All Posts

Hi @rpole, you could add a label using the eval command, something like this:
index="pcs-ing" ins="ingestion-worker" "metric.ingestion.api.import.time" "mdq.sId" IN ("57","10662") | rename mdq.sId as mdq_sId | eval mdq=if(mdq_sId="57","stack-ind","stack-aus") | timechart span=60m limit=0 count as ingestion_cycles by mdq
If it's possible, use underscore "_" instead of minus "-". Ciao. Giuseppe
Apologies, there was a typo as I renamed fields to try to generalize. This is the search I'm trying:
index=myindex ip earliest latest [| inputlookup ip_list_2.csv | eval ip = "*" . 'Extracted IP' . "*" | eval earliest=strptime('REQUEST_TIME', "%m/%d/%y %H:%M")-(60*60) | eval latest=strptime('REQUEST_TIME', "%m/%d/%y %H:%M")+(60*60) | fields ip earliest latest ]
This is a sample of the CSV:
REQUEST_TIME    Extracted IP
3/29/24 16:13   1.1.1.1
3/14/24 8:51    2.2.2.2
1/26/24 13:24   3.3.3.3
I had thought the search was running like this and stopped it: index=myindex (ip=1.1.1.1 OR ip=2.2.2.2 OR ip=3.3.3.3) earliest=1/26/24 13:24 latest=3/29/24 16:13. I only want to report on IP 1.1.1.1's activity at 3/29/24 16:13 and not at any other time. Thanks, I'll try the suggestions and report back.
Hi team, I have created a Splunk dashboard using the below query, where we are displaying a metric per stack ID [i.e., "mdq.sId"]. The dashboards are displayed with legends showing the IDs 54 and 10662. I want to display these IDs with a different name corresponding to the stack IDs on the legends. For example, 54 is stack-ind and 10662 is stack-aus.
index="pcs-ing" ins="ingestion-worker" "metric.ingestion.api.import.time" "mdq.sId" IN ("54","10662") | timechart span=60m limit=0 count as ingestion_cycles by mdq.sId
Is it possible to search by the stack ID but display alias names on the legends? For example, in the above dashboard, I want '54' to be shown as 'stack-ind' and '10664' as 'stack-aus'.
Hello, I get Splunk Enterprise 6-month 10 GB licenses for free home use, as I use Splunk heavily at work and try things in my home lab first. I was on vacation for some time and let my license lapse. This caused multiple items to stop working, primarily the search feature. I added a new license this morning, but search is still restricted. I have tried searching for how to request a reset license, calling to get a reset license, and submitting a support ticket for a reset license. Because I'm on a free account, nothing will allow me to actually request a reset license. For free personal-use Enterprise licenses, can anyone share how to request a reset license so I can resume the search function?
Hello! Thanks for the extensive and very useful feedback! I have had a chance to look at my search again, and with the correction suggested I am now able to correctly highlight the strings I am interested in within the Message field of the index, as in the following example. I am perhaps missing one final step, that is to add the search field from the following sub-search to the final table, as I understood the format command should add it to my query.
[ | inputlookup PS-monitored.csv | eval search=PS_command | fields search | format ]
I tried to look for a newly created field "search", or any other newly created ones, but couldn't find anything... am I missing something obvious? Thanks again!
I have defined a number.input field in Dashboard Studio (Version: 9.0.2) so that the user can select a number representing a date (between 1-31). I want the date to be set to the current day's date by default when the user opens the dashboard. But "defaultValue": "$token_curr_date$" in the code below throws the error: Incorrect Type. Expected "number"
{
    "options": {
        "defaultValue": "$token_curr_date$",
        "token": "num_date",
        "min": 1,
        "max": 31
    },
    "title": "Select Date",
    "type": "input.number"
}
In "dataSources" I have defined the search and token below:
"ds_current_date": {
    "type": "ds.search",
    "options": {
        "query": "| makeresults | eval token_curr_date=strftime(now(), \"%d\") | fields token_curr_date"
    },
    "token": "token_curr_date"
}
How do I set the default value of input.number to the current date?
@deepakc , Thank you. It worked like a charm.
No, I have a separate comma-separated value like bl01,bl02,bl03,0_Ref_res. These are the folder names. I want to check whether Test_Data has the last folder name. If yes, I want to consider that particular row. If the last value is not present, it should consider bl03. If not, it should consider bl02, etc. I am trying to find a logic for this.
