All Posts
Hi, I am forwarding FortiGate firewall syslogs to a Windows universal forwarder, and this data is sent to a Splunk single search head, but the FortiGate logs are appearing by their IP. I want to distinguish them by their hostname. I have created the file inputs.conf in c:/programfiles/splunkforwarder/etc/system/local and I have put the following stanza into it:
[udp://514]
sourcetype = firewall_logs
connection_host = 192.168.1.*, 192.168.1.* (the FortiGate IPs)
host = (both FortiGate hostnames as comma-separated values)
But the logs are appearing under a single hostname.
Can I get a Splunk query that shows the last logon date for a group of Active Directory service accounts? Thanks
You can search the internal Splunk logs to see if there are any errors logged. If you run this what do you get? index=_internal sendemail sourcetype!=splunkd_ui_access sourcetype!=splunkd_remote_searches ERROR  
This is the beauty of using DNS CNAMEs to reference all your Splunk servers in configuration. Ideally you don't put references to any physical names in your configs. That way, when you switch servers, you can build your new server alongside your old server, and then when you want to switch to the new server you just flip the CNAME over to it.
Hi @fabrizioalleva, good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated
Hi @fabrizioalleva, if you need to send an alert, you could run a search like the following every 5 minutes:
index=myindex earliest=-5m@m latest=@m | stats count BY APP | where count<5
Instead, in a dashboard panel, you can use timechart.
Ciao.
Giuseppe
Thanks, @gcusello, I already tried with timechart, but if I have a lot of applications which work in this way, I'm not able to work with timechart, also because if I want to work with the data after timechart I cannot. Maybe this is better:
DATE,APP
2024/05/24 11:04:00,APPA
2024/05/24 11:05:00,APPB
2024/05/24 11:06:00,APPA
2024/05/24 11:08:00,APPB
2024/05/24 11:09:00,APPA
2024/05/24 11:10:00,APPB
2024/05/24 11:11:00,APPA
2024/05/24 11:13:00,APPB
2024/05/24 11:14:00,APPA
So I have to highlight this condition of "flapping" in 10 minutes. If the app is present, it means that it's not responding.
index=myindex | timechart span=1m by APP
produces:
_time, APPA, APPB
And what I want to produce is:
_time, APPA, APPB
2024/05/24 11:04:00, 1,0
2024/05/24 11:05:00, 0,1
2024/05/24 11:06:00, 1,0
2024/05/24 11:07:00, 0,0
2024/05/24 11:08:00, 0,1
2024/05/24 11:09:00, 1,0
2024/05/24 11:10:00, 0,1
2024/05/24 11:11:00, 1,0
2024/05/24 11:12:00, 0,0
2024/05/24 11:13:00, 0,1
2024/05/24 11:14:00, 1,0
But I want to work with this output in order to send an alert to another application. Thanks
Hi @PavithraSarvin, I'm a Community Moderator in the Splunk Community. This question was posted 5 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
Hi @fabrizioalleva, I suppose that you already extracted the field with status=1. In this case you could run:
<your_search> | timechart span=1m count BY status
Ciao.
Giuseppe
Hi @vishwa, use eval round (https://docs.splunk.com/Documentation/SCS/current/SearchReference/MathematicalFunctions#round.28.26lt.3Bnum.26gt.3B.2C_.26lt.3Bprecision.26gt.3B.29):
| eval your_field=round(your_field,0)
Ciao.
Giuseppe
Hi all, we have a procedure that writes to the index only where there is a KO, so I have a sequence of events like these:
DATE,RESPONSE
2024/05/24 11:04:00,1
2024/05/24 11:05:00,1
2024/05/24 11:06:00,1
2024/05/24 11:08:00,1
2024/05/24 11:09:00,1
2024/05/24 11:10:00,1
2024/05/24 11:11:00,1
2024/05/24 11:13:00,1
2024/05/24 11:14:00,1
As you can see, between 2024/05/24 11:06:00 and 2024/05/24 11:08:00, and between 2024/05/24 11:11:00 and 2024/05/24 11:12:00, there is no KO. What we want to do is produce a full output like this:
2024/05/24 11:04:00,1
2024/05/24 11:05:00,1
2024/05/24 11:06:00,1
2024/05/24 11:07:00,0
2024/05/24 11:08:00,1
2024/05/24 11:09:00,1
2024/05/24 11:10:00,1
2024/05/24 11:11:00,1
2024/05/24 11:12:00,0
2024/05/24 11:13:00,1
2024/05/24 11:14:00,1
in order to highlight the service's up/down. I've tried a lot of methods but I cannot obtain a similar result. Any suggestion? Thanks
Fabrizio
I want to migrate my clustered environment from one Linux distribution to another. Is it possible to migrate the search head and deployment server first and then the indexers on another day? The current distro is CentOS and the new distro is RHEL. Any ideas or suggestions?
Additional Info for @PickleRick's response: This will be removed in a future version of the solnlib library. See function starting at line 237 in the CredentialManager class: https://splunk.github.io/addonfactory-solutions-library-python/credentials/#solnlib.credentials.CredentialManager.get_password Looking at the new code, a realm will be required to be passed to the definition.
Hi all, I have a table where the values are showing as 234.000000 and 56.000000, but we want to remove the zeros and show only 234 and 56. How do we do this?
Is there a solution in place for this issue? I am facing the same issue.
Hi @Amit.Bisht, Thanks for asking your question on the community. Since the community did not jump in and help, you can contact AppDynamics Support. How do I submit a Support ticket? An FAQ 
How can we filter it by providing the value 7670?
Rename your field with the URL in it to start with an underscore, e.g. "_url", then refer to it in the drilldown as suggested earlier, e.g. "$row._url$".
Try LINE_BREAKER = ()\d{4}-\d\d
This run-anywhere example should explain the process:
| makeresults | eval STime="9:45" | rex field=STime "(?<hrs>\d+):(?<mins>\d+)" | eval Hours=hrs + round(mins/60,2)