All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

Hello,  I would like to create timechart that counts number of tests with different statuses (e.g. statuses 'OK', 'ERROR', 'WARN' etc) for last 30 days (per each day). The problem is that it should ... See more...
Hello,  I would like to create timechart that counts number of tests with different statuses (e.g. statuses 'OK', 'ERROR', 'WARN' etc) for last 30 days (per each day). The problem is that it should take only latest log with status per test (e.g. I have Login test (id 151), it has couple events/logs with different statuses, and I would like to take for that test last log/event with latest status.  I have a problem to combine 'latest' and 'distinct_count' with timechart.  When I do following search, I get duplicates of logs for test (e.g. I should have every day count of 62 (tests) for all statuses):  basesearch | timechart span=1d distinct_count(test) as tests by status e.g. on day 2025-05-26 test 'Login test (id 151)' have one event with status 'OK' and another one with status 'Blad', and the duplicate is shown here. When I want to combine 'latest' to timechart I get distinct_count results only for last day: basesearch | stats latest(status) as statuses latest(test) as tests latest(_time) as myTime by test | eval _time=myTime | timechart span=1d distinct_count(tests) by statuses   I appreciate help how to combine timechart, distinct_count and latest all together.  
Hi @Ashish0405 , you have to follow the same process. or copy the option  <format type="color" field="Severity"> <colorPalette type="map"> {"failed":#D93F3C,"finished":#31A35F,"Critical":#D... See more...
Hi @Ashish0405 , you have to follow the same process. or copy the option  <format type="color" field="Severity"> <colorPalette type="map"> {"failed":#D93F3C,"finished":#31A35F,"Critical":#D93F3C,"Informational":#31A35F}</colorPalette> </format> obviously changing the values of the Severity field. Ciao. Giuseppe
Hi Team, I have added Red & Green color to Status column, I want to add the same to severity column as well. Can some one suggest me some commands   I have used below commands to add color to sta... See more...
Hi Team, I have added Red & Green color to Status column, I want to add the same to severity column as well. Can some one suggest me some commands   I have used below commands to add color to status field.   <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> <format type="color" field="Status"> <colorPalette type="map">{"failed":#D93F3C,"finished":#31A35F,"Critical":#D93F3C,"Informational":#31A35F}</colorPalette> </format>  
Hi @Nrsch , if the hostnames that you would to use in the host field are in the logs, you can override this value using a regex on the Heavy Forwarder following the instructions at: https://docs.sp... See more...
Hi @Nrsch , if the hostnames that you would to use in the host field are in the logs, you can override this value using a regex on the Heavy Forwarder following the instructions at: https://docs.splunk.com/Documentation/Splunk/9.4.2/Data/Overridedefaulthostassignments in props.conf: [<your_sourcetype>] TRANSFORMS-override_host = override_host in transforms.conf: [override_host] REGEX = <your_regex> FORMAT = host::$1 DEST_KEY = MetaData:Host beware in defining your regex that you must use in the FORMAT option the group containing the hostname. Ciao. Giuseppe
Hello, im on splunk enterprise  Im facing with this error on my Dashboard : Failed to load source for JointJS Diagram visualization   Did you have any idea about this ? Regards.
I have a serious problem, please help me.   We have an HAProxy server that receives logs from various clients and forwards them to a Splunk Heavy Forwarder. The problem is that HAProxy replaces the c... See more...
I have a serious problem, please help me.   We have an HAProxy server that receives logs from various clients and forwards them to a Splunk Heavy Forwarder. The problem is that HAProxy replaces the client's IP address with its own (in TCP). The question is: how can we have the client's IP address for each log in the Splunk Heavy Forwarder?
hi @livehybrid , thks for reply. I wil try this.   Regards
"viz_is5FtVR7": {             "dataSources": {                 "primary": "ds_gVYGLUPs"             },             "title": "Hits Received by HTTP Error Response Code",             "type": "spl... See more...
