Did you manage to get a solution for this? For me as well this fails. The relative form works, like -1d and so on, but this does not: MM/dd/yyyy':'HH:mm:ss
Hello guys.... I have this task to investigate why indexes roll off data before the retention age. From my findings, it shows the number of warm buckets was exceeded. Here's what the index configuration looks like. How can I fix this?

[wall]
repFactor = auto
coldPath = volume:cold/customer/wall/colddb
homePath = volume:hot_warm/customer/wall/db
thawedPath = /splunk/data/cold/customer/wall/thaweddb
frozenTimePeriodInSecs = 34186680
maxHotBuckets = 10
maxTotalDataSizeMB = 400000
</input>
<input type="dropdown" token="BankApp" searchWhenChanged="true" depends="$BankDropDown$">
  <label>ApplicationName</label>
  <choice value="*">All</choice>
  <search>
    <query>| inputlookup BankIntegration.csv | dedup applicationName | sort applicationName | table applicationName</query>
  </search>
  <fieldForLabel>applicationName</fieldForLabel>
  <fieldForValue>applicationName</fieldForValue>
  <default>*</default>
  <prefix>applicationName="</prefix>
  <suffix>"</suffix>
</input>
<input type="dropdown" token="interface" searchWhenChanged="true" depends="$BankDropDown$">
  <label>InterfaceName</label>
  <choice value="*">All</choice>
  <search>
    <query>| inputlookup BankIntegration.csv | search $BankApp$ | sort InterfaceName | table InterfaceName</query>
  </search>
  <fieldForLabel>InterfaceName</fieldForLabel>
  <fieldForValue>InterfaceName</fieldForValue>
  <default>*</default>
  <prefix>InterfaceName="</prefix>
  <suffix>"</suffix>
</input>

Query:
index=mulesoft environment=PRD $BankApp$ OR (priority="ERROR" OR priority="WARN")
| stats values(*) as * by correlationId
| rename content.InterfaceName as InterfaceName content.FileList{} as FileList content.Filename as FileName content.ErrorMsg as ErrorMsg
| eval Status=case(priority="ERROR","ERROR",priority="WARN","WARN",priority!="ERROR","SUCCESS")
| fields Status InterfaceName applicationName FileList FileName correlationId ErrorMsg message
| where $interface$ AND isnotnull(FileList)
| sort -timestamp

If I select All in the dropdown, the particular values of the inputlookup file fields and data should be shown. If it's *, then it shows all the values. This is the query with which I am trying to achieve this.
As you have a valid license, just ask for an unlock license from the same source you got your normal license from.
Thanks.
You should replace the version number with the word "latest" and then you will get the latest version of those documents.
Hi @Simon.Rajanpaul, Thank you so much for coming back many months later and sharing a solution. I love to see it!
Hi @karthi2809, this is a new question; even if it is on the same topic, it's always better to open a new question to get a quicker and probably better answer. Anyway, first, don't use the search command after the main search, because your search will be slower. Then, I again see a different field name than the one in the input; which is the correct one? Could you share your search with the tokens? Ciao. Giuseppe
@agdk If you're observing bucket downloads from S3 unexpectedly, it might be worth investigating further. Verify that your SmartStore configuration is correctly set up. Ensure that the cache and cold storage volumes are properly configured. Confirm that the space padding setting is appropriately adjusted to avoid unnecessary eviction. https://docs.splunk.com/Documentation/Splunk/latest/Indexer/TroubleshootSmartStore?_gl=1*j14jj0*_ga*OTg0MDQwNjU1LjE3MDM5Mjc3Mzk.*_ga_GS7YF8S63Y*MTcxMzU0MDI0NC4zOC4xLjE3MTM1NDIxMzUuNjAuMC4w*_ga_5EPM2P39FV*MTcxMzU0MDIyNi40MC4xLjE3MTM1NDIxMzUuMC4wLjgyOTY2NTcwNw..&_ga=2.163511419.633269778.1713540226-984040655.1703927739#Troubleshoot_with_REST_searches
@gcusello It's working now. One more detail that I want to know: if I select a particular value for applicationName and InterfaceName, the value is coming, but if I use All with * it's not showing any data. How can we add all (*)? Instead of *, how do we add all the data in applicationName and InterfaceName, for example | search applicationName IN (p-oracle-fin-processor,p-oracle-fin-processor-2 , p-wd-finance-api), like this? I will paste my query.

