OK, I misunderstood your new requirement.

<form version="1.1" theme="light">
  <label>Multiselect Text</label>
  <init>
    <set token="toktext">*</set>
  </init>
  <fieldset submitButton="false">
    <input type="checkbox" token="tokcheck">
      <label>Field</label>
      <choice value="Any field">Any field</choice>
      <choice value="category">Group</choice>
      <choice value="severity">Severity</choice>
      <default>category</default>
      <valueSuffix>=REPLACE</valueSuffix>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <change>
        <eval token="form.tokcheck">case(mvcount('form.tokcheck')=0,"category",isnotnull(mvfind('form.tokcheck',"Any field")),"Any field",1==1,'form.tokcheck')</eval>
        <eval token="tokcheck">if('form.tokcheck'="Any field","REPLACE",'tokcheck')</eval>
        <eval token="tokfilter">if($form.tokcheck$!="Any field",replace($tokcheck$,"REPLACE","\"".$toktext$."\""),$toktext$)</eval>
      </change>
    </input>
    <input type="text" token="toktext">
      <label>Value</label>
      <default>*</default>
      <change>
        <eval token="tokfilter">if($form.tokcheck$!="Any field",replace($tokcheck$,"REPLACE","\"".$toktext$."\""),$toktext$)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>$tokfilter$</title>
        <search>
          <query>index=* $tokfilter$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>
How do I run a search against a sourcetype (which is very low volume), and display a custom text when there are 0 events found? The search should be run for 30 days, with a span of 1 day. Output should be:

_time       results
04-23-2024  "No events found"
04-23-2024  "No events found"
...
06-30-2024  23
Hey, can anybody help with this task: how to find the account with the most login attempts in the 4624 events within a time span of 10 min?
After installing Splunk on a Windows or Linux server we are able to see the logs on the server, but we are not able to see the logs in Splunk, and we are getting the error message below:

07-01-2024 05:21:16.653 -0500 ERROR TcpOutputFd [2997818 TcpOutEloop] - Connection to host=<ip address>:9998 failed
Hi @BRFZ, forwarding to indexers is configured at global level; you don't need to add anything for this ingestion. Check if these logs are in the correct splunk_server. Ciao. Giuseppe
Yes, I installed an add-on on the search head, and I intend to send the data to the indexers for storage. However, the index was stored in this path /opt/splunk/etc/apps/search/local/indexers.conf instead of /opt/splunk/etc/system, so I don't see where I can configure the outputs to send the data.
Hi @BRFZ, let me understand: are you using the SH to collect events? This isn't a best practice. Anyway, if you are forwarding events from the SH to the indexers, you should be OK. Ciao. Giuseppe
The delete command essentially works in the same way in Splunk Cloud as it does in an on-prem infrastructure. It won't delete your data from DDAS, but will make it unsearchable.
I get you but I want to create a timechart per the events or data coming through
Unfortunately I can see the same: "something" instead of something.
Thank you for your response. Could you help me with the second problem? I have installed the add-on on the Search Head, and the index where the collected data is stored is located on the search head at the following path: '/opt/splunk/etc/apps/search/local/indexes.conf'. How can I direct this index to both indexers, which are not in a cluster?
Try something like this:

<form version="1.1" theme="light">
  <label>Multiselect Text</label>
  <init>
    <set token="toktext">*</set>
  </init>
  <fieldset submitButton="false">
    <input type="checkbox" token="tokcheck">
      <label>Field</label>
      <choice value="Any field">Any field</choice>
      <choice value="category">Group</choice>
      <choice value="severity">Severity</choice>
      <default>category</default>
      <valueSuffix>=REPLACE</valueSuffix>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <change>
        <eval token="form.tokcheck">case(mvcount('form.tokcheck')=0,"category",isnotnull(mvfind('form.tokcheck',"Any field")),"Any field",1==1,'form.tokcheck')</eval>
        <eval token="tokcheck">if('form.tokcheck'="Any field","REPLACE",'tokcheck')</eval>
        <eval token="tokfilter">if($form.tokcheck$!="Any field" OR $toktext$!="*",replace($tokcheck$,"REPLACE","\"".$toktext$."\""),null())</eval>
      </change>
    </input>
    <input type="text" token="toktext">
      <label>Value</label>
      <default>*</default>
      <change>
        <eval token="tokfilter">if($form.tokcheck$!="Any field" OR $toktext$!="*",replace($tokcheck$,"REPLACE","\"".$toktext$."\""),null())</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>$tokfilter$</title>
        <search>
          <query>index=* $tokfilter$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>
Hello, I have a dashboard with a checkbox and an input field. If you choose the Group and type 'something' into the text input, the search looks for category="something". If you choose Any field, the search looks for "something". I want to set it so that if I choose Any field the search does not add the quotes "", but only searches for something. But of course the quotes should remain with the other checkbox selections, like category="something".

