All Posts


Hi @Nawab, compression must be applied both on the connections between the UFs and the IF, and between the IF and the IDXs. Only one question: why do you need an IF? Ciao. Giuseppe
Thank you for your support, I have updated the information, sorry because I did not capture it.
We have multiple forwarders sending data to an Intermediary Forwarder (IF) and that IF is sending data to the IDXs. The IF is not storing any data in this case. If we do compression on the IF, will it automatically apply to data coming from the UFs, or should we do this config on all UFs as well?
Here are the contents of the local.meta file:
[app/install/install_source_checksum]
version = 9.2.1
modtime = 1719187793.873274000

[]
access = read : [ * ], write : [ * ]
export = system
version = 9.2.1
modtime = 1719188413.914413000
Hi @ITWhisperer, the below error message is what I got: "The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings."
Please provide more specific examples of the events you are dealing with.
Dashboards are essentially representations of search results. Do you have some searches that provide the information you want from your logs?
Firstly, this looks like JSON, so you should probably look to use JSON extractions. If you are getting errors with this, then perhaps you could share what you tried and what errors you got, and perhaps it can be resolved that way. However, if you want to continue down the rex track (not recommended), you could try something like this:
| rex "\"CrmId\": \"(?<CrmId>[^\"]+).*\"status\": \"(?<status>[^\"]+).*\"source\": \"(?<source>[^\"]+).*\"leadId\": \"(?<leadId>[^\"]+).*\"isFirstLead\": \"(?<isFirstLead>[^\"]+).*\"offersinPrinciple\": \"(?<offersinPrinciple>[^\"]+).*\"sourceSiteId\": \"(?<sourceSiteId>[^\"]+).*\"howDidYouHear\": \"(?<howDidYouHear>[^\"]+)"
Hi team, I need to extract the highlighted fields in the below message using regex. I have tried Splunk's inbuilt field extraction; it throws an error when I use multiple fields.
{ "eventTime": "2024-06-24T06:15:42Z", "leaduuid": "1234455", "CrmId": "11111111", "studentCrmUuid": "634543564", "externalId": "", "SiteId": "xxxx", "subCategory": "", "category": "Course Enquiry", "eventId": "", "eventRegistrationId": "", "status": "Open", "source": "Online Enquiry", "leadId": "22222222",  "assignmentStatusCode": "", "assignmentStatus": "", "isFirstLead": "yes", "c4cEventId": "", "channelPartnerApplication": "no", "applicationReceivedDate": "", "referredBy": "", "referrerCounsellor": "", "createdBy": "Technical User",  "lastChangedBy": "Technical User" , "leadSubAgentID": "", "cancelReason": ""}, "offersInPrinciple": {"offersinPrinciple": "no", "oipReferenceNumber": "", "oipVerificationStatus": ""}, "qualification": {"qualification": "Unqualified", "primaryFinancialSource": ""}, "online": {"referringUrl": "", "idpNearestOffice": "", "sourceSiteId": "xxxxx", "preferredCounsellingMode": "", "institutionInfo": "", "courseName": "", "howDidYouHear": "Social Media"}
Hi Team, we are setting up minimalistic dashboards for application logs. Application logs include local server logs, application logs, TIBCO logs and Kibana logs. Is there a standard dashboard setup available for an application log monitoring dashboard? Please guide me to create one dashboard for application log monitoring. Thanks,
Hello everyone, I am a newbie in this field, and I am looking forward to your help. I am using Eventgen to create data samples for Splunk Enterprise. I have a datamodel "Test", a dataset "datasetA" in that datamodel, "datasetB" inherited from "datasetA" and "datasetC" inherited from "datasetB". All the data samples satisfy the base search and constraints of all datasets. It means all data samples are the same in the 3 datasets above. The problem is that there are values for datasetA.fieldname, but not for datasetB.fieldname, even though datasetB is inherited from datasetA. Does anyone have the same problem? More information: sorry because I do not capture it.
Example:
|tstats values(datasetA.action) from datamodel=Test -> result: 3 actions
|stats values(datasetA.datasetB.action) from datamodel=Test -> result: no result found
The data samples in datasetA and datasetB are the same. Thank you for reading.
Hi, sure, let me try this regex and see. Yes, there are no blank spaces after each line containing null values.
Yes, the result would be the same whenever it runs, but I would prefer it to execute only after the user clicks on the Submit button.
This is expected behaviour: if the panel search has no dependencies, it will execute. Why would this be a problem? Since there are no dependencies, shouldn't the result be the same whenever it runs?
Hi all, I recently installed this add-on on my cluster (HFs, IDXs, SHs). I copied props.conf and transforms.conf into the local directory and uncommented the mappings to sourcetype elastic:auditbeat:log. But this action had no effect, and I still just see one sourcetype: elastic:auditbeat:log. Any ideas are appreciated. Thanks.
Hello @ITWhisperer, this worked. Thanks for your help.
I have a dashboard where I have multiple form inputs and I am using them in multiple panels (which I have not given here). I don't want any panel to run its search before the Submit button is clicked. But one panel, where I have not used any of the user inputs or tokens, simply runs as soon as the dashboard loads. I am not sure if this is the expected behaviour, and whether I have to add token dependencies separately for that panel search to stop it from autorunning. I appreciate your valid suggestions here.
<form version="1.1" theme="dark">
  <fieldset autoRun="false" submitButton="true">
    <input type="time" token="token_time" searchWhenChanged="false">
      <label>Time</label>
      <default>
        <earliest>-1d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Dashboard Title</title>
        <search>
          <query>Search Query </query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>
I want to search for the string value defined in the text field anywhere in the event.
Please clarify what you mean by "except any field". Do you want to filter by searching all your fields for any of them having the value defined in the text field? If so, you need to identify all the field names. Or do you simply want to search for the string value defined in the text field anywhere in the event?