All Posts

Hi All, please help me to solve the below queries in a Splunk classic dashboard.

Query 1: For example, we have created a table for each alert in Splunk with all the alert details as individual columns like alertid, alertname, alerttime, alertsummary, alertdescription etc. in a Splunk classic dashboard. So now how do I add an extra column "comment" to the above Splunk table, manually enter the values in that column in each row, and save it to a lookup file?

Query 2: Is it possible to add an editable column to a Splunk table and save the response in a lookup table? If yes, please help me implement the same in the dashboard.
This is confusing.  Could you explain "convert them?" Do you mean the raw events are not in XML?  In that case, could you share raw events?  Also, French should not stop Splunk as long as it is encoded in UTF-8 or another compatible scheme.
Sorry if it's not clear. For example, Hostnames A, B, C belong to owner X, and Hostnames D, E, F belong to owner Y. I want each filter to be bound to tokens on the other filters. So, for example, if I set the owner filter to value X, the dropdown on the Hostname filter only displays A, B, C. Or if I choose hostname A, the owner filter only shows the X value. Is it possible?
Replace stats in the query with timechart and it should work.

index=_internal source="/opt/splunk/var/log/splunk/license_usage.log" type=Usage idx=* | timechart span=1d sum(b) as usage | eval usage=round(usage/1024/1024/1024) | eval usage = tostring(usage, "commas")
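As an added example (editor's code, not part of any post in this thread) of the timechart approach above, the search below produces one row per day for the last 30 days with the total in TB rather than GB, which is what the original question asked for. It assumes the default license_usage.log location on the license master and the standard `b` (bytes) field of `type=Usage` events; the `earliest`/`latest` window and the `usage_tb` field name are my choices.

```spl
index=_internal source=*license_usage.log type=Usage idx=* earliest=-30d@d latest=@d
| timechart span=1d sum(b) AS bytes
| eval usage_tb=round(bytes/pow(1024,4), 3)
| fields _time usage_tb
```

Two points worth checking before putting this behind a bar chart. First, the per-day division is 1024^4 for TB (1024^3, as in the thread, gives GB). Second, leave out the `tostring(..., "commas")` step when the search feeds a chart: it turns the numeric field into a formatted string, and a column or bar chart can only plot numbers; apply that formatting only in a table panel. If you only need daily totals, `type=RolloverSummary` events already carry one summary per day and `| timechart span=1d sum(b)` over them gives the same figure with far fewer events scanned.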
As an alternative you can use other functions | eval trimmed_email=trim(Employee_Email,"\"[]") or | eval substr_email=substr(Employee_Email,3,len(Employee_Email)-4)
You're doing stats aggregation to a single value. Your stats sum(b) will produce just one overall number.
Hi @scout29, see the Monitoring Console app or [Settings > License > License Consumption Report > previous 30 days] and you'll have your search. Ciao. Giuseppe
I am trying to create a bar chart that shows the total daily Splunk ingestion (in TB) by day for the past month. I am using the below search, but I am not able to get |timechart to work to display the total ingestion by day. What am I missing?

index=_internal source="/opt/splunk/var/log/splunk/license_usage.log" type=Usage idx=* | stats sum(b) as usage | eval usage=round(usage/1024/1024/1024) | eval usage = tostring(Used, "commas")
thanks for clarifying
You need to escape the square brackets and double quotes | eval test1=replace(replace(Employee_Email,"\[\"",""),"\"\]","")
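The following is an added example (editor's code, not posted by anyone in the thread) that builds the poster's sample value with `makeresults` and runs the `replace`, `trim` and `substr` variants from the two answers above side by side, so you can confirm they agree before touching real data. It also adds a single anchored regex and, as a generalization the thread does not cover, an `spath` extraction for the case where the field holds a JSON array with more than one address; the `Employee_Email` name is from the question, every other field name is my choice.

```spl
| makeresults
| eval Employee_Email="[\"firstname.lastname@gmail.com\"]"
| eval via_replace=replace(replace(Employee_Email,"\[\"",""),"\"\]","")
| eval via_trim=trim(Employee_Email,"\"[]")
| eval via_substr=substr(Employee_Email,3,len(Employee_Email)-4)
| eval via_anchored=replace(Employee_Email,"^\[\"|\"\]$","")
| spath input=Employee_Email path={} output=via_spath
| table Employee_Email via_replace via_trim via_substr via_anchored via_spath
```

Inside an SPL string literal `\"` is the escape for a double quote, and the regex escapes `\[` and `\]` pass through to the regex engine, which is why `"\[\""` matches the literal two characters `["`. The anchored form `^\["|"\]$` only strips the brackets at the ends of the value, so a bracket or quote that legitimately appears inside the address survives. `trim` and `substr` are cheaper than regex but assume the value always has exactly one bracket and one quote on each side; `spath` is the right tool when the value is really a JSON array, because it returns a multivalue field with one entry per element instead of a string with the delimiters removed.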
Hi, we moved a customer from virtualized Splunk indexers to physical machines with NVMe storage. Since we performed this migration the customer experiences slower results when running dense searches. So I checked the job inspector and it seems that there is an issue. As far as I understood, the value "dispatch.fetch" is the time the SH waits for the IDX to return the results. Is this value based on network or storage conditions? Attached is the slightly blurred job inspector.
Hi, thanks for your reply. I just had a look in the transforms.conf file and saw stanzas such as:

[system_props_xml_attributes]
# Extracts values from following fields:
# Provider: Name, Guid
# TimeCreated: SystemTime, RawTime
# Correlation: ActivityID, RelativeActivityID
# Execution: ProcessID, ThreadID, ProcessorID, SessionID, KernelTime, UserTime, ProcessorTime
# Security: UserID

So, for the element "Provider", Name & Guid are attributes; similarly, for the element "TimeCreated", SystemTime & RawTime are attributes. So the fields are parsing correctly, right?
Edit: I tried:  | eval test1 = replace (Employee_Email, "[" , "")
Hi, I have a field called "Employee_Email". This field contains the value: ["firstname.lastname@gmail.com"]

How do I remove the special characters [" and "]?

I tried: | eval test1 = replace (Employee_Email "[" , "")

But when I tried to remove either [ or " it gives me the following errors: Error in 'EvalCommand': Regex: missing terminating ] for character class Or: Unbalanced quotes.

Is there a way to ignore the normal effect of [ and "?
The element (field) is "Provider"; "Name" and "Guid", for that matter, are attributes of the element. For example, if you extract the fields with spath you will get ...Provider@Name, showing that it is an attribute.
You could consider area charts, which are sort of a mix of line and column charts.
Thanks for your help... it works.
On one hand, thank you very much; changing this to a column makes the stacking work. On the other hand, the documentation I was reading did list stackmode under line charts, so that is a bit confusing: Chart configuration reference - Splunk Documentation. The teams would prefer the line graphs as that is more common for us, but this does get the desired visual. Thank you.
It is not clear what you are trying to achieve here; you already have your tokens in your table search! BTW, your ipaddress dropdown has a fieldForLabel which is not returned by the search.