All Posts


Hi folks, I have a use case where I am having different types of events in a single sourcetype. I want to apply different timestamp extractions for both the events. I am using TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD to extract the timestamp from event #1. However, the same rules won't be useful for event #2. Is there a way to extract the timestamp values from both the events in a single sourcetype?
Event #1: Timestamp should be extracted as (Oct  9 23:57:37.887)
Oct 10 05:27:48 192.168.100.1 593155: *Oct  9 23:57:37.887: blah blah blah
Event #2: Timestamp should be extracted as (Feb 13 11:27:46)
Feb 13 11:27:46 100.80.8.22 %abc-INFO-000: blah blah blah
TIME_PREFIX = \s[^\s]+\s\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\s[^\s]+:\s|\s[^\s]+\s\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\s
MAX_TIMESTAMP_LOOKAHEAD = 30
Hi @jvamplew, I'm not sure, but it should run:
<your_search> | bin span=1s _time | stats avg(host_usage) by host useother=true | addtotals | timechart span=1s avg(host_usage) by host limit=7 useother=true
Ciao. Giuseppe
Hi @baiden ... Good questions will get better answers!
1) The user got admin rights, is that correct?
2) Any details on $SPLUNK_HOME\var\log\splunk\first_install.log?
3) The Splunk version and Windows OS version, please.
Below is my two ROW event-
I am using below query and its throwing [nxg-splunk-idx503,nxg-splunk-idx504,nxg-splunk-idx506] Field 'collection' does not exist in the data. Same query is working fine for other events. Its only failing for the hour 5 and 4   index = ***** host=**** source=***| spath | eval message="{\"message\":".message."}" | spath input=message message{} output=collection | mvexpand collection | spath input=collection |eval totalCount = SKIPPED + PROCESSED|chart sum(SKIPPED) as SKIPPED,sum(PROCESSED) as Processed sum(totalCount) as TotalClaims by DAYHOUR DATE   Below is my two ROW event- Event 1 {"id":"0","severity":"Information","message":"[{\"TARGETSYSTEM\" "CPW\",\"ARUNAME\" "CPW_00253\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":1,\"PROCESSING\":0,\"DATE\" "7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\" "CPW\",\"ARUNAME\" "CPW_00314\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":6,\"FAILED\":6,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\" "7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\" "CPW\",\"ARUNAME\" "CPW_00314\",\"TOTAL\":0,\"PROCESSED\":7295,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\" "7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\" "CPW\",\"ARUNAME\" "CPW_00303\",\"TOTAL\":0,\"PROCESSED\":8,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\" "7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\" "CPW\",\"ARUNAME\" "CPW_00355\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":22,\"PROCESSING\":0,\"DATE\" "7/9/2024\",\"DAYHOUR\":5},{\"TARGETSYSTEM\" "CPW\",\"ARUNAME\" "CPW_01015\",\"TOTAL\":0,\"PROCESSED\":3,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\" "7/9/2024\",\"DAYHOUR\":5}{\"TARGETSYSTEM\" "CPW\",\"ARUNAME\" "CPW_00302\",\"TOTAL\":0,\"PROCESSED\":116,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\" "7/9/2024\",\"DAYHOUR\":5}]"} Event 2 
{"id":"0","severity":"Information","message":"[{\"TARGETSYSTEM\" "CPW\",\"ARUNAME\" "CPW_00253\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":1,\"PROCESSING\":0,\"DATE\" "7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\" "CPW\",\"ARUNAME\" "CPW_00797H\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":2,\"PROCESSING\":0,\"DATE\" "7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\" "CPW\",\"ARUNAME\" "CPW_00365\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":511,\"PROCESSING\":0,\"DATE\" "7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\" "CPW\",\"ARUNAME\" "CPW_00365\",\"TOTAL\":0,\"PROCESSED\":210,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\" "7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\" "CPW\",\"ARUNAME\" "CPW_00410\",\"TOTAL\":0,\"PROCESSED\":8,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\" "7/9/2024\",\"DAYHOUR\":4},{\"TARGETSYSTEM\" "CPW\",\"ARUNAME\" "CPW_00410\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":21,\"PROCESSING\":0,\"DATE\" "7/9/2024\",\"DAYHOUR\":4}]"} You know its scanned 8 events and its matched with only 5 . Now sure why those events which is generated in hour 4 and 5 are not matching 
Thanks Giuseppe. Unfortunately that is the problem, I actually have 30 values. I want to display the total for all, but don't necessarily want to chart them all, as this many series over a number of charts tends to slow down the dashboard. I was hoping that by using Other, it would sum the other values into that column, thereby allowing me to display an accurate total while not displaying all the values.  Is there a way to do this? I'm thinking it may only work by appending a subsearch for the total and overlaying it on the original chart, but I was trying to avoid adding another search for every panel that displays this data. 
I have enough space and everything, but it still says there is an error. I have installed it three times but I still can't run it.
Hi @srinivasmanikan , could you share a sample of your logs in text format? Ciao. Giuseppe
Hi @Rajiv_splunk, please try this:
index=sample status=* NOT [ search index="service" earliest=-24h latest=now status IN (1,2) | table status ]
Don't use the search command after the main search, you'll have more performant searches. If the two searches don't match, check if the values in the subsearch are compatible with the values of the main search.
Ciao. Giuseppe
Hello, I'm using Splunk Cloud and I want to delete multiple alerts from the list. I was trying to do it with curl but got errors that I cannot figure out. Is there any other way?
