email2@email.com"

and finally in the savedsearches.conf (or the To: field in the UI):
action.email.to = $result._recipients$

And it finally works as intended!!! Wish I could reward 100 karma for this. Still think that this should be a "built in" thing available both in the GUI and config files, "email groups", but I'm too happy to care right now.
Hi, everybody! I am an iOS engineer. We are using AppD recently, but there are some things that I am very confused about. So I put forward feedback and hope someone can help answer it. As shown in the picture above, see the red frame in the upper right corner of the picture. https://docs.appdynamics.com/appd/4.5.x/en/end-user-monitoring/mobile-real-user-monitoring/overview-of-the-controller-ui-for-mobile-rum/mobile-sessions#MobileSessions-SessionTimeline My questions are as follows: 1. What does "49 of 54 Sessions for this Agent" mean here? 2. When I click the arrows before and after the red frame text, the page can be switched to view different logs, so how are the contents of the current page and the next page divided? What does the log of the current page represent? 3. How is the cycle of a session calculated? Because I don't see the code for the relevant session in the code. 4. What does a session mean? How is it divided? Hope someone can answer it. Many thanks. Best regards.
This is indeed a nice alternative thank you!
UF host for last 60 minutes with no errors and warnings. IDX side: still a problem here. This morning we had to reboot the Splunk servers due to a security patch of the operating system. You can see it at the beginning of the graph. This meant that the connection between UF and IDX had to be re-established, i.e. when IDX or UF restarts, about 20 minutes yesterday and today 10 minutes, which is not the delay or batch processing.
Hi @Srini_551, as @marnall said, Splunk isn't a tool for updating data because it doesn't use a database table, but you could use one of these workarounds to solve your needs: 1) schedule a search that updates your lookup with the new alerts and access the lookup using the Splunk Lookup Editor App. 2) create a dashboard in which you have two panels: one with all the alerts, so you can choose the alert to modify, then in the second panel, you display the selected row and, using a text input, you can update the row; at the end you can save the row in the lookup. This solution runs only if you are using a KV Store that records a key for each row. The first solution is easier to implement, but you must use the Splunk Lookup Editor App as the interface. Ciao. Giuseppe
Tried this and it worked thanks
Any errors on either side of the connection?
If you wanted to update your lookup from the dashboard you'd need to make some (details would depend on your particular use case) search using existing lookup contents and the entered values and end it with the outputlookup command.
Hey, thank you for being so helpful. Glad to say I solved it. It turns out I forgot to set it as a stats....
Quoting from the details tab - Vault Enterprise users can complete the Splunk app request form to request access to the app.
I note that it does not alert on the field that does not exist. When I make another file that doesn't have the field, it does warn.
Hi @manjunathmeti, thanks for the reply. I tried OUTPUT and it's the same behavior.
Your question is so vague we have no way of knowing what your problem is. I'm assuming you have an all-in-one installation (just one instance of Splunk Enterprise) installed on a single computer. Apart from that we know nothing. What data do you have in your Splunk environment? What are you doing when you say you're trying to search? What results do you get? Help us help you.
There is a typo in @richgalloway's suggestion, please try below:

index=_internal source="/opt/splunk/var/log/splunk/license_usage.log" type=Usage idx=* | timechart span=1d sum(b) as usage | eval usage=round(usage/1024/1024/1024) | eval usage = tostring(usage, "commas")
Hi @cybersecnutant, yes, you should be covered. As @PickleRick describes, there will be no change on remote storage; only your hot buckets will be replicated between the indexers' local storage until they roll to warm.
Ah, that makes sense - thanks @manjunathmeti. I will hassle my ServiceNow contact and see if I can understand what he has done.
The link was just for reference, usually, you need to deploy an app or integration in Service Now first so that the add-on on Splunk integrates with Service Now.