Hi @Naa_Win, try this; I did it more than five years ago, but it should still run!
| rest splunk_server=local /services/deployment/server/clients
| table hostname ip utsname *.restartSplunkd
Ciao. Giuseppe
| eval "Plugin ID"=mvjoin('Plugin ID',", ")." "
Dozens of posts on these topics... I've tried makemv, fieldformat, tostring, tonumber, all to no avail. So I'm just going to paste my query in hopes someone can help me out. I have placed them after the stats call but am having no luck.
query | stats list(Plugin) by Host, OS, App, Manager | rename list(Plugin) as "Plugin ID"
The result is either one or several numbers in a single field, Plugin ID. I would prefer to delimit those results by comma (and align left for the single-value results if possible).
Instead of (the lines are supposed to represent the cell/field):
______________
204188 193574_______
______193574__
I would like them on a single line, wrapping where necessary:
204188, 193574
193574_______
Any assistance would be appreciated.
In the _cluster app on the cluster manager there is an indexes.conf file that specifically sets repFactor to 0 for the _introspection, _telemetry, _metrics, and _metrics_rollup indexes. Is there a reason these indexes should not be replicated? Thanks.
Hi @woodcock, do you know if this effort to re-architect Splunk you were referring to back in 2019 has been finished/released at all?  I'm interested in what the vision was to be back then.  Thank you!
Hi Rajesh, sorry for the delay in my reply. I tried to make the curl call that you asked me for, but I'm afraid I can't do it, or install it. Should I re-install the operator? Thank you very much for the help. Regards, Gustavo Marconi
Hi Team, how do I replace "no results found" with 0, with a color, in a Splunk dashboard? I know that by appending the below, it replaces "no results found" with a 0 value:
| appendpipe [stats count | where count=0]
But the 0 value comes out in red, and I want to change it to green, even though I have changed Format Visualization --> Color range to 0-5 as Green and 5-max as Red.
Could you please let me know how I can get green color with the value 0 when there is "no results found"?
This is a different question - you could modify your search to use something like Component IN $componentselection$ but it depends on how your dashboard is set up
Hi Experts, I have a question regarding our Splunk Dashboard. I want to show the logic of the calculation used in a single value panel. Specifically, I would like to display this information when a user hovers over the panel or clicks a question mark (?) or information (i) symbol. Is it possible to add this feature to a particular single value panel? Any guidance or examples would be greatly appreciated. Thank you
I know that rest calls don't cover the deployment server apps, as they are not memory resident. But is there any way we can monitor the Deployment Server that saves the output somewhere, so we can monitor that in Splunk?
Splunk is all about time series data, so you can search data/events using various times, etc. What this means is that you need to ensure you have well-formatted logs with a timestamp, which is what Splunk loves, and it tries to break the events based on the timestamp. Splunk has the capability to auto-detect most common log formats and timestamps, but this is not best practice for custom logs; it's better to ensure you parse and format the timestamp correctly. As it looks like you have a custom log file, you will need to create a new sourcetype for it and apply props and transforms configuration to it, which will then parse and ensure the timestamp is correct. First try and understand the props concepts and apply that to your log file; it will require some props code trial and error until you get it to work as expected. Start here: https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Improving_data_onboarding_with_props.conf_configurations
Hello there! To monitor Microsoft Hyper-V in a customer environment, I know and use the Hyper-V add-on for Splunk. But the add-on does not include PowerShell scripts for monitoring Microsoft Hyper-V MS cluster and CSV (Cluster Shared Volumes) metrics and counters. Is anyone using any sort of monitoring or custom scripts/apps for MS cluster and CSV monitoring? Thanks
The forwarder is forwarding. The information is broken up in Splunk every time it comes across a line with a timestamp. Then a new field is created after the timestamp line until it hits another timestamp in the txt.
get-brokersession is run via PowerShell and sent to a txt file. The information is getting into Splunk; however, on every line that has a date and time in it, the event is killed and a new event begins with the next line in Splunk. Is there a way just to have the txt file ingested into Splunk without it chopping up the file every time it comes to a timestamp in the log?
@ITWhisperer Thank you very much; you made my day by achieving the desired output. Also, I would like to pass Component as a dropdown, which could be either 1 or 2 or 3 comma-separated values such as AAAA, BBBB, CCCC, and the expected output for each component should display the Last Input Timestamp and Last Output Timestamp:
Component | Last Input Timestamp | Last Errored Timestamp
AAAA      | 24-03-2024 12:23:23  | 24-03-2024 08:23:12
BBBB      | 23-03-2024 10:12:44  | 24-02-2024 05:45:22
CCCC      | 12-05-2024 11:01:00  | 04-05-2024 01:23:12
Any help to achieve this would be really appreciated!
Hello @gcusello, can you please share the same? I have a similar use case.
| stats latest(eval(if(searchmatch("Error"),_time,null()))) as LastErroredTimestamp latest(eval(if(searchmatch("Input"),_time,null()))) as LastInputTimestamp by Component
| fieldformat LastErroredTimestamp=strftime(LastErroredTimestamp,"%F %T")
| fieldformat LastInputTimestamp=strftime(LastInputTimestamp,"%F %T")
Thanks a lot!! It worked. Great help.
Hi, I would like to get the latest search record for a combination of multiple searches. For example, if my search is as below:
index=myIndex ABCD AND (Input OR Error)
I am expecting output in the below table format:
Component | Last Input Timestamp | Last Errored Timestamp
ABCD      | 24-03-2024 12:23:23  | 24-03-2024 08:23:12
The search should fetch the timestamp of the latest log event of (ABCD and Input) and of (ABCD and Error).