All Posts


Hi @pratrox, could you please expand on the issue you are facing? Are you using the Splunk Add-on for Microsoft Windows? What do you mean by "full logs are not loading"? Does it mean some WinEventLog events which are present on your server are missing in Splunk, or are the events partially missing/cut in half in Splunk?

As a first step, check for any parsing issues from your Splunk _internal logs:

index=_internal splunk_server=* source=*splunkd.log* component IN (AggregatorMiningProcessor LineBreakingProcessor DateParserVerbose) (log_level=WARN OR log_level=ERROR) data_sourcetype=WinEventLog*
Hi @karthi2809, there could either be a network issue, some unknown routing rules, or there may be a timestamp parsing issue. Unless you have some external network monitoring or logging when the connection drops/fails to reach the endpoint, it can be tricky to pinpoint the cause of HEC issues. Do you have any such logging in the downstream Anypoint system?

So, to narrow down the issue, first check the Splunk _internal logs for any obvious timestamp parsing issues:

index=_internal splunk_server=* source=*splunkd.log* component=DateParserVerbose data_sourcetype=<your sourcetype>

If there are no obvious timestamp parsing issues returned, next check whether a single event from the missing time period has actually been indexed to Splunk. It could be that the timestamp extraction step has actually been bypassed, so the events have been indexed under a different timestamp, meaning they won't show up in your search. Search (using time period "All time"):

index=yourindex sourcetype=yoursourcetype _raw="full raw event copied from Anypoint logs"
Hi @Be_JAR, in your first screenshot, it looks like the k8s.pod.name field is already being extracted correctly? It seems to get extracted correctly when using this run-anywhere search using the payload you provided:

| makeresults
| eval _raw="{ \"deployment.environment\":\"entorno-pruebas\", \"k8s.cluster.name\":\"splunk-otel\", \"k8s.namespace.name\":\"default\", \"k8s.node.name\":\"minikube\", \"k8s.pod.name\":\"my-otel-demo-emailservice-fc5bc4c5f-jxzqz\", \"k8s.pod.uid\":\"5fe1ada8-8baa-4960-b873-381b475b2b26\", \"metric_type\":\"Gauge\", \"os.type\":\"linux\", \"metric_name:k8s.pod.filesystem.usage\":491520 }"
| spath
| stats values(k8s.pod.name) as k8s.pod.name
There was some maintenance activity which blocked the page from loading. Now I am able to access the web page.
Hi @sgabriel1962, what changes did you make, and how did you deploy them? Did you deploy a bundle from your cluster manager? Try running this on the cluster manager:

./bin/splunk validate cluster-bundle
From your query, it looks like you have already extracted TRN, tomcatget, Queue, TimeMQPut, Status, and Priority; is this correct? Is tomcatput the same as TimeMQPut? I assume a success is when Status is "Done"; what about non-successes, do you get a different value in Status?
We all know that Splunk Enterprise calculates license usage at index time, and the "| delete" command essentially just hides data from search, so it doesn't free up license usage. My question is whether this works the same way for Splunk Cloud / DDAS, or whether, if I run "| delete" from search, it will free up space in my DDAS entitlement.
This means that we can only return the standard content. Can't it be customized? Will these contain log message, resource, resourceType?

And I have a post interface like this: https://abc.ssnc-corp.cloud/splunk. I asked my Splunk administrator to add "ssnc-corp.cloud" to the allow list, but it didn't seem to work. Do we need to restart Splunk? How can I check the reason why it does not take effect?
Hi @Marcus-advent, The only parameter configurable via Splunk Web is the URL, which must be properly encoded. The webhook alert action uses a predefined JSON object body. The field values from the first result of your alert search will be added to the body's result field. See https://docs.splunk.com/Documentation/Splunk/latest/Alert/Webhooks for more information. The webhook source code is very simple. You can view it directly in $SPLUNK_HOME/etc/apps/alert_webhook/bin/webhook.py or by downloading and extracting a copy of Splunk Enterprise for any platform if you don't have access to your Splunk instance.
/opt/splunk/bin/splunk cmd openssl x509 -enddate -noout -in <PATH TO CERTIFICATE>
Hi Team, how do I check the expiry date of a certificate in Splunk on Windows using the command line? The user has local admin access and is not able to delete the server.pem file (is there any other way to delete it?).
Awesome, this works as well. Thanks again for your help on this one. 
This works! Thanks, man, for your help on this one.
As your policies JSON looks like it's an array, if you are saying that all events will have a 'default' policy as well as another policy, then this should work:

type="request" "request.path"="prod/"
| stats count by policies{}
| sort -count
| where 'policies{}' != "default"
| head 10
Put my additional SPL AFTER your original search; you've added it in the middle.
I am not sure I understood the additional dimension; too many numbers for my head, 8 windows, 6 samples, 5 samples... so I got lost. However, if this helps, in the first search, the range bands were simply defined as the age and then a fixed 14400 window. If you want to change the window as well, then you can use another array, i.e.

| eval age_ranges=split("1,6,11,31,61,91,121,241",",")
| eval window=split("1800,3600,5400,7200,14400,14400,14400,14400",",")
...
``` Band calculation ```
| foreach 0 1 2 3 4 5 6 7
    [ eval r=tonumber(mvindex(age_ranges, <<FIELD>>))*60,
           s=tonumber(mvindex(window, <<FIELD>>)),
           zone=if(age < s + r AND age > r, <<FIELD>>, null()),
           range=mvappend(range, zone) ]

but again, not sure I understood the requirement.
Yeah, I am a bit confused as well. It seems like the last part of the query "| sort - count | head 10" does not really do anything. So I've modified my search to be like:

type="request" "request.path"="prod/"
| stats count by account_namespace
| eval namespace=""
| xyseries namespace account_namespace count
| sort - count
| head 10

By using the above, it gives me a result where the account_namespace shows as a column with all the counts as the value. In the column it is showing all of them and not only the top 10 that have the highest count.
Hi there, I have this query below to search the top policies that have been used.

type="request" "request.path"="prod/"
| stats count by policies{}
| sort -count
| head 10

By default, all the policies are being generated with "default", which I wanted to get rid of when searching so it properly shows the top 10 policies only. The search query above gives example results like:

policies: default policies_1 policies_2 policies_3 ....

I wanted to get rid of the default showing in my result. Any idea or help is really appreciated.
Your original search will already limit the top 10, as you are doing sort+head, so not sure I understand how you are getting all results?
Thanks @bowesmana for your reply and for sharing the below. I have now managed to make it a multiseries chart by applying what you've shared below. However, it is showing the result of all of the account_namespace values; is there a way for me to filter the highest 10 counts and only show those?