I cannot see anything. Do you know the search can check this?  
Hi @jacknguyen, in the Monitoring Console at [Indexing > License Usage > Historic License Usage] you can display the license usage split by index or sourcetype, etc. If this doesn't exactly answer your question, you can start from this search to customize your own. Ciao. Giuseppe
Hello, I have the Unix/Linux Add-on installed in my Splunk Cloud. This Add-on gives me a list of Inactive Hosts. How do I create an episode 1 to 1 that alerts me every time a new host goes inactive?
Hello, I want to set up MTBF & MTTR for databases and their servers in AppDynamics. Kindly direct me to a knowledge base document on how to achieve this.
I cannot access the License Master. I also checked the Monitoring Console under Index volume and instance; no results found.
Hi @jacknguyen, if you use the Monitoring Console or the License consumption dashboard, you can get this information. Ciao. Giuseppe
Never mind, I figured it out. I just moved the |eval statement to the end, after the table command, and it worked.
Hi guys, my boss checked on the Splunk Master and wants to know the index, source, sourcetype and log capacity per day for each sourcetype. How can I see that? I used this search before, but I feel it's not 100% correct:

| dbinspect index=* | stats sum(rawSize) as total_size by index | eval total_size_mb = total_size / (1024 * 1024) | table index total_size_mb

How can I check this on my Indexer? I can ssh to the Indexer too. Thank you for your time.
Hi @Roger_FB, as @PickleRick and I said, you cannot configure different replication and search factors for each index, but only one for the entire cluster. You can only define that there are non-replicated indexes. Ciao. Giuseppe
No. You cannot define (site) replication/search factors on a per-index level. You can set an index to being non-replicated but cannot go beyond that. You set (site)SF/RFs at the server level and only define whether the index is replicated at index level. So to have a setup with some indexes being replicated between sites and some not you'd need to have separate clusters (I'm not sure however how you go about site-affinity for search-heads when you're connecting to multiple clusters - never tried that).
There are at least two separate issues here. One is monitoring for data that used to be ingested but is no more, regardless of the reason for it (maybe there is a configuration problem on the receiving end, maybe the source simply stopped sending data, maybe something else). There are several apps for that on Splunkbase. For example TrackMe - https://splunkbase.splunk.com/app/4621 Another thing is finding errors coming from your inputs (expired certs, broken connections, non-responding API endpoints and so on). And this is something you'd normally look for in the _internal index indeed, and those you'll find primarily in splunkd.log, but specific add-ons can also create their own log files. So it's a bit more complicated than just a single search to find everything that's wrong.
Quick follow-up question: is there a way to include another field (as in column) as part of the final output? For example, if I have something like below, where there is another field "Priority" calculated using eval, how do I include it in the final output? As of now, using the below query, Priority doesn't show any data, and that's expected because Priority is not part of our chart command. I tried all different combos to add Priority in the chart command but couldn't figure out how to.

| eval Priority = case(Alert like "001","P1",Alert like "002","P2") | chart count by Alert status | addtotals col=t fieldname=Count label=Total labelfield=Alert | table rule_name Count status Priority
That does indeed seem strange. Is this the last part of the search? Do the search dashboard and search log show anything significantly changing after you add this append command?
OK. So if you split your events received by syslog into separate files based on the source device, you should configure your monitor inputs to pick different kinds of files with specific sourcetypes, so you don't ingest the whole big directory with all your "network" logs but instead fine-tune it with subsets of the files pertaining to specific devices. If you're saving all syslog-received events to one big file, that's way harder, because you can only associate one sourcetype with a given monitor input. You might try to later dynamically overwrite it during the ingestion process using props and transforms, but this will be way, way harder than doing the splitting on the syslog-receiver level.
What is your full search?
Hey splunkers, we are trying to implement and segregate roles in SOAR, and so we have several roles with several users in them. The problem is that every user can see all other users and assign containers/tasks to them. Is there a way to restrict visibility/assignment of other users in the platform? I know it should probably be related to users & roles permissions, but I'm not getting it right... Thanks
Hi @tuts, for configuring syslog, you should follow the instructions at https://docs.splunk.com/Documentation/SplunkCloud/9.2.2403/Data/Monitornetworkports. For Sysmon, you should download the Splunk Add-on for Sysmon and follow the instructions at https://docs.splunk.com/Documentation/AddOns/released/MSSysmon/About Ciao. Giuseppe
Awesome. I so often forget to use the "chart" command for such scenarios. Thank you
Hello Splunk Community, I am working on a project that uses Splunk, and I need your assistance in properly installing and configuring both Syslog and Sysmon to ensure efficient data collection and analysis.
Hi Team, I am unable to log in to the controller as it is throwing an error called "Permission Issue." Earlier I was able to log in to the controller, but currently I am unable to. While I am signing in, the page shows authentication success and later shows a permission issue. Please help me on priority! Please find the attached screenshot for your reference. Thanks & Regards, PadmaPriya