"viz_is5FtVR7": {             "dataSources": {                 "primary": "ds_gVYGLUPs"             },             "title": "Hits Received by HTTP Error Response Code",             "type": "splunk.area"         },         "viz_sE6SurJU": {             "dataSources": {                 "primary": "ds_FXWuV3ZX_ds_search_1"             },             "title": "Light Gateway Start History",             "type": "splunk.pie"         },         "viz_tXWYyMRx": {             "dataSources": {                 "primary": "ds_3LhTiLOu"             },             "description": "",             "options": {                 "y2": "> primary | frameBySeriesNames('')"             },             "title": "UAT Inbound URL Path",             "type": "splunk.bar"         }     },
Hi Hamed, I'm facing the exact same issue. Were you able to resolve it? Thanks in advance! @hamed_khosrawi1 
require([     'splunkjs/mvc',     'splunkjs/mvc/searchmanager',     'splunkjs/mvc/tableview',     'splunkjs/mvc/simplexml/ready!',     'jquery' ], function(mvc, SearchManager, TableView, ignore... See more...
require([     'splunkjs/mvc',     'splunkjs/mvc/searchmanager',     'splunkjs/mvc/tableview',     'splunkjs/mvc/simplexml/ready!',     'jquery' ], function(mvc, SearchManager, TableView, ignored, $) {       // Define a simple cell renderer with a button     var ActionButtonRenderer = TableView.BaseCellRenderer.extend({         canRender: function(cell) {             return cell.field === 'rowKey';          },         render: function($td, cell) {             $td.addClass('button-cell');                var rowKey = cell.value             var $btn = $('<button class="btn btn-success">Mark Solved</button>');               $btn.on('click', function(e) {                 e.preventDefault();                 e.stopPropagation();                   var searchQuery = `| inputlookup sbc_warning.csv                     | eval rowKey=tostring(rowKey)                     | eval solved=if(rowKey="${rowKey}", "1", solved)                     | outputlookup sbc_warning.csv`;                   var writeSearch = new SearchManager({                     id: "writeSearch_" + Math.floor(Math.random() * 100000),                     search: searchQuery,                     autostart: true                 });                   writeSearch.on('search:done', function() {                     console.log("Search completed and lookup updated");                     var panelSearch = mvc.Components.get('panel_search_id');                     if (panelSearch) {                         panelSearch.startSearch();                         console.log("Panel search restarted");                     }                 });             });               $td.append($btn);         }     });       // Apply the renderer to the specified table     var tableComponent = mvc.Components.get('sbc_warning_table');     if (tableComponent) {         tableComponent.getVisualization(function(tableView) {             tableView.table.addCellRenderer(new ActionButtonRenderer());             tableView.table.render();         });     } }); in this i want name of the button to be "unsolved" initially and when somebody clicks it the name should change to solved
@tinatan There is no way to import an existing deployed add-on back into the Add-on Builder as a project for further editing. You can, however, reconstruct the add-on by copying over the code and con... See more...
@tinatan There is no way to import an existing deployed add-on back into the Add-on Builder as a project for further editing. You can, however, reconstruct the add-on by copying over the code and configuration files into a new project, but you will lose the Add-on Builder’s UI metadata.
@berrybob Most probably App may be referencing an environment variable or configuration value that is unset or empty, defaulting to 0 based on the given message. Or may be incompatibility in the v... See more...
@berrybob Most probably App may be referencing an environment variable or configuration value that is unset or empty, defaulting to 0 based on the given message. Or may be incompatibility in the version of ESCU or its dependencies with your openshift.
@Lien  You cannot remove or increase the 500MB/day indexing limit on the Splunk Enterprise Trial or Free license Contact Splunk Sales: For larger-scale testing, request a temporary sales trial ... See more...
@Lien  You cannot remove or increase the 500MB/day indexing limit on the Splunk Enterprise Trial or Free license Contact Splunk Sales: For larger-scale testing, request a temporary sales trial or dev/test license, which can provide a much higher daily limit
Hi @LASALEM  Are you able to check for any other logs in <php_agent_install>/logs that might be relevant? Are there any errors/warnings? I assume you've seen this, but incase you havent its worth c... See more...
Hi @LASALEM  Are you able to check for any other logs in <php_agent_install>/logs that might be relevant? Are there any errors/warnings? I assume you've seen this, but incase you havent its worth checking https://docs.appdynamics.com/appd/23.x/latest/en/application-monitoring/install-app-server-agents/php-agent/install-the-php-agent/resolve-php-agent-installation-issues too  Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
Hi @Lien  To conduct performance/stress testing with a higher data ingest limit, you need to obtain a valid commercial license from Splunk or connect with your Splunk sales representative to request... See more...
