All Posts
Hi @yuvaraj_m91, you can reference the required fields in your Splunk alert config using $name$ for the alert name and $result.field$ for other fields.
If 3 results got a good timestamp, that means props.conf is working fine. Let's troubleshoot the 4th one. Please copy and paste your search query (remove the hostnames, confidential info, etc.).
@inventsekar If you see the attached screenshot below, the first three events are matching but the last event always creates an issue. FYI: I am using the default timezone setting.
1) Please give us the search query you are using. What you see in the results is your Splunk user profile's timezone setting. 2) In your Splunk user profile, please make sure you have the right timezone settings (click on your username ---> Account settings ---> Time Zone).
@inventsekar I have updated this: "TIME_FORMAT = %FT%H:%M:%S.%3Q%Z"; the other one is commented out with #. I have already restarted the splunkd service.
Hi @uagraw01 .. for the time format, did you apply both mine and @yuanliu's time formats? (After updating props.conf, you must restart the Splunk services; only then will the changes be applied in Splunk.)
My objective is to create an alert in ServiceNow whenever a failure alert is triggered in Splunk. I have installed the Splunk Add-on for ServiceNow and configured the connection setup. I was able to successfully post the incident in ServiceNow with the default fields available in the ServiceNow Incident Alert. However, I need to update the Description field in ServiceNow with the details of the Alert Name and Alert Result to identify why that alert triggered.
Hi Dev Team, it has been a while since the last update version of this app was released (mid 2023), and it has now lost Splunk Cloud certification for compatibility. Can we please have this app revised to match the Splunk Cloud requirements for compatibility? Thank you. Regards.
@inventsekar

[Scada_walmart_alarm]
DATETIME_CONFIG =
KV_MODE = xml
NO_BINARY_CHECK = true
CHARSET = UTF-8
LINE_BREAKER = <\/eqtext\:EquipmentEvent
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 24
TIME_FORMAT = %FT%H:%M:%S.%3Q%Z
#TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%Z
TIME_PREFIX = \<eqtext\:EventTime\>
SEDCMD-first = s/^.*<eqtext:EquipmentEvent/<eqtext:EquipmentEvent/g
Hi @uagraw01, please show us your props.conf. (If you don't know where to find the props.conf: are you using a HF or not? If you use a HF, then props.conf should be there; if you don't use a HF, then the props.conf for this should be on the indexer.)
@yuanliu @inventsekar When I ingested into Splunk, both times differ (index time and event time). Please see the screenshot below.
Hi @uagraw01

| makeresults
| eval logs="2024-07-13T16:21:31.287Z"
| eval time=strptime(logs,"%Y-%m-%dT%H:%M:%S.%Q")
| eval date = strftime(time,"%Y-%m-%d %H:%M:%S")
| table logs time date

... please check "%Y-%m-%dT%H:%M:%S.%Q"
Should be "%FT%H:%M:%S.%3Q%Z". You can always test your time format with an emulation, like

| makeresults format=csv data="eqtext:EventTime
2024-07-13T16:21:31.287Z"
| eval _time = strptime('eqtext:EventTime', "%FT%H:%M:%S.%3Q%Z")
Is there any way to fix this error, given that it may be caused by the application?
Try this:

index=xyz Feature IN (Create, Update, Search, Health)
| timechart span=1m count as "Total Hits", perc90(Elapsed) by Feature
| appendpipe [stats max("Total Hits: *") as * | eval _time = "Total Hits"]
| fields - "Total Hits: *"
| appendpipe [stats max("perc90(Elapsed): *") as * | eval _time = "perc90(Elapsed)"]
| fields - "perc90*"
| tail 2
| transpose header_field=_time column_name=Feature
| where Feature != "_span"

Two additional pointers: Do not use a second search line if Feature is already available in indexed data. Do not use a separate command for the time bucket if you are going to use timechart.

This is my emulation:

index=_internal
| rename date_second as Elapsed, log_level as Feature
| eval Feature = case(Feature == "INFO", "Create", Feature == "WARN", "Health", Feature == "ERROR", "Search", true(), "Update")
``` the above emulates index=xyz Feature IN (Create, Update, Search, Health) ```

With this, the result is:

Feature   perc90(Elapsed)      Total Hits
Create    59.000000000000000   1283
Health    48.700000000000000   191
Search    59                   212
Update    52.000000000000000   551
Hello Splunkers!!

I have the event below and I want to parse it, but the event is not parsing with the time format in Splunk. Please help me to get it fixed.

TIME_FORMAT : %dT%H:%M:%S.%3QZ
TIME_PREFIX : \<eqtext\:EventTime\>

I have used the above setting but nothing works. I can still see an issue with indexed time and event time. Please help me to get it fixed.

Below are the raw events:

<eqtext:EquipmentEvent xmlns:eqtext="http:///FM/EqtEvent/EqtEventExtTypes/V1/1/5" xmlns:sbt="http://FM/Common/Services/ServicesBaseTypes/V1/8/4" xmlns:eqtexo="http://FM/EqtEvent/EqtEventExtOut/V1/1/5"><eqtext:ID><eqtext:Location><eqtext:PhysicalLocation><AreaID>7053</AreaID><ZoneID>33</ZoneID><EquipmentID>25</EquipmentID><ElementID>0</ElementID></eqtext:PhysicalLocation></eqtext:Location><eqtext:Description> Welder cold</eqtext:Description><eqtext:MIS_Address>6.2</eqtext:MIS_Address></eqtext:ID><eqtext:Detail><State>CAME_IN</State><eqtext:EventTime>2024-07-13T16:21:31.287Z</eqtext:EventTime><eqtext:MsgNr>7751154552301783480</eqtext:MsgNr><Severity>INFO</Severity><eqtext:OperatorID>WALVAU-SCADA-1</eqtext:OperatorID><ErrorType>TECHNICAL</ErrorType></eqtext:Detail></eqtext:EquipmentEvent></eqtexo:EquipmentEventReport>
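The timestamp settings this thread converges on (TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD = 24 and TIME_FORMAT = %FT%H:%M:%S.%3Q%Z), emulated in Python as an added example; this is not Splunk's code and was not posted in the thread. It maps Splunk's %3Q/%Q/%F/%Z tokens onto Python's strptime (an assumption, since splunkd's parser is not Python), runs against a constructed copy of the event, and shows why %dT%H:%M:%S.%3QZ matches nothing, why a format without %Z lets the host's zone skew _time (the index-time versus event-time gap reported above), and that the 24-character lookahead exactly covers the 24-character timestamp.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample event: the <eqtext:EventTime> element from the thread's
# raw event, wrapped in just enough of the surrounding XML to be realistic.
SAMPLE_EVENT = (
    "<eqtext:EquipmentEvent><eqtext:Detail><State>CAME_IN</State>"
    "<eqtext:EventTime>2024-07-13T16:21:31.287Z</eqtext:EventTime>"
    "<Severity>INFO</Severity></eqtext:Detail></eqtext:EquipmentEvent>"
)
TIME_PREFIX = r"\<eqtext\:EventTime\>"  # value from the thread's props.conf
MAX_TIMESTAMP_LOOKAHEAD = 24            # value from the thread's props.conf

# Splunk strptime tokens that Python lacks, mapped to Python equivalents
# (assumed mapping). Order matters: "%3Q" must be rewritten before "%Q".
# Splunk's %Z is mapped to Python's %z because Python's %Z rejects "Z".
SPLUNK_TO_PYTHON = {"%3Q": "%f", "%Q": "%f", "%3N": "%f", "%N": "%f",
                    "%F": "%Y-%m-%d", "%Z": "%z"}


def to_python_format(splunk_format):
    for tok, py_tok in SPLUNK_TO_PYTHON.items():
        splunk_format = splunk_format.replace(tok, py_tok)
    return splunk_format


def extract_timestamp(raw, time_prefix, lookahead, time_format,
                      host_utc_offset_hours=0.0):
    """Emulate TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + TIME_FORMAT.

    Returns (epoch_seconds, matched_text), or (None, reason) when the format
    matches nothing inside the lookahead window. When the format captures no
    zone, the host offset is applied, mirroring how Splunk falls back to the
    TZ setting or the indexer's local zone.
    """
    m = re.search(time_prefix, raw)
    if not m:
        return None, "TIME_PREFIX not found"
    window = raw[m.end(): m.end() + lookahead]
    py_format = to_python_format(time_format)
    # Try the longest candidate first so the full "...287Z" wins over "...287".
    for end in range(len(window), 0, -1):
        try:
            dt = datetime.strptime(window[:end], py_format)
        except ValueError:
            continue
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone(timedelta(hours=host_utc_offset_hours)))
        return dt.timestamp(), window[:end]
    return None, "no match for %r in %r" % (time_format, window)
```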
Hi @thevikramyadav ..

As you are aware, good questions will receive better answers!
- are you confused about search factor, replication factor, etc.?
- are you confused about SHC maintenance, support tasks?
- are you confused about why an SHC is needed in the first place?
- are you confused about SHC and distributed searching?
- are you confused about licensing for SHC.. or something else?

Best Regards
Sekar
Hi @eoronsaye, may I know if you are trying to install the UF package manually or through tools like Chef, software deployment packages, etc.? Just in case you have missed it, check this doc: https://docs.splunk.com/Documentation/Forwarder/9.2.1/Forwarder/InstallaWindowsuniversalforwarderfromaninstaller
Hi Team, while setting up our new remote Heavy Forwarder, we configured it to collect data from 20 Universal Forwarders and syslog devices, averaging about 30GB daily. To control network bandwidth usage, we applied a maximum throughput limit of 1MBps (1024KBps) using the maxKBps setting in limits.conf on the new remote Heavy Forwarder. This setting is intended to cap the rate at which data is forwarded to our indexers, aiming to prevent exceeding the specified bandwidth limit. However, according to the Splunk documentation, this configuration doesn't guarantee that data transmission will always stay below the set maxKBps. It depends on factors such as the status of the processing queues and doesn't directly restrict the volume of data being sent over the network. How can we ensure the remote HF is not exceeding the value set in maxKBps in any case? Regards, VK
I have a result like this:

column                   row 1
TotalHits: Create        171
TotalHits: Health        894
TotalHits: Search        172
TotalHits: Update        5
perc90(Elapsed): Create  55
perc90(Elapsed): Health  52
perc90(Elapsed): Search  60
perc90(Elapsed): Update  39

I want to convert this into:

          Total Hits   perc90(Elapsed)
Create    171          55
Update    5            52
Search    172          60
Health    894          52

What query should I use? Btw, to reach the above output I used this, and even for this I am not sure whether it's the best way:

index=xyz
| search Feature IN (Create, Update, Search, Health)
| bin _time span=1m
| timechart count as TotalHits, perc90(Elapsed) by Feature
| stats max(*) AS *
| transpose

Basically I am trying to get the MAX of the 90th percentile and Total Hits during a time window.