All Posts

Hi @Nrsch, if you have different log formats, you should identify each data source exactly, assigning the correct sourcetype to each one. Then, having the correct sourcetype, you can define a host recognition regex for each one. About IP address instead of hostname, it depends on the presence of this field in the log: if it's present, you can assign it to the host field using a regex; if it's not present, it isn't so easy. Ciao. Giuseppe
The Windows TA eventtypes are all globally shared and access is read for everyone. The problem is why now and not a few days ago. The error just started to show up a few days ago without any change to any configuration.
Hi @Benny87, check if this eventtype is shared at App or Global level: it must be Global. You can do this at [Settings > Eventtypes]. Ciao. Giuseppe
Hi, I've got some problems in my searches since a few days ago. I really don't know what happened and no one changed the configuration. In searches or dashboards for Cisco Network I get, for every search, the error "Eventtype 'wineventlog_security' does not exist or is disabled".

Search example: Index=firewall

The question is why, when I search a completely unrelated index to Windows, it shows the error from the eventtype from the Windows TA? And also it doesn't show any results.
Thank you for your answer. Since the HAProxy collects logs from different clients, their log formats are different. So, do we need to parse the logs twice — once to extract the hostname, and again to extract other fields depending on the log type? Also, is it possible to extract the host IP address instead of the hostname? Thank you very much for your help.
Hello, I would like to create a timechart that counts the number of tests with different statuses (e.g. statuses 'OK', 'ERROR', 'WARN' etc.) for the last 30 days (per each day). The problem is that it should take only the latest log with a status per test (e.g. I have Login test (id 151); it has a couple of events/logs with different statuses, and I would like to take for that test the last log/event with the latest status). I have a problem combining 'latest' and 'distinct_count' with timechart. When I do the following search, I get duplicates of logs for a test (e.g. I should have every day a count of 62 (tests) for all statuses):

basesearch | timechart span=1d distinct_count(test) as tests by status

e.g. on day 2025-05-26 test 'Login test (id 151)' has one event with status 'OK' and another one with status 'Blad', and the duplicate is shown here. When I want to combine 'latest' with timechart I get distinct_count results only for the last day:

basesearch | stats latest(status) as statuses latest(test) as tests latest(_time) as myTime by test | eval _time=myTime | timechart span=1d distinct_count(tests) by statuses

I would appreciate help on how to combine timechart, distinct_count and latest all together.
Hi @Ashish0405, you have to follow the same process, or copy the option

<format type="color" field="Severity">
    <colorPalette type="map">{"failed":#D93F3C,"finished":#31A35F,"Critical":#D93F3C,"Informational":#31A35F}</colorPalette>
</format>

obviously changing the values of the Severity field. Ciao. Giuseppe
Hi Team, I have added Red & Green color to the Status column; I want to add the same to the Severity column as well. Can someone suggest me some commands? I have used the below commands to add color to the Status field.

<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="Status">
    <colorPalette type="map">{"failed":#D93F3C,"finished":#31A35F,"Critical":#D93F3C,"Informational":#31A35F}</colorPalette>
</format>
Hi @Nrsch, if the hostnames that you would like to use in the host field are in the logs, you can override this value using a regex on the Heavy Forwarder, following the instructions at: https://docs.splunk.com/Documentation/Splunk/9.4.2/Data/Overridedefaulthostassignments

in props.conf:

[<your_sourcetype>]
TRANSFORMS-override_host = override_host

in transforms.conf:

[override_host]
REGEX = <your_regex>
FORMAT = host::$1
DEST_KEY = MetaData:Host

Beware, in defining your regex, that you must use in the FORMAT option the group containing the hostname. Ciao. Giuseppe
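An added example (not from this thread or from Splunk) that checks per-sourcetype host regexes against constructed sample lines before they go into transforms.conf, covering both the per-format regex advice and the hostname-vs-IP follow-up; the sourcetype names, sample lines and regexes are assumptions.

```python
import re

# Constructed sample lines: two hypothetical client log formats relayed through
# HAProxy, so Splunk's default host would be the proxy and the real origin has
# to be recovered from the message body, as the thread describes.
SAMPLE_LINES = {
    "client_syslog": "<13>May 26 10:15:02 webapp01 nginx: GET /login 200",
    "client_kv": 'ts=2025-05-26T10:15:02Z src_ip=10.1.2.3 host=db-01 msg="backup ok"',
}

# One regex per (assumed) sourcetype. The value to keep must be capture
# group 1, because the FORMAT option on the page is host::$1.
HOST_REGEX_BY_SOURCETYPE = {
    "client_syslog": r"^<\d+>\w{3}\s+\d+\s+[\d:]+\s+(\S+)\s",
    "client_kv": r"\bhost=(\S+)",
}

# Variant for the follow-up question: take the client IP instead of a hostname.
IP_REGEX_BY_SOURCETYPE = {
    "client_kv": r"\bsrc_ip=(\d{1,3}(?:\.\d{1,3}){3})\b",
}


def extract_host(patterns, sourcetype, line):
    """Return what transforms.conf would write to MetaData:Host, or None."""
    pattern = patterns.get(sourcetype)
    if pattern is None:
        return None
    match = re.search(pattern, line)
    return match.group(1) if match else None


def patterns_missing_group(patterns):
    """Regexes without a capture group would make host::$1 write an empty host."""
    return [st for st, p in patterns.items() if re.compile(p).groups < 1]


def render_transforms_conf(patterns):
    """Render one transforms.conf stanza per sourcetype in the page's format."""
    stanzas = []
    for st, pattern in patterns.items():
        stanzas.append(
            f"[override_host_{st}]\nREGEX = {pattern}\nFORMAT = host::$1\n"
            "DEST_KEY = MetaData:Host"
        )
    return "\n\n".join(stanzas)


if __name__ == "__main__":
    for st, line in SAMPLE_LINES.items():
        print(st, "->", extract_host(HOST_REGEX_BY_SOURCETYPE, st, line))
    print(render_transforms_conf(HOST_REGEX_BY_SOURCETYPE))
```

Each sourcetype's props.conf stanza then points its TRANSFORMS-override_host at the matching [override_host_<sourcetype>] stanza.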
Hello, I'm on Splunk Enterprise. I'm facing this error on my dashboard: Failed to load source for JointJS Diagram visualization. Did you have any idea about this? Regards.
I have a serious problem, please help me. We have an HAProxy server that receives logs from various clients and forwards them to a Splunk Heavy Forwarder. The problem is that HAProxy replaces the client's IP address with its own (in TCP). The question is: how can we have the client's IP address for each log in the Splunk Heavy Forwarder?
Hi @livehybrid, thanks for the reply. I will try this. Regards
"viz_is5FtVR7": {
    "dataSources": {
        "primary": "ds_gVYGLUPs"
    },
    "title": "Hits Received by HTTP Error Response Code",
    "type": "splunk.area"
},
"viz_sE6SurJU": {
    "dataSources": {
        "primary": "ds_FXWuV3ZX_ds_search_1"
    },
    "title": "Light Gateway Start History",
    "type": "splunk.pie"
},
"viz_tXWYyMRx": {
    "dataSources": {
        "primary": "ds_3LhTiLOu"
    },
    "description": "",
    "options": {
        "y2": "> primary | frameBySeriesNames('')"
    },
    "title": "UAT Inbound URL Path",
    "type": "splunk.bar"
}
},
Hi Hamed, I'm facing the exact same issue. Were you able to resolve it? Thanks in advance! @hamed_khosrawi1 
require([
    'splunkjs/mvc',
    'splunkjs/mvc/searchmanager',
    'splunkjs/mvc/tableview',
    'splunkjs/mvc/simplexml/ready!',
    'jquery'
], function(mvc, SearchManager, TableView, ignored, $) {

    // Define a simple cell renderer with a button
    var ActionButtonRenderer = TableView.BaseCellRenderer.extend({
        canRender: function(cell) {
            return cell.field === 'rowKey';
        },
        render: function($td, cell) {
            $td.addClass('button-cell');

            var rowKey = cell.value;
            var $btn = $('<button class="btn btn-success">Mark Solved</button>');

            $btn.on('click', function(e) {
                e.preventDefault();
                e.stopPropagation();

                // rowKey is interpolated verbatim into the SPL string; a value
                // containing a double quote would break the query.
                var searchQuery = `| inputlookup sbc_warning.csv
                    | eval rowKey=tostring(rowKey)
                    | eval solved=if(rowKey="${rowKey}", "1", solved)
                    | outputlookup sbc_warning.csv`;

                var writeSearch = new SearchManager({
                    id: "writeSearch_" + Math.floor(Math.random() * 100000),
                    search: searchQuery,
                    autostart: true
                });

                writeSearch.on('search:done', function() {
                    console.log("Search completed and lookup updated");
                    var panelSearch = mvc.Components.get('panel_search_id');
                    if (panelSearch) {
                        panelSearch.startSearch();
                        console.log("Panel search restarted");
                    }
                });
            });

            $td.append($btn);
        }
    });

    // Apply the renderer to the specified table
    var tableComponent = mvc.Components.get('sbc_warning_table');
    if (tableComponent) {
        tableComponent.getVisualization(function(tableView) {
            tableView.table.addCellRenderer(new ActionButtonRenderer());
            tableView.table.render();
        });
    }
});

In this I want the name of the button to be "unsolved" initially, and when somebody clicks it the name should change to "solved".
@tinatan There is no way to import an existing deployed add-on back into the Add-on Builder as a project for further editing. You can, however, reconstruct the add-on by copying over the code and configuration files into a new project, but you will lose the Add-on Builder’s UI metadata.
@berrybob Most probably the app is referencing an environment variable or configuration value that is unset or empty, defaulting to 0 based on the given message. Or there may be an incompatibility between the version of ESCU or its dependencies and your OpenShift.
@Lien You cannot remove or increase the 500MB/day indexing limit on the Splunk Enterprise Trial or Free license. Contact Splunk Sales: for larger-scale testing, request a temporary sales trial or dev/test license, which can provide a much higher daily limit.
Hi @LASALEM Are you able to check for any other logs in <php_agent_install>/logs that might be relevant? Are there any errors/warnings? I assume you've seen this, but in case you haven't, it's worth checking https://docs.appdynamics.com/appd/23.x/latest/en/application-monitoring/install-app-server-agents/php-agent/install-the-php-agent/resolve-php-agent-installation-issues too. Did this answer help you? If so, please consider: adding karma to show it was useful; marking it as the solution if it resolved your issue; commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Hi @Lien To conduct performance/stress testing with a higher data ingest limit, you need to obtain a valid commercial license from Splunk or connect with your Splunk sales representative to request an extended or evaluation license specifically for testing purposes. The trial license is intended for evaluation only, and methods to circumvent the limit are not supported or permitted, but as mentioned you should be able to get a higher ingest license from Sales to perform a proof of concept or longer evaluation. There are other license types available; however, these do have varying terms restricting their use for certain purposes. As mentioned by @kiran_panchavat, there are Dev/Test licenses (which require an existing commercial agreement to be in place) and App Developer Licenses (for app developers under the Splunk Developer Agreement); however, "Splunk developer licenses are for development and testing of content for use with Splunk and cannot be used for production use cases". Testing in this scenario is testing of apps developed for Splunk rather than evaluation of Splunk itself. The best option here is to request an extended trial / pre-sale / Proof of Concept license from Sales, as this will be a fully featured license which would match the type of license you would have for a production environment. Did this answer help you? If so, please consider: adding karma to show it was useful; marking it as the solution if it resolved your issue; commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.