Hi @Lien  To conduct performance/stress testing with a higher data ingest limit, you need to obtain a valid commercial license from Splunk or connect with your Splunk sales representative to request an extended or evaluation license specifically for testing purposes.  The trial license is intended for evaluation only, and methods to circumvent the limit is not supported or permitted, but as mentioned you should be able to get a higher ingest license from Sales to perform a proof of concept or longer evaluation.  There are others license types available, however these do have varying terms restricting their use for certain purposes. As mentioned by @kiran_panchavat  - there are Dev/Test licenses (which require an existing commercial agreement to be in place) and App Developer Licenses (for app developers under the Splunk Developer Agreement) however "Splunk developer licenses are for development and testing of content for use with Splunk and cannot be used for production use cases". Testing in this scenario is testing of apps developed for Splunk rather than evaluation of Splunk itself. The best options here to request an extended trial / pre-sale / Proof Of Concept license from Sales as this will be a fully featured license which would match the type of license you would have for a production environment.  Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing  
@Lien  The 500 MB/day indexing limit in the Splunk Enterprise Trial license is a fixed constraint and cannot be removed or reset through reinstallation. Trial License Limitations The 500 MB/day l... See more...
@Lien  The 500 MB/day indexing limit in the Splunk Enterprise Trial license is a fixed constraint and cannot be removed or reset through reinstallation. Trial License Limitations The 500 MB/day limit is strictly enforced. If you exceed the limit for more than 5 days in a 30-day period, Splunk will disable search functionality until the license is reset or upgraded More About Free License:  https://docs.splunk.com/Documentation/Splunk/latest/Admin/MoreaboutSplunkFree?  Dev/Test  Splunk customers can now acquire personalized Dev/Test Licenses for internal, non-production use. Each license is limited to 50 GB/day and a six-month term. The program enables individual users within your organization to experiment with new data sources, as well as encourage others in the organization to try the Splunk platform in a frictionless manner. https://community.splunk.com/t5/Installation/How-can-I-get-a-Splunk-Dev-Test-license/m-p/207898  https://www.splunk.com/en_us/resources/personalized-dev-test-licenses/faq.html?locale=en_us  https://community.splunk.com/t5/Installation/Why-doesn-t-the-new-50gb-Dev-License-support-being-a-remote/m-p/208917  Production For large-scale testing needs, you can reach out to Splunk Sales to request a customized trial license with higher indexing limits or extended duration. This is particularly useful for evaluating Splunk in scenarios that mirror your production environment. https://docs.splunk.com/Documentation/Splunk/latest/Admin/TypesofSplunklicenses  NOTE: Developer License: Splunk offers a Developer License that allows indexing up to 10 GB per day. This license is intended for app development and testing purposes. You can request this license through the Splunk Developer Program.
Doing a performance/stress test using Enterprise Trial license. I wonder if there is a way to get rid of 500MB/day limit. If no, what would be a good practice to do the test with larger limitation?... See more...
Doing a performance/stress test using Enterprise Trial license. I wonder if there is a way to get rid of 500MB/day limit. If no, what would be a good practice to do the test with larger limitation? Does a new installation of Splunk can reset the limit?
Can you share your dashboard XML for the panel that is not visible.
@pwoehl Did this worked? Just curious if its resolved and if you found the solution.
Hello AppDynamics Support, We are experiencing a persistent issue integrating the PHP Agent on a Red Hat 9.5 server running PHP 8.3. Below are the technical details and steps we've already taken.  ... See more...
Hello AppDynamics Support, We are experiencing a persistent issue integrating the PHP Agent on a Red Hat 9.5 server running PHP 8.3. Below are the technical details and steps we've already taken.    Technical Information PHP Agent version: 24.11.0.1340 PHP version: 8.3 OS: Red Hat Enterprise Linux 9.5 Apache MPM: event Controller:xxx:443 HTTP Proxy: xxx:3128    Problem Description The agent initializes properly and correctly detects all necessary settings (controller host, account name, node, etc.). However, the following error is always present in the logs: [config.ConfigChannel] could not send config request This prevents the agent from registering or communicating with the controller.   Troubleshooting Steps Already Taken controller-info.xml file is valid and in place DNS resolution of the controller is working HTTPS connection via proxy tested and successful SSL certificate is valid Ports (443) are open and reachable via proxy Apache/PHP-FPM restarted cleanly