All Posts
@BTrust- I don't see any issues with the configuration or search that could be causing this. Do you have any sourcetype-related configuration on the search head (e.g. a rename in props.conf)? If not, then I don't see any other issues with this; you can raise a Support Ticket with Splunk in that case. I hope this helps~!!
What about if all the values passed into the macro are hard-coded values? Like in my example, I'm just passing in 1.
Hi @jacknguyen, good for you, see you next time! Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated
I don't see any attached file. Please provide more context to the question.
I'm practicing auto-lookup. Auto-lookup of vendors_ip.csv has already been successful in my index. Here, I would like to add an auto-lookup for the prices.csv file in the same index. The process I followed was to upload a lookup table, create a lookup definition, and create an automatic lookup, but when I search index=main, only the prices.csv fields are not visible; the vendors_ip fields that worked previously are output. What I'm curious about is whether it is possible to perform multiple automatic lookups on one index in Splunk. I would also like to know why the automatic lookup is not working.
@apiprek2- Try updating the JavaHome variable from the DB Connect UI with the variable you have on Windows, and see whether your Splunk DB Connect works properly or not. On a side note, ideally the root Splunk service should not have any impact on the change to Java, the Java variable, or DB Connect. I hope this helps!!!
It seems you were able to install the botsv1_data_set.tgz from the command line. Can you share how you did that and from which directory? I have run tar -xvfz <filename> from the $SPLUNK_HOME/etc/apps directory and now have a botsv1_data_set folder with the fully expanded data set in what appears to be a botsv1_data_set app, but I cannot search or see the app or data from my Splunk Search and Reporting screen. I also cannot search the app or manage the app.
Stephanie, you state that after FTP transfer, you can install the botsv1 by command line. I have downloaded the dataset via wget and moved it to the $SPLUNK_HOME/etc/apps directory, where I see ALL of the other Splunk apps. I then expand it with tar -xvzf <filename> and the 'botsv1_data_set' folder is created and populated with an entire folder structure of files/data. So the app now resides in the correct folder. When I try to find the app in Splunk with Manage Apps, it is not populated on the list. When I try to upload or find the app, the browse window opens up to my Windows VM host and not my Linux server where Splunk is installed. A search using index=botsv1 finds nothing, as does a search using index=botsv1_data_set.
Change the submitButton="false" to "true".

What's your intention with this <change> block on the multiselect? You are overwriting the field, so that's why you cannot change things there: when you click something, your eval statements change things back again.

<change>
  <eval token="form.tokcheck">case(mvcount('form.tokcheck')=0,"category",isnotnull(mvfind('form.tokcheck',"Any field")),"Any field",1==1,'form.tokcheck')</eval>
  <eval token="tokcheck">if('form.tokcheck'="Any field","REPLACE",'tokcheck')</eval>
  <eval token="tokfilter">if($form.tokcheck$!="Any field",replace($tokcheck$,"REPLACE","\"".$toktext$."\""),$toktext$)</eval>
</change>
Macros are expanded before the search runs, so it cannot evaluate the macro definition based on the result of any contained logic because there is no data in the pipeline.
I have a macro like this:

1 + if(true(), 1, `myMacro(1)`)

And I get an infinite recursion error when I use it in a query like this:

| makeresults | eval foo = `myMacro(1)`

Error in 'SearchParser': Reached maximum recursion depth (100) while expanding macros. Check for infinitely recursive macro definitions.

It seems like the macro call is actually being executed during the "expanding macro" operation, and that causes the infinite recursion. This is unexpected since the recursive macro call is actually in a part of the code that can never execute. I can't imagine any way that a macro could actually use recursion, since the macro "expands" outside of the context of the recursive logic. It will always get a recursion error.
Optimise at the END of your dashboard rather than at the start. This is not a good use of a base search, so I would first work out all your searches, then MAYBE you can use a base search to optimise once you are happy with the searches. You will consume more memory and things will be slower, because all post-processing will occur on the search head rather than possibly on the distributed indexers. If you can give an example of the other searches, then there may be an optimisation, but start simple.

