All Posts

Hello @gcusello, I have the same scenario, in which my architecture is as follows: Fortinet Analyzer > syslog forwarder (UF installed on it) > Deployment server > search head/indexer. Could you confirm how we can install the Fortinet add-on on the UF?
Hi @bowesmana,

index="index A" | table _time, Audit | addtotals fieldname=Total | foreach * [eval Audit=round(('Audit'/Total*100),2)]

Above is the query that I have created based on your idea, but it seems not to be working. The screenshot below shows the result of the above query; the values are not showing as percentages.
Hi @KendallW, it's not working, it's just stacking the values of the bar chart.
That's true. Remember that docs pages have a feedback form at the bottom. You can use it to... provide feedback. And yes, this feedback (of course if precise and reasonable, not just "I don't like this page" ;-)) is read, and the docs pages do get better over time because of that.
The current documentation is very light regarding httpout; hopefully it will be improved in the next versions.
Which email provider are you planning to use? Do you have your own email server, or are you using gmail or another online email service?
"Connection refused" typically indicates that the target server is not listening on the target port. This would make sense if your Splunk server is using "localhost" as the mail server hostname and you are not running an email server on your Splunk machine. If you would like to use an external mail server, then yes, you should change the mail server hostname in the email settings to match the external mail server.
Hello, I am facing the same issue as you... I am not receiving email alerts from Splunk... Instead of localhost, what name should I keep for the mail server hostname? Could you please suggest?
@marnall, after using your query I am getting the error message "connection refused" in my search results. Should I change my localhost to something else in the mail server hostname in the email settings in the Splunk UI? Please do let me know.
Hi @maede_yavari, the message means that you have to copy the app.conf from the default folder to the local one. Then, there's an error in outputs.conf: check it, and if you want, share it, eventually masking IP addresses. Ciao. Giuseppe
Hi @NoSpaces, you can reduce the log level of WorkloadsHandler in %SPLUNK_HOME%\etc\log-local.cfg. Create the file if it does not exist and add the following:

[splunkd]
category.WorkloadsHandler=FATAL

Restart Splunk to allow the change to take effect. You can temporarily change the active level on a running instance from Settings > Server settings > Server logging > WorkloadsHandler, or using the REST API:

curl -k -u admin https://localhost:8089/services/server/logger/WorkloadsHandler -d level=FATAL

curl is shipped with all modern releases of Windows, but you can use whichever HTTP client you prefer.
From your description, it seems like the upgrade of RH from 7 to 9 has disrupted Splunk's assumptions about the full DNS name. You could try being more specific in the configuration files until Splunk starts sending emails properly. E.g. you could set the from= field in alert_action.conf to be a full email address so that Splunk does not have to figure out the hostname to tack on with the ampersand. NOTE: alert_actions.conf is plural (alert_actions, not alert_action).

#/opt/splunk/etc/system/local/alert_actions.conf
[email]
from = yoursplunkemail@yourdomain.com

You could also try a direct sendemail command:

| sendemail from="youremail@place.com" to="targetemail@place.com" subject="Test Email"

If you have different emails per alert, you could edit the alert in the Advanced Settings to explicitly set the from= field to a full email address.
Hi gcusello, I did this method, but when I restart the Splunk Universal Forwarder, the following warning appears:

No spec file for: /opt/splunkforwarder/etc/apps/outputs/local/app.conf
Checking: /opt/splunkforwarder/etc/apps/outputs/local/outputs.conf
Invalid key in stanza [general] in /opt/splunkforwarder/etc/apps/outputs/local/outputs.conf, line 2: site (value: site2).

By the way, the mentioned architecture is a multi-site cluster and we want all of the Splunk Universal Forwarders to send data to site 2. Many Thanks.
The UT toolbox app relies on some .dat files in the $SPLUNKDIR$/etc/apps/utbox/bin/ directory which list the known TLD suffixes. Unfortunately, ".shop" is not listed in them. To add the ".shop" TLD, you can edit the suffix_list_custom.dat file at $SPLUNKDIR$/etc/apps/utbox/bin/suffix_list_custom.dat and add a line containing "shop". A restart is not required to apply this change. Then try your query again and the ut_domain field value should now be "somethin.shop" as desired.
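The following is an added illustration of why a missing TLD entry breaks suffix-list based domain extraction and why adding one line fixes it. It is not the utbox app's own code: the matching rule it uses (longest listed suffix wins, then keep one more label to the left) and the one-suffix-per-line file format with "#" comments are assumptions made for this example, and the built-in suffix set is a constructed sample, not the contents of the real .dat files.

```python
# Simplified model of suffix-list based domain extraction (added example,
# not the utbox implementation). The matching rule and file format are
# assumptions for illustration only.

# Constructed sample of a built-in suffix list that lacks "shop".
SUFFIXES_BUILTIN = {"com", "net", "co.uk"}


def load_suffix_file(text):
    """Parse a one-suffix-per-line list, ignoring blank lines and '#' comments.

    Assumed format for this example; mirrors the advice 'add a line containing shop'.
    """
    suffixes = set()
    for line in text.splitlines():
        stripped = line.strip().lower()
        if not stripped or stripped.startswith("#"):
            continue
        suffixes.add(stripped)
    return suffixes


def ut_domain(hostname, suffixes):
    """Return '<label>.<longest matching suffix>' for hostname, or None if no suffix matches.

    Labels are tried from the longest candidate suffix to the shortest so that
    multi-label suffixes such as 'co.uk' win over 'uk'.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            # one label to the left of the suffix forms the registered domain
            return ".".join(labels[i - 1:])
    return None


def before_and_after(hostname, custom_file_text):
    """Show the extraction result with and without the custom suffix file applied."""
    before = ut_domain(hostname, SUFFIXES_BUILTIN)
    after = ut_domain(hostname, SUFFIXES_BUILTIN | load_suffix_file(custom_file_text))
    return before, after


if __name__ == "__main__":
    # Constructed custom file content: the single line the forum answer recommends.
    custom = "# suffix_list_custom.dat (constructed sample)\nshop\n"
    print(before_and_after("foo.somethin.shop", custom))   # (None, 'somethin.shop')
    print(ut_domain("www.example.co.uk", SUFFIXES_BUILTIN))  # example.co.uk
```

With the TLD absent from every list, no candidate suffix matches and the function returns None, which is the analogue of ut_domain not being populated as expected; once "shop" is present the longest-suffix rule yields "somethin.shop".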
Do you find any error logs if you search the _internal logs for "Sendemail"? (Note the e, as in "send email" -> "sendemail", not "sendmail".)

index=_internal sendemail NOT sourcetype=splunkd_ui_access

If you get a lot of random messages, try filtering the source for python and splunkd:

index=_internal sendemail NOT sourcetype=splunkd_ui_access source IN ("/opt/splunk/var/log/splunk/python.log","/opt/splunk/var/log/splunk/splunkd.log")
Thanks for your reply. Yes, reinstallation works.
If you would just like to make a timechart, then the timechart command should fit your need better than the sitimechart command. The sitimechart is intended for preparing the data to insert into a summary index so that later on it can be timecharted from the summary index. Using just timechart:

<your search> | timechart span=1d avg(errorPercentage) as errorPercentage by Process

If you would like to gather data now into a summary index to produce a timechart very quickly in a later search, you can use sitimechart:

<your search> | sitimechart span=1d avg(errorPercentage) as errorPercentage by Process | collect index=yoursummaryindex

Then in a later search:

index=yoursummaryindex <some filter, e.g. for Process=*> | timechart span=1d avg(errorPercentage) as errorPercentage by Process

The docs page describes the sitimechart usage, but does not explain the meaning of the created fields: https://docs.splunk.com/Documentation/Splunk/9.2.0/SearchReference/Sitimechart
Hello, while using sitimechart instead of timechart, the data has changed. I would like to calculate an error percentage, but the system shows 0 or field counts. Thanks!
Thank you for your reply... The email settings are fine, and in the internal logs I don't see any error related to "sendemail"... Could you please suggest what else could be done?
Hi @shakti, did you configure the email relay in [Settings > Server Settings > Email Settings]? Did you open all the routes between the Search Head and the email host? You can troubleshoot the connection by searching in _internal for the word "Sendmail". Ciao. Giuseppe