All Posts
Hi @Devi13, what do you mean by "respective time"? If you mean time info about the search (e.g. min_time, max_time, search execution_time, etc.) you could add "| addinfo" at the end of your search and choose the info you want. For more info see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addinfo Ciao. Giuseppe
index=abc host IN () | stats max(response_time) as "Maximum Response Time" by URL | sort - "Maximum Response Time"

I need to add the respective time for the maximum response time along with the stats. Could you please help?
Hi @arungoy, yes, Universal Forwarder 9.0 is fully compatible with Splunk Enterprise 9.2, as you can read at https://docs.splunk.com/Documentation/VersionCompatibility/current/Matrix/Compatibilitybetweenforwardersandindexers Ciao. Giuseppe
Have you found the answer to solve this?
Hi @Roy_9, you shared too little information to help you: Which kind of scripts are you speaking of? Which OS are you using? Do you have a clustered or stand-alone SH? Why do you want to execute these scripts on the SH? Ciao. Giuseppe
Hi @renjith_nair. Thank you, but it's not what I am looking for. I have a column chart to visualize the status of requests to a website. Each time the dashboard is refreshed, the number of statuses displayed changes and the color of the columns may change. How can I configure a fixed color for each status value?
It's too long to paste here.
Hi, currently we are running Splunk Enterprise and Universal Forwarder version 9.0, but now we need to upgrade to the latest version. Is it possible for the Splunk Enterprise and UF versions to be different, like Splunk Enterprise on 9.1 and UF on 9.0? Or should both be on the same version? From version 9.0, should we go with 9.1 or 9.2? Thanks in advance for your kind advice and guidance on it. -AK
@ITWhisperer, I considered 1,0 and put a condition like this. But still I am not able to set the token. Is this implementation correct?

<done>
  <condition match="match(has_runtime,&quot;1&quot;)">
    <set token="tok_runtime">true</set>
  </condition>
  <condition match="match(has_runtime,&quot;0&quot;)">
    <unset token="tok_runtime"></unset>
  </condition>
</done>
Hi @GaryZ, as far as I understand, this is not possible with Dashboard Studio, so the best solution would be to have both charts there, but only one displaying depending on the token. However, you can do it with Classic Dashboards (i.e. Simple XML dashboards). Here's an example:

<form version="1.1" theme="light">
  <label>Splunk answers</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="chart" searchWhenChanged="true">
      <label>Chart Style</label>
      <choice value="line">Line Chart</choice>
      <choice value="column">Bar Chart</choice>
      <default>line</default>
      <initialValue>line</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Chart</title>
      <chart>
        <search>
          <query>| gentimes start=-20 | eval sample=random()%100 | eval _time = starttime | timechart span=1d max(sample) as value</query>
          <earliest>-20d@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">$chart$</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>

The trick here is to create a token with the value of the chart you'd like to show ("line" or "column") and then use that token in the XML:

<option name="charting.chart">$chart$</option>

This might get annoying to develop though, as you can't edit the chart while this value is set. You can always change it while editing and then change it back when you're done.
Thanks, Tejas and Rich...   Very much appreciated.
And if you then want to make that a bar chart, replace the "| fields - c" at the end with:

| fields myFIELD
| mvexpand myFIELD
| eval count=tonumber(myFIELD)
Quite literally:

| makeresults
| fields - _time
| eval min = 0.442
| eval max = 0.507
| eval mean = 0.4835625
| eval stdev = 0.014440074377630105
| eval count = 128
| eval pi = 3.141592653589793238462
| eval min = printf("%.3f", mean - 3.0 * stdev) ``` use printf as a rounding function ```
| eval max = printf("%.3f", mean + 3.0 * stdev)
| eval x = min
| eval interval = (max - min) / (count - 1)
| eval c = mvrange(0, count, 1)
| foreach c mode=multivalue
    [ | eval y = (1.0 / (stdev * sqrt(2.0 * pi))) * exp(-0.5 * (pow(((x - mean) / stdev), 2))),
        myFIELD = mvappend(myFIELD, printf("%.3d", y)),
        x = x + interval ]
| fields - c
Yes, it's very easy. Just edit the chart type setting in the XML to use a token and then in your input give the appropriate options, e.g.

