All Posts


Hi @joelsz,

Using Splunk 9.1.0 I set up 3 dashboards: dash_a, dash_b, dash_c. When you click a button it loads the corresponding dashboard, and that's all. I've added some starter CSS to pretty up the buttons:

    <form version="1.1" theme="light">
      <label>Dash_C</label>
      <fieldset submitButton="false">
        <input id="linkToOtherDash" type="link" token="link_dash">
          <label>View other Dashboard:</label>
          <choice value="dash_a">Dashboard 1 ↗</choice>
          <choice value="dash_b">Dashboard 2 ↗</choice>
          <choice value="dash_c">Dashboard 3 ↗</choice>
          <change>
            <condition value="dash_a">
              <link target="_blank">/app/search/dash_a</link>
            </condition>
            <condition value="dash_b">
              <link target="_blank">/app/search/dash_b</link>
            </condition>
            <condition value="dash_c">
              <link target="_blank">/app/search/dash_c</link>
            </condition>
          </change>
        </input>
      </fieldset>
      <row>
        <panel depends="$CSS$">
          <html>
            <style>
              .splunk-linklist{ width:fit-content!important; }
              .splunk-linklist button{ min-width: 120px; }
              .splunk-linklist button span{
                -webkit-box-pack: left;
                justify-content: left;
                -webkit-box-align: left;
                align-items: left;
              }
              .splunk-linklist button{
                background-color: #dddddd82;
                margin: 4px 2px 0px 0px;
                transition: 0.3s;
              }
              .splunk-linklist button:hover {
                background-color: #007abd!important;
                color: white!important;
              }
            </style>
          </html>
        </panel>
      </row>
    </form>

Note that if you click a button, then go back to the original dashboard and click edit then cancel, it will load the second dashboard again. If you want to avoid that then update the links and remove target="_blank".
This question is too vague - yes, some auto-scaling can be done under certain circumstances, but whether it is possible for your use case is yet to be determined. Perhaps you could share some sample events, the searches you are using and your current dashboard designs. Also, include what you have tried so far, and a mock up of what you would like it to look like (if possible).
Since your sample data doesn't show more than one host or user for each ip address, guessing that list would be useful to get what you needed was beyond my knowledge. Perhaps you could provide a more representative example of the events you are dealing with next time so we might be able to suggest a suitable solution (hopefully avoiding memory issues if possible).
Hi @deepdive100.,

You can create the column name based on what the field "name" is set to using by:

    | makeresults
    | eval sample="100"
    | eval name=if(sample=100,"C","N/A")
    | timechart max(sample) by name

This creates a table with columns: _time, C. If the values are less or more than 100, there'll be an additional column "N/A".

If you have a dashboard and you want to pick which column is displayed, you could do something like:

    | makeresults
    | eval sample="100"
    | eval name=if(sample=100,"$DROPDOWN_TOKEN$","N/A")
    | timechart max(sample) by name

And set up an input that sets the token $DROPDOWN_TOKEN$.
Hi @PickleRick, sorry it was a typo error.

Are you sure you wanted old value of get as old_put? --- sorry it was a typo error

Also, you can just do your condition as | where command to find only those matching results. Then you'd trigger alert only if you had any results at all. -- sorry I used where condition but it's not working

    |Where getperct>50
    |Where putperct>10
    |Where deleteperct>80

I want to receive error even if any one condition matches, but I am not getting. Can u pls help
Please create a new question as this one is already solved and you seem to have some different requirements.
I have a timechart that I want a column name to reflect a field name like how a variable or token would be used.

    ```Example```
    | makeresults
    | eval sample="100"
    | eval name=if(sample=100,"C","N/A")
    | timechart max(sample) as $name$
    ```Expected Outcome would be a timechart with column named "C"```

Is this possible?
Our team is in the same boat, we have to move our cluster off of RHEL7 to RHEL8. We also have to use the same IP addresses of the current peers to "mimic" the old instance to the new instance. Since we have a multi-site cluster, we are going to take a peer from site1 down using splunk offline, then rsync the entire /opt/splunk dir to the new VM, ensure all network settings match and rejoin it to the cluster. Rinse and repeat. From the splunk docs, I'm confused on which step needs to happen first. @Glasses2 Which step did you perform first, did you install splunk rpm package on the new server? Or did you rsync the old instance to the new server first and then install splunk?

