All Posts


That event does indeed contain an instanceId field, but the sourcetype may not match the "veeam_vbr_syslog" value expected by the DM. It's hard to tell from the obscured screenshot. Everything in the "constraints" section of the DM must match your data for it to be found by the DM and appear in the dashboard.
Assuming the values of the ip address, hostname and fqdn_hostname are unique in your lookup, you could try something like this:

    index=prod_syslogfarm
    | append [ | inputlookup myinventory.csv]
    | eval host=coalesce(lower(hostname),lower(Hostname))
    | eventstats count as host_count by host
    | eval ip=coalesce(ip_address,IP_Address)
    | eventstats count as ip_count by ip
    | eval fqdnhost=coalesce(lower(fqdn_hostname),lower(FQDN_Hostname))
    | eventstats count as fqdn_count by fqdnhost
    | where host_count=1 OR ip_count=1 OR fqdn_count=1

You may need to adjust depending on your actual field names in your index and lookup file.
You can find it here. For the list of all config files: https://docs.splunk.com/Documentation/Splunk/9.2.2/Admin/Listofconfigurationfiles
This app is built and supported by Splunk. I hope you can create a support case with Splunk for this. (As this app is new to me, I don't have any suggestions. Let's wait for other community members' suggestions.)
Hi @aruncp333 ... this task should not be app specific. Simply search for the particular data and count it, then save it as an alert with a threshold of count >0. Pls let us know if you got the idea or have any questions. Thanks.
Either count_err doesn't exist in xxx.csv or no events have a value in id which matches an entry in xxx.csv with a corresponding value in count_err
Hi @yuanliu  It seems that the current query is only retrieving results from the 'myinventory' lookup without performing the intended comparison with the 'asset_inventory' data. It appears that you need to modify the query such that it compares both datasets ('myinventory' and 'asset_inventory') and returns only the discrepancies between the two.
This is a line of code that takes the fields from the CSV file:

    |lookup xxx.csv id OUTPUTNEW system time_range

I want to add one field:

    |lookup xxx.csv id OUTPUTNEW system time_range count_err

When I do this nothing is added, why? I would appreciate your help, thanks
Thank you @richgalloway. But this does not meet my requirement, as my syslog data contains a combination of hostname, fqdn and IP address, and I have to match all these three fields with the respective asset inventory data, which has these fields (Hostname, IP address, FQDN). So I have to check if the syslog hostname or IP or fqdn is present in the asset inventory data and output only if the syslog data doesn't match with any of these three fields in the asset inventory data. I have posted this question with examples in this link. Although I have accepted the answer here https://community.splunk.com/t5/Splunk-Search/How-to-compare-a-look-up-field-with-multivalued-indexed-data-in/m-p/691717#M235509, after further testing, it doesn't seem to be working as expected.
So, as I said, we are using a data model with tstats, and with tstats we have to use a by clause and fields like All_Traffic.src_ip, so if the field is not converted before this by clause it cannot be used afterwards. What I did instead: I renamed the field in the data model, and using a field alias I changed the name to this field. Now we can use src_ip instead of data.clientaddr in any search without renaming it. Obviously the rename command is more hassle-free, but as we all know, a permanent solution is what everyone needs.
Dear Experts, We are on the latest version of the ABAP agent (24.5). In the S4HANA system, we noticed a runtime error getting triggered every hour. We identified the related KPI and disabled it. But the customer needs a permanent solution, because it is related to SOST (Mail monitoring):

    TSV_TNEW_PAGE_ALLOC_FAILED | No more memory available to add rows to an internal table. | SAPLSX11 | LSX11F02

Any idea on a permanent solution? Thanks, Jananie
Hi @Nawab, you have two solutions:
- add new fields to your Data Model; I don't like this solution.
- rename your fields to insert them in the DM fields; this is the preferable solution.
In this way, you can use the DM fields for your searches with tstats. These aliases should be visible both in DMs and in the original data. How did you rename them: in the DM or in the add-on? Do it in the add-on, so you can see them in interesting fields. Ciao. Giuseppe
Try something like this - note that it doesn't deal with All - for that (should you decide it is necessary), you would have to do something a bit more complicated:

    <input type="multiselect" token="year">
      <label>Year</label>
      <fieldForLabel>year</fieldForLabel>
      <fieldForValue>year</fieldForValue>
      <search>
        <query>| inputlookup supported_years.csv | dedup year | table year</query>
      </search>
      <default>2023</default>
      <initialValue>2023</initialValue>
      <change>
        <eval token="earliest">mvindex(mvsort($form.year$),0)</eval>
        <eval token="latest">mvindex(mvsort($form.year$),mvcount($form.year$)-1)</eval>
        <eval token="timeRangeEarliest">strptime($earliest$."0101","%Y%m%d")</eval>
        <eval token="timeRangeLatest">relative_time(strptime(($latest$)."0101","%Y%m%d"),"+1y")</eval>
      </change>
    </input>
We ingested some data from one device which is not added to the Network Traffic data model by default. This device sends data in JSON format. The data is added to the data model, but when I use auto-extracted fields and rename that field to an already existing field, it is still showing the original name in interesting fields.

    source field = data.clientaddr
    dest field = src_ip

Why I need this to be changed at the source level: because I want one search to work for all devices. I am using the tstats command in the search. In interesting fields it is still showing data.clientaddr instead of src_ip.
Anyone, any guidance or examples would be greatly appreciated for the above message? Thanks
Hi All, Is there a way in Splunk Dashboard Studio to make just one column clickable in a displayed table? I have a table visualisation in Dashboard Studio. I want just one column value to be clickable, so that on click of that another table is displayed (show / hide). Please let me know how we can make just the value in one column clickable. Can we? Regards, PNV
Thanks for your reply. Sorry for the two identical token names, this was a typo and I have corrected it. If there are three or more years, I want to find the earliest year and the latest year, and use the date as tokens. (I just want to find the smallest time range that covers all those years.) And I want to use the tokens for the time range of searches in the dashboard. Like this:

    <search>
      <query>index=abc</query>
      <earliest>$timeRangeEarliest$</earliest>
      <latest>$timeRangeLatest$</latest>
    </search>
Dear Splunkers, I'm experiencing Splunk AR application network connection issues when trying to add a new device. Please see the attached print screen. The error description is the following: No internet connection - MOB-SSG-6102, and it won't generate a verification code to register the new device. I've already tried to re-install the app but it does not help. Can you suggest? Thank you, BR
Your question is a little confusing. You have mentioned the same token twice. Also, please can you clarify what you want if three different years are chosen? Also, how are you going to use the token(s) as this makes a difference to how they might be set up?
This is a bit cryptic! Please explain exactly what the issue is and exactly what you have tried to fix it.