I am generating alarms by acquiring abnormal values for CPU usage of NW devices. I would like to send these alarms via email or webhook, but I get the above error and cannot send them. What is the cause? Error in 'sendalert' command: Alert script returned error code 2.
We are receiving some notables that reference an encoded command being used with PowerShell, and the notable lists the command in question. The issue is that the command it is listing appears to be incomplete when we decode the string. Does anyone know a way for us to potentially hunt down and figure out what the full encoded command referenced in the notable may be?
Not like that. I have a table with 5 columns and one of the columns is a URL field. Instead of showing the full URL, I need to show only "click here" instead of the URL. Then we need to open the complete URL on clicking "click here".

Name | URL
App DSR | click here
Web app |
Thanks for your suggestion, I tried using it. But instead of adding a radio button & having a token assigned to the values, I simply replaced the over & under with 1,0 (because I'm dependent on the value based on a comparison between 2 sizes rather than having a default value assigned to a radio button), but the color still doesn't change. I also ran the query separately for a specific index & it returns 1 when currentsize>maxsize, but somehow when including it in the dashboard code, the color is still not being picked despite using both rangeValues & rangeColors. Is there anything I'm missing here?

<single id="CurrentUtilisation">
  <search>
    <query>
      <![CDATA[
index=usage_index_summary
| fields Index as sourceIndex, totalRawSizeGB
| where Index="$single_index_name$"
| stats latest(totalRawSizeGB) as CurrentSize by Index
| join left=L right=R where L.Index=R.extracted_Index
    [ search index=index_configured_limits_summary
      | stats latest(maxGlobalDataSizeGB) as MaxSizeGB by extracted_Index ]
| rename L.CurrentSize as CurrentSizeGB, R.MaxSizeGB as MaxSizeGB, L.Index as Index
| eval unit_label = if(CurrentSizeGB < 1, "MB", "GB")
| eval CurrentSizeGB = if(CurrentSizeGB < 1, CurrentSizeGB*1024, CurrentSizeGB)
| eval CurrentSizeDisplay = round(CurrentSizeGB) . if(unit_label == "MB", "MB", "GB")
| eval CurrentSizeDisplay = if(CurrentSizeGB == 0, "None", CurrentSizeDisplay)
| eval value=if(CurrentSizeGB > MaxSizeGB, "1", "0")
| table CurrentSizeDisplay, value
      ]]>
    </query>
  </search>
  <option name="colorBy">value</option>
  <option name="colorMode">block</option>
  <option name="drilldown">none</option>
  <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
  <option name="rangeValues">[0,1]</option>
  <option name="refresh.display">progressbar</option>
  <option name="trellis.enabled">0</option>
  <option name="underLabel">Current Utilisation</option>
  <option name="useColors">1</option>
</single>
This logic makes sense, however, I will not get the other fields such as data, label, _time. I need those fields populated with the correct information. But thank you for your help. 
Hi @Shubham.Kadam, Thanks for following up with the solution! 
I just built an app to do this: https://splunkbase.splunk.com/app/7371
Hi All, I have a Splunk query returning output as:

STime 09:45

I want to convert it to hours. Expected output:

STime 9.75 hrs

How do I achieve this using Splunk?
I'm still receiving an inaccurate result.
Hi @Roberto.Barnes, It's applicable for SaaS (since it's mentioned in our doc section for SaaS). What happens is, you'll either need an on-prem license or your AppD account needs to be "associated" with an on-prem license. It's mentioned in: https://community.appdynamics.com/t5/Knowledge-Base/Download-Artifacts-from-Accounts-FAQ-nbsp/ta-p/39712 For example: ...If you're a SaaS-only customer, Enterprise Console or EUM Server are not relevant to you. On-premises customers will see both Agents and Platform tabs... As such you only see the "Agent" tab. Regards, Terence
After configuring my indexer and forwarder to use SSL I receive the following error:

Error encountered for connection from src=MY_IP:44978. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

outputs.conf on forwarder:

