All Posts

We are having a problem with maintenance windows in Splunk IT Service Intelligence. We have a common service that two other services are dependent on; on top of those two there are other services dependent on them.

    Service a                   Service b
    Service in maintenance      Service not in maintenance
                  Common Service

With the current implementation in ITSI, we are forced to put "Service in maintenance" and "Common Service" in maintenance mode to avoid getting wrong health scores in "Service a". This creates a problem for us: if an error occurs in "Common Service" during the maintenance window, it won't be reflected correctly in "Service not in maintenance", hence we will not be able to detect failures that affect our users. We tried raising a ticket, which correctly stated that this works as designed and documented. We have an idea, ITSIID-I-359, but so far it hasn't been upvoted. Kind regards
Hi, as @gcusello said, you have a performance issue on your Splunk system. Quite probably it's on the indexer side. Another place could be the SH side if you have too small a Splunk var directory. I suppose that you have MC in place? Then use it for monitoring your environment. You could look at this https://conf.splunk.com/files/2021/slides/TRU1172B.pdf; there are also some other MC and CMC presentations, and those contain links to other resources and instructions. If those don't help, then ask for help from PS or some Splunk architect. r. Ismo
How much of this is real? For example, do you really have hyphens in the host name of the address? Are they the only place where hyphens occur apart from the end part? Are there any other representative examples you wish to be considered?
Hi @Tron-spectron47, everything in Splunk is a search, so you have to learn how to create a search, both using indexes and Data Models. When you are able to create a search, you can save it in a dashboard, an alert or a report, but the starting point is always a search. To start, you could follow the Splunk Search Tutorial https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial Ciao. Giuseppe
Hi, if/when an admin can use it and a regular user can't, then quite probably the user doesn't have permission to use it. Ask your admin to check those permissions. It should be shared (at least) at app level and given read access to all needed roles or to everyone. If/when it is shared at app level, then users must use it inside that app, not from any other app. If it needs to be accessible from any app, then it must be shared globally. r. Ismo
Hi, you must use a valid email address in the from field. Currently most email servers require that senders be within valid and permitted domains. Depending on your configuration, it could be that you can only use the from field and user which are configured in your Splunk and given by your email provider. r. Ismo
I wanted to see whether what I captured is in the right direction, it's for my own sake. Can I say that there are two ways of creating a dashboard: one through inputs and the other through data models?
Hi, you must use transforms to get this done.

Create a Field transformation in your app:
    Name: e.g. get_directory_from_linux_audit_source
    Type: regex-based
    Regular expression like: /log/([^/]+)/
    Format: directory::$1
    Source key: source
    Save and give the needed permissions (app and the roles which can use it).

Create a Field extraction:
    Name: <whatever you want to call it>
    Apply to: sourcetype named: e.g. linux_audit, or whatever this is on your node
    Type: Uses transforms
    Extraction/Transforms: <from above, e.g. get_directory_from_linux_audit_source>
    Save and give the needed permissions like above.

Wait for this to be applied to all needed places on SCP. Use it like:
    index=<your index> sourcetype=<your sourcetype> <Your field name>=*
r. Ismo
Thank you - this hasn't worked. I'm still getting all 158 problem details, although now renamed as problem_classification, but I think I understand the logic and will play around with it.
Hi, I'm trying to follow this tutorial https://splunkui.splunk.com/Create/ComponentTutorial and I have a problem when I start the demo. The steps that I'm following are:

Navigate to an empty directory of your choice and invoke Create:
    mkdir -p ~/Code/MyTodoList && cd ~/Code/MyTodoList
    npx @splunk/create
(I choose "A monorepo with a React Component")

Run setup and start the component in demo mode:
    yarn run setup
    cd packages/react-todo-list
    yarn run start:demo

This brings me back the following errors:

