Right, change the index. For license:

index=summary
| stats sum(b) as totalBytes by host, index, source, sourcetype
| eval host=lower(host)
| eval MB=totalBytes/1024/1024
| eval GB=round(MB/1024,2)
| sort - GB
| head 100
| table host index source sourcetype GB

Best,
Giulia
Hi @WilmarMeyer - this is on the Splunk side: Server Settings -> IP Allow List Management -> "Search Head API Access".
@gcasaldi Here it just pulls the cluster master server information with GB when I ran the query for last month, and not any other results. Refer to the screenshot for reference.
Hello All,

Please, I need help with the below. I am trying to display a particular column with the below query, but I got a 'no results found' output:

| inputlookup TagDescriptionLookup.csv
| fields Site UnitName TagName TagDescription Units
| where column = "TagName"
| rename column AS ColumnName
| table ColumnName

Thanks
Try like this (select the time range from the search):

index=_internal source=*license_usage.log type="Usage"
| stats sum(b) as totalBytes by host, index, source, sourcetype
| eval host=lower(host)
| eval MB=totalBytes/1024/1024
| eval GB=round(MB/1024,2)
| sort - GB
| head 100
| table host index source sourcetype GB

Let me know.

Best,
Giulia
I installed a new Splunk pprod platform and I would like to migrate all the prod data to the new platform. I restored the search head prod cluster on the pprod cluster with the backup and restoration of the .bundle as indicated in this link: https://docs.splunk.com/Documentation/Splunk/8.2.12/DistSearch/BackuprestoreSHC The problem I have is a difference in the number of lookups between the prod and the pprod (pprod contains 1240 lookups and 58 datamodels, while the prod contains 1270 lookups and 59 datamodels). Why do I have this difference even though I restored the pprod cluster with the prod .bundle? What can I do to have the same number on both platforms?
Any help?
I have added the following to a dashboard to try and set the variable when it loads:

<init>
  <condition match="$env:instance_type$ == cloud">
    <set token="URL">Chips</set>
  </condition>
  <condition>
    <set token="URL">Fish</set>
  </condition>
</init>

While the $env:instance_type$ works to bring back the details of the environment when I map it directly in an HTML block, it does not seem to want to evaluate in the init tags... I do not really want to push this into the parameters on the dashboard, as this will confuse users and end up with mistakes happening. Is there anywhere else I can set this seamlessly as the dashboard loads?
@gcasaldi, thank you for your prompt response. For example, I want to pull the report for the entire month of May (from May 1st to May 31st, 2024) for the top 100 hosts by license usage, along with their index, host, source, and sourcetype. I used the following query:

index=_internal source=*license_usage.log type="Usage"
| eval host=lower(host)
| eval MB=b/1024/1024
| eval GB=round(MB/1024,2)
| search earliest=-1mo@d latest=now@d
| sort - GB
| head 100
| table host index source sourcetype GB

However, the query seems to be running continuously and does not produce any results. It is still running when I search for the previous month in the Search and Reporting app. Could you please let me know where I might have made a mistake?
You can achieve this by leveraging internal indexes and configuring a report. Here's how:

Search query below. This search query retrieves license usage data by host for a specific time range (the explanations are SPL comments, so the search runs as written):

index=_internal source=*license_usage.log type="Usage"
| eval host=lower(host) ```Standardize hostname (optional)```
| eval MB=b/1024/1024 ```Convert bytes to Megabytes```
| eval GB=round(MB/1024,2) ```Convert Megabytes to Gigabytes (round to 2 decimals)```
| search earliest=-1mo@d latest=now@d ```Adjust timeframe as needed (e.g., -3mo@d for past 3 months)```
| sort - GB ```Sort by license usage in descending order```
| head 100 ```Limit results to top 100 hosts```
| table host GB source sourcetype
Need to pull the license usage in GB for the top 100 hosts, along with their respective index, source and sourcetype information, on a monthly basis for reports. So kindly help with the query.
I am following the documentation to log events using JavaScript: https://dev.splunk.com/enterprise/docs/devtools/javascript/logging-javascript/loggingjavascripthowtos/howtologhttpjs

