All Posts
| rest /servicesNS/-/-/saved/searches splunk_server=local
Getting all of your stored searches from the Search Head will be much easier with this.
Check this path in the Indexer's filesystem: /opt/splunk/var/lib/splunk/<any_index>/db
The index data lives on the Splunk indexer servers. You typically use a Splunk Universal Forwarder or Heavy Forwarder or some other means to send data to the Indexers, and it gets stored into a bucket (folder). So log in to your Splunk indexers, go to the storage volume and see the data there. See the table section "What the index directories look like"; this will show you the paths: https://docs.splunk.com/Documentation/Splunk/9.2.1/Indexer/HowSplunkstoresindexes
If this is my current query... <I am currently sending metric-data to O11y and receiving data through the splunk sim command. What I'm curious about is that I want to optimize my current query using base-search. Is this possible?>

| sim flow query="A = data('sap.hana.connection.count', rollup='latest').sum(by=['CONNECTION_STATUS']).publish(label='A')" resolution=10 | tail 20 | stats avg(_value) as avg_val by _time, CONNECTION_STATUS

<row>
  <panel id="connections">
    <html depends="$hiddenForCSS$">
      <style>
        #connections{ width: 15% !important; }
      </style>
    </html>
    <single>
      <title>Connections</title>
      <search>
        <query>| sim flow query="A = data('sap.hana.connection.count', rollup='latest').sum().publish(label='A')" | stats sum(_value) as host_sum by _time</query>
        <earliest>$global_time.earliest$</earliest>
        <latest>$global_time.latest$</latest>
        <sampleRatio>1</sampleRatio>
        <refresh>$time_set$</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="colorBy">value</option>
      <option name="colorMode">none</option>
      <option name="drilldown">none</option>
      <option name="height">151</option>
      <option name="numberPrecision">0</option>
      <option name="rangeColors">["0x555","0x118832","0x1182f3","0xf1813f","0xdc4e41"]</option>
      <option name="rangeValues">[0,30,50,70]</option>
      <option name="refresh.display">progressbar</option>
      <option name="showSparkline">0</option>
      <option name="showTrendIndicator">0</option>
      <option name="trellis.enabled">0</option>
      <option name="trellis.scales.shared">1</option>
      <option name="trellis.size">medium</option>
      <option name="trendColorInterpretation">standard</option>
      <option name="trendDisplayMode">absolute</option>
      <option name="unitPosition">after</option>
      <option name="useColors">1</option>
      <option name="useThousandSeparators">1</option>
    </single>
  </panel>
  <panel id="Con_state">
    <html depends="$hiddenForCSS$">
      <style>
        #Con_state{ width: 34% !important; }
      </style>
    </html>
    <single>
      <title>Connections by state</title>
      <search>
        <query>| sim flow query="A = data('sap.hana.connection.count', rollup='latest').sum(by=['CONNECTION_STATUS']).publish(label='A')" resolution=10 | tail 20 | stats avg(_value) as avg_val by _time, CONNECTION_STATUS</query>
        <earliest>$global_time.earliest$</earliest>
        <latest>$global_time.latest$</latest>
        <sampleRatio>1</sampleRatio>
        <refresh>$time_set$</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="colorMode">none</option>
      <option name="drilldown">none</option>
      <option name="height">174</option>
      <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
      <option name="refresh.display">progressbar</option>
      <option name="trellis.enabled">1</option>
      <option name="trellis.scales.shared">0</option>
      <option name="trellis.size">medium</option>
      <option name="useColors">1</option>
    </single>
  </panel>
</row>
Having a HF with a higher version than the Indexers is not recommended by Splunk. Obviously you can do it, and if it's just between minor versions you may get away with it, but you will probably encounter problems that may seem like "bugs" but are just compatibility problems. Check the docs: https://docs.splunk.com/Documentation/VersionCompatibility/current/Matrix/Compatibilitybetweenforwardersandindexers   I would suggest installing a v7 HF as a quick fix, but then upgrade the Indexers asap to the current version, as they are EOL.
