It looks like your data values are strings but you are trying to add totals i.e. treating them as numerics. Try removing the commas (as well as the $ signs) and converting the bracketed number to negative e.g. change the "(" to "-" and remove the ")".
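One way to do the conversion described above outside of SPL, as an added example that is not part of the original post: amounts are cleaned of "$" and thousands separators, and an accounting-style bracketed amount such as "(2,500.75)" becomes a negative number before the values are totalled. The sample values are constructed.

```python
import re

# Matches an optional leading minus, optional "$", an optional "(" (accounting
# negative), digits with optional thousands separators and decimals, and an
# optional closing ")". Groups: minus, open paren, digits, close paren.
_AMOUNT_RE = re.compile(
    r"^(-?)\s*\$?\s*(\(?)\s*\$?\s*([0-9][0-9,]*(?:\.[0-9]+)?)\s*(\)?)$"
)

def parse_amount(text):
    """Convert a currency string to a float; raise ValueError on anything else."""
    m = _AMOUNT_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a currency amount: {text!r}")
    minus, open_paren, digits, close_paren = m.groups()
    # "(12" or "12)" is malformed rather than negative
    if bool(open_paren) != bool(close_paren):
        raise ValueError(f"unbalanced parentheses: {text!r}")
    value = float(digits.replace(",", ""))
    return -value if (minus or open_paren) else value

def total(values):
    """Sum a list of currency strings after normalising each one."""
    return sum(parse_amount(v) for v in values)

# Constructed sample values in the mixed formats the question describes.
SAMPLE = ["$1,234", "(2,500.75)", "$ (12)", "300"]

if __name__ == "__main__":
    print(total(SAMPLE))
```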
Try like this:

<form version="1.1" theme="light">
  <fieldset submitButton="false">
    <input type="text" token="user" depends="$alwayshidden$">
      <label>User</label>
      <default>$env:user$</default>
    </input>
  </fieldset>
  <row>
    <html>
      $user$
    </html>
  </row>
</form>
Inputs are enabled for system, app and security logs; it's just that the action field is not being correctly extracted for event codes.
We have a centralized collector via WEF for our Windows logs, where a UF with the Windows add-on is sending logs to Splunk Cloud, where we also have a TA add-on.
Restart splunkd on CM worked fine for me when "Previously scheduled Remove Excess Buckets is running", been hanging for days.
Thanks Giuseppe for your quick reply. It doesn't seem to work. So e.g. there are 6 records:

Name;Reference,Status;Date;Creator;NewReference;Type
Test;Abc1;DONE;2022-09-09;Me;Null;INS
Hello;Null;OPEN;2022-09-09;Me;Abc1;UPD
Test;Abc2;DONE;2022-09-09;Me;Null;INS
Hello;Null;OPEN;2022-09-09;Me;Abc2;UPD
Test;Abc3;DONE;2022-09-09;Me;Null;INS
Hello;Abc5;OPEN;2022-09-09;Me;Abc4;UPD

So in the above example, I would like to find records where a Reference with status DONE is not found in any other record under the field NewReference with status OPEN. In the above example, Abc1 and Abc2 find a matched record but Abc3 & Abc5 don't. Many thanks
Hi, thanks for your inputs. It's working but not fulfilling the requirements. Can you share more insights on the drilldown option? Example: when we have 2 or more column names with longer text and want to expand the field values for only the one column name which we have selected (specific), but not expand all the columns where this drilldown is used.
Hi @mendi, let me understand: do you have Reference and NewReference in each event? If yes, you have to create a search using the field to compare as keys, something like this:

<your_search>
    [ search <your_search>
    | rename Reference AS NewReference
    | fields NewReference ]
| fields Name Reference Status Date Creator NewReference Type
| stats dc(Status) AS Status_count values(*) AS * BY Reference
| where Status_count=2
| table Name Reference Status Date Creator NewReference Type

If you have more conditions, you can add them to the where. Ciao. Giuseppe
I have thousands of records (events). I would like to search whether field a exists in field b of another event (record). e.g.

Name;Reference,Status;Date;Creator;NewReference;Type
Test;Abc1;DONE;2022-09-09;Me;Null;INS
Hello;Null;OPEN;2022-09-09;Me;Abc1;UPD

So I would like to find records where Reference (Abc1) with status (DONE) is present in another record whose NewReference is equal to the Reference of the earlier record (Abc1) and whose status is OPEN. The logs will have thousands of records. Thanks
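The matching rule from this question and the follow-up with six records, worked through as an added example (not code from the thread, and not Splunk SPL): for every non-Null Reference it checks whether some other record with Status=OPEN points at it through NewReference, and reports the references that nothing points at. The sample records are constructed in the thread's layout; with all references considered it reproduces the follow-up's expectation (Abc1 and Abc2 matched, Abc3 and Abc5 not), and the optional status filter narrows the check to DONE records only.

```python
import csv
import io

# Constructed sample in the layout of the thread's records (semicolon
# separated, "Null" meaning no value); not data taken from the original post.
SAMPLE_CSV = """Name;Reference;Status;Date;Creator;NewReference;Type
Test;Abc1;DONE;2022-09-09;Me;Null;INS
Hello;Null;OPEN;2022-09-09;Me;Abc1;UPD
Test;Abc2;DONE;2022-09-09;Me;Null;INS
Hello;Null;OPEN;2022-09-09;Me;Abc2;UPD
Test;Abc3;DONE;2022-09-09;Me;Null;INS
Hello;Abc5;OPEN;2022-09-09;Me;Abc4;UPD
"""

def load_records(text):
    """Parse the semicolon-separated records into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))

def match_references(records, candidate_status=None):
    """Split Reference values into those that some OTHER record with
    Status=OPEN points at via NewReference, and those nothing points at.
    candidate_status limits which records' References are checked
    (e.g. "DONE"); None checks every record with a non-Null Reference."""
    # NewReference value -> indices of the OPEN records carrying it
    pointers = {}
    for i, r in enumerate(records):
        if r["Status"] == "OPEN" and r["NewReference"] != "Null":
            pointers.setdefault(r["NewReference"], set()).add(i)
    matched, unmatched = [], []
    for i, r in enumerate(records):
        ref = r["Reference"]
        if ref == "Null" or (candidate_status and r["Status"] != candidate_status):
            continue
        # a record must not satisfy the condition by pointing at itself
        if pointers.get(ref, set()) - {i}:
            matched.append(ref)
        else:
            unmatched.append(ref)
    return matched, unmatched

if __name__ == "__main__":
    recs = load_records(SAMPLE_CSV)
    print(match_references(recs))          # (['Abc1', 'Abc2'], ['Abc3', 'Abc5'])
    print(match_references(recs, "DONE"))  # (['Abc1', 'Abc2'], ['Abc3'])
```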
Hi @Chiranjeev, did you enable the inputs in the add-on? By default they are disabled. Ciao. Giuseppe
Hi @Haleb, as @PickleRick said, it's hard to help you without any information about your architecture. Anyway, how are you sending logs? Are you using one or two receivers? How many inputs did you enable? Are you using a Load Balancer? Ciao. Giuseppe
Hi @dataisbeautiful, good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors.
Hi @kobi, as @PickleRick said, you cannot use a Deployment Server to push apps to a Search Head Cluster; you must use a SHC-Deployer. You could eventually push the apps from the DS to the SHC-Deployer, and after that it deploys the apps to the Cluster. Ciao. Giuseppe
No. Each SHC needs its own deployer. But the deployer does not do much, so it doesn't have to be a big machine.
There is something wrong. But seriously - you haven't shown us anything regarding your data and your configuration. You haven't told us what your architecture is and where this addon is installed. My glass orb is undergoing annual maintenance...
Try using this URI: https://<host>:<mPort>/services/search/v2/jobs/

The API URI that you are using is deprecated. To my knowledge, it deletes the "|" at the beginning of the SPL query; that's why you got the error "Error in 'makeresults' command: This command must be the first command of a search.". What Splunk receives from your query "search | makeresults | eval nombre=\"denis\"" with the API call is this:

makeresults | eval nombre="denis"

AND NOT

| makeresults | eval nombre="denis"

https://docs.splunk.com/Documentation/Splunk/9.2.2/RESTREF/RESTsearch#search.2Fv2.2Fjobs.2F.7Bsearch_id.7D.2Fresults
Hi @isoutamo @gcusello, I've actually found a different fix to this. Place a transparent rectangle over the top and have the interaction properties set on that. The pop-up menu doesn't show and I can still use the single value to adjust the text shown underneath. Thanks all for your suggestions!
It's hard to be sure without knowing your config and data, but the typical case is that you're using both indexed fields as well as search-time JSON extractions.
As I wrote before, there's a good chance that your HFs don't use AD for authentication and authorization. In typical scenarios it's not needed. You might check

/opt/splunk/bin/splunk btool authentication list authentication

to see what authentication mechanism your HF is using.
Hi, I created a custom input using HEC in a distributed environment. When searching, I see that the values for the fields are duplicated, that is, for one event I have two values. Any ideas why this might be happening?