Hi @Zazou, good for you, see you next time. Ciao and happy Splunking. Giuseppe P.S.: Karma Points are appreciated
Hi @jacknguyen, it isn't a best practice to use the same shared disk for multiple indexers, for many reasons; one of them is that NFS isn't to be used for Splunk storage. If this is the only way (with much care and certain problems!), then use different folders. Ciao Giuseppe
Hi All, I need your help. I have trained a few services and added the next_30m_avg_score in a Glass Table, but I don't know how to add dynamic color to the Score. What modification do I make in the source code to add the color? My source code is:
`itsi_predict(40588288-a7ed-42b9-8dec-0c0379e058f9,health_score,app:itsi_predict_40588288_a7ed_42b9_8dec_0c0379e058f9_RandomForestRegressor_d1258935c9f0529f3d510eae_1713353848355)` | table next30m_avg_hs
This is how the Glass Table looks: Please suggest
We are using a product called IronStream (https://www.precisely.com/product/precisely-ironstream/ironstream-for-splunk) to get this data into Splunk. I think the creation of the fields is being done at the mainframe end, because the _raw data looks like this: {"MFSOURCETYPE":"SMF014","SYSNAME":"MCG","SMFID":"MCG","DATETIME":"2024-05-15 09:48:00.44 +010 which is nothing like an SMF record as created. (I'm assuming here that the _raw is the data received by Splunk and not the data after field extraction.) I'm not sure how much further I can go with this; at least now I'm aware it happens, so I can work around it. If necessary I can raise the issue with Precisely.
I have 2 indexes in an index cluster with hot, cold and frozen tiers. Hot and cold are on different disks; frozen will use the same disk for both indexes. My question is: "Will the log be replicated, or can I save just one index into frozen and use it as a backup for the index cluster?"
Hello Splunk Team,
Who we are? L Squared is a leading digital signage service provider, offering the Hub Content Management System (CMS). This platform empowers users to effortlessly manage and display media content on digital signage screens. We want to integrate Splunk, a powerful data analytics platform, into our ecosystem.
What we want? Integrating a read-only version of Splunk apps' dashboards into L Squared Hub via an iframe. Implementing OAuth 2.0 authentication for secure access token generation, or any other authentication method to get an access token securely. Providing users with a list of Splunk apps and their respective dashboards for selection.
How to do it? To achieve these objectives, users will follow these steps: Initiate an OAuth 2.0 authentication request to Splunk for access token generation, or utilize client credentials such as username, password, and secret key. Upon successful authorization, users gain access to Splunk REST API endpoints, including:
Retrieving a list of installed Splunk apps using the following API call, e.g.
curl -k -u admin:password "https://localhost:8089/services/apps/local?output_mode=json"
Fetching a list of dashboards for a specific Splunk app via the following API call, e.g.
curl -k -u admin:password "https://localhost:8089/servicesNS/{username}/{app_name}/data/ui/views?output_mode=json&search=((isDashboard=1 AND (rootNode=\"dashboard\") AND isVisible=1) AND ((eai:acl.sharing=\"user\" AND eai:acl.owner=\"{username}\") OR (eai:acl.sharing!=\"user\")))"
Finally, embed the selected Splunk app's dashboard read-only version into L Squared Hub using an iframe.
Who are our end users? This integration empowers organizations to seamlessly monitor and analyze their data through large displays. It enables teams to access up-to-date Splunk data conveniently, enhancing decision-making and operational efficiency. If you know the right person or the right way to get a solution, please share your ideas with us. Thanks in advance! @MuS @elizabethl_splu @richgalloway
Do you mean something like this | eventstats last(Test_Data) as last_Test_Data by Identity | where Test_Data = last_Test_Data
After I updated the add-on to 6.3.x, I am not able to create or update account settings under the account type Tenable.sc credentials (deprecated). I have tried versions 6.3.2 and 6.3.6; both failed with the error "please enter valid address, username and password or configure valide proxy settings or verify ssl certificate". I am using credentials only and no proxy. Using version 6.1.0 of the add-on I can create/update the account with the same info.
What I need to do is: select all events that have `PROD*` in the field name and calculate the number of events that have the `SUCCESS` value in the `RESULT` field.
Hi @ITWhisperer, I did eventstats like you mentioned and I am able to get the proper table. Thank you so much. I have a list with 4 data items, and I have to check whether the field Test_Data has the last item from the list. If yes, I have to consider only those rows in the table. How can I compare this?
Only admins should be allowed and able to remove indexes. You should have control of who that is.
If I understand your description of your data correctly, you could try something like this | eventstats max(Test_ID) as max_Test_ID by Identity, Test_Data | where Test_ID = max_Test_ID | table Identity, Test_Data, Test_ID, Test_Status