When I run the above query, I am getting "invalid arguement near innisbrook"
I want to change the color of the bars to green for approved and red for declined. I have tried using seriesColorsByField, but it does not change the color    
There are no results because the rex command is not extracting any fields. That's because it is looking for text ("REQUEST" and "RETRYNO") that doesn't exist (at least not in the sample event). This run-anywhere query works for me.

| makeresults | eval _raw="</soap:Envelope>\", RESPONSE=\"<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> <soapenv:Header/> <soapenv:Body> <soapenv:Fault xmlns:trefault=\"http://tresoap.intecbilling.com/fault/2.0\"> <faultcode>trefault:ApplicationException</faultcode> <faultstring><CM-41398> ERROR: Value &quot;Apple Watch 4G 5GB&quot; supplied for Fact &quot;OrderedComp.RatePlan_R&quot; is not allowed by the fact&apos;s filter search or expression</faultstring> <detail> <trefault:Detail> <trefault:Message><CM-41398> ERROR: Value &quot;Apple Watch 4G 5GB&quot; supplied for Fact &quot;OrderedComp.RatePlan_R&quot; is not allowed by the fact&apos;s filter search or expression</trefault:Message> <trefault:ErrorId>41398</trefault:ErrorId> </trefault:Detail> </detail> </soapenv:Fault> </soapenv:Body>" |rex "RESPONSE=\\\"(?<RESPONSE>.+)" |spath input=RESPONSE |spath input=RESPONSE output=trefault:Message path=soapenv:Envelope.soapenv:Body.soapenv:Fault.faultstring.detail.trefault:Detail.trefault:Message
Hi @PadmaPriya.Pyda , Could you please send me private message with your Email id and controller url to look into it further? 
The stats family of commands will not fill in the null values created by the absence of data. The timechart command, however, will do so. Try this:

|tstats prestats=t avg(TotalResponseTime) as ResponseTime avg(FordResponseTime) as Fordresponsetime where index=app-index NOT TERM(timeout) by _time | timechart avg(TotalResponseTime) as ResponseTime avg(FordResponseTime) as Fordresponsetime

The tstats command does the heavy lifting and prepares the results for later processing by another stats command. The timechart command essentially formats what tstats created and fills in zeroes for missing values.
Hi All, I am using the query below but not getting complete output. If there is no data present for ResponseTime for particular days but values are present for Fordresponsetime for the same days, it is not showing up in the table.

|tstats avg(TotalResponseTime) as ResponseTime avg(FordResponseTime) as Fordresponsetime where index=app-index NOT TERM(timeout) by _time

QueryOutput:
_time ResponseTime Fordresponsetime
2024-01-01 12.67 34.00
2024-01-02 34.94 56.89
2024-01-03 24.78 52.70
2024-01-04 34.70 42.87

ExpectedOutput:
_time ResponseTime Fordresponsetime
2024-01-01 12.67 34.00
2024-01-02 34.94 56.89
2024-01-03 24.78 52.70
2024-01-04 34.70 42.87
2024-01-05 0 33.56
2024-01-06 0 23.77
2024-01-07 0 34.78
If I give the query below to extract the error message alone from the SOAP response:

index="abcl" sourcetype="oracle:transactionlog" OPERATION = "getOrderService" |rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO" |spath input=RESPONSE |spath input=RESPONSE output=trefault:Message path=trefault:Message

I am getting no response.
Hello, I did the Splunk ES installation following all the steps noted here - https://docs.splunk.com/Documentation/ES/7.3.2/Install/InstallEnterpriseSecurity I did all the steps and now, when trying to find those indexes, even in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/local or default, there is no indexes.conf. Within them I am trying to find index=notable, notable_summary, risk to see notable events from correlation searches. How am I supposed to get these indexes in apps inside ES, like shown here as well: https://docs.splunk.com/Documentation/ES/7.3.2/Install/Indexes Any help would be appreciated.
Dashboards are for people and are only in action when someone is using them. Alerts run searches on a schedule and trigger an action based on the results of the searches. Consider copying the searches from the 7 panels into scheduled searches. Then have the dashboard use the loadjob command to display the most recent results of each search. Create 7 alerts that also use the loadjob command to load the search results and take action based on them.
I've got two servers providing me temperature data. Host A has Sensor1 and Sensor2. Host B has Sensor1 and Sensor2. My goal is a line graph of all four sensors named as their actual room name. As long as I use host=HostA in the base search, my timechart works great with a 20min avg.

index=tempmon sourcetype=tempdata host=HostA | timechart span=20min eval(round(avg(Sensor1),2)) as "Room12", eval(round(avg(Sensor2),2)) as "Room13"