index=mulesoft environment=*
| search applicationName IN (p-oracle-fin-processor,p-oracle-fin-processor-2 , p-wd-finance-api) OR (priority="ERROR" OR priority="WARN")
| stats values(*) as * by correlationId
| rename content.InterfaceName as InterfaceName content.FileList{} as FileList content.Filename as FileName content.ErrorMsg as ErrorMsg
| eval Status=case(priority="ERROR","ERROR",priority="WARN","WARN",priority!="ERROR","SUCCESS")
| fields Status InterfaceName applicationName FileList FileName correlationId ErrorMsg message
| where InterfaceName="APEX_VENDOR_PORTAL_AP_SUPPLIERS_OUT" AND isnotnull(FileList)
| sort -timestamp
Try something like this

| search ("<--- TRN:" OR "---> TRN:" OR "===> TRN@")
| eval field=split(source,"/")
| eval Instance=mvindex(field,4)
| rex "(?<direction>[<\->]+) TRN[^:]*:\s+(?<TRN>\S+)"
| rex " ===>.+\[Priority=(?<Priority>\w+)"
| rex "(?<App>\w+) sent to"
| eval get=if(direction="<---","get",null())
| eval put=if(direction="--->","put",null())
| stats values(get) as get values(put) as put values(Priority) as Priority values(App) as App by TRN Instance
| where Priority="$token$"
| chart count(get) as Testget count(put) as Testput count(eval(App=="AP")) as AP count(eval(App=="AH")) as AH count(eval(App=="MP")) as MP by Instance
| eval Pending = Testget - (AP + AH)
@keneyfofe Have you checked splunkd.log? Check the link below for reference. https://community.splunk.com/t5/Splunk-Enterprise/SplunkUI-app-list-error-V9-1-0-1-SVA-S1-lab-instance/m-p/651872 If this helps, please upvote or accept the solution.
@jppasnak The Splunk team confirmed that this is a bug in Splunk version 9.2.x. The Splunk Dev team is working on it. We can wait until they release a fixed version. You should create a support/bug ticket with Splunk Support. ** If this helps, please upvote or accept the solution. **
| xyseries guid property value
Having trouble integrating SentinelOne App for Splunk (v5.1 & 5.2) - "cannot unpack non-iterable NoneType object" & Authentication Failed. I'm encountering errors while integrating the SentinelOne App for Splunk on both versions 5.1 and 5.2. I've followed the official documentation (please specify which documentation if available) for API integration and configured everything within the app, including sourcetypes ("activities", "threats", "Activities", "Application", etc.). When searching events for SentinelOne, I am seeing the following errors:

error_message="cannot unpack non-iterable NoneType object" error_type="<class 'TypeError'>" error_arguments="cannot unpack non-iterable NoneType object" error_filename="s1_client.py" error_line_number="496" input_guid="6xxxxxb-8xxxc-e531-e6x8-4xxxaf" input_name="edr-activities"

error_message="[{'code': 4010010, 'detail': None, 'title': 'Authentication Failed'}]" error_type="<class 'management.mgmtsdk_v2.exceptions.UnauthorizedException'>" error_arguments="[{'code': 4010010, 'detail': None, 'title': 'Authentication Failed'}]" error_filename="s1_client.py" error_line_number="188" input_guid="6xxxxx-8xxx-exxx-xxx78-4xxxxxaf" input_name="edr-activities"

@sentinelone App - https://splunkbase.splunk.com/app/5433
Hello, I have a list of events structured with the following fields: guid (unique id), property (name of a property), value (value linked to the property name). I have 4 specific properties that I receive separately on different events, and the key to consolidate the property/value information is the guid. I make a search => search xxx | table guid, property, value and I am able to get all the events in a table this way:

guid  property  value
1     start     1
1     end       2
1     duration  1
1     status    OK
2     start     1
2     end       3
2     duration  2
2     status    KO

