All Posts


The simple answer is no - what is your use case? What are you trying to achieve? There may be another way.
I want to call lookup within a case statement. If possible, please share a sample query.
Cool - you obviously have more (unshared) knowledge about your events, which I could not easily have guessed at!
Thanks @ITWhisperer .  [^\"] worked for me.
Use a character class - it looks like this is hexadecimal with some hyphens thrown in so try [a-f0-9-]
@damode I have the same issue on a Windows machine after changing Splunk from Local account to domain account. Did you find a solution?
Hi, I have the same problem, did you find a solution? My exe runs a scheduled task with a parameter and I don't have it as a service.
Thank you @Richfez and @tscroggins for your solutions! For my use case the one given by @tscroggins suits best though. If I understand correctly, in order to be able to display the data this way, it is a must that the data is ordered so that there is one record per workday with each event timestamp in its own column. In your data example, the timestamps are each in a new column. So when we would have 100 events in 7 days, it means 100 different columns. Is it doable to manipulate the data so that for each day, the timestamps are inserted starting at event01? Below is an example of what the data looks like, followed by how I would like it to be. Any suggestions on how to achieve this? For others reading along, I use Dashboard Studio and was able to replicate the visualization by adding this to the visualization code:
    "overlayFields": "event01, event02, event03, event04, event05, event06, event07, event08, event09, event10, event11, event12"
Need help with the extraction of an alphanumeric field. E.g.: ea37c31d-f4df-48ab-b0b7-276ade5c5312
Hi, I have two searches joined using the join command. The first search I need to run with earliest=-60mins, and the second search is using a summary index; here I need to fetch all the results in the summary index, so I need to check and run the summary index for "all time". How can this be done? I am giving earliest=-60min in my first search and a time range of "all time" while scheduling the report consisting of these two searches, but it is not working. I have not used any time in my summary index.
Search to populate my summary index:
    index=testapp sourcetype=test_appresourceowners earliest=-24h latest=now | table sys_id, dv_manager, dv_syncenabled, dv_resource, dv_recordactive | collect addtime=false index=summaryindex source=testapp
My scheduled report search:
    index=index1 earlies=-60m | join host [| search index=summaryindex earliest="alltime"] | table host field1 field2
Hi @YJ, please try this:
    [monitor://C:\Program Files\somepath\folderA*\*]
    index=someindex
    sourcetype=somesourcetype
Ciao. Giuseppe
Referring to the below inputs.conf for one of my Windows servers, as you can see, there is some whitespace at the end of the first line before the closing bracket. "folderA" is the folder whose contents Splunk should be ingesting but is not (there are multiple log files inside). Is there a possibility that because of this whitespace Splunk may not be ingesting the logs? And if yes, is there any explanation for this so that we can explain/advise the client?
    [monitor://C:\Program Files\somepath\folderA ]
    index=someindex
    sourcetype=somesourcetype
I'm trying to migrate kvstore on a v8.2 installation on Windows, but it fails early in the process.
    splunk migrate kvstore-storage-engine --target-engine wiredTiger
    ERROR: Cannot get the size of the KVStore folder at=E:\Splunk\Indexes\kvstore\mongo, due to reason=3 errors occurred. Description for first 3: [{operation:"failed to stat file", error:"Access is denied.", file:"E:\Splunk\Indexes\kvstore\mongo"}, {operation:"failed to stat file", error:"Access is denied.", file:"E:\Splunk\Indexes\kvstore\mongo"}, {operation:"failed to stat file", error:"Access is denied.", file:"E:\Splunk\Indexes\kvstore\mongo"}]
I've tried to do file operations on the folder and subfolders of E:\spunk\indexes\kvstore\mongo and everything seems ok. The mongod.log does not contain any rows from the migration. Any nudges in the right direction? Can I upgrade to 9.1 without migrating the store?
Removed the eval statement and got it working. 
Thanks. And it is taking only one event and returning me an average response time of 4, or any number I put in the eval field. I couldn't grab all the numbers in such logs/events and take the average value.
<panel>
  <html>
    <div class="modal $tokShowModel$" id="myModal" style="border-top-left-radius:25px; border-top-right-radius:25px;">
      <div class="modal-header" style="background:#e1e6eb; padding:20px; height:10px;">
        <h3>Message:</h3>
      </div>
      <div class="modal-body" style="padding:30%">
        <p style="color:blue;font-size:16px;">
          This dashboard has been moved to azure. Kindly visit the following link -
          <a href="https://mse-svsplunkm01.emea.duerr.int:8000/en-US/app/GermanISMS/kpi_global_v5">Go here </a>
        </p>
      </div>
    </div>
  </html>
</panel>
I have created this code, which displays the pop-up, but the Splunk dashboard is still working in the background... Can anyone please help me with an idea about any script that I can add to this code to make the dashboard stop working in the background, and the pop-up should also display?
Hello, I am unable to see data / tenant data in prod dashboards when searching by tenant ID. I cannot see the tenant ID, but it is visible in lower domains. I have verified all beats metrics are installed on the servers.
Hello Kiran,
<panel>
  <html>
    <div class="modal $tokShowModel$" id="myModal" style="border-top-left-radius:25px; border-top-right-radius:25px;">
      <div class="modal-header" style="background:#e1e6eb; padding:20px; height:10px;">
        <h3>Message:</h3>
      </div>
      <div class="modal-body" style="padding:30%">
        <p style="color:blue;font-size:16px;">
          This dashboard has been moved to azure. Kindly visit the following link -
          <a href="https://mse-svsplunkm01.emea.duerr.int:8000/en-US/app/GermanISMS/kpi_global_v5">Go here </a>
        </p>
      </div>
    </div>
  </html>
</panel>
I have created this code, which displays the pop-up, but the dashboard is still working in the background... Do you have any idea about any script that I can add to this code to make the dashboard stop working in the background?
You are probably entering private IPs - or see this for Splunk's private IPs https://docs.splunk.com/Documentation/SplunkCloud/latest/Config/ACSerrormessages