All Posts
Hi team,

Currently we have implemented the standalone servers below.

Zone-1
Environment | Server Name | IP | Splunk Role
DEV         | L4          |    | Search Head + Indexer
QA          | L4          |    | Search Head + Indexer
            | L4          |    | Deployment Server

Zone-2
Environment | Server Name | IP | Splunk Role
DEV         | L4          |    | Search Head + Indexer
QA          | L4          |    | Search Head + Indexer

In our environment there are only 2 Indexer + Search Head servers, on the same instance.

How do we implement high-availability servers? Please help me with the process.
The forwarders are unable to connect to the indexers and send their logs.  Verify the outputs.conf settings are correct on the forwarders.  Check the URL, the port (9997 is the default), and the certificate (if SSL/TLS is used).  Also, check that the network is allowing connections to the indexers.
Perhaps the alert is not configured as expected.  Please share the savedsearches.conf stanza for the alert so we can check for errors.
On my Splunk on Windows the add-on is very slow and I get some error messages.

07-01-2024 13:47:27.491 +0200 ERROR ScriptRunner [82504 TcpChannelThread] - stderr from 'D:\apps\Splunk\bin\Python3.exe D:\apps\Splunk\bin\runScript.py setup': cfg = cli.getConfStanza("ta_databricks_settings", "logging")
07-01-2024 13:47:27.491 +0200 ERROR ScriptRunner [82504 TcpChannelThread] - stderr from 'D:\apps\Splunk\bin\Python3.exe D:\apps\Splunk\bin\runScript.py setup': File "D:\apps\Splunk\etc\apps\TA-Databricks\bin\log_manager.py", line 32, in setup_logging
07-01-2024 13:47:27.491 +0200 ERROR ScriptRunner [82504 TcpChannelThread] - stderr from 'D:\apps\Splunk\bin\Python3.exe D:\apps\Splunk\bin\runScript.py setup': _LOGGER = setup_logging("ta_databricks_utils")

These errors happened for 60 seconds, and then the connection was established and I received the data.
Because you are using _time as your x-axis, the chart will show all times in your time range. You could change your chart settings so that the lines are not joined. Alternatively, you could rename the _time field to something else, but then you would also have to format the time - you may also have to remove events where the value is null (depending on how your search is set up):

| rename _time as time
| fieldformat time=strftime(time,"%F %T")

However, this is likely to lead to the x-axis values having ellipses in, so you could rotate the labels.
Hi @tscroggins, how can we represent a server icon for the nodes? Could you please let me know. Thanks in advance!
It is a bit difficult to suggest a solution without knowing what your events look like. Please share some anonymised representative events. Alternatively, if the account name in your events is "user", you could try something like this:

| bin _time span=10m
| stats count by _time user
Hi Team,

An alert is scheduled to run every 2 hours, and it is getting skipped. Per day the alert will run 12 times; for a week that is 12*7 = 84 times. We could see in the skipped search result that the alert was skipped 3000 times in the last 7 days. How is that possible?

The search below is used to find the skipped searches:

splunk_server=*prod1-heavy index="_internal" sourcetype="scheduler" host=*-prod1-heavy
| eval scheduled=strftime(scheduled_time, "%Y-%m-%d %H:%M:%S")
| lookup search_env_mapping host AS host OUTPUT tenant
| stats count values(scheduled) as scheduled values(savedsearch_name) as search_name values(status) as status values(reason) as reason values(run_time) as run_time values(dm_node) as dm_node values(sid) as sid by savedsearch_name tenant
| sort -count
| search status!=success
| table scheduled, savedsearch_name, status, reason, count, tenant
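As an added example (not part of the post above), here is a variant of the search that filters on status before aggregating, so the count reflects only skipped runs. The search in the post counts every scheduler row for the saved search (success, skipped, continued and so on) and only afterwards drops saved searches whose status values are all success, so its count is not a count of skips. The index, sourcetype and host pattern are taken from the post; app, status, reason and scheduled_time are standard fields of the scheduler sourcetype.

```spl
index="_internal" sourcetype="scheduler" host=*-prod1-heavy status=skipped earliest=-7d@d latest=now
| eval scheduled=strftime(scheduled_time, "%Y-%m-%d %H:%M:%S")
| stats count AS skipped_runs
        dc(scheduled_time) AS distinct_windows
        dc(host) AS reporting_hosts
        min(scheduled) AS first_skip
        max(scheduled) AS last_skip
        values(reason) AS reason
  BY savedsearch_name, app
| sort -skipped_runs
```

Two columns are worth reading before the count itself: reporting_hosts greater than 1 means the host wildcard matches more than one instance, each of which can log its own skip for the same scheduled window, and distinct_windows tells you how many separate scheduled windows were actually missed, which is the number to compare against the 84 expected runs per week. The reason values (for example the concurrent-search limit messages) point at why the scheduler skipped rather than delayed the search.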
| eval results=if(results=0,"No events Found",results)
Hi, I would like to create a time chart for a specified time, suppose 8AM to 2PM every day for the last 30 days. I am able to chart it; however, in the visualisation the line from 2PM to the next day 8AM is a straight line. How can we exclude that line for the duration (2PM to next day 8AM) and just show the chart for 8AM to 2PM every day as a single line? Can we exclude the green box line?

Query used (just conditions):

| eval hour=tonumber(strftime(_time,"%H"))
| where hour >=8
| where hour <=14
| fields - hour
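As an added example (not code from either post), this is the hour filter from the question combined with the rename/fieldformat approach from the earlier reply. The hour filter is applied after timechart rather than before it, so hours inside the 8AM-2PM window that happen to have zero events still appear as zero instead of being dropped; buckets outside the window are removed entirely. The index and sourcetype are placeholders; the hour<=14 bound matches the question (it keeps the 14:00-15:00 bucket, use hour<14 to stop at 2PM exactly).

```spl
index=web sourcetype=access_combined earliest=-30d@d latest=@d
| timechart span=1h count
| eval hour=tonumber(strftime(_time,"%H"))
| where hour>=8 AND hour<=14
| fields - hour
| rename _time AS time
| fieldformat time=strftime(time,"%F %H:%M")
```

Because the x-axis field is no longer _time, the line chart treats it as a category axis and draws consecutive points next to each other, so there is no flat segment from 2PM to the next morning. fieldformat only changes how the value is displayed, so the underlying epoch number keeps the rows in time order.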
OK, I misunderstood your new requirement.

<form version="1.1" theme="light">
  <label>Multiselect Text</label>
  <init>
    <set token="toktext">*</set>
  </init>
  <fieldset submitButton="false">
    <input type="checkbox" token="tokcheck">
      <label>Field</label>
      <choice value="Any field">Any field</choice>
      <choice value="category">Group</choice>
      <choice value="severity">Severity</choice>
      <default>category</default>
      <valueSuffix>=REPLACE</valueSuffix>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <change>
        <eval token="form.tokcheck">case(mvcount('form.tokcheck')=0,"category",isnotnull(mvfind('form.tokcheck',"Any field")),"Any field",1==1,'form.tokcheck')</eval>
        <eval token="tokcheck">if('form.tokcheck'="Any field","REPLACE",'tokcheck')</eval>
        <eval token="tokfilter">if($form.tokcheck$!="Any field",replace($tokcheck$,"REPLACE","\"".$toktext$."\""),$toktext$)</eval>
      </change>
    </input>
    <input type="text" token="toktext">
      <label>Value</label>
      <default>*</default>
      <change>
        <eval token="tokfilter">if($form.tokcheck$!="Any field",replace($tokcheck$,"REPLACE","\"".$toktext$."\""),$toktext$)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>$tokfilter$</title>
        <search>
          <query>index=* $tokfilter$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>
How do I run a search against a sourcetype (which is very low volume) and display a custom text when there are 0 events found? The search should be run for 30 days, with a span of 1 day. The output should be:

_time        results
04-23-2024   "No events found"
04-23-2024   "No events found"
.
.
.
06-30-2024   23
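As an added example (not from the question or the one-line reply above), the complete search that produces the requested table. The part that makes the eval in the reply work is timechart: unlike stats, timechart emits one row per span across the whole time range even when a day has no events, so the zero-count days exist and can be relabelled. The index and sourcetype are placeholders.

```spl
index=main sourcetype=my_low_volume_sourcetype earliest=-30d@d latest=@d
| timechart span=1d count AS results
| eval results=if(results=0, "No events found", results)
| fieldformat _time=strftime(_time, "%m-%d-%Y")
| table _time results
```

After the eval, results is a mixed field (a string on empty days, a number on the others), which is fine for a table but will not chart; keep the numeric column if you also need a visualization. If the sourcetype has no events at all in the range, timechart still returns 30 rows of zero, because the time buckets come from the time range rather than from the data.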
Hey, can anybody help with this task: how to find the account with the most login attempts in the 4624 events within a time span of 10 min?
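As an added example (not from the question or the earlier reply), this extends the bin/stats suggestion so that each 10-minute window reports the account with the highest count in that window, rather than just a count per account. The index and sourcetype are placeholders for wherever the Windows Security log is indexed, and the account field is assumed to be user, as the reply also assumes (in raw XML events the account is TargetUserName).

```spl
index=wineventlog sourcetype="XmlWinEventLog:Security" EventCode=4624 earliest=-24h@h latest=now
| bin _time span=10m
| stats count AS logons BY _time, user
| eventstats max(logons) AS max_logons BY _time
| where logons=max_logons
| fields - max_logons
| sort -logons, -_time
```

Two caveats a practitioner would want here: event 4624 is a successful logon, so this measures accounts that logged on most often, not failed attempts, which are event 4625 (add EventCode IN (4624,4625) and group by EventCode as well to see both); and machine accounts (names ending in $) and service logons (Logon_Type 5) usually dominate the top of the list, so add NOT user="*$" to the base search if you are looking for interactive accounts.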
After installing Splunk on a Windows or Linux server we are able to see the logs on the server, but we are not able to see the logs in Splunk HI, and we are getting the error message below:

07-01-2024 05:21:16.653 -0500 ERROR TcpOutputFd [2997818 TcpOutEloop] - Connection to host=<ip address>:9998 failed
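As an added example (not from either post), this is a forwarder outputs.conf laid out around the three things the earlier reply says to verify: the destination, the port and the certificate. The host names, port and certificate paths are placeholders. The TcpOutputFd error above is exactly what the forwarder logs when the destination in the server setting does not accept the connection, whether because nothing listens on that port, a firewall drops it, or the TLS handshake fails.

```ini
# $SPLUNK_HOME/etc/system/local/outputs.conf on the forwarder (example with hypothetical hosts)
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# host:port pairs; the indexer must have a matching [splunktcp://9997] or
# [splunktcp-ssl:9997] stanza in its inputs.conf. 9997 is the conventional port;
# the error in the post shows a connection to 9998, so whichever port is used
# here must be the one the indexer actually listens on.
server = idx1.example.com:9997, idx2.example.com:9997
useACK = true

# TLS to the indexer (indexer side must be splunktcp-ssl on the same port).
# The CA chain that signed the indexer certificate belongs in server.conf
# under [sslConfig] sslRootCAPath; with sslVerifyServerCert = false the
# forwarder would still connect to an impostor presenting any certificate.
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslPassword = <passphrase of the private key in forwarder.pem>
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.example.com, idx2.example.com
```

To check what the forwarder is really using, run splunk btool outputs list tcpout --debug (it prints the effective settings and the file each one comes from, which catches a stray outputs.conf in an app overriding system/local) and splunk list forward-server (it separates the configured destinations from the active ones). For the port and TLS itself, openssl s_client -connect idx1.example.com:9997 from the forwarder host shows whether the port answers at all and which certificate the indexer presents.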
Hi @BRFZ, forwarding to indexers is configured at global level; you don't need to add anything for this ingestion. Check if these logs are in the correct splunk_server. Ciao. Giuseppe
Yes, I installed an add-on on the search head, and I intend to send the data to the indexers for storage. However, the index was stored in this path /opt/splunk/etc/apps/search/local/indexers.conf instead of /opt/splunk/etc/system, so I don't see where I can configure the outputs to send the data.
Hi @BRFZ, let me understand: are you using the SH to collect events? This isn't a best practice. Anyway, if you are forwarding events from the SH to the indexers, you should be OK. Ciao. Giuseppe
The delete command essentially works in the same way in Splunk Cloud as it does in an on-prem infrastructure. It won't delete your data from DDAS, but will make it unsearchable.
I get you, but I want to create a timechart per the events or data coming through.
Unfortunately I can see the same: "something" instead of something.