All Posts

Hi, this should work: https://community.splunk.com/t5/Getting-Data-In/What-props-conf-and-transforms-conf-settings-I-need-to-onboard/m-p/582549 r. Ismo
Sure thing, you can use the mvfilter eval function to get rid of the unwanted value in the multivalue field:
| eval yourfield = mvfilter(yourfield != "null")
Do you mean something like this? | eval errormsg=mvfilter(errormsg!="null")
You have two identical questions! See the answer in the other one: https://community.splunk.com/t5/Alerting/Knowledge-Object/m-p/680852#M15802
Try something like this - note that the case function has to all be on one line for it to parse correctly

<form version="1.1" theme="dark">
  <label>My dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-5m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="server" searchWhenChanged="true">
      <label>server</label>
      <choice value="All">All</choice>
      <search>
        <query>| inputlookup server_lookup.csv</query>
      </search>
      <fieldForLabel>server</fieldForLabel>
      <fieldForValue>server</fieldForValue>
      <prefix>(</prefix>
      <valuePrefix>server_used ="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <suffix>)</suffix>
      <default>All</default>
      <change>
        <eval token="form.server">case(mvcount('form.server')=0,"All",mvcount('form.server')&gt;1 AND mvfind('form.server',"All")&gt;0,"All",mvcount('form.server')&gt;1 AND mvfind('form.server',"All")=0,mvfilter('form.server'!="All"),1==1,'form.server')</eval>
        <eval token="server_choice">if(mvfind('form.server',"All")=0,"server_used=*",$server$)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Some panel</title>
      <chart>
        <search>
          <query>index=* $server_choice$ | stats median(some_value)</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">radialGauge</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.rangeValues">[0,10,30,100]</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.gaugeColors">["0x118832","0xcba700","0xd41f1f"]</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</form>
Hi, you could try this: https://github.com/harsmarvania57/splunk-ko-change But usually it's easier and faster to do that via the GUI. Just use Settings -> All objects -> Change ownership (or something like that, I can't remember the exact names). If that doesn't work (there are some cases when this cannot change all KOs), you should use the previous script. r. Ismo
Hi Ryan, I have a SaaS controller. The problem here is that my machine agent is not associated with any application, and my healthrule which needs to trigger the remediation action is created under the Server module. Ideally, when the healthrule violates, I want to run the script. Can you suggest any way to do this? Regards, Gopikrishnan R.
Hi, it's like @Richfez said. The UF hasn't any UI component. Earlier it had the management port enabled, but currently even that is disabled by default. Why do you think that you need a GUI on the UF? Usually it is configured by a DS or another tool with apps. r. Ismo
Are you saying that the add-on is not worth using?
The Universal Forwarder has no UI.  Splunk Web isn't available on it, so there's no http site to go to. https://docs.splunk.com/Documentation/Splunk/9.2.0/Forwarding/Typesofforwarders To get a UI like that *on a forwarder* you'll need to install a Heavy Forwarder which is actually just the full Splunk server installation - what makes it a HF instead of just "Regular Splunk" is how it's configured later to both receive and 'forward' data in to another Splunk instance. Or just an install of the full Splunk installation.
If your problem is resolved, then please click the "Accept as Solution" button to help future readers.
I'm trying to create what is effectively a "server" dropdown in a dashboard, where I want to allow people to filter on one or more servers from a lookup. By default, I want the visualization to show for all servers. I have the lookup pulling values, but I'm stuck trying to figure out how to make it so that they don't have to unselect a default "*" value. Ideally, the input is empty by default (or it can show some value like "*" or "all") but once they start selecting individual servers that "all" option is removed. Conversely, if they remove all servers from the filter, it should once again act like "*". Here's a stripped-down version of what I'm trying to do:

<form version="1.1" theme="dark">
  <label>My dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-5m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="server" searchWhenChanged="true">
      <label>server</label>
      <search>
        <query>| inputlookup server_lookup.csv</query>
      </search>
      <fieldForLabel>server</fieldForLabel>
      <fieldForValue>server</fieldForValue>
      <delimiter>, </delimiter>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Some panel</title>
      <chart>
        <search>
          <query>index=* server_used IN ($server$) | stats median(some_value)</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">radialGauge</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.rangeValues">[0,10,30,100]</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.gaugeColors">["0x118832","0xcba700","0xd41f1f"]</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</form>
Gents. Thank you very much. Proper placement of commas and double quotes solved the issue.
I installed the Splunk Universal Forwarder and ran it; it started, but I am not able to access the HTTP site after entering the IP with port number on Linux.
I wanted to use the MLTK k-cluster algorithm to differentiate indexes which have slow usage growth as a cluster and sudden usage growth as a cluster, and also predict index usages for next year. did someone already did and exp
Hi, I couldn't find anything special for SCP ingest calculation for now. My expectation is that those events and metrics are calculated just as in the on-prem Enterprise version. Ingestion contains some information about ingestion in SCP. Usually ingestion-based licenses are sold only if you have max. a couple of hundred GB/day data amount. Quite soon (latest 400GB/d or even earlier) Splunk offers you SVC-based licenses, which are calculated by infra (SH+IDX cores+memory) resources. r. Ismo
Hi @whitecat001, you have to go into $SPLUNK_HOME/etc/apps/your_app/metadata/local.meta and manually update the owners of the files. I'd use the GUI! Ciao. Giuseppe
Hello to all, I have a multivalue field, content.errormsg, with values and also with a null value. If the null value is in the field, it will not show any results in the output.
Example: errormsg closed connection Empty String null
Needed result: errormsg closed connection Empty String
I've been working on an issue where I need to be able to filter out a registry entry as well, but this solution doesn't get me there.   I need to filter out the languagelist entry, just can't get the regex to work. Anyone else have success filtering reg entries? I need to filter out this entry. HKU\.default\software\classes\local settings\muicache\2c4\52c64b7e\languagelist
Hi @Dalia.Alaa, here is a link to search results from AppDynamics Docs. Please see if there is anything there that can help.