    ERROR in ../../node_modules/@splunk/splunk-utils/url.js 11:19-41
    Module not found: Error: Can't resolve 'querystring' in 'c SPLUNK\Code\MyTodoList\node_modules\@splunk\splunk-utils'
    BREAKING CHANGE: webpack < 5 used to include polyfills for node.js core modules by default.
    This is no longer the case. Verify if you need this module and configure a polyfill for it.
    If you want to include a polyfill, you need to:
    - add a fallback 'resolve.fallback: { "querystring": require.resolve("querystring-es3") }'
    - install 'querystring-es3'
    If you don't want to include a polyfill, you can use an empty module like this:
    resolve.fallback: { "querystring": false }

How can I handle this? Thanks in advance.

    node -v
    v20.11.1
    npm -v
    10.2.4
    yarn -v
    1.22.22

I did that:
    npm install querystring-es3

And this is the fallback in webpack.config.js:

    const path = require('path');
    const { merge: webpackMerge } = require('webpack-merge');
    const baseComponentConfig = require('@splunk/webpack-configs/component.config').default;

    module.exports = webpackMerge(baseComponentConfig, {
        resolve: {
            fallback: { "querystring": require.resolve("querystring-es3") }
        },
        entry: {
            ReactTodoList: path.join(__dirname, 'src/ReactTodoList.jsx'),
        },
        output: {
            path: path.join(__dirname),
        }
    });

But the error is the same.
Working 
Hi, unfortunately there is no common mechanism for getting this information, or at least I don't know of one. You could look at this page https://advisory.splunk.com/?301=/en_us/product-security.html to get information on whether there are any security issues, which usually means that a new version has been released. On that page there is also the possibility to subscribe to an RSS feed. Another option is to look at when there is a new version on docs.splunk.com. And if/when you have a Splunk instance which has access to the internet (some Splunk sites) and you have admin rights on it, you can see Messages when a new version and/or release has launched. r. Ismo
Thanks a lot! This regex works for the given example. I've another pattern like this "address":"http://test-query-service.xxx-xxx.xxx.xxx.com/services/user/v1/deleteUser/342ad-123m4-r43rm-144dgdg" for which I'm trying to implement the regex you've given by modifying it slightly, but I couldn't achieve the same result. Can you please help here? Also, can you please break down the regex for my better understanding?
Try something like this:
    |rex field=message max_match=0 "API: START: /v1/expense/extract/demand/(?<oneField>[^\/]+)\/(?<anotherField>\S+)"
Hi @karthi2809, if the first field is called app and the second is called OnDemandFileName, you can use this regex:
    |rex field=message max_match=0 "API: START: \/v1\/expense\/extract\/demand\/(?<app>[^\/]+)\/(?<OnDemandFileName>.*)"
that you can test at https://regex101.com/r/uifAqM/1 Ciao. Giuseppe
How do I extract the two fields from the message? In this I need to extract, after API: START: /v1/expense/extract/demand/, nagl as one field and demand_con.csv in another field. I am extracting with:
    |rex field=message max_match=0 "API: START: /v1/expense/extract/odemand/ (?<OnDemandFileName>[^\n]\w+\S+)"
Sample message:
    API: START: /v1/expense/extract/demand/nagl/demand_con.csv
We have had a second instance of this happening overnight. Last night's update is 4.18.24020.7. The previous update that caused this issue was 4.18.23110.3. Both are showing up in Event Viewer as event ID 2014.
I know this question is old and probably not relevant for you anymore; however, I stumbled over the same issue and wanted to share a possible solution. I could not find any documentation on why mvindex is not working with negative values in the dashboards, however there is a workaround.
    <eval token="mvIndexValue">mvcount(<mvfield>)-1</eval>
    <eval token="lastValue">mvindex(<mvfield>, $mvIndexValue$)</eval>
I think it's pretty ugly, but so far I have not found a better solution.
Hi @spkriyaz, could you please share the detailed step-by-step procedure to apply this solution?
When adding a Time Range Picker in Dashboard Studio, the formatting for the date and time range is month day year. How do I change this formatting to day month year?
How it shows:
How I want it to show: