All Posts

Hello, We attempted to upgrade Splunk OTEL on the cluster using the helm3 upgrade command, but encountered the following error. Error: UPGRADE FAILED: parse error at (splunk-otel-collector/templates/operator/_helpers.tpl:8): unclosed action
I want to know if the Splunk Machine Learning Toolkit 5.3.1 version is compatible with Splunk 9.1.3.
@anglewwb35- I'm not sure what kind of integration you are trying to do. But here are the references for the Splunk API, which I hope will help you build the integration. https://docs.splunk.com/Documentation/Splunk/9.2.1/RESTUM/RESTusing and https://docs.splunk.com/Documentation/Splunk/9.2.1/RESTREF/RESTprolog
@ivarny- I'm able to access the Doc, not sure what's wrong with your machine. Try a different browser maybe.
@egt- This is not a complete stack trace to provide the information on what the root cause of this error is. Regarding the slowness of the system, it all usually boils down to the machine's capability. Please check the resource availability of the system - CPU, Memory, Network. I hope this helps!!!
@umeshchandra- Even though you are using SAML authentication, you can still create a local Splunk service account (with the right read-only permissions) for this job. And it should do the job for your use-case. I hope this helps!!!
@sputre- The Add-on documentation describes the API - https://docs.splunk.com/Documentation/AddOns/released/NetApp/Lookups (But I personally have no experience with it.) I hope this helps!!!
@BisHop1020- Are you talking about this add-on - https://splunkbase.splunk.com/app/6135 ? This App is archived and I would not recommend using it. Is the purpose of using this Add-on to collect data from Jamf Pro? If so, then you can use - https://splunkbase.splunk.com/app/4729 I hope this helps!!!
@nsxlogging- I know Splunkbase was under maintenance recently. Try again and if the issue persists then you can contact splunkbase-admin@splunk.com. I hope this helps!!!
@n3wbi3- Have you configured DMC (Monitoring Console) roles for all the servers properly? https://docs.splunk.com/Documentation/Splunk/9.2.1/DMC/Configureindistributedmode Try running: | rest splunk_server_group=* /services/licenser/pools I hope this helps!!!
@BTrust- I don't see any issues with configuration or search that could be causing this issue. Do you have any sourcetype-related configuration on the search head? (ex. rename in props.conf). If not, then I don't see any other issues with this. You can raise a Support Ticket with Splunk in that case. I hope this helps!!!
What about if all the values passed into the macro are hard coded values? Like in my example, I'm just passing in 1.
Hi @jacknguyen, good for you, see you next time! Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated
I don't see any attached file. Please provide more context to the question.
I'm practicing auto-lookup. Auto-lookup of vendors_ip.csv has already been successful in my index. Here, I would like to add auto-lookup for the prices.csv file in the same index. The process I followed was: uploaded a lookup table, created a lookup definition, and created an automatic lookup, but as a result of searching for index=main, only the prices.csv fields are not visible. The fields of vendors_ip that were previously successful are output. What I'm curious about is whether it is possible to perform multiple automatic lookups on one index in Splunk. I would also like to know why the automatic lookup is not working.
@apiprek2- Try updating the JavaHome variable from the DB Connect UI with the variable you have on Windows, and see if your Splunk DB Connect works properly or not. On a side note, ideally the root Splunk service should not have any impact on change or Java, Java variable, or DB Connect. I hope this helps!!!
It seems you were able to install the botsv1_data_set.tgz from the command line. Can you share how you did that and from which directory? I have tar -xvfz <filename> from the $SPLUNK_HOME/etc/apps directory and now have a botsv1_data_set folder with fully expanded data set in what appears to be a botsv1_data_set app, but I cannot search or see the app or data from my Splunk search and reporting screen. I also cannot search the app or manage the app.
Stephanie, You state that after FTP transfer, you can install the botsv1 by command line. I have downloaded the dataset via wget and moved it to the $SPLUNK_HOME/etc/apps directory where I see ALL of the other Splunk apps. I then expand with tar -xvzf <filename> and the 'botsv1_data_set' folder is created and populated with an entire folder structure of files/data. So the app now resides in the correct folder. When I try to find the app in Splunk with Manage Apps, it is not populated on the list. When I try to upload or find the app, the browse window opens up to my Windows VM host and not my Linux server where Splunk is installed. A search using index=botsv1 finds nothing, as does a search using index=botsv1_data_set
Change the submitButton="false" to "true". What's your intention with this <change> block on the multiselect - you are overwriting the field, so that's why you cannot change things there, because when you click something, your eval statements change things back again.
<change>
  <eval token="form.tokcheck">case(mvcount('form.tokcheck')=0,"category",isnotnull(mvfind('form.tokcheck',"Any field")),"Any field",1==1,'form.tokcheck')</eval>
  <eval token="tokcheck">if('form.tokcheck'="Any field","REPLACE",'tokcheck')</eval>
  <eval token="tokfilter">if($form.tokcheck$!="Any field",replace($tokcheck$,"REPLACE","\"".$toktext$."\""),$toktext$)</eval>
</change>
Macros are expanded before the search runs, so it cannot evaluate the macro definition based on the result of any contained logic because there is no data in the pipeline.