All Posts

Hi @marysan - please see attached screenshots for Alert Configuration.          
Thank you so much for the response @tscroggins. I will validate using your math, though looking at it, it may suggest it is not a negative number, but I will definitely double check. I will also reach out to our support. Thank you so much.
Thank you for your help.
I am trying to create a Splunk alert to monitor the heap used utilization and alert when it exceeds 85 percent. Can anyone please help? heap.used would be the keyword below.

The raw data:

PLATFORMINSTRUMENTS {"timestamp":"1717989699","instrumentList":[{"name":"sr.jql-functions.linkedIssuesOf","value":"2703057"},{"name":"writer.lucene.commit","value":"72497"},{"name":"index.writes","value":"46672292"},{"name":"cache.JiraOsgiContainerManager.hitCount","value":"0"},{"name":"cache.VelocityTemplateCache.totalLoadTime","value":"0"},{"name":"cache.VelocityTemplateCache.directives.evictionCount","value":"0"},{"name":"entity.workflows.total","value":"186"},{"name":"jmx.class.loaded.total","value":"209062"},{"name":"db.conns.time.to.borrow","value":"0"},{"name":"entity.attachments.total","value":"7707192"},{"name":"jmx.thread.cpu.wait.count","value":"0"},{"name":"issue.index.reads","value":"108244292"},{"name":"entity.projects.total","value":"2315"},{"name":"issue.worklogged.count","value":"2938"},{"name":"sr.jql-functions.addedAfterSprintStart","value":"7490"},{"name":"jira.license","value":"0"},{"name":"jmx.thread.ever.count","value":"329348"},{"name":"db.conns","value":"433059620"},{"name":"cache.i18n.CachingI18nFactory.missCount","value":"0"},{"name":"dbcp.maxActive","value":"-1"},{"name":"concurrent.requests","value":"0"},{"name":"jmx.memory.nonheap.committed","value":"1913360384"},{"name":"replicated.index.operations.total","value":"1390921"},{"name":"sr.jql-functions.removedAfterSprintStart","value":"1841"},{"name":"dbcp.numIdle","value":"31"},{"name":"sr.jql-functions.releaseDate","value":"32988"},{"name":"sr.jql-functions.linkedIssuesOfAllRecursive","value":"2169"},{"name":"entity.versions.total","value":"88928"},{"name":"jmx.memory.nonheap.used","value":"1783621536"},{"name":"cache.VelocityTemplateCache.missCount","value":"0"},{"name":"cache.VelocityTemplateCache.directives.loadSuccessCount","value":"0"},{"name":"cache.JiraOsgiContainerManager.size","value":"23"},{"name":"entity.issues.total","value":"12654909"},{"name":"jmx.memory.heap.used","value":"14251500568"},{"name":"sr.jql-functions.epicsOf","value":"301596"},{"name":"sr.jql-functions.aggregateExpression","value":"10"},
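An added example of an alert search for the event format posted above; it is not part of the original post or of any reply in this thread. It assumes the events are indexed as the raw `PLATFORMINSTRUMENTS {...}` line shown, that the index and sourcetype names (`jira` and `jira:instruments` here) are replaced with the real ones, and that a `jmx.memory.heap.max` instrument is emitted alongside `jmx.memory.heap.used`. Only `heap.used` and the non-heap counters are visible in the truncated sample, so the name of the maximum is an assumption; confirm it first with `| spath input=json path=instrumentList{}` and a `| search name=jmx.memory.heap.*`, since a percentage computed against the wrong denominator (or against `committed`, which grows over time) will silently under- or over-alert.

```spl
index=jira sourcetype="jira:instruments" "PLATFORMINSTRUMENTS"
| rex field=_raw "PLATFORMINSTRUMENTS\s+(?<json>\{.*\})"
| spath input=json path=instrumentList{} output=instrument
| mvexpand instrument
| spath input=instrument path=name output=name
| spath input=instrument path=value output=value
| search name IN ("jmx.memory.heap.used", "jmx.memory.heap.max")
| eval value=tonumber(value)
| stats latest(value) AS value BY host name
| eval heap_used=if(name="jmx.memory.heap.used", value, null()),
       heap_max=if(name="jmx.memory.heap.max", value, null())
| stats max(heap_used) AS heap_used max(heap_max) AS heap_max BY host
| eval heap_pct=round(heap_used * 100 / heap_max, 2)
| where heap_pct > 85
| table host heap_used heap_max heap_pct
```

The values arrive as JSON strings, so `tonumber` is required before any arithmetic; without it the comparison is lexical and "9" sorts above "14251500568". Schedule the search over a short window (for example every 5 minutes over the last 10 minutes), trigger when the number of results is greater than zero, and throttle per `host` so a node that stays above 85 percent does not page on every run.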
Below is my dashboard XML code. The behavior I want to implement is to have the values the user selects in the table's columns automatically entered into the multiselect input. I don't know what to do. I want to make this... Does anybody know what I can do? Please help me. :((

<form version="1.1" theme="dark">
  <label>Sales DashBoard</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="globalTime" searchWhenChanged="true">
      <label>Select Time Range</label>
      <default>
        <earliest>0</earliest>
        <latest></latest>
      </default>
    </input>
    <input type="text" token="country" searchWhenChanged="true">
      <label>select Country</label>
      <default>*</default>
    </input>
    <input type="multiselect" token="client_token">
      <label>client_token</label>
      <choice value="*">ALL</choice>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>clientip="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>clientip</fieldForLabel>
      <fieldForValue>clientip</fieldForValue>
      <search>
        <query>index=main | stats count by clientip</query>
      </search>
      <default>*</default>
    </input>
    <input type="multiselect" token="field1" searchWhenChanged="true">
      <label>field1 $clicked_value$</label>
      <choice value="*">all</choice>
      <choice value="clicked_value">choice</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>productName</fieldForLabel>
      <fieldForValue>productName</fieldForValue>
      <search>
        <query>index=main productName=$clicked_value$ | stats count by productName</query>
      </search>
      <delimiter> </delimiter>
    </input>
    <input type="text" token="input_02" searchWhenChanged="true">
      <label></label>
      <default>$clicked_value$</default>
      <initialValue>$clicked_value$</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>test demo</title>
      <table>
        <title>Celltrion assignment $clicked_value$</title>
        <search>
          <query>index=main sourcetype="access*" action=purchase $client_token$ | stats values(productName) as products by clientip</query>
          <earliest>$globalTime.earliest$</earliest>
          <latest>$globalTime.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
        <format type="color" field="clientips">
          <colorPalette type="minMidMax" maxColor="#118832" minColor="#FFFFFF"></colorPalette>
          <scale type="minMidMax"></scale>
        </format>
        <format type="number" field="clientips"></format>
        <drilldown>
          <set token="clicked_value">$click.value2$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Actual Purchase Rate</title>
      <single>
        <title>transition from shopping cart to actual purchase</title>
        <search>
          <query>index=main sourcetype="access_combined_wcookie" status=200 action IN(addtocart, purchase) | iplocation clientip | search Country="$country$" | eval action_type=if(action="addtocart", "cart", if(action="purchase", "purchase", "other")) | stats count(eval(action_type="cart")) as cart_count count(eval(action_type="purchase")) as purchase_count | eval rate=round(purchase_count*100/cart_count, 2) | table rate</query>
          <earliest>$globalTime.earliest$</earliest>
          <latest>$globalTime.latest$</latest>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0.00</option>
        <option name="rangeColors">["0xd41f1f","0xd94e17","0xf8be34","0x1182f3","0x118832"]</option>
        <option name="rangeValues">[60,70,85,90]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
    </panel>
    ...
  </row>
</form>
Hi @KhalidAlharthi, Advice and answers have been provided in three similar, previously asked questions. If you know the format the other SIEM (QRadar?) expects, please add it here, and we can help you tailor the Splunk output. Since this is a Splunk community forum, however, you're more likely to find expertise in Splunk Enterprise Security than QRadar. If you see the data arriving on the remote system using tcpdump, Splunk has already successfully forwarded the data irrespective of the format.
Hi @jasantor,

The implementation is in $SPLUNK_HOME/etc/apps/Splunk_ML_Toolkit/bin/algos_support/density_function/beta_distribution.py:

1. Sample min(data.shape[0], 10000) elements from field using numpy.random.choice.
2. Normalize sample to [0..1] using (data - data.min()) / (data.max() - data.min()).
3. Fit normalized sample to Beta using scipy.stats.beta.fit.
4. If either alpha <= 0 or beta <= 0, estimate parameters using normalized sample mean and variance.

The return values for scipy.stats.beta.fit are alpha, beta, loc, and scale. MLTK's implementation of dist=beta either misinterprets or mislabels loc and scale as mean and standard deviation, respectively. You could compute the values yourself:

| summary MyModel2
| rex field=other "Alpha: (?<alpha>[^,]+), Beta: (?<beta>.+)"
| eval mean=alpha/(alpha+beta), std=sqrt((alpha*beta)/(pow(alpha+beta,2)*(alpha+beta+1)))

However, this will give you the approximate mean and standard deviation of the normalized sample, not the original data. The dist=beta implementation is a little over four years old now, and something tells me no one has validated it. At the risk of being overly critical, the code looks suspiciously like it was copied from Stack Overflow. I don't have a personal Splunk support account, so I can't report the issue. If you have support, I recommend opening a support case.
I suspect something on your end - either an outdated trusted RootCA store or some TLS decrypting appliance doing MitM. I see a perfectly good DigiCert-issued certificate when curling download.splunk.com
Looks like the issue is still there. OK, as it is a simple issue and considering the above workaround, closing this post. Thanks.
Hi @VijaySrrie, you have given only very few details. Please provide us the modular input script and the config files. Was the modular input working fine previously, and did it only recently start producing the duplicates?
Guys, I have set up routing through the syslog method and I faced a problem: the logs are coming in when I run tcpdump on the third-party system, but I can't see them in the other SIEM. How can I solve this issue? Help.
@gcusello I sent you a private message.
Hi @KhalidAlharthi, what do you mean by "DM"? Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated.
Hi @hazem, yes, there's a precedence in configurations at index time, but for custom apps it's related to the alphabetical precedence. Anyway, it should run because you have a duplicated configuration that isn't required. Ciao. Giuseppe
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Manageacceleratedsearchsummaries#Restrictions_on_report_acceleration Since the search itself qualifies for acceleration, most probably your user role either lacks capabilities to enable accelerations or write permissions for the report.
Yeah, I picked your solution. Could you please check your DM?
Did you mean that the configuration in (all_UF_outputs) will override the one in (all_splk_outputs) because the capital letter (U) has higher precedence than the lowercase (s)?
Hi @Tzur,

Let me understand: do you want to take the last value of the "monitor" field, or is there a rule?

If the last value, you could try:

<your_search>
| stats last(monitor) AS monitor values(ip) AS ip values(other_fields) AS other_fields BY hostname

If there's a rule (e.g. if ip=1.2.3.4), you can try:

<your_search>
| stats values(eval(if(ip="1.2.3.4","v","x"))) AS monitor values(ip) AS ip values(other_fields) AS other_fields BY hostname

Ciao.
Giuseppe
Hi @hazem, let me understand: do you have two apps addressing the same indexers, or different ones? If yes, why? Anyway, it isn't correct, because the configuration in the first overrides the one in the second. Could you share your outputs.conf? Ciao. Giuseppe