-siemless
Hello @Ryan.Paredez  I created the suggestion here - "Create environment variables to pyagent Proxy and Watchdog Log Level"  Thanks, Felipe
Hi @Felipe.Windmoller, You can submit feature requests on the Idea Exchange or reach out to your AppDynamics CSM. 
Hi Team, I extracted each webpage details which is dynamic based on the time range for one of our applications. Is it possible to auto scale up/down the visualization panel (like single value) in the splunk dashboard based on the output of the splunk query? For example, if the dev team added/removed the webpage or functionality, the visualization panel should be created/deleted automatically. Thank you in advance.
Still good after all these years
Yes, the list function is resource-intensive.  It makes a list of every value for the specified field so that takes time and memory.
So, @ITWhisperer and @richgalloway. I combined both offered solutions into the following which did end up working:

    (index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2)
    | rename jsonevent.external_ip as exip
    | rename aip as agentip
    | eval external_ip = coalesce(agentip, exip)
    | eventstats list(jsonevent.hostname) as Hostnames, list(jsonevent.Username) as Users by external_ip
    | eval hostuser = mvzip(Hostnames, Users)
    | mvexpand hostuser
    | eval HostUser = split(hostuser, ",")
    | eval Hostnames=mvindex(HostUser, 0), Users=mvindex(HostUser, 1)
    | rename AppVendor as Vendors, AppName as Applications, AppVersion as Version
    | where isnotnull(Vendors)
    | search Hostnames=*, Users=*
    | table external_ip, Hostnames, Users, Vendors, Applications, Version

This gave me the result I wanted, but I also ended up with a caution that the list command reached a limit of 100 and had to truncate some events, and the search as a whole slows to a crawl. Is the list command that resource intensive?
I am showing index info (the following info) from mongodb log to splunk.

    namespace : tmp.agg_out.a35455454-f452-343434-b3eb-32630f67312b
    msg : Index build: done building

What does it mean (namespace and msg)?
Our Ubuntu VMs are not reporting disk I/O and other metrics, and the "Partition Metric Name" shows up as "Unknown". Further investigation suggests that the disk stats section of "linux-stats.sh" has a regex that requires the device to end in a number, whereas the / mount uses "/dev/root". Is anyone aware of an updated script that works with the newer OS or has anyone been able to modify the script to correlate correctly?
@pm2012 Try this. We can do it in multiple ways.
@Ryan.Paredez  I would like to make the suggestion of versioning the appdynamics Python module to allow us to pass the Proxy and Watch dog log levels as environment variables. Thanks
Hi, I have the following Link List input to provide a shortcut to other dashboards, when any of them are selected it would open a new tab to the specified dashboard. The issue is that when a link is selected it's being added as a parameter to the url, so the next time the page is refreshed it would trigger an input "change" and will immediately open a new tab to the link. What would be the best way to trigger only when it was selected? I've tried adding <set> and <unset> the input token after the <link> tag so it should be removed from the url once the new tab was opened, but it had no effect.

    <input id="linkToOtherDash" type="link" token="link_dash">
      <label>View other Dashboard:</label>
      <choice value="dash1">Dashboard 1 ↗</choice>
      <choice value="dash2">Dashboard 2 ↗</choice>
      <choice value="dash3">Dashboard 3 ↗</choice>
      <change>
        <condition value="dash1">
          <link target="_blank">https://example.com/dash1</link>
          <set token="link_dash">.</set>
        </condition>
        <condition value="dash2">
          <link target="_blank">https://example.com/dash1</link>
          <set token="link_dash">.</set>
        </condition>
        <condition value="dash3">
          <link target="_blank">https://example.com/dash1</link>
          <set token="link_dash">.</set>
        </condition>
      </change>
    </input>
@sahityasweety

Check the Job Inspector. In the Inspector popup window, there is another link to the search.log that gives you some very detailed information. Another way to see more info about your errors is to open a plain search window and do a search like:

    index=_internal error

Review your search query to ensure it is correctly formulated. Check for any typos, missing keywords, or syntax errors. Verify that the time range specified in your search covers the relevant data. Ensure that you are searching within the appropriate indexes. Check the Splunk logs (such as splunkd.log and search.log) for any errors or warnings related to your search.

https://lantern.splunk.com/Splunk_Platform/Product_Tips/Searching_and_Reporting/Troubleshooting_and_investigating_searches
https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/Search/ViewsearchjobpropertieswiththeJobInspector

If this reply helps you, Karma would be appreciated.