But what if the Splunk index itself is missing in Splunk, won't it give me any error while writing the queries to retrieve the data?
@Jordan1 Hey Jordan, can you please check that your inputs.conf configuration files are properly configured to collect and forward these metrics? If possible, can you paste your inputs.conf here? Make sure that the data from the Universal Forwarders is being routed to the correct index for performance metrics. Refer to the documents below. https://community.splunk.com/t5/All-Apps-and-Add-ons/What-is-the-best-way-to-migrate-Windows-performance-monitoring/td-p/424349 https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Configuration#Collect_perfmon_data_and_wmi:uptime_data_in_metric_index
We want all the hosts in index=aws that are NOT in index=windows. Example: | tstats count where index=aws by host | table host | search NOT [| tstats count where index=windows by host | table host]
Hi all, we have a Splunk Intermediate Forwarder (Heavy Forwarder) set up to receive logs from Universal Forwarders that sit in different networks. The forwarding is working fine for logs, as we can see the internal logs and Windows Events in our index cluster. The issue is with the Windows Performance Metrics, which aren't in our performance metrics indexes. I can see the Universal Forwarders are collecting the metrics from the internal logs, as these are being forwarded successfully. Any suggestions would be helpful.
@Stives Have you gone through this troubleshooting document for the ServiceNow add-on? https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Troubleshooting
Hi @sireesha.vadlamuru, Thank you for asking your question on the Community. I'm not sure what you mean by the 'upgraded license file' - can you provide more info? 
Hi @Osama.Abbas, I have shared your feedback with the Docs team. I will report back when I hear from them. 
Try something like the below: index=<indexname> ("ess service") |transaction host startswith="The ess service entered the stopped state." endswith="The ess service entered the running state." maxspan=30m |search NOT <field>="The ess service entered the running state." |table host
Hello all, I need the logs from my security index to be sent to my S3 bucket (SmartStore) after 1 month, but they should still be accessible for another 5 months.
Hi, the app https://splunkbase.splunk.com/app/5530 shows that it's cloud compatible but is failing the vetting process during installation.
How long are you prepared to wait for the service to come up again? - Within 10 min; if the service is not coming up by then, we need an alert, i.e. an event "The ess service entered into running state" will be logged.
Are you looking to alert if all the servers don't come back up within a certain time, or if any one of them doesn't come back up? - Any server out of the 25: if the service is not running, we need an alert.
Are events generated when the service is up, and how regularly do these events occur? - As soon as the service has started, an event will be generated: "The ess Service entered into running state".
Can there be periods when no events are generated but the service is still to be considered up? - No, an event will definitely be generated once the service is brought up.
@richgalloway, please check your inbox.
Who told you to create a new token? What problem are you trying to solve? I think I need a bigger picture so I understand what is happening and how to get it to work.
"It's not working" doesn't tell me what's wrong, so it's hard to offer a fix. It's possible, however, that the regex needs improvement. Please try my updated answer.
This is not working for my case; I can still see the duplicate values in Verbose mode, and I newly configured both settings in props.conf.
@richgalloway It's not working.
OK, got it, so basically: the UF gathers all lines and sends them to the heavy forwarder/indexer; the indexer drops all lines except those not matched by the regex. I'll give it a whirl! Thanks @PickleRick and @tscroggins
So how can I use the <change> condition in my case? Any example queries would be greatly appreciated @richgalloway. They told me to create a new token and pass it to the filter and row.
I mean structured in terms of each line in the log following a defined structure (space delimited fields) that lends itself to easy parsing.
Try something like this: | spath custom_attributes output=custom_attributes | spath input=custom_attributes | eval combined=mvzip('entity-internal-id{}','lead-id{}') | mvexpand combined | eval entity_internal_id = mvindex(split(combined,","),0) | eval lead_id = mvindex(split(combined,","),1)