All Posts

So you have previous alerts which send email successfully, but when you make new alerts, they do not send email?
Assuming you are only cim-normalizing Change->Account Management, you could filter the logs to object_type=user.

Make an eventtype with search string:

<yoursearch> | search object_type=user

(Or put the above search filter in the first line of your search.)

And set the tags to "change,account".

Then you can make the action field cim-compliant by making a calculated field:

Name: action
Eval expression: case(action="create","created",action="delete","deleted",1=1,action)
I am getting a message that our splunk certificate is expired when I scan our systems. However, I cannot find the certificate anywhere in Windows Certificates. I also searched C:\Program Files\Splunk\etc\auth\mycerts and it is empty. I also checked the config in \Splunk\etc\system\local and the web config doesn't have anything about a cert in there. How can I find this cert and where is it coming from? It's on our web port.
I am trying to set some token values when a dashboard loads or when the page is refreshed. The documentation gives the following example:

"defaults": {
  "dataSources": {
    "ds.search": {
      "options": {
        "queryParameters": {
          "latest": "$global_time.latest$",
          "earliest": "$global_time.earliest$"
        }
      }
    }
  },
  "tokens": {
    "default": {
      "tokenName": {
        "value": "1986"
      }
    }
  }
},

This is my code:

"defaults": {
  "dataSources": {
    "ds.search": {
      "options": {
        "queryParameters": {
          "latest": "$global_time.latest$",
          "earliest": "$global_time.earliest$"
        }
      }
    }
  },
  "tokens": {
    "default": {
      "Slot1_TailNum": {
        "value": "false"
      }
    }
  }
},

Which is not working. I am using the "Interactions" Set tokens to set the value of the "Slot1_TailNum" token to something other than false to hide/show a table, which works fine. However, when reloading the Dashboard or refreshing the page the table is still displayed; it does not seem to be setting the value to false when loading. Any help would be greatly appreciated, I can run a zoom if required if you want/need to see.

Thanks
David
We want to add a host drop down in a dashboard. Please find the host details below.

dev1: appdev1host, logdev1host, cordev1host
dev2: appdev2host, logdev2host, cordev2host
dev3: appdev3host, logdev3host, cordev4host
dev4: appdev4host, logdev4host, cordev4host
sit1: appsit1host, logsit1host, corsit1host
sit2: appsit2host, logsit2host, corsit2host
sit3: appsit3host, logsit3host, corsit3host
sit4: appsit4host, logsit4host, corsit4host

The drop down in the dashboard should have only 8 drop downs. For example: if I choose dev1 it should capture all the hosts mentioned for dev1 (appdev1host, logdev1host, cordev1host).

dev1
dev2
dev3
dev4
sit1
sit2
sit3
sit4
I have some JSON output that is in key value structure (protobuf3 formatted--this is OTLP data going into Splunk Enterprise events) and it has multiple values in each field. There are multiple key value attributes stored under an attributes parent, and then its fields are under a metric parent. I want to take the host.name attribute and map it to every metrics value I see. Here is a working example of the raw json:

{
  "resourceMetrics": [
    {
      "resource": {
        "attributes": [
          { "key": "host.name", "value": { "stringValue": "myname1" } },
          { "key": "telemetry.sdk.name", "value": { "stringValue": "my_sdk" } }
        ]
      },
      "scopeMetrics": [
        {
          "metrics": [
            {
              "name": "hw.host.energy",
              "gauge": { "dataPoints": [ { "timeUnixNano": "1712951030986039000", "asDouble": 359 } ] }
            },
            {
              "name": "hw.host.power",
              "gauge": { "dataPoints": [ { "timeUnixNano": "1712951030986039000", "asDouble": 26 } ] }
            }
          ]
        }
      ]
    },
    {
      "resource": {
        "attributes": [
          { "key": "host.name", "value": { "stringValue": "myname2" } },
          { "key": "telemetry.sdk.name", "value": { "stringValue": "my_sdk" } }
        ]
      },
      "scopeMetrics": [
        {
          "metrics": [
            {
              "name": "hw.host.energy",
              "gauge": { "dataPoints": [ { "timeUnixNano": "1712951030987780000", "asDouble": 211 } ] }
            }
          ]
        }
      ]
    }
  ]
}

There may be multiple attributes, in various order, but I am only interested in grabbing the host.name value from there, and then associating host.name to all metrics under the metrics parent within the resource parent. The metrics parent may contain multiple metrics in the array. And then new resources (with new host.name and new metrics) would show up as the next resource entry in the resources array.
So what I want is something like this in a row-based format of host.name.value > metric:

host.name          metric
host.name,myname1  hw.host.energy,359
host.name,myname1  hw.host.power,26
host.name,myname2  hw.host.energy,211

The problem I am having is I don't want the other attributes from the attribute parent, which in the example is the telemetry.sdk.name key and value. But since they are there, I can't figure out how to zip and expand properly, as the telemetry.sdk.name value gets associated to legit metrics, looking something like below, which would mean if I drop row 2 I lose the power metric = 26 for myname1. Parsing some spaths, the structure looks something like this:

attr_zip                   metric_zip
host.name,myname1          hw.host.energy,359
telemetry.sdk.name,my_sdk  hw.host.power,26
host.name,myname2          hw.host.energy,211
telemetry.sdk.name,my_sdk

I looked at mvfilter but can't seem to find a way to handle a variable amount of attributes that may show up in the left column attr_zip, as it seems I need to know how many values I fill down in the field, and I am not sure how to get a count of the values from the right column metric_zip to know how many values down in attr_zip to fill. In JSON, all the metrics values share the same resource so I should logically be able to reference the parent resource.attribute.host.name.value, and concatenate that to every metric value.

