All Posts

Please try it exactly as I showed you - I have already explained that you need double quotes to the left of the assignment and single quotes to the right - if you do not follow simple instructions like this, you will struggle to get a working solution!
No luck    
Try without StatusCode on the stats:

index="apigee" (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200
| eval "BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode" = coalesce('BackendResponse.content.reasonCode', 'ConsumerResponse.content.reasonCode')
| stats count by 'BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode'
This was an issue I struggled with a bit at first, and while the Splunk team is very excellent, their own perspective is not always intuitive with respect to naming and function. Splunk docs describe the following about the deployment server; in particular, the deployment clients have a defined deployment server that manages the configurations that are pushed out to them. See the following from Plan a deployment - Splunk Documentation:

"Deployment server and clusters
You cannot use the deployment server to update indexer cluster peer nodes or search head cluster members.

Indexer clusters
Do not use deployment server or forwarder management to manage configuration files across peer nodes (indexers) in an indexer cluster. Instead, use the configuration bundle method. You can, however, use the deployment server to distribute updates to the manager node, which then uses the configuration bundle method to distribute them to the peer nodes. See "Update common peer configurations" in the Managing Indexers and Clusters of Indexers manual.

Search head clusters
Do not use deployment server to update search head cluster members. The deployment server is not supported as a means to distribute configurations or apps to cluster members. To distribute configurations across the set of members, you must use the search head cluster deployer. See "Use the deployer to distribute apps and configuration updates" in the Distributed Search manual."

The reference for the respective configuration is here: Deploying Apps: Use the deployer to distribute apps and configuration updates - Splunk Documentation (see this section: https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/PropagateSHCconfigurationchanges#Deploy_a_configuration_bundle). By contrast, apps and configurations are managed by the deployment server, here: Create deployment apps - Splunk Documentation
Hi,
Query 1: is it possible to use expand and collapse for table column fields in Splunk classic dashboards?
Query 2: is it possible to add the Excel feature (overriding the next column value until we expand), as in the above image, in a Splunk classic dashboard?
Hi @Idodox, please see this approach:

<unrelated part to collect proper events> error=4
| eventstats count as total by applicationId
| search error=404
| stats count as error_404 values(total) AS total by applicationId
| eval errorRate=((error_404/total)*100)."%"
| table applicationId, errorRate

Ciao. Giuseppe
I have a Cisco ESS-3300-CON switch with 20 1G copper ports and 4 1G fiber ports. My issue is that, out of the 24 1G ports, one of my fiber interfaces is showing err-disable status and one 1G copper port is also not showing connected status. How do I resolve the above issue? Please reply as soon as possible.
My environment contains two EC2s: one primary and one warm standby. Due to a series of unfortunate events, our database on the warm standby got corrupted and Phantom would not start on it. Luckily, we had a volume backup in AWS of the SOAR directory, so it was saved. However, after some research afterwards, we found a different method of backing up: https://docs.splunk.com/Documentation/SOARonprem/6.2.2/Admin/BackupOrRestoreAndWarmStandby

I think I'm being dense and overthinking it, but the article mentions a "primary warm standby", and a "primary" + a "secondary" + a "warm standby" later on in the article. How many servers are in this configuration? I am not understanding how it is being set up and what the secondary is referencing. Also, what is a "primary warm standby"? Would this article be helpful in the situation I described above with my failed warm standby?
I'm trying to get a percentage of a field, based on a condition (filtered by search), by another field, e.g. the percentage of 404 errors by application. So I need to get the total number of requests for each application, filter to keep only 404 errors, then count by application. At least that's the logic I used.

<unrelated part to collect proper events>
| eventstats count as total by applicationId
| search error=404
| stats count as error_404 by applicationId
| eval errorRate=((error_404/total)*100)."%"
| table applicationId, errorRate

This returns a list of applications, but no values for errorRate. Individually, I'm able to get a result for this:

| stats count as total by applicationId

And also for this:

| search error=404 | stats count as error_404 by applicationId

But something in having them together in the flow I have doesn't work. I also tried this, which didn't work. In this instance I get values for applicationId and total, so I guess there's something wrong with how I'm getting the error_404 values.

| stats count as total by applicationId
| appendcols [search error=404 | stats count as error_404 by applicationId]
| eval errorRate=((error_404/total)*100)."%"
| table applicationId, error_404, total, errorRate
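The reason the first flow in the question returns no errorRate is that stats only emits the fields named in its aggregations and BY clause, so the total computed by eventstats is discarded unless it is carried through (values(total) AS total, as in the answer above). The search below is an added example, not code from either poster: it builds twelve constructed events with makeresults (the applicationId and error values are invented) and computes the per-application 404 rate in a single stats call with count(eval(...)), which also keeps applications that have no 404s at all, something the eventstats-then-search flow silently drops because the search command removes every event for those applications before stats runs.

```spl
| makeresults count=12
| streamstats count AS n
| eval applicationId = case(n<=6, "payments", n<=10, "catalog", true(), "search")
| eval error = case(n=1 OR n=2 OR n=3, 404, n=4, 500, n=7, 404, true(), 200)
| stats count AS total, count(eval(error=404)) AS error_404 BY applicationId
| eval errorRate = round(100 * error_404 / total, 1) . "%"
| table applicationId, total, error_404, errorRate
```

With this constructed data the result is payments 6 requests / 3 404s (50%), catalog 4 / 1 (25%) and search 2 / 0 (0%); the last row is the one the eventstats-plus-search version would not show. If you prefer to keep the eventstats approach, replace search error=404 with where error=404 for a numeric field and add values(total) AS total (or max(total) AS total) to the stats command so total survives it.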
Hi, if you make a curl request to Splunk, the client in web_access.log is 127.0.0.1 and the user is '-'. Can we somehow correct the client field to know who actually made the request?
@ITWhisperer , I tried but no luck . It is displaying the count but not displaying the stats    
When field names have special characters in them, they often need single quotes around them (double if they are on the left of the assignment). Try this:

| eval "BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode" = coalesce('BackendResponse.content.reasonCode', 'ConsumerResponse.content.reasonCode')
| stats count by 'BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode' StatusCode
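Why the quoting matters, as an added example that is not part of the thread above: in eval an unquoted dot is the string concatenation operator, so coalesce(BackendResponse.content.reasonCode, ...) is parsed as the concatenation of the fields BackendResponse, content and reasonCode, none of which exist, and the expression evaluates to null. A stats BY clause on a field that is null in every event produces no rows, while the event count in the search bar still shows the events were matched, which is exactly the symptom reported in this thread. The search below runs on any Splunk instance without the apigee index because the four events, their dotted field names and reason-code values are constructed with makeresults (all of them are invented for the example).

```spl
| makeresults count=4
| streamstats count AS n
| eval StatusCode = 200
| eval "BackendResponse.content.reasonCode"  = case(n=1, "OK", n=2, "BACKEND_TIMEOUT")
| eval "ConsumerResponse.content.reasonCode" = case(n=3, "OK", n=4, "QUOTA_EXCEEDED")
| eval broken_unquoted = coalesce(BackendResponse.content.reasonCode, ConsumerResponse.content.reasonCode)
| eval reasonCode      = coalesce('BackendResponse.content.reasonCode', 'ConsumerResponse.content.reasonCode')
| stats count BY reasonCode StatusCode
```

This returns three rows (OK 200 with count 2, BACKEND_TIMEOUT 200 and QUOTA_EXCEEDED 200 with count 1 each). Change the BY clause to broken_unquoted StatusCode and the same search returns nothing, because broken_unquoted was never assigned. Aliasing the coalesced value to a plain name such as reasonCode, rather than a long quoted name with spaces and dots, also means no later command in the pipeline needs quoting at all.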
Hi, I am unable to find the upload asset option inside Edit properties in Manage Apps. Even though I have the admin role, I am unable to upload an asset. Does it require any capabilities to upload an asset to Splunk Cloud?
Hi, I am uploading a .tgz file with a JS script, PNG and CSS inside the /appserver/static folder of my app. After uploading and installing the app in Splunk Cloud, I am unable to use the script. Any idea on this?
Hi @inventsekar
1. Yes
2. Where do I find $SPLUNK_HOME\var\log\splunk\first_install.log?
3. Windows 11, and the Splunk version is 9.2.2
@yuanliu this is the query which I am using to filter the data:

index="apigee" (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200
| eval "BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode" = coalesce(BackendResponse.content.reasonCode, ConsumerResponse.content.reasonCode)
| stats count by "BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode" StatusCode

It is showing the event count, but it is not generating the results. Highlighted the same.
This is the query which I am using to filter the data:

index="apigee" (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200
| eval "BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode" = coalesce(BackendResponse.content.reasonCode, ConsumerResponse.content.reasonCode)
| stats count by "BackendResponse.content.reasonCode OR ConsumerResponse.content.reasonCode" StatusCode
It would help to know what curl command you tried and what error it returned. AIUI, alerts must be deleted individually.  There is no method in the UI for selecting multiple alerts for deletion.
Hi @darshm, if you're sure that in your events there's only one date and time, you could let Splunk choose the timestamp, but my hint is the same as @ITWhisperer's: different formats should have different sourcetypes, possibly with a similar name (e.g. for Fortinet there are fortigate_events, fortigate_logs, fortigate_utm, etc.). Ciao. Giuseppe
The short answer is that the different log formats should be in different sourcetypes.