It's showing as a green circle at the moment, but it keeps flashing a warning; see the screenshot below.
Clicking on the triangle should display explanatory text.  Share that text here if you need help understanding it.
@renjith_nair Thank you for the response. I keep getting "check network internet connection" when I click on the download button and it is failing to download. I was able to download the report once, but later I keep getting this error. I know for a fact it is not an internet issue, because I am able to download the other panels' data directly when I click the default export button that is there in Splunk. Is it something related to my code?

<row depends="$hide_this_always$">
  <panel>
    <table>
      <search>
        <done>
          <eval token="date">strftime(now(), "%d-%m-%Y")</eval>
          <set token="sid">$job.sid$</set>
        </done>
        <query>index=_internal</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
        <sampleRatio>1</sampleRatio>
      </search>
      <option name="count">20</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="percentagesRow">false</option>
      <option name="refresh.display">progressbar</option>
      <option name="rowNumbers">false</option>
      <option name="totalsRow">false</option>
      <option name="wrap">true</option>
    </table>
  </panel>
</row>
<row>
  <panel>
    <html>
      <a href="/api/search/jobs/$sid$/results?isDownload=true&amp;maxLines=0&amp;count=0&amp;filename=Vulnerability_$date$.csv&amp;outputMode=csv" class="button js-button">Download</a>
      <style>
        .button { background-color: steelblue; border-radius: 5px; color: white; padding: .5em; text-decoration: none; }
        .button:focus, .button:hover { background-color: #2A4E6C; color: White; }
      </style>
    </html>
  </panel>
</row>
Without giving out more information so we can help you (it's better to provide more context as to your issue, screenshots etc.)... that said, it sounds like it's related to risky commands. Maybe it's to do with this. https://docs.splunk.com/Documentation/Splunk/9.2.1/Security/SPLsafeguards
BTW I don't know if it's clear, but a) you should be able to find the checkpoint files on disk, but .. b) even if you don't, if you back up $SPLUNK_HOME/var/lib/modinputs I think you effectively back up your checkpoint files.  A bit of interwebs searching ought to confirm this. Also note that the checkpoint files are useless if you are trying to back them up pre-updating (at least if you cross the magical version near 3.10 where it switches from checkpoint files to KV store entries), because you can't slap them into place and expect it to find/use them any more.  It should migrate them during the upgrade, but I'm not sure it'll ever "re-migrate" later if you have to try to restore files into a kvstore based system.  YMMV, etc.
I'm regularly seeing a warning triangle appear; how do I search to find out what is causing this?
I believe that this bug is planned to be fixed in 9.2.2
Can you paste the actual cron entry in here?  From your further description, my guess is that it's just wrong somehow (or at least that's one of a few problems). Also if this is still happening, have you tried the simple expedient of just *changing* the timings to make it come at the time you expect it to come?  I think if you take a careful and measured approach, changing one thing at a time and seeing what effect it has, you'll a) figure it out and b) also figure out *why* it's doing what it's doing.
It sounds like you've done pretty good basic troubleshooting already and confirmed that the data *should* be coming in. So it very well may be, but the reason you can't find it is because the time on the device is off? Maybe it's a week or a day behind, or even worse it's set to next month.  You *could* try searching for its IP address over all time just to see if this is the case.  Maybe it's just that its timezone is mis- or unspecified, and it's showing up always from 4 hours ago so all searches running in timeframes closer to now than 4 hours ago are just missing it.  (E.g. "now" ends up being squirreled away in Splunk as X hours ago, so "last 4 hours" never shows it).   That's my guess, give that a think and a try and see what you find.   Happy Splunking, Rich  
The LINE_BREAKER setting requires a capture group.  The group is where events will be split.  Try this LINE_BREAKER = ()\w{3}\s\d\d:\d\d
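To make the capture-group rule concrete, here is an added Python model of how a LINE_BREAKER splits raw text. This is illustration added to the thread, not Splunk's own code; it assumes the documented behaviour that the text matched by the first capture group is discarded and the event boundary is placed there, and the sample input is constructed.

```python
import re

# The LINE_BREAKER from the reply above: an empty capture group placed just
# before a "Mon 13:35"-style prefix, so the break lands in front of that
# prefix and no text is thrown away.
LINE_BREAKER = r"()\w{3}\s\d\d:\d\d"

# Splunk's default LINE_BREAKER, shown for contrast: here the newline run
# itself is the capture group, so it is consumed as the boundary.
DEFAULT_LINE_BREAKER = r"([\r\n]+)"

# Constructed sample input (not from the thread): two events, the first one
# spanning two physical lines.
SAMPLE = (
    "Mon 13:35 service started\n"
    "second line of same event\n"
    "Tue 09:10 user login ok\n"
)


def has_capture_group(line_breaker: str) -> bool:
    # The check the reply is making: no group, nowhere to put the boundary.
    return re.compile(line_breaker).groups >= 1


def split_events(raw: str, line_breaker: str = LINE_BREAKER) -> list[str]:
    # Split raw text into events the way a LINE_BREAKER does: the text matched
    # by the first capture group is removed and the boundary is placed there.
    # Text before the group stays with the previous event, text after it
    # starts the next one. Empty events are dropped.
    if not has_capture_group(line_breaker):
        raise ValueError("LINE_BREAKER requires a capture group")
    pattern = re.compile(line_breaker)

    events = []
    start = 0
    for match in pattern.finditer(raw):
        cut_start, cut_end = match.span(1)
        chunk = raw[start:cut_start].strip("\r\n")
        if chunk:
            events.append(chunk)
        start = cut_end
    tail = raw[start:].strip("\r\n")
    if tail:
        events.append(tail)
    return events


if __name__ == "__main__":
    for event in split_events(SAMPLE):
        print(repr(event))
```

Run with the reply's regex the sample yields two events, the first keeping its continuation line; run with the default breaker every physical line becomes its own event, which is exactly the behaviour the poster is trying to get away from.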
It is unlikely that Splunk is adding them to the data it receives - what is your ingest path, i.e. how does the data get into Splunk and what configuration have you used along the way?
Except that the screen grab you showed is not from this SimpleXML code  
I've no idea where those control characters (\n, \x etc.) are coming from. They are not in the data that the mainframe sends to Splunk.
It looks like it is the control characters which are giving you grief. You could try replacing "\x" with "\\x" and then reparsing (with spath) (you may need to remove all the other fields already parsed though)
I've already given all the details & mentioned earlier that I used your method. To be specific, I used this statement below in the "timedrop" dropdown change section. But I am still getting the NaN error.

<panel id="pqr">
  <input type="time" token="time">
    <label>DateTime</label>
    <default>
      <earliest>@d</earliest>
      <latest>now</latest>
    </default>
  </input>
</panel>
<panel id="abc">
  <input type="dropdown" token="timedrop">
    <label>Time Dropdown</label>
    <choice value="now">Now</choice>
    <choice value="+3d">3d</choice>
    <choice value="+4d">4d</choice>
    <choice value="+5d">5d</choice>
    <default>now</default>
    <change>
      <eval token="latest_Time">if(isnull('timedrop') or 'timedrop'="now",now(),relative_time(if($time.latest$="now",now(),$time.latest$), $timedrop$))</eval>
    </change>
  </input>
</panel>
All you have shown is a screen grab of something that isn't working without any detail of what you have actually tried i.e. the SimpleXML you are using in this instance. Please share some useful information.
| eval devices=mvappend(old_device,new_device) | stats values(user) as users by devices
I have 2 events from a mainframe running z/OS (not sure that affects things):

1. {"MFSOURCETYPE":"SYSLOG","DATETIME":"2024-04-24 13:35:18.05 +0100","SYSLOGSYSTEMNAME":"A090","JOBID":"STC15694","JOBNAME":"RDSONLVP","SYSPLEX":"UKPPLX01","ACTION":"INFORMATIONAL","MSGNUM":"IEF234E","MSGTXT":"IEF234E K 449F,JE5207,PVT,RDSONLVP,RDSONLVP","MSGREQTYPE":""}

2. {"MFSOURCETYPE":"SYSLOG","DATETIME":"2024-04-24 13:34:47.92 +0100","SYSLOGSYSTEMNAME":"A090","JOBID":"STC15694","JOBNAME":"RDSONLVP","SYSPLEX":"UKPPLX01","CONSOLE":"INTERNAL","ACTION":"INFORMATIONAL","MSGNUM":"IEC147I","MSGTXT":"IEC147I 613-04,IFG0195B,RDSONLVP,RDSONLVP,IIII4004,449F,JE5207,\nRDS.VPLS.PDLY0001.PFDRL.U142530.E240220\x9C\n \x80\x80","MSGREQTYPE":""}

For event 1, everything works as it should. For event 2, the MSGTXT field is coming up blank. I thought that the MSGTXT field might be populated and just not displaying because of the control characters (the mainframe doesn't use these, so not sure where they are coming from), but running rex against MSGTXT or substr still gives me nothing. Adding the search command rex "MSGTXT(?<msgtext>.+):" does create a msgtext field with the MSGTXT plus a few more characters: ":"IEC147I 613-04,IFG0195B,RDSONLVP,RDSONLVP,IIII4004,449F,JE5207,\nRDS.VPLS.PDLY0001.PFDRL.U142530.E240220\x9C\n \x80\x80","MSGREQTYPE" , so the data is in the event to be extracted. I can work with this to extract the comma-delimited field that I actually want, but it's a pain having to process this particular MSGNUM (IEC147I) differently. Any suggestions as to how to go about getting these events parsed correctly? Thanks, Steve
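Added example, not from either poster, tying together the question above and the earlier reply that suggested replacing "\x" with "\\x" before reparsing: \x9C is a legal escape in C or Python string literals but not in JSON, so a strict JSON parser rejects the whole object, and the fix is to escape the stray backslash so the text survives as literal characters. The two events are the ones quoted in the question; the repair regex and the comma-split helper are Python written for illustration and are assumptions, not spath or the poster's own search.

```python
import json
import re

# Event 1 and event 2 exactly as posted in the question (copied from the thread).
EVENT1 = r'''{"MFSOURCETYPE":"SYSLOG","DATETIME":"2024-04-24 13:35:18.05 +0100","SYSLOGSYSTEMNAME":"A090","JOBID":"STC15694","JOBNAME":"RDSONLVP","SYSPLEX":"UKPPLX01","ACTION":"INFORMATIONAL","MSGNUM":"IEF234E","MSGTXT":"IEF234E K 449F,JE5207,PVT,RDSONLVP,RDSONLVP","MSGREQTYPE":""}'''
EVENT2 = r'''{"MFSOURCETYPE":"SYSLOG","DATETIME":"2024-04-24 13:34:47.92 +0100","SYSLOGSYSTEMNAME":"A090","JOBID":"STC15694","JOBNAME":"RDSONLVP","SYSPLEX":"UKPPLX01","CONSOLE":"INTERNAL","ACTION":"INFORMATIONAL","MSGNUM":"IEC147I","MSGTXT":"IEC147I 613-04,IFG0195B,RDSONLVP,RDSONLVP,IIII4004,449F,JE5207,\nRDS.VPLS.PDLY0001.PFDRL.U142530.E240220\x9C\n \x80\x80","MSGREQTYPE":""}'''

# Either an already-doubled backslash (consumed as a pair and left alone) or a
# lone backslash NOT followed by one of the escapes JSON allows: " \ / b f n r t u.
# "\x9C" is the second case: a backslash followed by x, which JSON has no rule for.
ESCAPE = re.compile(r'\\\\|\\(?!["\\/bfnrtu])')

# Literal backslash-x-hex-hex leftovers after the repair: the trailing bytes
# the mainframe side appends, which carry no field content.
HEX_JUNK = re.compile(r"\\x[0-9A-Fa-f]{2}")


def is_valid_json(raw: str) -> bool:
    try:
        json.loads(raw)
        return True
    except json.JSONDecodeError:
        return False


def repair_invalid_escapes(raw: str) -> str:
    # Both alternatives of ESCAPE are rewritten to two backslashes: a pair
    # stays a pair, a lone illegal backslash is doubled. This is the reply's
    # "\x" -> "\\x" replacement generalised to any illegal escape.
    return ESCAPE.sub(r"\\\\", raw)


def parse_event(raw: str) -> dict:
    # Parse strictly first; fall back to the repaired text only when needed,
    # so well-formed events such as event 1 are never touched.
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return json.loads(repair_invalid_escapes(raw))


def msgtxt_fields(event: dict) -> list[str]:
    # Drop the hex leftovers, then split MSGTXT on commas; strip() removes the
    # embedded newlines that surround the dataset name in event 2.
    text = HEX_JUNK.sub("", event.get("MSGTXT", ""))
    return [field.strip() for field in text.split(",")]


if __name__ == "__main__":
    for raw in (EVENT1, EVENT2):
        print("strict parse ok:", is_valid_json(raw))
        event = parse_event(raw)
        print(event["MSGNUM"], msgtxt_fields(event))
```

The strict parse succeeds for event 1 and fails for event 2; after the repair both parse, and the dataset name that the poster actually wants comes out as the last comma-delimited field of MSGTXT. Doing the same escaping in Splunk before spath is the equivalent move; the point the example makes is that the failure is in the JSON grammar, not in the field extraction.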
Tried this method but for some reason I still see the same error.   
Hi @gcusello, I have the Event 4776 occurring often, but I have nothing in the table (see attached PDF). The alert I want is a mail when the Event 4776 is not occurring on one of the Domain Controllers. For example, if I don't have the event for 2 minutes, this is critical. So in Alert, I want a mail when the last Event occurred more than 2 minutes ago, for example. Or a message if I don't have the Event for 2 minutes. Thanks for the detail regarding the Alert parameters in Splunk.
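An added example (Python written for this thread, not the poster's SPL or alert configuration) of the check being asked for: per domain controller, how long since the last Event 4776, flagging anything older than two minutes. The event list, timestamps and DC names are constructed. The case it deliberately covers is a controller that sends nothing at all, which can never appear in a table built only from the events that did arrive and so has to be compared against a known inventory.

```python
from datetime import datetime, timezone

# Constructed sample events (not from the thread): (UTC timestamp, host, EventCode).
SAMPLE_EVENTS = [
    ("2024-04-24T13:39:30", "DC01", 4776),
    ("2024-04-24T13:38:10", "DC01", 4776),
    ("2024-04-24T13:35:00", "DC02", 4776),   # five minutes old: too quiet
    ("2024-04-24T13:39:50", "DC03", 4624),   # a logon, not a 4776: must not count
]
# Assumed inventory of the controllers that should all be producing 4776s.
EXPECTED_DCS = ["DC01", "DC02", "DC03"]
# Fixed "now" so the example is reproducible offline.
NOW = datetime(2024, 4, 24, 13, 40, 0, tzinfo=timezone.utc)


def last_seen(events, event_code=4776):
    # Latest timestamp of the wanted event code per host. Hosts with no such
    # event are simply absent from the result, which is the trap: a silent
    # DC does not produce a row, so it cannot be found in this dict alone.
    seen = {}
    for ts, host, code in events:
        if code != event_code:
            continue
        when = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        if host not in seen or when > seen[host]:
            seen[host] = when
    return seen


def stale_controllers(events, expected_hosts, now, threshold_seconds=120, event_code=4776):
    # Returns {host: seconds since last event}; a value of None means the host
    # sent no such event at all. Hosts within the threshold are omitted.
    seen = last_seen(events, event_code)
    stale = {}
    for host in expected_hosts:
        if host not in seen:
            stale[host] = None
            continue
        age = (now - seen[host]).total_seconds()
        if age > threshold_seconds:
            stale[host] = age
    return stale


def alert_lines(stale):
    # One mail-body line per problem controller, in a stable order.
    lines = []
    for host, age in sorted(stale.items()):
        if age is None:
            lines.append(f"{host}: no Event 4776 seen at all")
        else:
            lines.append(f"{host}: last Event 4776 was {int(age)} seconds ago")
    return lines


if __name__ == "__main__":
    for line in alert_lines(stale_controllers(SAMPLE_EVENTS, EXPECTED_DCS, NOW)):
        print(line)
```

On the sample, DC01 is healthy and is not reported, DC02 is reported with its age, and DC03 is reported as having no 4776 at all even though it did send a different event. The same two-sided logic applies in a scheduled search: a stats-by-host result only lists hosts that produced events, so the "missing entirely" case needs the expected host list (for instance a lookup) joined in before the age comparison.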