<panel>
  <input type="dropdown" token="viz_type" searchWhenChanged="true">
    <label>What viz type</label>
    <choice value="pie">Pie</choice>
    <choice value="bar">Bar</choice>
    <choice value="line">Line</choice>
    <choice value="column">Column</choice>
  </input>
  <chart>
    <search>
      <query>
        | makeresults count=5000
        | eval car=mvindex(split("Volvo,Mercedes,VW,Porsche",","),random() % 4)
        | stats count by car
      </query>
    </search>
    <option name="charting.chart">$viz_type$</option>
    <option name="charting.drilldown">all</option>
  </chart>
</panel>
What's your SPL?
I am not sure how you managed to create that, because that XML is completely broken and is not a valid dashboard. Your <choice> values are not valid XML, e.g. you can't have value=multiple quoted strings:

<choice value="appdev1host","logdev1host","cordev1host">DEV1</choice>

Why don't you just make your choice value something like

<choice value="*dev1host">DEV1</choice>

and so on. Also, not sure what you are trying to achieve with your SPL - are "Total count" and "Incoming count" fields in your data? Using appendcols is not a good technique, as you are repeating almost the identical search, which is not necessary. If you want to share an example of your data I can help suggest a correct search.
summaryindex and collect are synonyms - I believe summaryindex is just an alias for the documented collect command. Your understanding is correct re the two searches. (1) happens before (2), and (2) can be done as often as needed in the same day until (1) happens again the following day. That link is about moving existing CSV contents to KV store. You don't need a CSV to get data to a lookup. You can simply

search data | outputlookup kv_store_lookup

Note that a KV store lookup is a lookup definition, not a lookup table file. A CSV is a lookup table file, but can also have a definition associated with it (and it's good practice), whereas a KV store lookup definition just requires the definition and an associated collection to be defined. You can create collections using the Splunk app for lookup editing: https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/DefineaKVStorelookupinSplunkWeb
Good morning, I am currently instructing the Cluster Admin course, and a student has asked a question which, to my great surprise, doesn't seem to be covered anywhere. They have an indexer cluster and SHC on a single site, and they want to shut down everything for a planned power outage in their data centre.

What is the correct sequence and commands for doing this? My own guesses are:

1. Shut down everything that is sending data to Splunk first.
2. Place the indexer cluster in maintenance mode.
3. Shut down the deployment server if in use.
4. Shut down the SHC deployer (splunk stop).
5. Shut down the SHC members (splunk stop?).
6. Shut down the indexer members (? not sure which variant of the commands to use here).
7. Shut down the cluster master last.

Restart is the reverse order. Correct or not? Thank you, Charles
Hi, I am facing an executable permission issue for a few scripts of a Splunk app and seeing these errors on various search heads. What is the best way to fix it? Can someone help me with the script or a fix if you have ever come across this? Thanks in advance.
Can you illustrate how you obtain incomingcount rejectedcount invalidcount topcount trmpcount topiccount? As a habit, always share how the data looks. If you just count stuff, there should be no "empty" column. (Also, are you asking about an empty row or an empty column?) For example, if you have this data set

Application  incoming  invalid    rejected  top          trmp  topic
Login        come      something            some other
Login                  some more            some stuff
Login                                       stuff stuff
Success      come in                        more stuff

and you use this to produce those count columns

| stats count(incoming) as incomingcount count(rejected) as rejectedcount count(invalid) as invalidcount count(top) as topcount count(trmp) as trmpcount count(topic) as topiccount by Application

Splunk should give you

Application  incomingcount  rejectedcount  invalidcount  topcount  trmpcount  topiccount
Login        1              0              2             3         0          0
Success      1              0              0             1         0          0

Here is my data emulation to produce that mock input.

| makeresults format=csv data="Application, incoming, rejected, invalid, top, trmp, topic
Login, come, , something, some other
Login, , , some more, some stuff
Login, , , , stuff stuff
Success, come in, , , more stuff"