All Posts
Thanks for your suggestion, I tried using it. But instead of adding a radio button & having a token assigned to the values, I simply replaced the over & under with 1,0 (because I'm dependent on the value based on a comparison between 2 sizes rather than having a default value assigned to a radio button), but the color still doesn't change. I also ran the query separately for a specific index & it returns 1 when currentsize>maxsize, but somehow when including it in the dashboard code the color is still not being picked despite using rangeValues & rangeColors both. Is there anything I'm missing here?

<single id="CurrentUtilisation">
  <search>
    <query>
      <![CDATA[
      index=usage_index_summary
      | fields Index as sourceIndex, totalRawSizeGB
      | where Index="$single_index_name$"
      | stats latest(totalRawSizeGB) as CurrentSize by Index
      | join left=L right=R where L.Index=R.extracted_Index
          [ search index=index_configured_limits_summary
            | stats latest(maxGlobalDataSizeGB) as MaxSizeGB by extracted_Index ]
      | rename L.CurrentSize as CurrentSizeGB, R.MaxSizeGB as MaxSizeGB, L.Index as Index
      | eval unit_label = if(CurrentSizeGB < 1, "MB", "GB")
      | eval CurrentSizeGB = if(CurrentSizeGB < 1, CurrentSizeGB*1024, CurrentSizeGB)
      | eval CurrentSizeDisplay = round(CurrentSizeGB) . if(unit_label == "MB", "MB", "GB")
      | eval CurrentSizeDisplay = if(CurrentSizeGB == 0, "None", CurrentSizeDisplay)
      | eval value=if(CurrentSizeGB > MaxSizeGB, "1", "0")
      | table CurrentSizeDisplay, value
      ]]>
    </query>
  </search>
  <option name="colorBy">value</option>
  <option name="colorMode">block</option>
  <option name="drilldown">none</option>
  <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
  <option name="rangeValues">[0,1]</option>
  <option name="refresh.display">progressbar</option>
  <option name="trellis.enabled">0</option>
  <option name="underLabel">Current Utilisation</option>
  <option name="useColors">1</option>
</single>
This logic makes sense, however, I will not get the other fields such as data, label, _time. I need those fields populated with the correct information. But thank you for your help. 
Hi @Shubham.Kadam, Thanks for following up with the solution! 
I just built an app to do this: https://splunkbase.splunk.com/app/7371
Hi All, I have a Splunk query returning output as:

STime 09:45

I want to convert it to hours. Expected output:

STime 9.75 hrs

How do I achieve this using Splunk?
I'm still receiving an inaccurate result.
Hi @Roberto.Barnes, It's applicable for SaaS (since it's mentioned in our doc section for SaaS). What happens is, you'll either need an on-prem license or your AppD account needs to be "associated" with an on-prem license. It's mentioned in: https://community.appdynamics.com/t5/Knowledge-Base/Download-Artifacts-from-Accounts-FAQ-nbsp/ta-p/39712

For example: "...If you're a SaaS-only customer, Enterprise Console or EUM Server are not relevant to you. On-premises customers will see both Agents and Platform tabs..."

As such you only see the "Agent" tab.

regards, Terence
After configuring my indexer and forwarder to use SSL I receive the following error:

Error encountered for connection from src=MY_IP:44978. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

outputs.conf on forwarder:

[tcpout:group1]
server = INDEXER_IP:9998
disabled = 0
sslVerifyServerCert = true
useClientSSLCompression = true

inputs.conf on indexer:

[splunktcp-ssl:9998]
disabled = 0
connection_host = ip

[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/my_prepared_cert.pem
requireClientCert = false

Output of openssl s_client -connect INDEXER_IP:9998:

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 4E137F80E8629FC675460A5B2A5E13305F5DE4153720F7A2566A7ED2490EF77C
    Session-ID-ctx:
    Master-Key: 7AD057B736D12AD4CA0515CF7E7AE9BDB1BB45A05F75DA6042A1A5460110D886BB80BEE06A79CFE94428D33A51B76009
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - e4 37 a8 12 91 c0 0c a0-6e 1b c5 01 31 98 3f 80   .7......n...1.?.
    0010 - 95 9b 8d 47 c5 a3 99 33-49 2a f0 86 7f 80 e8 2c   ...G...3I*.....,
    0020 - b7 4e 80 23 ec 4e 0e c6-20 b5 70 9c f9 cd 7d bd   .N.#.N.. .p...}.
    0030 - 69 93 82 ec 9d 37 51 ba-47 8e a6 23 cb 51 7f 4e   i....7Q.G..#.Q.N
    0040 - 1f 59 8b 8b 06 c4 dc 23-f9 64 61 69 ea e3 c3 39   .Y.....#.dai...9
    0050 - 79 eb 82 a2 5c 0c 28 32-a1 2a a5 a8 50 41 95 54   y...\.(2.*..PA.T
    0060 - 5a f6 6d 53 cd 12 d3 34-fe 18 00 50 e0 06 2c 77   Z.mS...4...P..,w
    0070 - 0f b9 35 03 a5 08 a2 df-88 23 39 c8 8e b5 81 67   ..5......#9....g
    0080 - 71 c1 4e 7a ab 8f b8 36-59 1a 01 ae 7e a6 36 c0   q.Nz...6Y...~.6.
    0090 - 5e c2 6e 4f 1d 9f 47 76-cc 38 0e a5 26 91 50 de   ^.nO..Gv.8..&.P.
    Start Time: 1716539462
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
Hi @zoe, even if you don't use timechart, I suppose that you are charting two field values (y1 and y2), so you have to compare the two fields in the where condition:

| where y1=y2

or, if they are similar but not the same:

| where y1-y2<1 AND y2-y1<1

where 1 is the sensitivity you want to use in your search.

Ciao.
Giuseppe
I experienced the same error and I had to change manager_uri to master_uri in outputs.conf of my HF.
Hi Giuseppe, thanks for the quick reply. I do not have timechart. I have a table with the fields x, y1, y2. If I plot x-y1 and x-y2 in line charts, these two lines cross. I need the value where the y1 line is the same as that on the y2 line.

| where value1=value2

This solution would not work, because y1 and y2 do not have the same field values. I need to find the crossing of these two artificial lines.
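Since the two series rarely share an exact value at the same x, the crossing has to be found between rows: look for the row where the sign of y1-y2 flips relative to the previous row and linearly interpolate x and y across that gap. The search below is an added example, not code from any poster in this thread; the makeresults block is a constructed dataset (y1=2x, y2=10-x) and the field names x, y1, y2 follow the thread.

```spl
| makeresults count=5
| streamstats count as x
| eval y1 = x*2, y2 = 10 - x
| sort x
| eval d = y1 - y2
| streamstats current=f window=1 last(d) as prev_d, last(x) as prev_x, last(y1) as prev_y1
| where (prev_d < 0 AND d >= 0) OR (prev_d > 0 AND d <= 0)
| eval t = prev_d / (prev_d - d)
| eval x_cross = prev_x + (x - prev_x) * t
| eval y_cross = prev_y1 + (y1 - prev_y1) * t
| table prev_x, x, x_cross, y_cross
```

With the constructed data d goes from -1 at x=3 to 2 at x=4, so t=1/3 and the search returns x_cross=3.333 and y_cross=6.667, which is where y1=2x and y2=10-x meet. Replace the first three lines with your own base search that yields x, y1 and y2; the `sort x` matters because streamstats looks at the previous row in search order, and d=0 on a row means the lines touch exactly there.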
Hi @mythili, sincerely I don't know. You could open a case with Splunk Support to have an answer or to report a possible bug.

Let me know if I can help you more, or, please, accept one answer for the other people of the Community.

Ciao and happy splunking.
Giuseppe

P.S.: Karma Points are appreciated
Hi @Pandey_21, rename is a command to rename field names, not to replace a string; use replace (https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Replace) or rex to do this:

| replace "Data Time series* errorcount=0" AS "Success"

Ciao.
Giuseppe
Fresh Proxmox 8.2: same error when trying to deploy the universal forwarder with the polkit policy... For now, I am going the way via the root user, but this clearly seems a bug Splunk needs to address in its future version releases.
Hi @gcusello, Thanks for the suggestion. This work-around works for me. But any idea regarding this behavior? Is this a known issue from Splunk?
Hi @zoe, after a chart there's always a search and some results. Probably you have a search like the following:

<your_search>
| timechart count BY key

where key has two values (value1 and value2), so you have to run a search like the following:

<your_search>
| timechart count BY key
| where value1=value2

I could be more detailed if you could share your search (in text mode, not a screenshot!).

Ciao.
Giuseppe
Hi All, I am trying to rename data but it is giving me an error. I am doing it this way:

| rename "Data Time series* *errorcount=0" AS "Success"

but the error is:

Error in 'rename' command: Wildcard mismatch: 'Data Time series* *errorcount=0' as 'Success'.

Log file:

Data Time series :: DataTimeSeries{requestId='482-fd1e-47-49-bf9b99f8', errorcount=0,

Can you please help me with the correct rename command?
Hi, I have the table x, y1, y2 and plot them in a line chart. How can I find the value where the two lines cross?
How can organizations efficiently handle and extract relevant data, such as webcam activity, from Office 365 audit logs, particularly when leveraging tools like the "Splunk Add-on for Microsoft Office 365"?
Color change only applies to numeric values. Here is a simple example using your "over", "under" range translated into 1, 0.

<form version="1.1" theme="light">
  <label>color range</label>
  <description>https://community.splunk.com/t5/Splunk-Search/SingleId-color-change-in-dashboard/m-p/688284#M234673</description>
  <fieldset submitButton="false">
    <input type="radio" token="value_tok" searchWhenChanged="true">
      <label>Select value</label>
      <choice value="over">Over</choice>
      <choice value="under">Under</choice>
      <default>over</default>
      <initialValue>over</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <query>| makeresults | eval value = case("$value_tok$" == "over", "1", "$value_tok$" == "under", "0")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>
</form>