All Posts


There are two REST endpoints you can use to get that information. This one fetches saved searches (including reports and alerts):

| rest splunk_server=local /servicesNS/-/-/saved/searches | search search="*You found a bug!*"

This one does the same for dashboards (the views endpoint also lives under the /servicesNS/-/-/ namespace path):

| rest splunk_server=local /servicesNS/-/-/data/ui/views | search eai:data="*You found a bug!*"
I presume the problem is the table is very wide. If so, try swapping the terms in the chart command:

index="webmethods_prd" source="/apps/WebMethods/IntegrationServer/instances/default/logs/CXMLOrders.log"
| eval timestamp=strftime(_time, "%F")
| chart limit=30 count as count over timestamp by TransactionType

Alternatively, try the timechart command:

index="webmethods_prd" source="/apps/WebMethods/IntegrationServer/instances/default/logs/CXMLOrders.log"
| eval timestamp=strftime(_time, "%F")
| timechart useother=0 limit=30 count by TransactionType
Tried both the expressions, getting the same error in both: regex 'account_id\\":\\"(?<account_id>[^\]+"activity)': Regex: missing terminating ] for character class.
Hi, I'm working with a dashboard where I have three rows of data. Each row is filtered based on specific conditions. I have enabled drilldown for all these rows, e.g.:

Row 1: Panel 1: token name: r1_drill, condition: success; Panel 2: token name: r1_drill, condition: failed
Row 2: Panel 1: token name: r2_drill, condition: success, type: abc; Panel 2: token name: r2_drill, condition: failed, type: abc
Row 3: Panel 1: token name: r3_drill, condition: success, type: def; Panel 2: token name: r3_drill, condition: failed, type: def

The problem is while passing tokens to the pie charts:
- Clicking on r3_drill works as expected.
- Clicking on r2_drill sets r3_drill conditions as default, causing incorrect filtering.

I need to unset r3_drill when r2_drill is set and vice versa for all. Any guidance or examples would be greatly appreciated. Thanks
Hello, I've been asked to provide a list of all Alerts/Reports/Dashboards that contain the value "You Found a bug!" in the underlying Search. I have no idea how to do this :). I manually found one Alert that is using a Search that would match:

source=bluefletch "details.package"="com.siteone.mobilepro" "details.message.environment"=PROD (event=ErrorEvent OR event=ExceptionEvent) "details.message.additionalInfo.content{}.Title"="You found a bug!"

I just need to find all of the other Alerts/Reports/Dashboards that are also using this. Does anyone have any ideas how this can be done? Thank you for any help on this.

Thanks, Tom
My log data looks like: I am using this query:

index="webmethods_prd" source="/apps/WebMethods/IntegrationServer/instances/default/logs/CXMLOrders.log"
| eval timestamp=strftime(_time, "%F")
| chart limit=30 count as count over TransactionType by timestamp

I have to build a report on transaction type, total count date-wise. Please help to form the query; due to space it is not showing properly.

TransactionType = cXML OrderRequest
TransactionType = cXML ConfirmationRequest

Regards
Avik
The index name is specified on another line, similar to how the sourcetype is specified.

[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json
index = foo

Read The Fine Manual at https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Inputsconf
Ran into the exact same issue going from 9.1.1 to 9.2.1. Had the same errors and commented out the line "marnall" pointed out, restarted Splunk, finished the update and successfully started Splunk. Why is this happening? And does it happen to everyone?
[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json

Index in the monitor stanza: do you mean the path, exactly "/var/log.snort/*alert_json.txt"? Or index in the sourcetype: do you mean this: "snort3:alert:json"?
This has not worked for me, any ideas? Here is my sslConfig line in server.conf:

[sslConfig]
sslPassword = $7$IVRDJa9zz5Rmt3ZehltRkIK2vnYpOPiMSSAZMNAUqdQ7hQAGf2GNXg

No other lines in the file. I am open to suggestions, and get this as well:

WARNING: Server Certificate Hostname Validation is disabled., see server.conf, etc

Thanks, EWHolzx
OK, so what information have you managed to ingest into Splunk from them? Essentially, you can only query information which has been ingested (with a few exceptions).
I am trying to delete users that just use Splunk authentication. I have the admin role. I have tried both the web GUI and the CLI to delete users, but they are still visible after deletion. But something seems to have happened, because, even though the users are still showing up using the list command in the CLI, when I try to delete the user using the remove command, it says the user does not exist. Is there a config file I need to edit to get the users to stop appearing? This is also a clustered Splunk Enterprise environment, does this mean there are further steps I have to take to delete a user? Thanks
@ITWhisperer we have the Splunk add-on for Windows deployed on all machines.
What data do you have ingested into Splunk?
Hi, can someone help me with a Splunk search to identify browsers installed on a machine? I'm looking for a specific field where I can capture this data. Thanks
 index = "*" "a39d0417-bc8e-41fd-ae1f-7ed5566caed6" "*uploadstat*" status=Processed
Hi @Splunk-Star, could you share more info, e.g. some screenshots? Thank you. Ciao. Giuseppe
Show source is not loading for only one event, getting "Failed to find target event in final sorted event list. Cannot properly prune results" after loading
Hello, and thanks for the tip. I will look into getting TLS set and/or a new cert; the cert will need to be self-signed. Splunk was restarted after each upgrade. I am not familiar with the acronym "SHC". Thanks for the info. ewholz
Thanks for the brief explanation.