The main goal would be that I'd like to be free to use the Any field option. So now if I type e.g. something OR anything, the search does not understand it correctly because it looks like "something OR anything", so it treats it as one value. I would like to see something OR anything.

Could you please help to modify my dashboard?

<form version="1.1" theme="light">
  <label>Multiselect Text</label>
  <init>
    <set token="toktext">*</set>
  </init>
  <fieldset submitButton="false">
    <input type="checkbox" token="tokcheck">
      <label>Field</label>
      <choice value="Any field">Any field</choice>
      <choice value="category">Group</choice>
      <choice value="severity">Severity</choice>
      <default>category</default>
      <valueSuffix>=REPLACE</valueSuffix>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <change>
        <eval token="form.tokcheck">case(mvcount('form.tokcheck')=0,"category",isnotnull(mvfind('form.tokcheck',"Any field")),"Any field",1==1,'form.tokcheck')</eval>
        <eval token="tokcheck">if('form.tokcheck'="Any field","REPLACE",'tokcheck')</eval>
        <eval token="tokfilter">replace($tokcheck$,"REPLACE","\"".$toktext$."\"")</eval>
      </change>
    </input>
    <input type="text" token="toktext">
      <label>Value</label>
      <default>*</default>
      <change>
        <eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>$tokfilter$</title>
        <search>
          <query>index=* $tokfilter$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

Thank you very much in advance!
I did install AdGuard (DNS blocker) and saw that beam.scs.splunk.com is one of the default blocked sites.
Hi @Rakeshar4u, I've included a link to the dashboard in the body of the alert email, but it appears as plain text rather than a clickable hyperlink. I also tried using <href>, but it still shows as plain text. Here's my alert configuration: My Splunk version is 9.2.1. Any insights would be appreciated.
Hi @LearningGuy, does the query return any results when you run it on the DB directly?

select * from host_ip

Also, I noticed you have "os_type" in your query vs "ostype" in your lookup. That could be the issue.
Hi @pratrox, could you please expand on the issue you are facing? Are you using the Splunk Add-on for Microsoft Windows? What do you mean by "full logs are not loading"? Does it mean some WinEventLog events are missing in Splunk which are present on your server, or are the events partially missing/cut in half in Splunk? As a first step, check for any parsing issues in your Splunk _internal logs:

index=_internal splunk_server=* source=*splunkd.log* component IN (AggregatorMiningProcessor LineBreakingProcessor DateParserVerbose) (log_level=WARN OR log_level=ERROR) data_sourcetype=WinEventLog*
Hi @karthi2809, there could either be a network issue, some unknown routing rules, or there may be a timestamp parsing issue. Unless you have some external network monitoring or logging for when the connection drops/fails to reach the endpoint, it can be tricky to pinpoint the cause of HEC issues. Do you have any such logging in the downstream Anypoint system?

So, to narrow down the issue, first check the Splunk _internal logs for any obvious timestamp parsing issues:

index=_internal splunk_server=* source=*splunkd.log* component=DateParserVerbose data_sourcetype=<your sourcetype>

If there are no obvious timestamp parsing issues returned, next check whether a single event from the missing time period has actually been indexed in Splunk. It could be that the timestamp extraction step has actually been bypassed, so the events have been indexed under a different timestamp, meaning they won't show up in your search. Search (using time period "All time"):

index=yourindex sourcetype=yoursourcetype _raw="full raw event copied from Anypoint logs"
Hi @Be_JAR, in your first screenshot, it looks like the k8s.pod.name field is already being extracted correctly? It seems to get extracted correctly when using this run-anywhere search with the payload you provided:

| makeresults
| eval _raw="{ \"deployment.environment\":\"entorno-pruebas\", \"k8s.cluster.name\":\"splunk-otel\", \"k8s.namespace.name\":\"default\", \"k8s.node.name\":\"minikube\", \"k8s.pod.name\":\"my-otel-demo-emailservice-fc5bc4c5f-jxzqz\", \"k8s.pod.uid\":\"5fe1ada8-8baa-4960-b873-381b475b2b26\", \"metric_type\":\"Gauge\", \"os.type\":\"linux\", \"metric_name:k8s.pod.filesystem.usage\":491520 }"
| spath
| stats values(k8s.pod.name) as k8s.pod.name
There was some maintenance activity which blocked the page from loading. Now I am able to access the web page.