I am sending the data as below but couldn't see any of the keys in the Splunk log.

var payload = {
  message: {
    temperature: "70F",
    chickenCount: 500
  }
};
I am facing the same issue. Not able to see any of the data in Splunk. Did you find the solution to get the data? Please let me know how to resolve this issue.
Hi Team, one of the endpoints (Get shipping) under the business transaction is not being captured consistently, and I don't know why it's behaving this way. Could anyone help me with this issue? I just selected 8 days of data.
Thanks - tokens look promising enough... I can check if it is Cloud and, if so, set the token to one value; if not, to another.
In a multi-site cluster, if initially the replication factor was

site_replication_factor = origin:2,total:2
site_search_factor = origin:1,total:1

and later I change it to

site_replication_factor = origin:2,total:3
site_search_factor = origin:1,total:2

will the old data also be replicated with the new replication and search factor, or will only the new data have the replication copies as per the new replication and search factors?
Hi Team,

We have deployed Splunk Cloud in our environment and currently have a requirement to generate monthly report statistics separately based on Index, Host, Source, and Sourcetype. Could you please provide the queries to pull the required statistics in Splunk? We need separate reports for the top 10 in GB, excluding internal indexes and their sourcetypes. Your assistance with the query is much appreciated.
@gcusello When I navigate to the Cloud Monitoring Console -> License Usage -> Workload, I can see Indexing Process -> Peak SVC usage per hour split by indexing source. So when I open the query in another search window, I can see the query as below:

index=summary source="splunk-ingestion" [`sim_get_local_stack` | eval host="*.".stack.".*splunk*" | fields host]
| dedup keepempty=t _time idx st
| stats sum(ingestion_gb) as ingestion_gb by _time idx
| eventstats sum(ingestion_gb) as total_gb by _time
| eval pct=ingestion_gb/total_gb
| bin _time span=1h
| join _time [ search index=summary source="splunk-svc-consumer" svc_consumer="data services" svc_usage=*
    | fillnull value="" svc_consumer process_type search_provenances search_type search_app search_label search_user unified_sid search_modes labels search_head_names usage_source
    | eval unified_sid=if(unified_sid="",usage_source,unified_sid)
    | stats max(svc_usage) as utilized_svc by _time svc_consumer search_type search_app search_label search_user search_head_names unified_sid process_type
    | timechart span=1h sum(utilized_svc) as svc_usage ]
| eval svc_usage=svc_usage*pct
| timechart useother=false span=1h sum(svc_usage) by idx

I need to generate three separate reports, each identifying the top 10 items based on license usage in GB over the last 30 days. Specifically, I want to pull the following information:

1. The top 10 indexes (excluding internal indexes).
2. The top 10 sourcetypes (excluding internal index sourcetypes).
3. The top 10 sources.

These reports need to be scheduled to run every month. Could you please provide the queries for these three requirements?
That's my outputs.conf:

[syslog]
defaultGroup = group2

[syslog:remote_siem]
server = xx.xx.xx.xx:514
sendCookedData = false
Hello Community,

I am wondering: I forward the logs using syslog instead of TCP. I received the packets using tcpdump and everything is good, but the data is not showing there, even though it's transferred according to tcpdump....

That's my configuration on the HF:

outputs.conf

[syslog]
defaultGroup = group2

[syslog:remote_siem]
server = xx.xx.xx.xx:514
sendCookedData = false

transforms.conf

[send_tmds_to_remote_siem]
REGEX = .
SOURCE_KEY = _MetaData:Index
DEST_KEY = _SYSLOG_ROUTING
FORMAT = remote_siem

[send_tmao_to_remote_siem]
REGEX = .
SOURCE_KEY = _MetaData:Index
DEST_KEY = _SYSLOG_ROUTING
FORMAT = remote_siem

props.conf

[source::udp:1518]
TRANSFORMS-send_tmds_to_remote_siem = send_tmds_to_remote_siem

[source::udp:1517]
TRANSFORMS-send_tmao_to_remote_siem = send_tmao_to_remote_siem

Is it fine, or is something not correct? Please help.