An example of where a base search may be suitable could be

type="request" "request.path"="prod/"
| stats count by auth.account_namespace request.path

and then you might have 2 post-processing searches that do

| stats sum(count) as count by auth.account_namespace
| sort - count
| head 10
| transpose 0 header_field=auth.account_namespace column_name=account_namespace
| eval account_namespace=""

and

| stats sum(count) as count by request.path
...

so you are using the base search to take stats across 2 dimensions, and then each of the post-processing searches is calculating from those existing aggregations. See this article on post-processing/base searches: https://docs.splunk.com/Documentation/Splunk/9.2.1/Viz/Savedsearches#Post-process_searches_2
Are you saying it doesn't work? This works fine:

| makeresults
| fields - _time
| eval network="2a02:4780:10::/44"
| outputlookup ipv6.csv

and

| makeresults
| fields - _time
| eval ipv6="2a02:4780:10:5be5::1"
| lookup ipv6 network as ipv6 OUTPUT network as v6IP

where the match type is defined as CIDR(network).
Thanks @bowesmana for your comment. I'm very new to Splunk and not really sure if I do need a base search, but all I really want is for these events to only be searched once, so that my dashboard doesn't consume a lot of memory when it is loading or refreshing. At the moment I have 5 charts on my dashboard and I need to get the data from that event with a different path for each search. All the events come from that query, and what is happening now is that it runs that query 5x. I thought a base search would be the best thing to use so it will only query once on my dashboard.
My understanding is that IPv6 IS supported, but I do recall I may have had some issues with CIDR on IPv6. Can you test

| makeresults
| eval ipv6="2a02:4780:10:5be5::1"
| search ipv6="2a02:4780:10::/44"

because search definitely should support CIDR in IPv6.
In your API column example, how are you assigning the tokApi token to the API column? I assume you are doing something like

| makeresults | eval API=$tokApi|s$ ...

At least that is what you _should_ be doing...
You are using base searches wrongly. Firstly, you should be using a transforming command in your base search, not just loading events; that is not what base searches are intended for and it can often make your dashboard perform badly. If you really need to have events, then you need to include a | fields statement with the fields you want, but remember, base searches are limited and this is definitely NOT a good way to use a base search. You should really put your stats command as part of the base search, but that will of course depend on what else you want to use the search for.
Removing the databases in fishbucket restored order in my ingestions. Thank you! For the record, I preserved fishbucket/db/, which does not contain any BTree. (Had I known this, I could have done this while cleaning up the disk corruption. There should be no assumption that fishbucket escaped corruption.)
Hello, I have some issues where using a base search is not working on my dashboard. Interestingly, if I click on the search icon, it comes up with a valid search query and shows some results. However, on the dashboard itself it shows "no results found". Below is what I currently have set:

<search id="prod_request">
  <query>type="request" "request.path"="prod/"</query>
  <earliest>$timerange.earliest$</earliest>
  <latest>$timerange.latest$</latest>
  <sampleRatio>1</sampleRatio>
  <refresh>10m</refresh>
  <refreshType>delay</refreshType>
</search>
<chart>
  <title>Top 10 request</title>
  <search base="prod_request">
    <query>| stats count by auth.account_namespace | sort - count | head 10 | transpose 0 header_field=auth.account_namespace column_name=account_namespace | eval account_namespace=""</query>
  </search>
  <option name="charting.axisTitleX.text">Account Namespace</option>
  <option name="charting.chart">bar</option>
  <option name="charting.chart.showDataLabels">all</option>
  <option name="charting.chart.stackMode">default</option>
  <option name="charting.drilldown">all</option>
  <option name="charting.legend.placement">right</option>
  <option name="charting.seriesColors">[0x1e93c6, 0xf2b827, 0xd6563c, 0x6a5c9e, 0x31a35f, 0xed8440, 0x3863a0, 0xa2cc3e, 0xcc5068, 0x73427f]</option>
  <option name="refresh.display">progressbar</option>
</chart>
Are you using Classic or Studio? Please share the significant part of your dashboard source in a code block to make it easier to read.