I'm struggling to understand if a subsearch or 'where' statement would help do something like this:

index=tempmon sourcetype=tempdata Where host=HostA | eval Room12=Sensor1 | eval Room13=Sensor2 Where host=HostB | eval Room14=Sensor1 | eval Room15=Sensor2 | timechart span=20min avg(Room12), avg(Room13), avg(Room14), avg(Room15)
Thanks for the great explanation, really appreciated!
Use the spath command to parse the XML then select the desired field.  If spath doesn't work, it's because the XML is not valid.  You may need to strip out excess quotes.
I am trying to ingest Linux logs into Splunk.
1. I have deployed the unix_TA through the deployment server to the heavy forwarder and to the universal forwarder with the inputs.conf defined in the local directory. The indexes are defined in the inputs.conf as well.
2. The universal forwarder has confirmed that the TA is found in the /opt/splunkuniversal forwarder/apps directory with the inputs.conf as deployed.
3. Permissions have been granted to the splunkfwd user on the universal forwarder on the Linux server to read /var/log.
4. The TA is also installed on the search head.
I am able to see the metric logs in the _internal index. However, I do not see the event logs. I have run a tcpdump on the heavy forwarder's CLI and have confirmed that there are logs coming in. Any ideas on what I am missing?
Hey there, have you tried pulling the docker image manually or did you just hit START? If not, try this:
1. SSH into your Splunk server
2. Check what docker images are present
   docker images
3. Pull the latest version of the Golden Image CPU image manually from Docker Hub. As of today, it's version 5.1.2
   docker pull phdrieger/mltk-container-golden-cpu:5.1.2
4. The image you just pulled should now be visible
   docker images
5. Update the DSDL app to the latest version. As of today, this is 5.1.2
6. Restart or refresh your search head
7. Now try to start the container again
In case you want any other docker image, here is the official repository where you find all images for every container image that is available in DSDL: https://hub.docker.com/u/phdrieger Let me know if I can help you any further.
Hi, try changing the other TRANSFORMS definition to something else, like TRANSFORMS-null-ib-log, instead of using just TRANSFORMS-null twice. https://docs.splunk.com/Documentation/Splunk/latest/Admin/Attributeprecedencewithinafile r. Ismo
Hey Betty, have you pulled the docker container image (Golden Image CPU) manually or did you just select it from the dropdown and then hit START? If you did not pull it manually yet, try this first.
1. SSH into the server where Splunk is installed
2. Check what docker images are present. I suspect you don't see the docker image phdrieger/mltk-container-golden-cpu yet. This is needed to start a container.
   docker images
3. Pull the latest version (as of today, 5.1.2) of the Golden Image CPU from Docker Hub
   docker pull phdrieger/mltk-container-golden-cpu:5.1.2
4. You should now see the image you just pulled
   docker images
5. OPTIONAL STEP: Check if you can start the container you just pulled
   docker run phdrieger/mltk-container-golden-cpu:5.1.2
6. Update the DSDL app to the latest version (as of today, 5.1.2)
7. Restart or refresh your search head to make sure the new configs of DSDL 5.1.2 are live
   http://YOURHOST:8000/en-GB/debug/refresh
8. Now try starting a container again.
Here are all available docker images in case you want to pull others too: https://hub.docker.com/u/phdrieger Let me know if I can help you any further.
Hi, I have an XML response in Splunk whenever I query an index. I used to get the error message in:

</soap:Envelope>", RESPONSE="<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header/> <soapenv:Body> <soapenv:Fault xmlns:trefault="http://tresoap.intecbilling.com/fault/2.0"> <faultcode>trefault:ApplicationException</faultcode> <faultstring><CM-41398> ERROR: Value &quot;Apple Watch 4G 5GB&quot; supplied for Fact &quot;OrderedComp.RatePlan_R&quot; is not allowed by the fact&apos;s filter search or expression</faultstring> <detail> <trefault:Detail> <trefault:Message><CM-41398> ERROR: Value &quot;Apple Watch 4G 5GB&quot; supplied for Fact &quot;OrderedComp.RatePlan_R&quot; is not allowed by the fact&apos;s filter search or expression</trefault:Message> <trefault:ErrorId>41398</trefault:ErrorId> </trefault:Detail> </detail> </soapenv:Fault> </soapenv:Body>

Can someone tell me how to extract this error message from the XML and display it in a separate panel as a table in a dashboard?
Hi all, I'm trying to make an in-dashboard menu (not the app top menu). We have a few main dashboards, each linking to more specific dashboards. I'd like a menu at the top, something like... Overview | today | yesterday | this week | last week Each item has an interaction set to jump to another dashboard. I've created a single value element, set some text and added an interaction. That all works fine, but the "inspect fullscreen refresh" menu keeps popping up in the way of mouse clicks, see screenshot. a) Is there a way to hide this menu for specific elements or in general? b) Any other suggestions on how I might make an in-page menu? I'm using Dashboard Studio in Grid layout... hopefully the answer isn't "use classic".
YEAH!  It is really useful.  It helps a lot! 2 karmas :  one for You , second one for woodcock   K.    
I have a PowerShell script running Get-BrokerSession which then exports the results to a txt file. The file is then forwarded via the Universal Forwarder. I am trying to create a search that bases the output data on the session key. The Citrix add-on app is not allowed at our location.