All Posts


Thanks for the quick response, but I would like to achieve this through the CLI, and also the user changed her name and will want the new name to be applied to the knowledge object.
Hi @n3wbi3, you have to create a new search using a regex to extract fields:
| rex "type\=\\\"(?<type>[^\\]+)"
The problem is that the log contains a backslash, and this is a problem because in the search you have to use the above command or the following:
| rex "type\=\\\\\"(?<type>[^\\]+)"
Ciao. Giuseppe
Hi @whitecat001, you have to go to [Settings > All Configuration], then you have to select the app where the knowledge objects are, select the ones to reassign, and click on the Reassign Knowledge Objects button (top right). Ciao. Giuseppe
So the logs changed from typical JSON to this ...
"message":"type=\"CLIENT_LOGIN\", realmId=\"xxx\", clientId=\"xxx\", userId=\"xxx"
so Splunk extracts for type this "\"
Now the searches do not work anymore.
Hi all, I'm looking at volume of indexes and how much they ingest to calculate the volumes of licenses. I am aware I could find this answer straight away but I like to investigate further. I'm not sure on how to construct a SPL search that looks at just metrics indexes and checks how much volume they use up of the daily licensing quota per day. Can anyone help me with this?
Hello, there was a user name that was changed and I want to transfer ownership of Splunk knowledge objects (Alerts) to her new account name. Please, how will I go about effecting this change?
Hi all, could someone please explain how licensing works for both Events and Metrics in Splunk Cloud. I've looked at other posts in the Splunk Community but they don't really make sense. Would love a fresh answer to see if there are any differences/updated explanations. Cheers
I'm on Splunk Enterprise 9.1.3, and I've configured the add-on (no proxy) with the SolarWinds server name, port, and credentials. I've configured the inputs, and I see nothing. Running tcpdump shows no traffic to the SolarWinds server or the configured port. This is what I see in the log:

2024-03-14 19:55:48,630 +0000 log_level=ERROR, pid=3098123, tid=Thread-4, file=ta_data_collector.py, func_name=index_data, code_line_no=113 | [stanza_name="ics_query"] Failed to index data
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/cloudconnectlib/splunktacollectorlib/data_collection/ta_data_collector.py", line 109, in index_data
    self._do_safe_index()
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/cloudconnectlib/splunktacollectorlib/data_collection/ta_data_collector.py", line 129, in _do_safe_index
    self._client = self._create_data_client()
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/cloudconnectlib/splunktacollectorlib/data_collection/ta_data_collector.py", line 99, in _create_data_client
    self._data_loader.get_event_writer())
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/cloudconnectlib/splunktacollectorlib/ta_cloud_connect_client.py", line 20, in __init__
    from ..core.pipemgr import PipeManager
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/cloudconnectlib/core/__init__.py", line 1, in <module>
    from .engine import CloudConnectEngine
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/cloudconnectlib/core/engine.py", line 6, in <module>
    from .http import HttpClient
  File "/opt/splunk/etc/apps/Splunk_TA_SolarWinds/bin/splunk_ta_solarwinds/aob_py3/cloudconnectlib/core/http.py", line 26, in <module>
    'http_no_tunnel': socks.PROXY_TYPE_HTTP_NO_TUNNEL,
AttributeError: module 'socks' has no attribute 'PROXY_TYPE_HTTP_NO_TUNNEL'

I'd appreciate any help in getting this working.
Have you tried putting quotes around the group names?
| eval GR=case(host=5087, "GR2", host=7750, "GR1", host=7751, "GR1", host=7752, "GR2")
| stats count by GR
Hi @bigll, use quotes in eval:
| eval GR=case(host="5087", "GR2", host="7750", "GR1", host="7751", "GR1", host="7752", "GR2")
| stats count by GR
Ciao. Giuseppe
Working now with exactperc, thanks, which gives the actual value.
I want to create statistics per group of devices rather than individual devices. I tried eval, but it produced no result.
| eval GR=case (host=5087, GR2, host=7750, GR1, host=7751, GR1, host=7752, GR2)
| stats count by GR
TIA, Leon
I have shown you how to do this, with a runanywhere example included. If this isn't working for you, you need to provide some example events (in raw source format) where it is not working, because what you have provided so far has been shown to work.
Hi @dataisbeautiful, never use All Time! Choose a correct time range and use it. Ciao. Giuseppe
@niketn can you please guide about whitespaces removal.
trim did not make any difference.
Hello, I am receiving these errors and my HF is not working properly. I think that it is something related to the SSL interception and the intermediate and root CA but I am not discovering it.

Root Cause(s): More than 70% of forwarding destinations have failed. Ensure your hosts and ports in outputs.conf are correct. Also ensure that the indexers are all running, and that any SSL certificates being used for forwarding are correct.

Last 50 related messages:
03-15-2024 08:14:15.748 -0400 WARN AutoLoadBalancedConnectionStrategy [61817 TcpOutEloop] - Applying quarantine to ip=34.216.133.150 port=9997 connid=0 _numberOfFailures=2
03-15-2024 08:14:15.530 -0400 WARN AutoLoadBalancedConnectionStrategy [61817 TcpOutEloop] - Applying quarantine to ip=35.162.96.25 port=9997 connid=0 _numberOfFailures=2
03-15-2024 08:14:15.296 -0400 WARN AutoLoadBalancedConnectionStrategy [61817 TcpOutEloop] - Applying quarantine to ip=44.231.134.204 port=9997 connid=0 _numberOfFailures=2
03-15-2024 08:14:14.425 -0400 INFO AutoLoadBalancedConnectionStrategy [61817 TcpOutEloop] - Removing quarantine from idx=44.231.134.204:9997 connid=0
03-15-2024 08:14:14.425 -0400 INFO AutoLoadBalancedConnectionStrategy [61817 TcpOutEloop] - Removing quarantine from idx=35.162.96.25:9997 connid=0
03-15-2024 08:14:14.425 -0400 INFO AutoLoadBalancedConnectionStrategy [61817 TcpOutEloop] - Removing quarantine from idx=34.216.133.150:9997 connid=0
03-15-2024 08:12:56.049 -0400 WARN AutoLoadBalancedConnectionStrategy [61817 TcpOutEloop] - Applying quarantine to ip=35.162.96.25 port=9997 connid=0 _numberOfFailures=2

This is my outputs.conf:

[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = inputs1.tenant.splunkcloud.com:9997, inputs2.tenant.splunkcloud.com:9997, inputs3.tenant.splunkcloud.com:9997, inputs4.tenant.splunkcloud.com:9997, inputs5.tenant.splunkcloud.com:9997, inputs6.tenant.splunkcloud.com:9997, inputs7.tenant.splunkcloud.com:9997, inputs8.tenant.splunkcloud.com:9997, inputs9.tenant.splunkcloud.com:9997, inputs10.tenant.splunkcloud.com:9997, inputs11.tenant.splunkcloud.com:9997, inputs12.tenant.splunkcloud.com:9997, inputs13.tenant.splunkcloud.com:9997, inputs14.tenant.splunkcloud.com:9997, inputs15.tenant.splunkcloud.com:9997
forceTimebasedAutoLB = true
autoLBFrequency = 40
While the commonId fields look like they might match, they obviously don't. This could be due to "invisible" white spaces. Try trimming the commonId field before the stats command
The short answer is probably no. However, it may depend on your data, your applications doing the logging, your infrastructure, your networking, etc. None of this information is available to me. If there are delays built into any of these, there may be ways to work around them.
The raw data that I have provided is what the two log events look like. But when I run your search I do not get all data. This is what the result looks like