All Posts

Hi @RahulMisra1, the outputlookup command is used to write the lookup file (we can overwrite or append the lookup file). Please note: this one overwrites the lookup file. If you want to append, please let us know.

index=abc IP!="10.*" [| inputlookup ip_tracking.csv | rename test_DATA AS MID | format ]
| lookup test_MID_IP.csv test_IP as IP OUTPUT test_IP
| eval match=if('IP'== test_IP, "yes", "no")
| search match=no
| stats count by IP
| outputlookup test_MID_IP.csv
Could you please share the alert script or command?
Yes, it is possible.
1) Install a Universal Forwarder (UF) on the Windows server.
2) Enable the [perfmon://LogicalDisk] input on the UF. Restart the UF for the change to take effect.
3) Create an alert that triggers at the desired value of the % Free Space field.
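As an added example (not part of the answer above), here is what steps 2 and 3 look like in configuration: an inputs.conf stanza for the UF and a savedsearches.conf alert stanza for the search head. The index name perfmon, the 10% threshold, the 5-minute collection interval, the 15-minute schedule and the email address are assumptions; the sourcetype and field names (Perfmon:LogicalDisk, counter, instance, Value) are the defaults the Windows perfmon input produces.

```ini
# inputs.conf on the Universal Forwarder (added example; index name and
# interval are assumptions, not values from the answer above)
[perfmon://LogicalDisk]
object = LogicalDisk
counters = % Free Space; Free Megabytes
instances = *
interval = 300
index = perfmon
disabled = 0

# savedsearches.conf on the search head: one result row per volume under 10% free.
# instance!="_Total" drops the aggregate row; the 10% threshold is an assumption.
[Low disk space on Windows hosts]
search = index=perfmon sourcetype="Perfmon:LogicalDisk" counter="% Free Space" instance!="_Total" \
| stats latest(Value) AS free_pct BY host instance \
| where free_pct < 10 \
| sort free_pct
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
action.email = 1
action.email.to = ops-team@example.com
action.email.subject = Low disk space: $job.resultCount$ volume(s) under 10% free
```

The alert fires whenever the search returns at least one row, so the threshold lives in the `where` clause rather than in the alert condition; adjust `free_pct < 10` to taste. Using `latest(Value)` per host and instance means a volume that has recovered within the window does not keep alerting.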
Hi @SaintNick, Stack Exchange gave this one: https://unix.stackexchange.com/questions/710815/how-do-i-make-cron-use-utc. If you are using Windows, or if the above idea didn't work and you are looking for a simple shortcut, simply convert the time to UTC manually and update the cron accordingly.
Great! Thanks for your help. I had checked the article, but each bucket consists of raw data and a tsidx file only. I am asking: after the raw data is parsed and normalized, should it be stored somewhere in the parsed form?
Call out to any Splunk engineer or moderator to answer this simple question!
Thanks Giuseppe, that's exactly what I want to know: how to tell the cron to run in UTC times.
No worries, glad it worked out.
I guess you can have the same auto lookup attribute names inside the same app, which then point to the lookup files being used, but it causes issues when the same name is inside another app (I know Splunk sends a message for saved searches with the same or duplicate name, but I don't think it does for lookups). So, something like this alert may help:

| rest splunk_server=local servicesNS/admin/search/data/props/lookups
| search attribute=LOOKUP-*
| stats count by attribute
```Filter or add ones that are OK, as there may be other attributes that use similar lookups in the same App context```
```| search NOT attribute="LOOKUP-my_ok_lookup1" NOT attribute="LOOKUP-my_ok_lookup2"```
| eval duplicate=if(count > 1, "Yes", "No")
| where count > 1

You can then find out and explore whether there are other apps that use the same attribute name. Example in your case, eventcode:

| rest splunk_server=local servicesNS/admin/search/data/props/lookups
| search attribute=LOOKUP-eventcode

Have a play and see if this helps.
How can we configure a disk space alert using Splunk? Is it possible?
How do I update test_MID_IP.csv with the output IP, so that next time it runs with the updated list?

index=abc IP!="10.*" [| inputlookup ip_tracking.csv | rename test_DATA AS MID | format ]
| lookup test_MID_IP.csv test_IP as IP OUTPUT test_IP
| eval match=if('IP'== test_IP, "yes", "no")
| search match=no
| stats count by IP
I had defined the complete path in inputs.conf and restarted the Splunk forwarder, but got an error in the splunkd logs. Kindly refer to the attachment.
Remove the CDATA bracketing - it is not required
I am creating a dashboard view using HTML/CSS code, but after saving, the dashboard shows in text format only. Below is the code and how the dashboard looks:

<dashboard>
  <label>Manual-supression</label>
  <description>Please enter the values for your One-Time-Blackout.</description>
  <row>
    <panel>
      <html>
        <![CDATA[
        <style>
          .container { width: 100%; max-width: 600px; margin: 0 auto; padding: 20px; background: white; border-radius: 10px; box-shadow: 0 0 10px rgba(0, 0, 0, 0.1); }
          .container h1 { color: #4CAF50; text-align: center; }
          .form-group { margin-bottom: 15px; }
          .form-group label { display: block; font-weight: bold; }
          .form-group input, .form-group select, .form-group textarea { width: 100%; padding: 10px; border: 1px solid #ccc; border-radius: 5px; }
          .form-group input[type="datetime-local"] { padding: 8px; }
          .save-button { display: block; width: 100%; padding: 10px; background-color: #4CAF50; color: white; border: none; border-radius: 5px; cursor: pointer; text-align: center; font-size: 16px; }
        </style>
        <div class="container">
          <h1>One-Time-Blackout</h1>
          <div class="form-group">
            <label for="blackoutFilter">Blackout Filter</label>
            <input type="text" id="blackoutFilter" placeholder="Please enter a blackout filter or a blackout filter list separated by commas.">
          </div>
          <div class="form-group">
            <label for="startDate">Start Date and Time</label>
            <input type="datetime-local" id="startDate">
          </div>
          <div class="form-group">
            <label for="endDate">End Date and Time</label>
            <input type="datetime-local" id="endDate">
          </div>
          <div class="form-group">
            <label for="timeZone">Time Zone</label>
            <select id="timeZone">
              <option value="UTC+0">UTC +0h</option>
              <!-- Add other time zones as needed -->
            </select>
          </div>
          <div class="form-group">
            <label for="blackoutActive">Blackout Active</label>
            <select id="blackoutActive">
              <option value="true">True</option>
              <option value="false">False</option>
            </select>
          </div>
          <div class="form-group">
            <label for="description">Description</label>
            <textarea id="description" placeholder="Additional information about this entry."></textarea>
          </div>
          <button class="save-button">Save</button>
        </div>
        ]]>
      </html>
    </panel>
  </row>
</dashboard>

Output, rendered as plain text:

Manual-supression Please enter the values for your One-Time-Blackout. <style> .container { width: 100%; max-width: 600px; margin: 0 auto; padding: 20px; background: white; border-radius: 10px; box-shadow: 0 0 10px rgba(0, 0, 0, 0.1); } .container h1 { color: #4CAF50; text-align: center; } .form-group { margin-bottom: 15px; } .form-group label { display: block; font-weight: bold; } .form-group input, .form-group select, .form-group textarea { width: 100%; padding: 10px; border: 1px solid #ccc; border-radius: 5px; } .form-group input[type="datetime-local"] { padding: 8px; } .save-button { display: block; width: 100%; padding: 10px; background-color: #4CAF50; color: white; border: none; border-radius: 5px; cursor: pointer; text-align: center; font-size: 16px; } </style> <div class="container"> <h1>One-Time-Blackout</h1> <div class="form-group"> <label for="blackoutFilter">Blackout Filter</label> <input type="text" id="blackoutFilter" placeholder="Please enter a blackout filter or a blackout filter list separated by commas."> </div> <div class="form-group"> <label for="startDate">Start Date and Time</label> <input type="datetime-local" id="startDate"> </div> <div class="form-group"> <label for="endDate">End Date and Time</label> <input type="datetime-local" id="endDate"> </div> <div class="form-group"> <label for="timeZone">Time Zone</label> <select id="timeZone"> <option value="UTC+0">UTC +0h</option> <!-- Add other time zones as needed --> </select> </div> <div class="form-group"> <label for="blackoutActive">Blackout Active</label> <select id="blackoutActive"> <option value="true">True</option> <option value="false">False</option> </select> </div> <div class="form-group"> <label for="description">Description</label> <textarea id="description" placeholder="Additional information about this entry."></textarea> </div> <button class="save-button">Save</button> </div>
Hi @jacknguyen, as @deepakc also said, check if the file is corrupted, and eventually open a case with Splunk Support. Ciao. Giuseppe
You were so right @deepakc! Thanks a lot. I had duplicate eventcode lookups created by Microsoft Windows Defender Add-on for Splunk and Splunk_TA_microsoft_sysmon. I just removed the Defender Add-on, which is not officially supported. I need to find another one with support that, I guess, will not generate this type of conflict. Do you have any suggestions for this?
Of course this is the Splunk license I requested. This is a stand-alone server. My license can be added on all my labs, but this server gives error 500 when I click Add License on the WebUI.
From the error, it states "failed to parse license because: The license payload seems to be empty". It's normally in XML format, so you should be able to check it and that it's not corrupted etc. If you're still having license issues then contact Splunk to ensure you have the correct license. Follow these steps: https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Installalicense
Hi @wxlcba, in addition to the checks hinted at by @deepakc, did you download and install on your HFs the forwarder app from Splunk Cloud? It contains the configuration for the connection. Ciao. Giuseppe
Hi @jacknguyen, I suppose that you used the splunk.license file, which you should have received from Splunk. How did you load the license? Did you follow the procedure at https://docs.splunk.com/Documentation/Splunk/9.2.1/Installation/Installalicense, even if it's a very simple process? Do you have a distributed architecture or a single stand-alone server? If you have a distributed architecture, you must load the license in the License Master. Ciao. Giuseppe