[tcpout:group1]
server = INDEXER_IP:9998
disabled = 0
sslVerifyServerCert = true
useClientSSLCompression = true

inputs.conf on indexer:

[splunktcp-ssl:9998]
disabled = 0
connection_host = ip

[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/my_prepared_cert.pem
requireClientCert = false

output of openssl s_client -connect INDEXER_IP:9998:

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 4E137F80E8629FC675460A5B2A5E13305F5DE4153720F7A2566A7ED2490EF77C
    Session-ID-ctx:
    Master-Key: 7AD057B736D12AD4CA0515CF7E7AE9BDB1BB45A05F75DA6042A1A5460110D886BB80BEE06A79CFE94428D33A51B76009
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - e4 37 a8 12 91 c0 0c a0-6e 1b c5 01 31 98 3f 80   .7......n...1.?.
    0010 - 95 9b 8d 47 c5 a3 99 33-49 2a f0 86 7f 80 e8 2c   ...G...3I*.....,
    0020 - b7 4e 80 23 ec 4e 0e c6-20 b5 70 9c f9 cd 7d bd   .N.#.N.. .p...}.
    0030 - 69 93 82 ec 9d 37 51 ba-47 8e a6 23 cb 51 7f 4e   i....7Q.G..#.Q.N
    0040 - 1f 59 8b 8b 06 c4 dc 23-f9 64 61 69 ea e3 c3 39   .Y.....#.dai...9
    0050 - 79 eb 82 a2 5c 0c 28 32-a1 2a a5 a8 50 41 95 54   y...\.(2.*..PA.T
    0060 - 5a f6 6d 53 cd 12 d3 34-fe 18 00 50 e0 06 2c 77   Z.mS...4...P..,w
    0070 - 0f b9 35 03 a5 08 a2 df-88 23 39 c8 8e b5 81 67   ..5......#9....g
    0080 - 71 c1 4e 7a ab 8f b8 36-59 1a 01 ae 7e a6 36 c0   q.Nz...6Y...~.6.
    0090 - 5e c2 6e 4f 1d 9f 47 76-cc 38 0e a5 26 91 50 de   ^.nO..Gv.8..&.P.

    Start Time: 1716539462
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
Hi @zoe, even if you don't use timechart, I suppose that you are charting two field values (y1 and y2); you have to compare the two fields in the where condition:

| where y1=y2

or, if they are similar but not the same:

| where y1-y2<1 OR y2-y1<1

where 1 is the sensitivity you want to use in your search. Ciao. Giuseppe
I experienced the same error and I had to change manager_uri to master_uri in outputs.conf of my HF.
Hi Giuseppe, thanks for the quick reply. I do not have timechart. I have a table with fields like x, y1, y2. If I plot x-y1 and x-y2 in line charts, these two lines cross. I need the value where the y1 line is the same as the y2 line.

| where value1=value2

This solution would not work, because y1 and y2 do not have the same field values. I need to find the crossing of these two artificial lines.
Hi @mythili, sincerely I don't know. You could open a case with Splunk Support to get an answer or to report a possible bug. Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated.
Hi @Pandey_21, rename is a command to rename field names, not to replace a string; use replace (https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Replace) or rex to do this:

| replace "Data Time series* errorcount=0" WITH "Success"

Ciao. Giuseppe
Fresh Proxmox 8.2 - same error when trying to deploy the universal forwarder with a polkit policy... For now, I am going the way via the root user, but this clearly seems a bug Splunk needs to address in its future version releases.
Hi @gcusello, Thanks for the suggestion. This work-around works for me. But any idea regarding this behavior? Is this a known issue from Splunk?
Hi @zoe, after a chart there's always a search and some results. Probably you have a search like the following:

<your_search>
| timechart count BY key

where key has two values (value1 and value2), so you have to run a search like the following:

<your_search>
| timechart count BY key
| where value1=value2

I could be more detailed if you could share your search (in text mode, not a screenshot!). Ciao. Giuseppe