Here is the response:
CONNECTED(00000005)
depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
write W BLOCK
Certificate chain
 0 s:/CN=SplunkServerDefaultCert/O=SplunkUser
   i:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
 1 s:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
   i:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
Yes, the certs are from Splunk. Thank you.
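The transcript above is what `openssl s_client` prints when a Splunk instance still serves the certificate Splunk ships in every install: a `SplunkServerDefaultCert` leaf issued by `SplunkCommonCA`. That is why the chain is "self signed" to the client, and, more importantly, the private key behind that leaf is the same on every default install, so anyone can impersonate the host. The following Python is an added example (not code from the thread or from Splunk) that classifies such a transcript; the live `check_host` helper assumes the target's management port is 8089, and the sample transcript is constructed to mirror the output quoted in the post.

```python
import re
import subprocess

# Added example, not from the thread: classify an `openssl s_client -showcerts`
# transcript from a Splunk port. Splunk ships every install with the same
# SplunkServerDefaultCert leaf (issued by SplunkCommonCA), so a host still
# presenting it has a private key that every other default install also has.

DEFAULT_LEAF_CN = "SplunkServerDefaultCert"   # Splunk's shipped server cert
SPLUNK_CA_CN = "SplunkCommonCA"               # Splunk's shipped issuing CA

# "verify error:num=19:self signed certificate in certificate chain"
_VERIFY_ERR = re.compile(r"^verify error:num=(\d+):(.*)$", re.M)
# " 0 s:/CN=SplunkServerDefaultCert/O=SplunkUser" followed by "   i:/..."
# (OpenSSL 3 prints "CN = x, O = y" instead of "/CN=x/O=y"; both are handled)
_CHAIN_ENTRY = re.compile(r"^\s*(\d+)\s+s:(.*)\n\s*i:(.*)$", re.M)


def _has_cn(name: str, cn: str) -> bool:
    """True if the distinguished name carries CN=<cn> in either OpenSSL format."""
    return re.search(rf"CN\s*=\s*{re.escape(cn)}\b", name) is not None


def classify_chain(transcript: str) -> dict:
    """Summarise an s_client transcript: chain entries, verify errors, and a
    verdict. DEFAULT_CERT means the shared shipped key is in use and must be
    replaced; UNVERIFIED means a custom or self-signed cert the client does not
    trust; OK means a chain that verified against the local trust store."""
    chain = [{"depth": int(d), "subject": s.strip(), "issuer": i.strip()}
             for d, s, i in _CHAIN_ENTRY.findall(transcript)]
    errors = [{"num": int(n), "reason": r.strip()}
              for n, r in _VERIFY_ERR.findall(transcript)]
    leaf = chain[0] if chain else None
    default_leaf = bool(leaf and _has_cn(leaf["subject"], DEFAULT_LEAF_CN))
    splunk_ca = any(_has_cn(e["issuer"], SPLUNK_CA_CN) for e in chain)
    if default_leaf:
        verdict = "DEFAULT_CERT"
    elif errors:
        verdict = "UNVERIFIED"
    else:
        verdict = "OK"
    return {"chain": chain, "verify_errors": errors, "default_leaf": default_leaf,
            "splunk_ca": splunk_ca, "verdict": verdict}


def check_host(host: str, port: int = 8089) -> dict:
    """Live check (needs network; not exercised offline). 8089 is Splunk's usual
    management port and 8000 the web UI; which one applies is an assumption."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-showcerts"],
        input="", capture_output=True, text=True, timeout=15,
    )
    return classify_chain(proc.stdout)  # chain and verify lines go to stdout


# Constructed transcript mirroring the output quoted in the post above.
SAMPLE_DEFAULT = """CONNECTED(00000005)
depth=1 C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
Certificate chain
 0 s:/CN=SplunkServerDefaultCert/O=SplunkUser
   i:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
 1 s:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
   i:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
"""

if __name__ == "__main__":
    print(classify_chain(SAMPLE_DEFAULT)["verdict"])  # DEFAULT_CERT
```

Run `check_host("splunk.example.internal")` against each instance in a fleet and treat any `DEFAULT_CERT` verdict as a finding; `UNVERIFIED` only says the client does not trust the chain, which is expected for a private CA that has not been added to the trust store.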
Hello All, we plan to use a Splunk OVA for VMware Metrics (5096) in combination with Splunk on Windows. I can't find any information on how this OVA will be supported, e.g. Operating System and Splunk updates. Does anyone know this? Regards, Bernhard
I am using the below to load colour in a dropdown list. Data loads properly, but it always shows "Could not create search - No Search query provided":
<input type="dropdown" token="color" depends="$color_dropdown_token$" searchWhenChanged="false">
  <label>Color</label>
  <choice value="*">All</choice>
  <choice value="Green">Green</choice>
  <choice value="Orange">Orange</choice>
  <choice value="Red">Red</choice>
  <initialValue>*</initialValue>
  <search>
    <query/>
    <earliest>$Time.earliest$</earliest>
    <latest>$Time.latest$</latest>
  </search>
</input>
As I explained earlier, you don't need to just look back further and further. The "issue" is to do with indexing lag. Whenever that lag spans a report time period boundary, you have the potential for missed events. To mitigate this, you could use overlapping time periods, and use some sort of deduplication scheme, such as a summary index, if you want to avoid multiple alerts for the same event.
Thanks for your answer KothariSurbhi. After some debugging I've discovered that Splunk pulled logs again from many buckets from all kinds of different dates on February 23rd. It seems that logs that had already entered Splunk in 2023 entered again on February 23, 2024 for a reason that is still unclear. Nothing happened on the AWS side and the S3 buckets look perfectly fine.
Hello @alexspunkshell, the below search should give you the list of all CIM indexes macro definitions:
| rest /servicesNS/-/-/admin/macros count=0 splunk_server=local
| search title=cim*indexes
| table title definition
Please accept the solution and hit Karma, if this helps!
If your report runs every 15 minutes looking back 15 minutes, there will be boundary conditions where the event has a timestamp in the 15 minutes prior to the reported one, which didn't get indexed until this time period and therefore is missed.
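The two replies above (overlapping windows plus deduplication, and the boundary condition with a 15-minute schedule) can be made concrete with a small simulation. The Python below is an added example, not code from the thread or from Splunk: it models events with a `_time` and an `_indextime`, runs a 15-minute schedule over them, and shows the naive `_time`-only window dropping the late-indexed event while the overlap-plus-dedup scheme and an `_indextime`-based window both catch it exactly once. Event timings and the 5-minute lag are constructed to match the numbers discussed in the thread.

```python
from dataclasses import dataclass

# Added example, not from the thread: a toy scheduler showing why a search that
# runs every 15 minutes over the previous 15 minutes of _time misses events whose
# indexing lag crosses the window boundary, and how an overlapping window plus
# dedup on a stable event key (the reply's "summary index" idea) recovers them
# without alerting twice. Times are minutes since an arbitrary epoch; the lag
# values are constructed, not measured.

WINDOW = 15  # alert runs every 15 min and looks back 15 min, as in the thread


@dataclass(frozen=True)
class Event:
    key: str         # stable id (e.g. a hash of host + raw), used for dedup
    time: int        # _time: when the event happened
    index_time: int  # _indextime: when it became searchable


def run_time_window(events, run_at, lookback=WINDOW):
    """One scheduled run: events with _time in (run_at-lookback, run_at] that are
    already indexed when the search fires. This is what `earliest=-15m latest=now`
    sees; an event indexed after run_at is invisible to this run."""
    return [e for e in events
            if run_at - lookback < e.time <= run_at and e.index_time <= run_at]


def alerts_time_only(events, runs):
    """Naive schedule: back-to-back _time windows, no dedup. Loses events whose
    _time falls in a window that closed before they were indexed."""
    seen = []
    for run_at in runs:
        seen.extend(e.key for e in run_time_window(events, run_at))
    return seen


def alerts_overlap_dedup(events, runs, lookback=2 * WINDOW):
    """Mitigation from the reply above: look back further than the schedule
    interval so the next run re-covers the previous window, and suppress repeats
    with the set of keys already alerted on (a summary index in Splunk terms)."""
    already = set()
    alerts = []
    for run_at in runs:
        for e in run_time_window(events, run_at, lookback):
            if e.key not in already:
                already.add(e.key)
                alerts.append(e.key)
    return alerts


def alerts_index_time(events, runs, lookback=WINDOW):
    """Alternative: window on _indextime instead of _time (Splunk's
    _index_earliest / _index_latest). Each event is indexed exactly once, so
    consecutive windows partition the events with neither gaps nor overlap."""
    return [e.key for run_at in runs for e in events
            if run_at - lookback < e.index_time <= run_at]


# Constructed events. "late" happened at minute 14 but was indexed at 19
# (5 min lag), straddling the boundary between the 0-15 and 15-30 windows.
EVENTS = [
    Event("on_time", time=5, index_time=6),
    Event("late", time=14, index_time=19),
    Event("next", time=22, index_time=23),
]
RUNS = [15, 30, 45]  # the scheduled search fires at minutes 15, 30 and 45

if __name__ == "__main__":
    print("time only     :", alerts_time_only(EVENTS, RUNS))      # 'late' missing
    print("overlap+dedup :", alerts_overlap_dedup(EVENTS, RUNS))  # all three, once
    print("_indextime    :", alerts_index_time(EVENTS, RUNS))     # all three, once
```

The `_indextime` variant is the cheapest fix when the alert only needs "everything that arrived since the last run"; the overlap-plus-dedup variant is what you need when the alert logic must be evaluated against `_time` (for example, counts per `_time` bucket), at the cost of a store of already-alerted keys.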
Timechart will be filling in the empty time slots with zeroes. Given that you have an error, I suspect that this part of the process hasn't been reached before the error, which is why these are missing from your final result.
Have a nice day! I have several Splunk instances and often see the message below:
WorkloadsHandler [111560 TcpChannelThread] - Workload mgmt is not supported on this system.
I know that the workload feature is not supported on Windows systems, and it is obviously disabled. How can I get rid of this annoying message in splunkd.log?
Below are the CIM macros I am using; different indexes are mapped in the individual macros. I want to get the list of all indexes mapped in all the CIM macros. Hence I made a scheduled search which runs and checks all the macros, but it is using a lot of memory and even searches are failing. Please help me with a better way to get the list of all indexes mapped in CIM macros.
cim_Authentication_indexes
cim_Alerts_indexes
cim_Change_indexes
cim_Endpoint_indexes
cim_Intrusion_Detection_indexes
cim_Malware_indexes
cim_Network_Resolution_indexes
cim_Network_Sessions_indexes
cim_Network_Traffic_indexes
cim_Vulnerabilities_indexes
cim_Web_indexes
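The `| rest /servicesNS/-/-/admin/macros ... | table title definition` search in the earlier answer returns each macro's raw definition string; the expensive part of the approach described in the post above is expanding every macro inside a scheduled search. The Python below is an added example (not code from the thread or from Splunk) that instead parses the definition strings client-side, producing the per-macro and overall index lists the post asks for and flagging macros still at the shipped `()` default. The `(title, definition)` pairs are constructed to resemble real CIM macro definitions and do not come from any deployment.

```python
import re

# Added example, not from the thread: extract index names from CIM
# `cim_*_indexes` macro definitions without expanding them in a search. Input
# is the (title, definition) pairs the `| rest /servicesNS/-/-/admin/macros`
# search in the earlier answer returns; the sample definitions are constructed.

# index=foo, index="foo bar", index=win*
_EQ = re.compile(r'\bindex\s*=\s*(?:"([^"]*)"|([^\s()]+))', re.I)
# index IN (a, "b c", d*)
_IN = re.compile(r'\bindex\s+IN\s*\(([^)]*)\)', re.I)


def indexes_in_definition(definition: str) -> set:
    """Index names referenced by one macro definition, from both `index=x`
    and `index IN (...)` forms. The CIM default `()` yields an empty set."""
    found = set()
    for quoted, bare in _EQ.findall(definition):
        found.add(quoted or bare)
    for group in _IN.findall(definition):
        for item in group.split(","):
            item = item.strip().strip('"')
            if item:
                found.add(item)
    return found


def cim_index_map(macros) -> dict:
    """{macro title: sorted index list} for every cim_*_indexes macro; other
    macros returned by the REST call are ignored."""
    return {title: sorted(indexes_in_definition(defn))
            for title, defn in macros
            if re.fullmatch(r"cim_\w+_indexes", title)}


def all_cim_indexes(macros) -> list:
    """Union across all CIM macros: the single list the post above is after."""
    return sorted(set().union(*cim_index_map(macros).values()))


def unscoped_macros(macros) -> list:
    """CIM macros still at the shipped `()` default. Data-model searches through
    them scan every index the searching user can read, which is slow and lets
    unrelated indexes feed CIM-backed detections."""
    return sorted(t for t, idxs in cim_index_map(macros).items() if not idxs)


# Constructed (title, definition) pairs in the shape `table title definition` gives.
MACROS = [
    ("cim_Authentication_indexes", '(index=wineventlog OR index="linux_secure")'),
    ("cim_Network_Traffic_indexes", "(index IN (firewall, netflow))"),
    ("cim_Web_indexes", '(index=proxy OR index IN ("web_access"))'),
    ("cim_Malware_indexes", "()"),
    ("some_other_macro", "index=notcim"),
]

if __name__ == "__main__":
    for title, idxs in cim_index_map(MACROS).items():
        print(f"{title}: {', '.join(idxs) or '(none - default)'}")
    print("all:", all_cim_indexes(MACROS))
    print("unscoped:", unscoped_macros(MACROS))
```

Feed it the output of the REST search exported as CSV or JSON (one row per macro) and the whole job is a few milliseconds on the search head, with no scheduled search expanding eleven macros against the indexers.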
And what can be the problem when the difference is 4-5 minutes between the indexing time and the _time, and the alert runs every 15 minutes and looks at the last 15 minutes?
Yes, you understand correctly. I have two different log types, ABC and EFG, in the same index, but the sourcetype is different in both logs. The condition is that when there is an error it will be calculated from the ABC log, but the details it contains are in the EFG log, which is in the other sourcetype, and I will also fetch the details of that log. What I want is: when I get a total of 5 errors in ABC, then when I search ABC and EFG together it should show me only the 5 errors related to the correlationid. I hope you understand my query from this.