I try to transpose the result this way => search xxx | table guid, property, value | transpose 0 header_field="property" to have a result like this:

guid  start  end  duration  status
1     1      2    1         OK
2     1      3    2         KO

but the result is not good. Is there a way to easily search and display this kind of structured event in a readable table? Another need: how do I simply display the status and duration by guid? Thanks for your help. Regards, Laurent
We currently have a report that is emailed on a nightly basis. It sends an email with an attachment that includes an XLS and a PDF that contains the XLS. The PDF exports as expected, but when Splunk emails the PDF, it says "No Matching Events found". When we send the XLS as part of the communication, it contains the contents of the report as expected. It was working fine up until a few weeks back; then the PDF stopped producing results while the XLS continues to function as expected. I have searched the logs and have found no errors that would prevent the report from being generated, and I am not sure where to look at this point to determine why the PDF is not producing results. Splunk Cloud Version: 9.1.2308.203 build d153a0fad666
@ravir_jbp, Did you try fillnull https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fillnull OR replace, in case it's a literal value NULL https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Replace
Hi @karthi2809, there's a strange thing in your inputs: in the search you have the field APPLICATION_NAME, but in fieldForLabel you have a different field, ApplicationName, and in prefix another one, applicationName. Same thing in the second input. What's the field name? You must use the same one in all the above tags. You can have different values between fieldForLabel and fieldForValue if you have two fields in the search, but you have only one. So what's the correct one? Supposing that the correct one is the one in uppercase, please try this:

<input type="dropdown" token="BankApp" searchWhenChanged="true" depends="$BankDropDown$">
  <label>ApplicationName</label>
  <choice value="*">All</choice>
  <search>
    <query>| inputlookup BankIntegration.csv | dedup APPLICATION_NAME | sort APPLICATION_NAME | table APPLICATION_NAME</query>
  </search>
  <fieldForLabel>APPLICATION_NAME</fieldForLabel>
  <fieldForValue>APPLICATION_NAME</fieldForValue>
  <default>*</default>
  <prefix>APPLICATION_NAME="</prefix>
  <suffix>"</suffix>
</input>
<input type="dropdown" token="interface" searchWhenChanged="true" depends="$BankDropDown$">
  <label>InterfaceName</label>
  <choice value="*">All</choice>
  <search>
    <query>| inputlookup BankIntegration.csv | search $BankApp$ | sort INTERFACE_NAME | table INTERFACE_NAME</query>
  </search>
  <fieldForLabel>INTERFACE_NAME</fieldForLabel>
  <fieldForValue>INTERFACE_NAME</fieldForValue>
  <default>*</default>
  <prefix>INTERFACE_NAME="</prefix>
  <suffix>"</suffix>
</input>

Then, do your inputs run without the depends condition? Ciao. Giuseppe
Hi All, I am using a dependent dropdown in my Splunk dashboard, but the second dropdown is not working. Could you please tell me what the exact error is? A screenshot is attached, and my inputlookup has the values below.

<input type="dropdown" token="BankApp" searchWhenChanged="true" depends="$BankDropDown$">
  <label>ApplicationName</label>
  <choice value="*">All</choice>
  <search>
    <query>| inputlookup BankIntegration.csv | dedup APPLICATION_NAME | sort APPLICATION_NAME | table APPLICATION_NAME</query>
  </search>
  <fieldForLabel>ApplicationName</fieldForLabel>
  <fieldForValue>APPLICATION_NAME</fieldForValue>
  <default>*</default>
  <prefix>applicationName="</prefix>
  <suffix>"</suffix>
</input>
<input type="dropdown" token="interface" searchWhenChanged="true" depends="$BankDropDown$">
  <label>InterfaceName</label>
  <choice value="*">All</choice>
  <search>
    <query>| inputlookup BankIntegration.csv | search $BankApp$ | sort INTERFACE_NAME | table INTERFACE_NAME</query>
  </search>
  <fieldForLabel>InterfaceName</fieldForLabel>
  <fieldForValue>INTERFACE_NAME</fieldForValue>
  <default>*</default>
  <prefix>InterfaceName="</prefix>
  <suffix>"</suffix>
</input>

APPLICATION_NAME          INTERFACE_NAME
p-oracle-fin-processor-2  HSBC_NA_AP_ACH
p-oracle-fin-processor    USBANK_AP_ACH
p-oracle-fin-processor-2  AMEX_AP_GL1025_PCARD_CCTRANS
p-oracle-api              APEX_VENDORPORTAL_HR_APO_EMPLOYEE_OUT
p-oracle-fin-processor-2  AVALARA_TAX_VAT_REPORTING
p-oracle-fin-processor-2  BOA_KING_KYRIBA_CE_BANKSTMTS_BFA_GLOBAL
p-oracle-fin-processor-2  HSBC_APAC_CE_BANKSTMTS
p-oracle-fin-processor-2  HSBC_NA_CE_BANKSTMTS