Hi @jvamplew, if you use limit=5, you'll have 5 results, so you don't need to use useother. In this way addtotals summarize only the results of the search, in other words, only the first 5 values. Ciao. Giuseppe
Hi @baiden, some checks:
- Do you have administrative grants to install new software on your system?
- Do you have an active anti-virus on your system?
- Do you have enough space on your disk?
See in $SPLUNK_HOME\var\log\splunk\first_install.log if there's some message.
Ciao. Giuseppe
Hello, I'm trying to configure the PureStorage Unified addon, and keep getting the Something went wrong error Addon:https://splunkbase.splunk.com/app/5513   Configuration page failed to load, the server reported internal errors which may indicate you do not have access to this page. Error: Request failed with status code 500 ERR0002   On checking the logs, I'm seeing the following error every time I access the configuration page 07-09-2024 11:40:38.666 +0100 ERROR AdminManagerExternal [438068 TcpChannelThread] - Unexpected error "<class 'splunktaucclib.rest_handler.error.RestError'>" from python handler: "REST Error [500]: Internal Server Error -- Traceback (most recent call last):\n File "D:\Splunk\etc\apps\TA-purestorage-unified\bin\ta_purestorage_unified\aob_py3\splunktaucclib\rest_handler\handler.py", line 124, in wrapper\n for name, data, acl in meth(self, *args, **kwargs):\n File "D:\Splunk\etc\apps\TA-purestorage-unified\bin\ta_purestorage_unified\aob_py3\splunktaucclib\rest_handler\handler.py", line 345, in _format_all_response\n self._encrypt_raw_credentials(cont["entry"])\n File "D:\Splunk\etc\apps\TA-purestorage-unified\bin\ta_purestorage_unified\aob_py3\splunktaucclib\rest_handler\handler.py", line 375, in _encrypt_raw_credentials\n change_list = rest_credentials.decrypt_all(data)\n File "D:\Splunk\etc\apps\TA-purestorage-unified\bin\ta_purestorage_unified\aob_py3\splunktaucclib\rest_handler\credentials.py", line 293, in decrypt_all\n all_passwords = credential_manager._get_all_passwords()\n File "D:\Splunk\etc\apps\TA-purestorage-unified\bin\ta_purestorage_unified\aob_py3\solnlib\utils.py", line 153, in wrapper\n return func(*args, **kwargs)\n File "D:\Splunk\etc\apps\TA-purestorage-unified\bin\ta_purestorage_unified\aob_py3\solnlib\credentials.py", line 341, in _get_all_passwords\n return self._get_clear_passwords(passwords)\n File "D:\Splunk\etc\apps\TA-purestorage-unified\bin\ta_purestorage_unified\aob_py3\solnlib\credentials.py", line 324, in 
_get_clear_passwords\n clear_password += field_clear[index]\nTypeError: can only concatenate str (not "NoneType") to str\n". See splunkd.log/python.log for more details.
This is a distributed environment, running Splunk 9.2.2 on virtual Windows 2019 servers. To confuse matters, this app works and is configurable on my test server; the only difference being the test server is a standalone installation.
PureStorage Unified Add-on for Splunk
Dislike to reply to my own comment, but I got an answer from Splunk Support. HTTP Event Collector does NOT log metrics from UF sending data over HTTP, and this is reported on internal ticket SPL-239230 : "No metrics are sent to the http_event_collector_metrics.log"  which has been in backlog since 2023.
Hello,  Please I would like to know if there are best practices to migrate a single search head instance with ITSI to a search head cluster.  I have a deployer and the ITSI running production search head should become part of the search head cluster, initially as the only existing member.  When everything will be up and running I will add other 2 servers.  I have read something about Enterprise Security migration related to bundle size limits, for example, but found few things About ITSI.  Thank you in advance and warm regards.   
Hello, I'm trying to get full coverage of data from Azure, from metrics to risky sign-ins, so I'm trying to figure out the best ways to collect events. So far I work with both addons, Cloud services & Microsoft Azure, for my needs, based on this graphic to help myself: https://jasonconger.com/splunk-azure-gdi/
But I'm facing the issue of subscription input settings for both addons. Basically I understand that we have to set each subscription by ourselves, but it means we could miss some of them, especially the newly created ones. So I was thinking of an API-based script which gets all the subscriptions from Azure then pushes an input in Splunkcloud. I have the feeling I'm not the only one facing this problem, so I thought maybe someone might have found a better way to automatically collect all subscriptions.
Thanks in advance for your help! Ben
 
When I add a limit to a timechart to reduce the number of visible series (improve dashboard performance) it changes the value of Total when using addtotals. Example:
| timechart span=1s avg(host_usage) by host useother=true | addtotals
The below gives me a lower overall total than the above:
| timechart span=1s avg(host_usage) by host limit=5 useother=true | addtotals
I thought Other was supposed to be the total of all other values not explicitly displayed?
I have a scenario where events are coming from one index=sample, field=status, as status 1, 2, 3, 4, and 5. I have to exclude all the statuses which are present in the other index=services as status 1 and 2. How can I achieve it? I am trying the below query in the base query to exclude, but it is not working:
index=sample status=* ''''''base query"'''   |search NOT [search index="service"   earliest=-24h latest=now  |search status IN (1,2)| table  status]
Do you have a sample code on how we can do this