All Posts

I've got two servers providing me temperature data. Host A has Sensor1 and Sensor2. Host B has Sensor1 and Sensor2. My goal is a line graph of all four sensors named as their actual room name. As long as I use host=HostA in the base search, my timechart works great with 20min avg.

index=tempmon sourcetype=tempdata host=HostA | timechart span=20min eval(round(avg(Sensor1),2)) as "Room12", eval(round(avg(Sensor2),2)) as "Room13"

I'm struggling to understand if a subsearch or 'where' statement would help do something like this:

index=tempmon sourcetype=tempdata
Where host=HostA | eval Room12=Sensor1 | eval Room13=Sensor2
Where host=HostB | eval Room14=Sensor1 | eval Room15=Sensor2
| timechart span=20min avg(Room12), avg(Room13), avg(Room14), avg(Room15)
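One way to get all four rooms onto a single timechart, added here as an example and not the poster's own search: the index, sourcetype, host values and sensor field names are taken from the question above; mapping each host/sensor pair to a room with `if()` is the assumption.

```spl
index=tempmon sourcetype=tempdata (host=HostA OR host=HostB)
| eval Room12=if(host=="HostA", Sensor1, null()),
       Room13=if(host=="HostA", Sensor2, null()),
       Room14=if(host=="HostB", Sensor1, null()),
       Room15=if(host=="HostB", Sensor2, null())
| timechart span=20min
    eval(round(avg(Room12),2)) AS "Room12",
    eval(round(avg(Room13),2)) AS "Room13",
    eval(round(avg(Room14),2)) AS "Room14",
    eval(round(avg(Room15),2)) AS "Room15"
```

Each event fills its own host's two room fields and leaves the other two null, and `avg` ignores nulls, so the four series stay separate. Two consecutive `where host=...` clauses would not do this: the first keeps only HostA events and the second then discards all of them. Keeping the host restriction in the base search rather than in a `where` also keeps the filtering at the index layer. If the host-to-room mapping grows, move it into a lookup (columns host, sensor, room) rather than extending the eval.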
Thanks for the great explanation, really appreciated!
Use the spath command to parse the XML then select the desired field.  If spath doesn't work, it's because the XML is not valid.  You may need to strip out excess quotes.
I am trying to ingest Linux logs into Splunk.
1. I have deployed the unix_TA through the deployment server to the heavy forwarder and to the universal forwarder, with the inputs.conf defined in the local directory. The indexes are defined in the inputs.conf as well.
2. The universal forwarder has confirmed that the TA is found in the /opt/splunkuniversal forwarder/apps directory with the inputs.conf as deployed.
3. Permissions have been granted to Splunkfwd on the universal forwarder on the Linux server to read /var/log.
4. The TA is also installed on the search head.
I am able to see the metric logs in the _internal index. However, I do not see the event logs. I have run a tcpdump on the heavy forwarder's CLI and have confirmed that there are logs coming in. Any ideas on what I am missing?
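Three searches, run in this order, that narrow down where the events stop. They are added here as an example and are not part of the question; `<uf-hostname>` and `<index-from-inputs.conf>` are placeholders for the forwarder's host value and the index named in the deployed inputs.conf. The first shows whether any events from that host reach any index at all (an index that is named on the forwarder but does not exist on the indexers silently drops the data unless lastChanceIndex is set). The second confirms the index exists, and is enabled, on every indexer. The third surfaces the forwarder's own warnings and errors, such as unreadable files or a rejected index.

```spl
| tstats count WHERE index=* earliest=-1h BY index, host, sourcetype
| search host=<uf-hostname>

| rest /services/data/indexes splunk_server=* count=0
| search title=<index-from-inputs.conf>
| table title splunk_server disabled

index=_internal host=<uf-hostname> sourcetype=splunkd (log_level=ERROR OR log_level=WARN)
| stats count latest(_raw) AS sample BY component
| sort -count
```

If the first search returns rows for the host only under index=_internal, the data is arriving but being rejected or rerouted, and the second and third searches usually show why. The `rest` search must be run from a search head that can reach the indexers; `splunk_server=*` fans it out to all of them.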
Hey there, have you tried pulling the docker image manually or did you just hit START? If not, try this:
1. SSH into your Splunk server
2. Check what docker images are present
   docker images
3. Pull the latest version of the Golden Image CPU image manually from Docker Hub. As of today, its version is 5.1.2
   docker pull phdrieger/mltk-container-golden-cpu:5.1.2
4. The image you just pulled should now be visible
   docker images
5. Update the DSDL app to the latest version. As of today, this is 5.1.2
6. Restart or refresh your search head
7. Now try to start the container again
In case you want any other docker image, here is the official repository where you find all images for every container image that is available in DSDL: https://hub.docker.com/u/phdrieger
Let me know if I can help you any further.
Hi, try to change the other TRANSFORMS definition to something else, like TRANSFORMS-null-ib-log, instead of using just TRANSFORMS-null twice. https://docs.splunk.com/Documentation/Splunk/latest/Admin/Attributeprecedencewithinafile r. Ismo
Hey Betty, have you pulled the docker container image (Golden Image CPU) manually or did you just select it from the dropdown and then hit START? If you did not pull it manually yet, try this first.
1. SSH into the server where Splunk is installed.
2. Check what docker images are present. I suspect you don't see the docker image phdrieger/mltk-container-golden-cpu yet. This is needed to start a container.
   docker images
3. Pull the latest version (as of today, 5.1.2) of the Golden Image CPU from Docker Hub
   docker pull phdrieger/mltk-container-golden-cpu:5.1.2
4. You should now see the image you just pulled
   docker images
5. OPTIONAL STEP: Check if you can start the container you just pulled
   docker run phdrieger/mltk-container-golden-cpu:5.1.2
6. Update the DSDL app to the latest version (as of today, 5.1.2)
7. Restart or refresh your search head to make sure the new configs of DSDL 5.1.2 are live
   http://YOURHOST:8000/en-GB/debug/refresh
8. Now try starting a container again.
Here are all available docker images in case you want to pull others too: https://hub.docker.com/u/phdrieger
Let me know if I can help you any further.
Hi, I have an XML response in Splunk whenever I query an index. I used to get the error msg in

</soap:Envelope>", RESPONSE="<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header/>
<soapenv:Body>
<soapenv:Fault xmlns:trefault="http://tresoap.intecbilling.com/fault/2.0">
<faultcode>trefault:ApplicationException</faultcode>
<faultstring><CM-41398> ERROR: Value &quot;Apple Watch 4G 5GB&quot; supplied for Fact &quot;OrderedComp.RatePlan_R&quot; is not allowed by the fact&apos;s filter search or expression</faultstring>
<detail>
<trefault:Detail>
<trefault:Message><CM-41398> ERROR: Value &quot;Apple Watch 4G 5GB&quot; supplied for Fact &quot;OrderedComp.RatePlan_R&quot; is not allowed by the fact&apos;s filter search or expression</trefault:Message>
<trefault:ErrorId>41398</trefault:ErrorId>
</trefault:Detail>
</detail>
</soapenv:Fault>
</soapenv:Body>

Can someone tell me how to extract this error msg from the XML and display the error msg in a separate panel as a table in a dashboard?
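Pulling the fault message and error ID out of that event for a dashboard table, added as an example and not code from the question or from the spath answer above. The tag names come from the event as pasted; `<your_index>` and `<your_sourcetype>` are placeholders. Note that the faultstring contains a literal, unescaped `<CM-41398>`, so the RESPONSE value is not well-formed XML; that is exactly the case in which spath fails, as the answer above says, and `rex` does not need a valid document.

```spl
index=<your_index> sourcetype=<your_sourcetype> "trefault:ErrorId"
| rex field=_raw "<faultstring>(?<error_msg>.*?)</faultstring>"
| rex field=_raw "<trefault:ErrorId>(?<error_id>\d+)</trefault:ErrorId>"
| eval error_msg=replace(error_msg, "&quot;", "\""),
       error_msg=replace(error_msg, "&apos;", "'"),
       error_msg=replace(error_msg, "&amp;", "&")
| table _time error_id error_msg
```

Put the search into a table panel. The non-greedy `.*?` stops at the first closing tag, so the faultstring and the duplicated trefault:Message text do not run together; the `replace()` calls undo the XML entity escaping, with `&amp;` last so it does not corrupt the others. If the SOAP body is already extracted into a RESPONSE field, use `field=RESPONSE` instead of `field=_raw`.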
Hi all, I'm trying to make an in-dashboard menu (not the app top menu). We have a few main dashboards, each links to more specific dashboards. I'd like a menu at the top, something like...
Overview | today | yesterday | this week | last week
Each item has an interaction set to jump to another dashboard. I've created a single value element, set some text and added an interaction. That all works fine, but the "inspect fullscreen refresh" menu keeps popping up in the way of mouse clicks, see screenshot.
a) Is there a way to hide this menu for specific elements or in general?
b) Any other suggestions on how I might make an in-page menu?
I'm using Dashboard Studio in Grid layout... hopefully the answer isn't "use classic".
YEAH! It is really useful. It helps a lot! 2 karmas: one for you, second one for woodcock. K.
I have a PowerShell script running get-brokersession which then exports the results to a txt file. The file is then forwarded via the Universal Forwarder. Trying to create a search that bases the output data via the session key. The Citrix add-on app is not allowed at our location.
Hi, this seems to work.
| makeresults
| eval gb=1, gb=gb . "g"
| convert memk(gb) as kb_c
| eval kb=round(kb_c/1024/1024,2)
Destination will always be KB. r. Ismo
Hi @bowesmana, yes, you're correct. Now that I corrected it, it's working as expected. Thank you.
Hi, if you have access to this HF node then you can set a local admin password for Splunk. Just rename .../splunk/etc/passwd. Then create a new file .../splunk/etc/system/local/user-seed.conf with the following content:
[user_info]
USERNAME = admin
PASSWORD = YourPassWdHere
Then just restart your Splunk instance. Then use the following URL to log in: "<your HF base url>/en-US/account/login?loginType=splunk". This uses Splunk's internal login method instead of LDAP / SAML etc. Then just add your previously added admin + pass and you are in. r. Ismo
But are you using HEC's raw endpoint instead of event? Also you have two of the same TRANSFORMS:
TRANSFORMS-001 = set_sourcetype_by_regex
TRANSFORMS-001 = set_index_by_sourcetype
Which means that only one of those is used!
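A search-bar check for the duplicate-key problem raised here and in the TRANSFORMS-null reply above, added as an example and not either author's code; `<your_stanza>` stands for the props.conf stanza (the sourcetype or source:: stanza) that carries the TRANSFORMS lines. It reads the merged configuration that the instance actually runs, so a key that was overwritten by its duplicate simply does not appear in the output.

```spl
| rest /services/configs/conf-props splunk_server=local count=0
| search title=<your_stanza>
| table title TRANSFORMS-*
```

Run it on the instance that parses the data (the heavy forwarder for HEC traffic it receives, otherwise the indexer), since `splunk_server=local` reads that box's own configuration and a search head normally does not parse these events. With the duplicate as posted, the row shows a single TRANSFORMS-001 column holding only the value that survived. Once the two transforms are given distinct class names (TRANSFORMS-001 and TRANSFORMS-002) or listed in one class in the order they must run, `TRANSFORMS-001 = set_sourcetype_by_regex, set_index_by_sourcetype`, both names show up; the comma form runs them in the listed order, which is what you want if the index transform is meant to see the sourcetype the first one assigns. Index membership is also what Splunk roles are granted, so a silently dropped routing transform is an access-control problem as much as a parsing one.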
That is one excellent source. There are some others too. Here is one old post on SQL vs. Splunk inner/outer join: https://community.splunk.com/t5/Splunk-Search/What-is-the-relation-between-the-Splunk-inner-left-join-and-the/m-p/391288/thread-id/113948
It seems like you need to request your AD team to provide you access to the AD group which governs the authentication to your HF. Then you will be able to login. No need to change anything from the backend.
Whereabouts in the dashboard source code would this go? I have attempted to add it at the top after "<description>Test</description>" but it doesn't seem to have any effect.
Try the eventstats command.
| eventstats count as result by name
We would like to create a dashboard with a table showing the top 10 MQ queues based on their current queue length. This is based on the MQ extension, which delivers the custom metrics as expected.
1. With Dashboard & Reports, there is no table widget available.
2. With an Analytics Dashboard, it seems that accessing (custom) metrics with ADQL is not possible.
Any solution to this?