Here's my current SPL, where I can get the columns concatenated properly, but would need to drop the rows in attr_zip that don't match the key of host.name:

| spath output=host_name path=resourceMetrics{}.resource.attributes{}
| mvexpand host_name
| spath output=attribute path=resourceMetrics{}.resource.attributes{}.key
| spath output=attribute_value path=resourceMetrics{}.resource.attributes{}.value.stringValue
| spath output=time resourceMetrics{}.scopeMetrics{}.metrics{}.gauge.dataPoints{}.timeUnixNano
| spath output=metric_name resourceMetrics{}.scopeMetrics{}.metrics{}.name
| spath output=metric_value resourceMetrics{}.scopeMetrics{}.metrics{}.gauge.dataPoints{}.asDouble
| eval attr_zip=mvzip(attribute, attribute_value)
| eval metric_zip=mvzip(metric_name, metric_value)
| table attribute, attribute_value, attr_zip, metric_zip

Anyone able to offer some guidance?
It's a race condition between two threads trying to create a snapshot. The error is harmless as all it's indicating is that the snapshot already exists (as the other thread already created it).
Fixed by 9.1.4/9.2.1
I have signed up and validated my account but I cannot get access to the free trial. When I click on the free trial button, it says they are gonna send me an email but I am not receiving anything, I have checked my spam box.
Thanks @ITWhisperer. I also found an issue: if I run this query for yesterday I am getting the result as 44 Million count, but when I run the search for the last 7 days I am getting only 23 Million results. Any suggestion to fix?

index=hello sourcetype=welcome
| stats max(DATETIME) as LatestTime
| map search="search index=hello sourcetype=welcome DATETIME=$$LatestTime$$"
| stats sum(HOUSE_TRADE_COUNT) as HOUSE_Trade_Count
Hi, I was trying the below token logic to get the results count from two different panels and find the variance between results. However, it gives an error message as in the snapshot.

Note: For Panel A and Panel B I have enabled the set token (basically tick marked "Use search results or job status as tokens").

Also, please suggest how to draw a line not just horizontally but also vertically or custom?

SPL:

| makeresults
| eval variance=$A:result.count$ - $B:result.count$
| table variance

Error:

Thanks,
Selvam.
Hi All, I have data like below with three fields: srcip, dstip and title. When I execute the below query

.........| stats count by srcip,dstip,title

Result:

srcip   dstip   title
srcip1  dstip1  title
srcip1  dstip2  title
srcip2  dstip2  title1
srcip2  dstip3  title1
srcip1  dstip2  title2

So we are required to alert separately on the basis of title values. For all events of one title, there should be one alert. So in the above example there should be 3 separate alerts triggered.

Thank you in advance!
Is there anybody who can help me here ?
The overall difficulty of this whole exercise will depend on your logstash configuration and the use case - if you have just one sourcetype to ingest - maybe you can do it relatively reasonably. But if you want to send multiple sourcetypes over a single connection, that can be tricky to separate on the receiving side. You could send multiple sourcetypes using multiple tokens so they are received into separate indexes/with separate sourcetypes but it's getting complicated and - as I said before - needs proper configuration on the logstash side. Anyway - it's still up to logstash to filter events before sending.
Try doubling up the $'s as single $ are for tokens in dashboards.

index=hello sourcetype=welcome
| stats max(DATETIME) as LatestTime
| map search="search index=hello sourcetype=welcome DATETIME=$$LatestTime$$"
| stats sum(HOUSE_TRADE_COUNT) as HOUSE_Trade_Count
Assuming you already have the fields extracted:

<your index search>
| stats count by Name Version host
| eventstats count by Name Version
| eventstats max(count) as top
| where count=top
Hi, if I run this query in the simple search bar it works fine. However, when I create a panel and add the below, I'm getting an error as "waiting for input". Please could you advise?

index=hello sourcetype=welcome
| stats max(DATETIME) as LatestTime
| map search="search index=hello sourcetype=welcome DATETIME=$LatestTime$"
| stats sum(HOUSE_TRADE_COUNT) as HOUSE_Trade_Count

Thanks,
selvam.
[2024-04-17 10:23:37] [Lane 0] Application ID: Name=Unified Payment Platform Version=06.80.06-0032    
Please share some anonymised representative events in raw format in a code block </>
I am searching for "Unified Payment Platform Version=" which contains the specific version of firmware from about 2000+ hosts. The line I am searching may populate multiple times depending on whether the device was rebooted. The search I need:

- list all the versions, but only one count from each host
- if possible, list the hosts on the version