All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

Two thoughts.  In classic, you can probably use JavaScript to implement mouse-over or similar. (You can produce a "hidden" column named as an internal field, e.g., _fieldname.)  Another method could ... See more...
Two thoughts.  In classic, you can probably use JavaScript to implement mouse-over or similar. (You can produce a "hidden" column named as an internal field, e.g., _fieldname.)  Another method could be to produce the column with ellipses, the use a drilldown to display the full text. Here is an example of the latter:   <dashboard version="1.1" theme="light"> <label>Very long text</label> <description>https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-dashboards/m-p/692394#M56730</description> <init> <set token="reveal_tok">init</set> </init> <search> <query> | makeresults format=csv data="reveal short" </query> </search> <row> <panel> <title>reveal = $reveal_tok$</title> <table> <search> <query>| makeresults format=csv data="fieldname not as long very very very very very very very very very very loooooooooooooooooooooog" | rename fieldname as _fieldname | eval fieldname = if(len(_fieldname) &gt; 50 AND len("$reveal_tok$") &lt; 51, substr(_fieldname, 0, 50) . " ... " , _fieldname)</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <drilldown> <set token="reveal_tok">$row._fieldname$</set> </drilldown> </table> </panel> </row> </dashboard>   When the dashboard loads, the initial value of $reveal_tok$ is set to "init". If you click that ellipses, the token's value becomes that of _fieldname (which is very long on this row).  The drilldown therefore reveals the full string. If you click on that short string, $reveal_tok$ becomes the shorter string, therefore the drilldown changes display back to ellipses for very long strings. There are other ways to do this, depending on your visualization needs and coding style.
That is not possible. What problem are you trying to solve?
The Kerio Control Admin Guide tells how to send syslog from Kerio Control.  Set-up and configuration of a syslog server is entirely separate and the details depend on which syslog server you choose. ... See more...
The Kerio Control Admin Guide tells how to send syslog from Kerio Control.  Set-up and configuration of a syslog server is entirely separate and the details depend on which syslog server you choose.  I recommend Splunk Connect for Syslog (SC4S) because it's easy to set up and configure.  See https://splunk.github.io/splunk-connect-for-syslog/main/
Thanks so much. This 10 year old post helped me resolve my issue!
Is it possible to reconfigure Splunk to use _indextime instead of _time for data retention policy?
Why does the Approval settings work in some actions and not in others?
There are a number of ways to do this - to find which sourcetypes have zero events, create an event for each sourcetype with a zero count and add it to the count for the sourcetype, and where the cou... See more...
There are a number of ways to do this - to find which sourcetypes have zero events, create an event for each sourcetype with a zero count and add it to the count for the sourcetype, and where the count is still zero, there were no events for that sourcetype. | stats count by sourcetype | append [| makeresults format=csv data="sourcetype,count A,0 B,0 C,0 D,0 E,0 F,0" | table sourcetype count] | stats sum(count) as count by sourcetype | where count=0 | eval count="No events found"
That worked!! One last thing, how do I display only specific sourcetype out of (A B C D E) for where the events for all the days=0. reword this statement
https://conf.splunk.com/files/2020/slides/TRU1761C.pdf Here I found a good pdf ... in fact  starcher found and I found his post .  
when i try to install splunklib i am getting a error because of pycrypto ....so couldn't follow that
wow , the first link is a good source of knowledge   thanks a lot.   There is one more sql I need to implement in splunk but it is not present there. Maybe you could help . The most efficient way ... See more...
wow , the first link is a good source of knowledge   thanks a lot.   There is one more sql I need to implement in splunk but it is not present there. Maybe you could help . The most efficient way to inner join is something like : index=db OR index=app | eval join=if(index="db",processId,pid) | stats sum(rows) sum(cputime) by join But how to join two tables with multicolumn key  ?   SELECT * FROM mytable1 INNER JOIN mytable2 ON (mytable1.mycolumn= mytable2.mycolumn AND mytable1.mycolumn2= mytable2.mycolumn2)    
@nguyens  Thanks it worked...
I have the same issue and believe it is caused from the last cloud update.  I have note reported this as a bug yet.
Try implementing using the class model
There isn't an inbuilt feature in Splunk, which can do this. You can build a custom app with external lookups (scripts) and use something like google translate or other services to do this and transf... See more...
There isn't an inbuilt feature in Splunk, which can do this. You can build a custom app with external lookups (scripts) and use something like google translate or other services to do this and transform your data. To get started, you can disassemble this old app and then take it from there to build your own. https://splunkbase.splunk.com/app/1609
The one issue that I see with this approach is the transfer of data buckets from Cluster A to Cluster B. Every indexer creates buckets with its unique uuid. Transferring those buckets to a new cluste... See more...
The one issue that I see with this approach is the transfer of data buckets from Cluster A to Cluster B. Every indexer creates buckets with its unique uuid. Transferring those buckets to a new cluster where the cluster master has no idea as to who those buckets belong to would cause a massive headache for you. If you can re-ingest the data, that would solve your problem easily. Otherwise, I highly recommend involving Splunk support in this operation and get this guidance.
Hi If you are running splunk as splunk user, but use systemctl as root there is no need to add splunk into sudoers file! I have seen same kind of behavior on some AWS ec2 instances time by time. Ho... See more...
Hi If you are running splunk as splunk user, but use systemctl as root there is no need to add splunk into sudoers file! I have seen same kind of behavior on some AWS ec2 instances time by time. However I haven't ever need to look it why.  Hard to say which one is the root cause splunk or systemd, probably some weird combination will cause this. Have you log your OS logs like messages, audit etc. into splunk? If yes, then you could try to find reason from those. Another what you could try is "dmesg -T" and journalctl and look if those gives you more hints. r. Ismo
Hi Have you already seen this https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SQLtoSplunk? It could give some hints how things are done on Splunk vs SQL. BUT you shouldn't foll... See more...
Hi Have you already seen this https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SQLtoSplunk? It could give some hints how things are done on Splunk vs SQL. BUT you shouldn't follow this too much as how Splunk is working is totally different than in SQL. I suppose that there are many conf presentations which could help you to better understand how to work with Splunk. Some other good source of work with Splunk are: https://conf.splunk.com/watch/conf-online.html?locale=watch#/ https://education.splunk.com/Saba/Web_spf/NA10P2PRD105/app/catalog/search?searchText=search%20beginner&selectedTab=LEARNINGEVENT&filter=%7B%22LEARNINGEVENTTYPEFACET%22:%7B%22label%22:null,%22values%22:%20%5B%7B%22facetValueId%22:%221%22,%22facetValueLabel%22:null%7D%5D%7D%7D https://docs.splunk.com/Documentation/Splunk/latest/Search/GetstartedwithSearch https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial https://www.youtube.com/results?search_query=splunk+bsides r. Ismo
Thanks fort the tips. As a workaround i made an override for the Splunk service, to receive a timeout after 4 minutes in stead of the default 6. We run it as root user, but concerning the sudoers... See more...
Thanks fort the tips. As a workaround i made an override for the Splunk service, to receive a timeout after 4 minutes in stead of the default 6. We run it as root user, but concerning the sudoers file: this is something for me to investigate. Maybe it has something to do with rights, because other application on Linux do not have this behaviour
It would be helpful if you could suggest a way to overcome this if that's the case