All Posts
I'm still working on this; I've made some progress on doing the .tar file install and tweaking it, but I'm getting these two alerts (see attached images) whenever I log in to the user account. Have you found a workaround (assuming you've seen this)?
With Splunk Enterprise 9.2.1 there's no issue any more. This issue is definitively related to the builds of Splunk Enterprise.
Hi @louisss, I'm a Community Moderator in the Splunk Community. This question was posted 2 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
Hi, I wanted to create a table as below. I am extracting Status and Reason using rex. How can I create this? The Count column should count the events; I used stats count by ...
@karthi2809 - Dashboard filter values show in the URL, so once you get the right URL, that should work. I hope this helps!
Hi @Ben.Howl, thanks for asking your question on the Community. It's been a few days and the Community has not jumped in, so I wanted to let you know you can always contact AppD Support or even your AppD CSM. How do I submit a Support ticket? An FAQ. If you find a solution or any other bit of help to this question, it would be helpful if you could come back and share that as a reply.
Hello, so I have the following issue... Let's say I have a Splunk table, where there is a rename at the end. The tokens can have different values, so the final header column is dynamic, as it depends on the token.

| table 1_aaa, 1_bbb, 1_ccc, 2_aaa, 2_bbb, 2_ccc, 3_aaa, 3_bbb, 3_ccc
| rename 1_aaa as "1. $aaa$", 1_bbb as "1. $bbb$", 1_ccc as "1. $ccc$", 2_aaa as "2. $aaa$", 2_bbb as "2. $bbb$", 2_ccc as "2. $ccc$", 3_aaa as "3. $aaa$", 3_bbb as "3. $bbb$", 3_ccc as "3. $ccc$"

The formatting is working properly:

<format type="color" field="1. $aaa$">
<colorPalette type="list">[#5b708f]</colorPalette>
</format>

But the drilldown does not. I tried the conditions below, but without success.

<drilldown>
<condition match="$click.name2$ = 1. $aaa$">
<condition match="$click.name2$ = &quot;1. $aaa$&quot;">
<condition match="$click.name2$ = &quot;1. &quot;$aaa$">
<condition match="match('click.name2', 1. $aaa$)">
<condition match="match('click.name2', &quot;1. $aaa$&quot;)">
<condition match="match('click.name2', &quot;1. &quot;$aaa$)">
<condition match="match('click.name2', '1. $aaa$')">

Is there a way to do it somehow with such a combination?

P.S.: As a possible workaround, without a combination of string and token it works properly, but I would rather go without it, as then I unnecessarily need to create a separate token for each column:

<set token="1_aaa">1. $result.aaa$</set>
<set token="1_bbb">1. $result.bbb$</set>
<set token="1_ccc">1. $result.ccc$</set>
...
| table 1_aaa, 1_bbb, 1_ccc, 2_aaa, 2_bbb, 2_ccc
| rename 1_aaa as "$1_aaa$", 1_bbb as "$1_bbb$", 1_ccc as "$1_ccc$", 2_aaa as "$2_aaa$", 2_bbb as "$2_bbb$", 2_ccc as "$2_ccc$", 3_aaa as "$3_aaa$", 3_bbb as "$3_bbb$", 3_ccc as "$3_ccc$"
...
<format type="color" field="$1_aaa$">
<colorPalette type="list">[#5b708f]</colorPalette>
</format>
...
<drilldown>
<condition match="$click.name2$ = $1_aaa$">
The simple answer is no - however, you could include a version number in your lookup, or a modified date as a new field, or every time you update it you save the old copy to a different lookup. Essentially, Splunk can only find information that you choose to keep.
Hi @Jared.Botha, Did the information from @Terence.Chen help? 
Ok, then it’s best to wait resolution for your P2 case.
I have OS log data coming from Windows/Linux into Splunk. I have a particular field with values unseparated. Sample log data representation:

_time  parameter  value
x      a c b      x1
x      a c b      x2
x      a c b      x3
y      d e        y1
y      d e        y2

I would want to split the parameter field's values in such a way that each parameter field will have one of the group values, in the same order. Sample output:

_time  parameter  value
x      a          x1
x      c          x2
x      b          x3
y      d          y1
y      e          y2

Can someone please help?
You are going to have to be more expansive about what worked, what didn't work, which events didn't get counted, etc.
Hey, thank you for your answer. Unfortunately, I have forgotten what exactly this was referring to, but I think I got it sorted out, as I haven't heard anything else about it. Not sure what the fix was. Thank you nonetheless.
Can you give any sanitized sample data? Is it enough that fields are extracted, with no need to index those in the ingesting phase?
Hi ITWhisperer, Thank you for your message. This has worked partially. But we are unable to get the full count of those jobs with State ENDED NOTOK. Please help me out on this.
Were you able to get this resolved? We are seeing the same issue with some of our users after the upgrade to v9.1.2. Thanks!
@Yoavast Up, I'm facing a similar issue. Do you have any specific instructional documentation available?
Is there currently a capability in Splunk that will allow us to search and compare the previous version of an input lookup to the current version of the input lookup to identify what has changed between the two? In search, is there a parameter we can pass to the inputlookup command to specify the version we want to evaluate?
Hi Bowesmana, I want to say I really appreciated the level of detail you have provided, and it will prove useful for future people who land here from Google searches. So I actually found the problem: I use the Splunk Cloud product, so we use a series of API calls to populate objects in the cloud, since we do not have access to the directories on their EC2 instances. I found that the Splunk App for Lookup File Editing API that our CI/CD process uses may not have supported KV Store acceleration options. On GitHub, I had the following collections.conf in our master branch, so I incorrectly assumed this was production:

[qualys_kb_kvstore]
accelerated_fields.QID_accel = {"QID": 1, "PATCHABLE": 1}
replicate = true

I tested the Splunk KV Store API against Splunk Cloud, and discovered the two lines accelerated_fields and replicate were not there. It was not getting applied. Our CI/CD process was NOT getting the acceleration options applied. I used the Splunk KV Store API instead to get the acceleration options to apply, and it worked. The lookup is now accelerated as expected. The lookup time was cut from 165 seconds to just 20 seconds.
| rex max_match=0 "\\\\\\\"jobname\\\\\\\":\s*\\\\\\\"(?<Name>[^\\\]+).*?\\\\\\\"status\\\\\\\":\s*\\\\\\\"(?<State>ENDED NOTOK).*?Timestamp\\\\\\\": \\\\\\\"(?<TIME>\d+\s*\d+\:\d+\:\d+)"