Support would be something that comes to mind in this process. Best practice is to use indexers with versions that are the same as or higher than forwarder versions, as you stated. I have found that sometimes you can't always upgrade for whatever reason, and it will work, but then some features become deprecated or updated, and it may stop working or have some breaking changes. So, you take the risk.  All 7.x Splunk Enterprise versions are now end of support, so should you encounter problems, you have no support. See below for Splunk End Of Life Support: https://www.splunk.com/en_us/legal/splunk-software-support-policy.html
HI guys, I try to add a new Splunk license on WebUI and CLI, both failed.
On CLI, I see the error:
/opt/splunk/etc/licenses/enterprise/24.7.License: failed to parse license because: The license payload seems to be empty
On WebUI, when I add it I get a 500 Error; on searching as recommended on the error page
index=_internal host="monitor*" source=*web_service.log log_level=ERROR requestid=666fdcbe397fd164249e90
I get this:
2024-06-17 13:50:38,231 ERROR [666fdcbe397fd164249e90] error:338 - Traceback (most recent call last):
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cprequest.py", line 628, in respond
    self._do_respond(path_info)
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cprequest.py", line 680, in _do_respond
    self.body.process()
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 982, in process
    super(RequestBody, self).process()
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 559, in process
    proc(self)
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 225, in process_multipart_form_data
    process_multipart(entity)
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 217, in process_multipart
    part.process()
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 557, in process
    self.default_proc()
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 717, in default_proc
    self.file = self.read_into_file()
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 731, in read_into_file
    fp_out = self.make_file()
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 513, in make_file
    return tempfile.TemporaryFile()
  File "/test1/opt/splunk/lib/python3.7/tempfile.py", line 586, in TemporaryFile
    prefix, suffix, dir, output_type = _sanitize_params(prefix, suffix, dir)
  File "/test1/opt/splunk/lib/python3.7/tempfile.py", line 126, in _sanitize_params
    dir = gettempdir()
  File "/test1/opt/splunk/lib/python3.7/tempfile.py", line 294, in gettempdir
    tempdir = _get_default_tempdir()
  File "/test1/opt/splunk/lib/python3.7/tempfile.py", line 229, in _get_default_tempdir
    dirlist)
FileNotFoundError: [Errno 2] No usable temporary directory found in ['/tmp', '/var/tmp', '/usr/tmp', '/']
Anyone know why? Thank you for your time
Will filldown do the trick? E.g. | filldown catchup_updated_time
Ah okay, thanks, gotcha.  Current output is like the table I showed, and desired output is the table after that. catchup_updated_time is not populated for some as it's taken from another sourcetype, which is www_cattchup_Logs. Please let me know if further info is required.
Start here:
| rest "/servicesNS/-/-/saved/searches" splunk_server=local search="is_scheduled=1" | rename eai:* as * acl.app as app | fields title app author type search
That will give you the data, then do what you need to do with it.
I want to get a list of scheduled saved searches with the name and the searches themselves. Can anybody help?
Hi Splunk, we are setting up a Splunk Heavy Forwarder with version 9 for development testing and configuring it to forward data to a Splunk Indexer with version 7, and we are collecting data through the DB Connect App. We would like to know if there will be any issues with the Heavy Forwarder sending data to the Indexer running version 7. Of course, it is best to upgrade to the same version, but we would like to first check if there are any issues in this process.  If you need more information about this configuration, ask me anytime.
Hi @KendallW, Apologies for the late reply. I tried it but still doesn't return the expected outcome.
I cannot renew my developer license according to https://dev.splunk.com/enterprise/dev_license/. I get the same error code 400 every time. I also cannot get a response when I send an email to devinfo@splunk.com. What should I do?
I understood, but you can't do what you want to do and it's unlikely to get supported, but by all means create a new idea in that ideas link I posted.  
Yes, you can just say  | eval behindfirewall=max(behindfirewall)  however, I am not sure if that will totally work, because if something in my example is attached to LoadBalancer-B, then it will assume it's behind the firewall, so I'm not totally sure if my suggestion is valid.
Correct, the match statement will break things because all events will match the match key.
Does your lookup definition contain nnn* or just nnn? To use a wildcard, the lookup itself should have an asterisk.
The page has moved. Recommend you google it. Today it's found here https://www.splunk.com/en_us/resources/personalized-dev-test-licenses.html?301=/dev-test&locale=en_us