All Posts
Thanks for the clarification.  There are many places where a yellow triangle can appear so it was hard to know which you were seeing. I recommend ignoring the IOWait alert since it tends to be over-sensitive.  Tune the health check (Settings->Health Report Manager) so the alert appears less often.
Ok, let's check if the results are available by just removing the below from the dashboard: depends="$hide_this_always$". We need to confirm the sid is available since it's part of the download path. So either in the title of the panel or somewhere just display the token. If the result is available and sid is present, try using the URL directly in the browser to make sure that the result is fetched. Here is a sample dashboard created using the same logic and it works:

<dashboard version="1.1" theme="light">
  <label>Download</label>
  <row>
    <!-- Below is the table with the results. We are setting the panel depends to a non-existing token so that it is always false and the panel is not visible. -->
    <panel depends="$hide_always$">
      <title>$sid$</title>
      <table>
        <search>
          <query>index=_*|stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <done>
            <eval token="date">strftime(now(), "%d-%m-%Y %H:%M:%S")</eval>
            <set token="sid">$job.sid$</set>
          </done>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <!-- Setting the title for testing purposes and making sure that the SID is available in the token -->
      <title>Job Id is : $sid$, Time is : $date$</title>
      <html>
        <a href="/api/search/jobs/$sid$/results?isDownload=true&amp;timeFormat=%25FT%25T.%25Q%25%3Az&amp;maxLines=0&amp;count=0&amp;filename=test_$date$.csv&amp;outputMode=csv" class="button js-button">Download</a>
        <style>
          .button { background-color: steelblue; border-radius: 5px; color: white; padding: .5em; text-decoration: none; }
          .button:focus, .button:hover { background-color: #2A4E6C; color: White; }
        </style>
      </html>
    </panel>
  </row>
</dashboard>
Hello, I have 500 HTTP messages in my access log. Also I have corresponding events from other log sources with the same correlation-id. Now I want to join the information to enhance the results.

Access Log Events:

2024-04-25T11:00:26+00:00 [info] type=access status=500 xCorrelationId=90e2a321-f522-466f-9ffa-72cbdaa1a576 ....
2024-04-25T10:15:25+00:00 [info] type=access status=500 xCorrelationId=9b1833f5-776b-44c3-92d7-d603abdfecf8 ...

Other Events:

2024-04-25T10:15:24+00:00 xCorrelationId=9b1833f5-776b-44c3-92d7-d603abdfecf8 NoHandlerFoundException: No endpoint GET

My actual intention is to exclude the results from the main search if there is another event with the same correlation-id but containing specific exceptions like "NoHandlerFoundException". That means I need a search per result from the main search. Do you know a solution for this? Thanks!
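The exclusion logic the post asks for, written out as an added Python example (not code from the post or from Splunk): the companion events are scanned once for the listed exceptions, and any main-search result sharing a correlation id with one of them is dropped. The events are constructed samples modelled on the two log formats above.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample events modelled on the two log sources in the post.
ACCESS_EVENTS = [
    "2024-04-25T11:00:26+00:00 [info] type=access status=500 xCorrelationId=90e2a321-f522-466f-9ffa-72cbdaa1a576 path=/api/orders",
    "2024-04-25T10:15:25+00:00 [info] type=access status=500 xCorrelationId=9b1833f5-776b-44c3-92d7-d603abdfecf8 path=/api/nope",
    "2024-04-25T10:20:00+00:00 [info] type=access status=200 xCorrelationId=11111111-2222-3333-4444-555555555555 path=/api/ok",
]
OTHER_EVENTS = [
    "2024-04-25T10:15:24+00:00 xCorrelationId=9b1833f5-776b-44c3-92d7-d603abdfecf8 NoHandlerFoundException: No endpoint GET /api/nope",
    "2024-04-25T11:00:25+00:00 xCorrelationId=90e2a321-f522-466f-9ffa-72cbdaa1a576 NullPointerException: order id missing",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(event: str) -> Dict[str, str]:
    """Pull key=value pairs out of a raw event, like Splunk's automatic KV extraction."""
    return dict(KV_RE.findall(event))


def ids_with_exceptions(events: Iterable[str], exceptions: Iterable[str]) -> Set[str]:
    """Correlation ids whose companion events mention one of the listed exceptions."""
    wanted = tuple(exceptions)
    ids: Set[str] = set()
    for ev in events:
        cid = parse_kv(ev).get("xCorrelationId")
        if cid and any(exc in ev for exc in wanted):
            ids.add(cid)
    return ids


def exclude_correlated(access_events: Iterable[str], other_events: Iterable[str],
                       exceptions: Iterable[str], status: str = "500") -> List[str]:
    """Main-search results (filtered on status) minus those whose correlation id
    also appears with an excluded exception.  This is the same idea as an SPL
    NOT [subsearch ... | fields xCorrelationId] clause, done in one pass here."""
    noisy = ids_with_exceptions(other_events, exceptions)
    kept: List[str] = []
    for ev in access_events:
        kv = parse_kv(ev)
        if kv.get("status") != status:
            continue                     # not part of the main search
        if kv.get("xCorrelationId") in noisy:
            continue                     # correlated with an excluded exception
        kept.append(ev)
    return kept
```

The second access event is dropped because its correlation id also appears with NoHandlerFoundException; the first survives because its companion event carries a different exception.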
It is showing as a green circle at the moment, but it keeps flashing a warning; see screenshot below.
Clicking on the triangle should display explanatory text.  Share that text here if you need help understanding it.
@renjith_nair Thank you for the response. I keep getting check "network internet connection" when I click on the download button and it is failing to download. I was able to download the report once but later I keep getting this error. I know for a fact it is not an internet issue because I am able to download the other panels' data directly when I click the default export button which is there in Splunk. Is it something related to my code?

<row depends="$hide_this_always$">
  <panel>
    <table>
      <search>
        <done>
          <eval token="date">strftime(now(), "%d-%m-%Y")</eval>
          <set token="sid">$job.sid$</set>
        </done>
        <query>index=_internal</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
        <sampleRatio>1</sampleRatio>
      </search>
      <option name="count">20</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="percentagesRow">false</option>
      <option name="refresh.display">progressbar</option>
      <option name="rowNumbers">false</option>
      <option name="totalsRow">false</option>
      <option name="wrap">true</option>
    </table>
  </panel>
</row>
<row>
  <panel>
    <html>
      <a href="/api/search/jobs/$sid$/results?isDownload=true&amp;maxLines=0&amp;count=0&amp;filename=Vulnerability_$date$.csv&amp;outputMode=csv" class="button js-button">Download</a>
      <style>
        .button { background-color: steelblue; border-radius: 5px; color: white; padding: .5em; text-decoration: none; }
        .button:focus, .button:hover { background-color: #2A4E6C; color: White; }
      </style>
    </html>
  </panel>
</row>
Without giving out more information so we can help you (it's better to provide more context as to your issue, screenshots etc.), that said, it sounds like it's related to risky commands. Maybe it's to do with this: https://docs.splunk.com/Documentation/Splunk/9.2.1/Security/SPLsafeguards
BTW I don't know if it's clear, but a) you should be able to find the checkpoint files on disk, but .. b) even if you don't, if you back up $SPLUNK_HOME/var/lib/modinputs I think you effectively back up your checkpoint files.  A bit of interwebs searching ought to confirm this. Also note that the checkpoint files are useless if you are trying to back them up pre-updating (at least if you cross the magical version near 3.10 where it switches from checkpoint files to KV store entries), because you can't slap them into place and expect it to find/use them any more.  It should migrate them during the upgrade, but I'm not sure it'll ever "re-migrate" later if you have to try to restore files into a kvstore based system.  YMMV, etc.
I'm regularly seeing a warning triangle appear; where do I search to find out what is causing this?
I believe that this bug is planned to be fixed in 9.2.2
Can you paste the actual cron entry in here?  From your further description, my guess is that it's just wrong somehow (or at least that's one of a few problems). Also if this is still happening, have you tried the simple expedient of just *changing* the timings to make it come at the time you expect it to come?  I think if you take a careful and measured approach, changing one thing at a time and seeing what effect it has, you'll a) figure it out and b) also figure out *why* it's doing what it's doing.
It sounds like you've done pretty good basic troubleshooting already and confirmed that the data *should* be coming in. So it very well may be, but the reason you can't find it is because the time on the device is off? Maybe it's a week or a day behind, or even worse it's set to next month.  You *could* try searching for its IP address over all time just to see if this is the case.  Maybe it's just that its timezone is mis- or unspecified, and it's showing up always from 4 hours ago so all searches running in timeframes closer to now than 4 hours ago are just missing it.  (E.g. "now" ends up being squirreled away in Splunk as X hours ago, so "last 4 hours" never shows it).   That's my guess, give that a think and a try and see what you find.   Happy Splunking, Rich  
The LINE_BREAKER setting requires a capture group. The group is where events will be split. Try this:

LINE_BREAKER = ()\w{3}\s\d\d:\d\d
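To make the capture-group rule concrete, here is an added Python emulation (not Splunk's code) of how LINE_BREAKER is applied: a new event starts where the first capture group begins, and whatever the group captured is discarded, so the empty group in the reply breaks events at the timestamp without dropping any text. The input stream is a constructed sample whose timestamps match the reply's regex.

```python
import re
from typing import List

# Constructed sample stream: three events, the first one spanning several lines.
# Timestamps are shaped to match the reply's pattern \w{3}\s\d\d:\d\d.
RAW = (
    "Thu 10:15:24 host1 app[12]: request start\n"
    "  stack line 1\n"
    "  stack line 2\n"
    "Thu 10:15:25 host1 app[12]: request done\n"
    "Fri 09:00:01 host2 app[13]: another event\n"
)


def line_break(raw: str, line_breaker: str) -> List[str]:
    """Emulate Splunk's LINE_BREAKER semantics.

    For each regex match, the start of capture group 1 ends the previous event
    and the end of capture group 1 begins the next one; the captured text is
    thrown away.  A pattern without a capture group is rejected, which is the
    mistake the reply above is correcting.
    """
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER needs a capture group marking the break")
    events: List[str] = []
    start = 0
    for m in pattern.finditer(raw):
        if m.start(1) > start:          # text before the break is an event
            events.append(raw[start:m.start(1)])
        start = m.end(1)                # skip over the captured delimiter
    if start < len(raw):
        events.append(raw[start:])      # trailing text is the last event
    return [e.strip("\n") for e in events]
```

Compare with the default `([\r\n]+)`, where the captured newlines are the delimiter and therefore vanish from the events.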
It is unlikely that Splunk is adding them to the data it receives - what is your ingest path, i.e. how does the data get into Splunk and what configuration have you used along the way?
Except that the screen grab you showed is not from this SimpleXML code  
I've no idea where those control characters (\n, \x etc.) are coming from. They are not in the data that the mainframe send to Splunk.
It looks like it is the control characters which are giving you grief. You could try replacing "\x" with "\\x" and then reparsing (with spath) (you may need to remove all the other fields already parsed though)
I've already given all the details & mentioned earlier that I used your method. To be specific, I used this below-mentioned statement in the "timedrop" dropdown change section. But I am still getting the NaN error:

<panel id="pqr">
  <input type="time" token="time">
    <label>DateTime</label>
    <default>
      <earliest>@d</earliest>
      <latest>now</latest>
    </default>
  </input>
</panel>
<panel id="abc">
  <input type="dropdown" token="timedrop">
    <label>Time Dropdown</label>
    <choice value="now">Now</choice>
    <choice value="+3d">3d</choice>
    <choice value="+4d">4d</choice>
    <choice value="+5d">5d</choice>
    <default>now</default>
    <change>
      <eval token="latest_Time">if(isnull('timedrop') or 'timedrop'="now",now(),relative_time(if($time.latest$="now",now(),$time.latest$), $timedrop$))</eval>
    </change>
  </input>
</panel>
All you have shown is a screen grab of something that isn't working, without any detail of what you have actually tried, i.e. the SimpleXML you are using in this instance. Please share some useful information.
| eval devices=mvappend(old_device,new_device) | stats values(user) as users by devices