All Posts


Hi guys, thanks for responding, and apologies for the long delay. There is an error for one of the multisite variables not being configured properly and then a bunch of subsequent errors that the server cannot reach the CM. I will also add that this is an HA multisite config and idk how this impacts the cluster stanza variables that need to be configured.
You can use the dynamic element color (https://docs.splunk.com/Documentation/Splunk/9.2.1/DashStudio/ModifyDOS): select background and set the color based on the status.
Here is a run-anywhere example. Just change the status in the dropdown and you can see the color change.
{
  "visualizations": {
    "viz_NJsTjQl4": {
      "type": "splunk.singlevalue",
      "options": {
        "backgroundColor": "> majorValue | matchValue(backgroundColorEditorConfig)",
        "majorColor": "#ffffff"
      },
      "dataSources": { "primary": "ds_275I8YNY" },
      "context": {
        "backgroundColorEditorConfig": [
          { "match": "Stopped", "value": "#ad3f20" },
          { "match": "Running", "value": "#207865" }
        ]
      }
    }
  },
  "dataSources": {
    "ds_275I8YNY": {
      "type": "ds.search",
      "options": { "query": "| makeresults\n| eval value=\"$status$\"" },
      "name": "Search_1"
    }
  },
  "defaults": {
    "dataSources": {
      "ds.search": {
        "options": {
          "queryParameters": {
            "latest": "$global_time.latest$",
            "earliest": "$global_time.earliest$"
          }
        }
      }
    }
  },
  "inputs": {
    "input_global_trp": {
      "type": "input.timerange",
      "options": { "token": "global_time", "defaultValue": "-24h@h,now" },
      "title": "Global Time Range"
    },
    "input_BHJAbWl2": {
      "options": {
        "items": [
          { "label": "Running", "value": "Running" },
          { "label": "Stopped", "value": "Stopped" }
        ],
        "token": "status",
        "selectFirstSearchResult": true
      },
      "title": "Status",
      "type": "input.dropdown"
    }
  },
  "layout": {
    "type": "grid",
    "options": { "width": 1440, "height": 960 },
    "structure": [
      { "item": "viz_NJsTjQl4", "type": "block", "position": { "x": 0, "y": 0, "w": 1440, "h": 400 } }
    ],
    "globalInputs": [ "input_global_trp", "input_BHJAbWl2" ]
  },
  "description": "",
  "title": "single_panel_studio"
}
Thanks @gcusello, but I have another scenario: I decide to install a standalone indexer in the DR site and edit outputs.conf for the agents to add the new standalone indexer located at DR. At this stage data will be forwarded to the indexer which is managed by the master node at the main site and also to the standalone DR indexer, and I configure the retention period in the DR site to be less than in the main site. Do you recommend this approach?
Thanks! This partially works very well. It provides in the results all calls, success, errors and no_responses (for the calls where no_response happens). However, it ignores other calls where requests and responses are equal.
Sorry, no, that's not the requirement. Only in the row where status is 200, I only want to highlight the percentage cell and then change the colour depending on the percentage value.
status  count  percentage
200     3245   98 (only highlight this cell)
404     34     1
503     34     1
>75% = green
>50 <74 = amber
>50 = red
The date transformation is working, I tested it. My concern is how (where) to insert it in my search query. When I add the transformation at the end of the query, nothing happens. Here is my full request, which displays a well-structured table but with the end and start dates in this format 2024-04-30T12:01:04.215Z and not in this one 2024-04-30 14:01:04:
search
| table guid property value
| xyseries guid property value
| fields guid start end duration status
| eval start=strftime(strptime(start, "%FT%T.%Q%Z"), "%F %T")
@woodcock Hi, I am getting permissions errors where the execute bit is not getting replicated to the SHC even though the files are set to executable on the deployers. Do you have any idea?
Hi @gcusello, this is happening for the Splunk Add-on for nix and the OS is Linux in a clustered SH. I checked that the permissions are set to executable in the code repository, but those are not getting replicated to the search heads.
Hi @saidAb, if you could share your search, it's easier to help you. Anyway, I suppose that you are using eval in stats; in this case, add the total count of events and calculate as the difference from this value, e.g.
<your_search>
| stats count(eval(status="success")) AS success_count count(eval(status="failed")) AS failed_count count
| eval others=count-success_count-failed_count
Ciao. Giuseppe
Hi @Skins, in the above colour definition, you can configure to highlight (e.g. in green) only the cells with value=200; to do this you have to choose the last option "values". Ciao. Giuseppe
Hi @hazem, good for you, see you next time! Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated
index="xxxx" sourcetype="xxxxx" message.request_path!=*/healthCheck
| fillnull value=0 backend_time
| stats count(eval('message.direction'="request")) as Calls, count(eval('message.response_code'="200")) as Success, count(eval('message.response_code'!="200")) as Error
| eval "No response"=Calls-Success-Error
index="xxxx" sourcetype="xxxxx" message.request_path!=*/healthCheck
| fillnull value=0 backend_time
| stats count(eval('message.direction'="request")) as Calls, count(eval('message.response_code'="200")) as Success, count(eval('message.response_code'!="200")) as Error
E.g. in the results, I see: Calls 27; Success 11; Error 6. I also need to see in the results that there were no responses for 10 calls (null_responses) as well.
I am trying to set up a Webhook action to send an IP from a search to Akamai. Need help in writing the webhook.
It depends on your data. Please can you share some sample anonymised representative events in a code block so we can see what you are dealing with.
| makeresults
| eval start="2024-04-30T11:59:24.123Z"
| eval start=strftime(strptime(start, "%FT%T.%Q%Z"), "%F %T")
This works, which would seem to suggest that the values you have in start (and end) are not in this format. Please can you share some examples which aren't working?
Is there a chance that a field parsing listed in the second half of the search is not shared within the app/globally? That is the first thing that I would check - make sure all of the variables listed are shared and that the non-admin role has access to the app in which they are shared.
Thanks @gcusello, that was where I looked first, but it applies to all fields in the column. My requirement is purely to highlight the percentage cell for status 200. Thx
Hi all, a query can calculate HTTP calls, success responses and error responses. I need an addition to the query to get how many requests are without a response. I mean calls - success_responses - error_responses = null_responses. Any good ideas about this? Thanks in advance!
hello @gcusello  thank you for your reply