There may be many ways to do that. Here's one.

...
| rex field=Host "(?<part1>[^\.]+)"
``` If the field just extracted is a number then the Host field probably is an IP address ```
| eval Host = if(isnum(part1), Host, part1)
...
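As an added example (not part of the original answer), the same rex/eval normalisation run against constructed sample hostnames, so its behaviour on an IPv4 address, a hostname whose first label starts with digits, a bare short name and an IPv6 literal can be checked before it is applied to real data. The `short_host` and `is_ipv4` field names are illustrative assumptions, and the `Host` values are constructed, not taken from any real inventory:

```spl
| makeresults
| eval Host="web01.corp.example.com,10.20.30.40,2012srv.lab.example.com,db01,fe80::1"
| makemv delim="," Host
| mvexpand Host
| rex field=Host "(?<part1>[^\.]+)"
| eval short_host=if(isnum(part1), Host, part1)
| eval is_ipv4=if(match(Host, "^\d{1,3}(\.\d{1,3}){3}$"), "yes", "no")
| table Host part1 short_host is_ipv4
```

Run it from the search bar with any time range; `makeresults` needs no index. The `is_ipv4` column uses an explicit dotted-quad regex, which is a stricter test than `isnum(part1)`: `isnum` only inspects the first label, so a host whose first DNS label is purely numeric (for example `123.example.com`) would also be left untouched as if it were an IP address. Use whichever test matches your naming conventions, and note that an IPv6 literal contains no dot, so `part1` is the whole address and the value passes through unchanged either way.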
I came across this post for Splunk Enterprise upgrade. https://community.splunk.com/t5/Installation/What-do-I-validate-after-I-upgrade-Splunk-Enterprise-to-confirm/m-p/479261 I need details about what to validate after ES upgrade. I already have this from Splunk docs. But I am looking for something as detailed as above post for ES. https://docs.splunk.com/Documentation/ES/7.3.1/Install/Upgradetonewerversion#Step_5._Validate_the_upgrade  
The search is very basic. The system is isolated so I can't copy/paste but it's just searching for one event code, action, and signature and tabling the results. There is nothing unique or unusual from other alert searches. I don't understand how anything in the search string would cause a 404 error. 
I wonder if an outer join might have worked, but join is rarely the best answer because it performs poorly. One other approach is to use a subsearch to find the interesting transaction IDs and then search for those IDs.

index="data" [search index="data" | stats values(eventtype) as eventtype by transaction_id | search eventtype="TYPE1" AND eventtype="TYPE2" | fields transaction_id | format ]
| table *
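As an added example (not the original answer's code), the same "transaction has both TYPE1 and TYPE2" selection done with `eventstats` instead of a subsearch, run over constructed sample events so it can be tested without an index. The `raw` and `all_types` field names and the `t1`..`t4` transaction IDs are assumptions for illustration:

```spl
| makeresults
| eval raw="t1:TYPE1,t1:TYPE2,t2:TYPE1,t3:TYPE2,t3:TYPE1,t3:TYPE3,t4:TYPE2"
| makemv delim="," raw
| mvexpand raw
| rex field=raw "^(?<transaction_id>[^:]+):(?<eventtype>.+)$"
| fields - raw
| eventstats values(eventtype) AS all_types BY transaction_id
| where isnotnull(mvfind(all_types, "^TYPE1$")) AND isnotnull(mvfind(all_types, "^TYPE2$"))
| table _time transaction_id eventtype all_types
```

Only the `t1` and `t3` events survive: `t2` and `t4` each have one of the two eventtypes, not both. On real data, replace the first five lines with `index="data"` and keep the rest. The advantage over the subsearch form is that `eventstats` keeps the original events and is not subject to the subsearch defaults in limits.conf (`[subsearch] maxout = 10000`, `maxtime = 60`), which silently truncate the list of transaction IDs when more than 10,000 qualify. The trade-off is that `eventstats` holds every group's values in memory, so on very large result sets prefer `stats values(eventtype) AS all_types, values(_raw) AS _raw BY transaction_id` followed by the same `where` clause.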
Start by creating a search which retrieves the information you are trying to find. How far have you got with that?
I am also experiencing this issue and have yet to find a solution. I am hopeful that the community will provide an answer to this problem.
It isn't in the XML code you posted.
The following macro formats the time to a standard UTC timezone:

[utc]
definition = eval time_offset=strftime(_time,"%:::z") | convert num(time_offset) | eval time_offset=if(time_offset<=0, "+" . -time_offset, tostring(-time_offset)), time_utc=relative_time(_time,time_offset . "h") | convert timeformat="%F %T UTC" ctime(time_utc) | convert `timeformat` ctime(_time) AS time_local

The following macro sets the time to the timezone of your choice:

[tz(1)]
definition = eval utc_offset=strftime(_time,"%:::z") | convert num(utc_offset) | eval tz_offset = $tz$ - utc_offset, tz_offset = if(tz_offset>=0,"+".tz_offset,tz_offset), utc_offset = if(utc_offset<=0,"+".-utc_offset,tostring(-utc_offset)) | eval time_tz=relative_time(_time, tz_offset . "h"), utc_time=relative_time(_time,utc_offset . "h") | convert timeformat="%F %T UTC" ctime(utc_time) | convert timeformat="%F %T UTC$tz$" ctime(time_tz) | convert `timeformat` ctime(_time) AS my_time | fields - tz_offset utc_offset* | rename time_tz AS "time:$tz$"
args = tz

[timeformat]
definition = timeformat="%F %T UTC%:::z %Z"
I am already using that; it's in the XML code.
Hello, I'm a beginner in Splunk. Currently I'm working with Splunk Enterprise. I want to retrieve microservice dependencies and export this information. How can I do that?
Perhaps if you elaborate on what your search is for your alert we might be able to help spot the issue?
Try this:

<earliest>$timepicker.earliest$</earliest>
<latest>$timepicker.latest$</latest>
I am getting a permission denied error in the Splunk forwarder logs: ERROR DC:DeploymentClient - Failed to save manifest file to disk at='/opt/splunkforwarder/var/run/serverclass.xml': Permission denied. serverclass.xml has read/write permission for the Splunk user on the server where the UF is installed. Can anyone help?
I just ran into the same issue. I upgraded to Splunk 9.2.1 and everything seemed to be working fine, and now I am unable to authenticate using a CAC card.
Can you elaborate on that? The search works fine on its own, and if the search was bad why would that cause the web page to not load? 
Hi @ITWhisperer, no. My ask is, for example, that in servicecode we have the values below: 2031, 1345, 2345, null, 5643. When I select a time range of 24 hours we have data for all the above codes, so they all show up in the ServiceCode drop-down. But when I select a time range of the last 15 minutes there are no logs for "null", yet it still shows up in the drop-down. We don't want to see the null option if logs are not present.
Please guide on onboarding Cloudflare with Splunk for a distributed architecture, along with information on which instance (HF, indexer, search heads, management instances) to install the add-on on, and on which instance to create the custom index.
Hi @Roger_FB, first of all, this question isn't for the Community; you should engage a Splunk Architect or Splunk PS. Anyway, let me understand: you have one Indexer in Site1 and two in Site2; indexes in Site2 must be replicated only on Indexers in Site2, while indexes in Site1 must also be replicated in Site2. I'm not sure it's possible to have indexes not replicated in both Sites. Ciao. Giuseppe
Hi @nspaitsec, license manager and clustered indexers.