All Posts
Hello, I am getting the following error while trying to enable SAML for my deployment server: "Verification of SAML assertion using the IDP certificate provided failed. Unknown signer of SAML response." Kindly provide any valuable suggestions.
Hi @yuvaraj_m91, you already have this search in the License Consumption Report; the problem is that usually you don't maintain six months of internal logs. You could run a search every day saving the results in a summary index, so you'll have a very performant search and all the data, also beyond the retention. You could also run a search summing the length of each event of each index, but it will be a very, very slow search. Ciao. Giuseppe
Looking for an SPL query to get the index-wise log consumption, split up by month, for the last 6 months.
Hi @Siddharthnegi, add the correct timezone to your user, and you'll see your timestamps. Ciao. Giuseppe
Hi @Richard_400, you have to use a function (e.g. count or sum or avg) before the eval in the stats command:

(index=interface_count devicename IN ($select_device$) INTinfo1=Gi0/1 OR Gi0/2 data_field_name=Rx_counter) OR (index=interface_count devicename IN ($select_device2$) description IN ($select_device$) data_field_name=Rx_counter) | timechart span=5m max(eval(Rx/1E5)) as Rx_count by INTinfo1

Ciao. Giuseppe
Hi @pm2012, in the square brackets put the sourcetype you want to add to your data flow. Put the props.conf file on the Search Heads, on the Forwarders the data are coming from, and (if present) on the intermediate Heavy Forwarders. Ciao. Giuseppe
Hi @splunky_diamond, yes, it's the latest! Open a case with Splunk Support; as I said, this is an old resolved bug. Ciao. Giuseppe
Hi @Kaushaas, usually all roles can see and edit Permissions on their own dashboards; ask your administrators to enable this feature for your role. Ciao. Giuseppe
Hi @karthi2809, you could add a fixed field using eval, maintaining the link in the search (otherwise you cannot pass it to the drilldown) and not displaying the link itself in the panel (using the <fields></fields> tag). Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated ;.)
Hi @KendallW, I have added "fields - _time" as the last SPL command to remove the _time field. Unfortunately, it still doesn't show the annotation in the line graph.
Hi @gcusello, got it, thanks. I didn't define it in the lookup definition. Now it's mapping. One more thing: I just want to add the table name as a URL, in which it will show "Click here". Inside that I need to map the URL.
Hi @karthi2809, check if in the Lookup definition you flagged the case sensitivity flag; in that case, unflag it. See you next time! Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated
When checking the URL categorization for a URL, it appears that the URL has been classified under two categories, for example, Business/Economy and File Storage/Sharing. However, we can only see one category in the Splunk field (field name: filter_category). Is this something to do with the data collection in Splunk? Any details are appreciated. Check the current WebPulse categorization for any URL: https://sitereview.bluecoat.com/#/
I want a chart as follows. I could show each count value (but cannot calculate the Calc field):

(index=interface_count devicename IN ($select_device$) INTinfo1=Gi0/1 OR Gi0/2 data_field_name=Rx_counter) OR (index=interface_count devicename IN ($select_device2$) description IN ($select_device$) data_field_name=Rx_counter) timechart span=5m eval(round(max(eval(Rx/1E5)),1)) as Rx_count by INTinfo1

_time   Device_A Gi0/1 (a)   Device_A Gi0/2 (b)   Device_B Gi0/8 (c)   Calc A+B-C
10:00   100                  200                  50                   250
10:05   100                  300                  80                   320
10:10   150                  250                  100                  300
Our servers are in Germany but Splunk time is 2 hours ahead. Why is that? For example, the event creation is at 5:02 am German time, but in Splunk it is showing 3:02 am. Any solutions?
Hi @gcusello, I am really unable to find my role, but all I understand is that I don't have all the required permissions. Any suggestion on what kind of role will let me edit permissions for a dashboard?
Hello @gcusello, see below: I show the .spl file name and download date. I believe I have the latest version of the ES currently. Cheers, splunky_diamond
Hi, thanks for your explanation. I'll review and rewrite my other search query statements. Thanks.
Hi Team, we have P1 Splunk alerts generated based on event ID 12320, triggered from the following servers:

scwdxxxxx0009
scwdxxxxx0008
scwpxxxxx0002
scwpxxxxx0001

Recently, we identified that we have a 24-hour suppression time for the alert, which led to a critical incident. To address this issue, the user has requested a reduction in the suppression time for the alert. The goal is to eliminate suppression unless the previously triggered alert is still open. If there are no open P1 tickets for event ID 12320, there should not be any suppression of the generation of new tickets.

Current Alert Configuration

We have one alert in Splunk, and we are using the following query:

index=winevent sourcetype="WinEvent:*" ((host="scwpxxxxx0001*" OR host="scwdxxxxx0008*" OR host="scwdxxxxx0009*" OR host="scwpxxxxx0002*") AND (EventCode=12320)) | eval assignment_group = "ABC IT - Computing Services" | eval host=lower(mvindex(split(host,"."),0)) | eval correlation_id=strftime(_time,"%Y-%m-%d %H:%M:%S").":".host | eval short_description=case((host="scwpxxxxx0001" OR host="scwdxxxxx0008"),"Microsoft AAD Proxy Connector - Prod not able to connect due to network issues.",(host="scwdxxxxx0009" OR host="scwpxxxxx0002"),"Microsoft AAD Proxy Connector - Dev not able to connect due to network issues.", 1=1, 0 ) | eval category="Application", subcategory="Repair/Fix", contact_type="Event", state=4, ci=host, customer="no573", impact=1, urgency=1, description="Event Code ".EventCode." encountered on host ".host." at ".strftime(_time,"%m/%d/%Y %H:%M:%S %Z")." SourceName:".SourceName." Log Name: ".LogName." TaskCategory:".TaskCategory." Message=".Message." 
Ticket generated on SNOW at ".strftime(now(),"%m/%d/%Y %H:%M:%S %Z") | table host, short_description, assignment_group, impact, urgency, category, subcategory, description, ci, correlation_id

Alert Type: Scheduled
Schedule: Run on cron schedule: */30 * * * * (every 30 minutes)
Time Range: Last 4 hours
Expiration: 24 hours
Throttle: Enabled
Suppress results containing field value: host, EventCode
Suppress triggering for: 24 hours
Trigger Actions: ServiceNow Incident Integration

How can we suppress the alert as per the requirement? Please help us here. Thank you.
Hi, I have seen a steady increase in perfmon events or data in the past 30 days. The number of hosts has been about the same and overall production activity is the same. There was one host added during the 30-day time frame. I thought that host may have been the cause of the increase, but that new host is not even in the top 10 most active hosts. The amount of overall perfmon data in proportion to the wineventlog data is increasing. Please see the attached chart. Perfmon is represented with the brown bar, wineventlog is the green bar. I'm asking for any ideas that would help me in identifying the cause of this change. Thank you in advance for any help.