Thanks for replying Marnall. It is indeed very strange that the CIM Validator does not return any results, especially since, as you mentioned, at the bottom of the page there is a table labelled "Events" that does return results. I do not recall if this issue was present last week, but trying to click on the "Search type" drop-down menu and clicking on "datamodel" no longer saves that selection. It is permanently stuck on "_raw". Clicking on all the magnifying glasses of each search, the results are almost always the same: - "Total fields" always returns a count of zero. - The rest all return the data model that I have selected. I've added several screenshots to show what I see. I hope there will be more suggestions for troubleshooting.
[Screenshot: No CIM Validation results despite the "Events" table being populated.]
[Screenshot: "Open in Search" result from "Issue Fields".]
I am trying to create a dashboard to examine group policy processing errors. I would like to create a drop-down based on the values returned for EventCode, which is the Windows EventID. 1. How do I create a dynamic drop-down to show the EventIDs (EventCode) returned by the search? 2. I see you can enter a whole new search, but technically that is different than the main search, right? How do I base it on the main search? 3. What are Label (fieldForLabel) and Value (fieldForValue) for? Why are they required?
<form version="1.1" theme="light">
<label>GP Errors</label>
<fieldset submitButton="true" autoRun="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-90m@m</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="Computername">
<label>Computer Name</label>
<default>*</default>
</input>
<input type="dropdown" token="EventID">
<label>Event ID</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>EventID</fieldForLabel>
<fieldForValue>EventID</fieldForValue>
<search>
<query>index=winevent source="WinEventLog:System" SourceName="Microsoft-Windows-GroupPolicy" Type=Error
| stats values(EventCode)</query>
<earliest>-90m@m</earliest>
<latest>now</latest>
</search>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index=winevent source="WinEventLog:System" SourceName="Microsoft-Windows-GroupPolicy" Type=Error host=$Computername$ EventCode=$EventID$
| table host, EventCode, Message, _time
| rename host AS Host, EventCode AS EventID
| sort _time desc</query>
<earliest>-90m@m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
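The following is an added example, not the poster's dashboard, showing one way the three questions above can be answered in Simple XML. It keeps the index, source and SourceName values from the post and adds a form-level base search (the id `gp_errors` and the `label` field are my choices) that both the drop-down and the table post-process. The important detail for question 1 is that `fieldForValue` and `fieldForLabel` must name fields the populating search actually emits: `| stats values(EventCode)` emits a single multivalue field called `values(EventCode)`, so a drop-down asking for a field named `EventID` stays empty.

```xml
<form version="1.1" theme="light">
  <label>GP Errors (added example)</label>

  <!-- Base search shared by the drop-down and the table. It carries no input
       tokens, so it can run before the user has picked anything. Index and
       source values are taken from the original post. -->
  <search id="gp_errors">
    <query>index=winevent source="WinEventLog:System" SourceName="Microsoft-Windows-GroupPolicy" Type=Error
| fields host, EventCode, Message, _time</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>

  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-90m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="Computername">
      <label>Computer Name</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="EventID">
      <label>Event ID</label>
      <choice value="*">All</choice>
      <default>*</default>
      <!-- Value is what gets substituted into $EventID$; Label is what the
           user sees. Both must be field names present in the search results,
           which is why the search below creates EventID and label explicitly. -->
      <fieldForValue>EventID</fieldForValue>
      <fieldForLabel>label</fieldForLabel>
      <search base="gp_errors">
        <query>| stats count by EventCode
| eval EventID=EventCode, label=EventCode." (".count." errors)"
| sort EventID</query>
      </search>
    </input>
  </fieldset>

  <row>
    <panel>
      <table>
        <!-- Post-process the same base search, applying the input tokens here. -->
        <search base="gp_errors">
          <query>| search host=$Computername$ EventCode=$EventID$
| table host, EventCode, Message, _time
| rename host AS Host, EventCode AS EventID
| sort -_time</query>
        </search>
        <option name="drilldown">none</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
```

For question 2: a base search cannot itself depend on the drop-down it populates, so the tokens are applied in the post-process `| search` stage rather than in the base search. Post-process searches over a base search that returns raw events are limited (10,000 events by default), so for a busy environment make the base search a transforming one (for example `| stats count by host, EventCode, Message, _time`) or narrow the time range.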
Indexers will automatically copy buckets from local storage to SmartStore/S3 when they roll from hot to warm. You can try to tune the hot bucket lifetime to 30 days, but I don't recommend it. Let them roll normally and size your SmartStore cache so it's large enough to hold 30 days' of data. Use the frozenTimePeriodInSecs setting in indexes.conf to specify the lifetime of the data. Buckets will be removed from S3 when the newest event in the bucket is older than the specified time.
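As an added illustration of the advice above (this is not the responder's configuration, and the index name `security`, the volume name, the S3 path and the cache size are placeholders), here are the indexes.conf and server.conf settings involved for the case in the question: data stays searchable for six months in total, with roughly the most recent month favoured in the local cache. Comments in Splunk .conf files must sit on their own lines, as below.

```ini
# indexes.conf (on every indexer in the cluster, via the manager node)

[volume:remote_store]
storageType = remote
# placeholder bucket/prefix
path = s3://EXAMPLE-BUCKET/splunk-smartstore

[security]
homePath = $SPLUNK_DB/security/db
# coldPath is still required, although SmartStore does not use cold buckets
coldPath = $SPLUNK_DB/security/colddb
thawedPath = $SPLUNK_DB/security/thaweddb
# Enables SmartStore for this index; warm buckets are uploaded as they roll.
remotePath = volume:remote_store/$_index_name
# 180 days = 6 months total retention. A bucket is removed once the newest
# event in it is older than this.
frozenTimePeriodInSecs = 15552000
# Ask the cache manager to defer evicting buckets whose latest event is
# younger than 30 days (2592000 s). This is a preference, not a guarantee;
# the cache size below is what really keeps a month local.
hotlist_recency_secs = 2592000
# Leave hot bucket lifetime (maxHotSpanSecs) at its default, as recommended.

# server.conf (on every indexer)

[cachemanager]
# Placeholder: size this to hold at least 30 days of indexed data plus
# headroom, otherwise buckets are evicted earlier than the hotlist setting
# suggests and searches of "recent" data fetch from S3.
max_cache_size = 500000
eviction_policy = lru
```

Two checks worth doing before relying on this: confirm the uploads are happening with `| rest /services/admin/cacheman` or by searching `index=_internal component=CacheManager`, and remember that enabling `remotePath` on an existing index is a one-way migration, so test it on a non-production index first.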
Hi, Here is something you could check. I see in your command line, you have -javaagent:splunk-otel-javaagent.jar That probably works as long as your current working directory is where that jar file lives. You could try specifying the full path there instead to be sure. Then, you'll want to make sure that the user that is running your Java app has read/write permissions to that directory where the splunk-otel-javaagent.jar lives because that will be the default location of the profiler reading and writing the jfr files. I assume you've already confirmed that the OTel collector is running and sending other types of data to the Observability Cloud (such as host metrics).
I have 5 filters; of those, I have two filters called group and class, with token=$group$ for group and token=$class$ for class. For the group and class filters only one specific row, the SQL one, has values; the other rows do not have values. If I pass the tokens $class$ and $group$ in SQL, I get results, but when I pass these tokens to the other rows, the result is zero, because there are no values for class and group. But I want to show the other rows as well, so the $class$ and $group$ tokens should be rejected there, because the other filters have values for these rows too. That is why I'm asking whether we can use depends or rejects. Please, I need your help to solve this.

The depends and rejects options control the layout of the dashboard; they have no effect on the content of the dashboard panels. Can you share the code in which the tokens are being used? That may help with my understanding of the problem and allow me to make a useful suggestion.
Hi. Your search is so close to what I do. Change search -> where:

| tstats count where index=aws by host | table host
| where NOT [| tstats count where index=windows by host | table host]
@Jordan1 Hey Jordan, can you please check that your inputs.conf configuration files are properly configured to collect and forward these metrics? If possible, can you paste your inputs.conf here? Make sure that the data from the Universal Forwarders is being routed to the correct index for performance metrics. Refer to the documents below.
https://community.splunk.com/t5/All-Apps-and-Add-ons/What-is-the-best-way-to-migrate-Windows-performance-monitoring/td-p/424349
https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Configuration#Collect_perfmon_data_and_wmi:uptime_data_in_metric_index
We want all the hosts in index=aws that are NOT in index=windows. Example:

| tstats count where index=aws by host | table host | search NOT [| tstats count where index=windows by host | table host]
Hi all, we have a Splunk Intermediate Forwarder (Heavy Forwarder) set up to receive logs from Universal Forwarders that sit in different networks. The forwarding is working fine for logs, as we can see the internal logs and Windows Events in our index cluster. The issue is with the Windows Performance Metrics, which aren't in our performance metrics indexes. I can see from the internal logs that the Universal Forwarders are collecting the metrics, as these are being forwarded successfully. Any suggestions would be helpful.
@Stives Have you gone through this troubleshooting service now add-on document? https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Troubleshooting
Hi @sireesha.vadlamuru,
Thank you for asking your question on the Community. I'm not sure what you mean by the 'upgraded license file' - can you provide more info?
Try something like the below:

index=<indexname> ("ess service")
| transaction host startswith="The ess service entered the stopped state." endswith="The ess service entered the running state." maxspan=30m
| search NOT <field>="The ess service entered the running state."
| table host
hello all, I would need the logs to be sent to my S3 bucket smartstorage after 1 month from my security index, but they should still be accessible for another 5 months.
How long are you prepared to wait for the service to come up again?
- Within 10 min; if the service is not coming up by then, an alert is needed, i.e. an event "The ess service entered into running state" will be logged.
Are you looking to alert if all the servers don't come back up within a certain time, or if any one of them doesn't come back up?
- Any server out of 25: if the service is not running, an alert is needed.
Are events generated when the service is up, and how regularly do these events occur?
- As soon as the service starts, an event will be generated: "The ess Service entered into running state".
Can there be periods when no events are generated but the service is still to be considered up?
- No, an event will definitely be generated once the service is brought up.
Who told you to create a new token? What problem are you trying to solve? I think I need a bigger picture so I understand what is happening and how to get it to work.
"its not working" doesn't tell me what's wrong so it's hard to offer a fix. It's possible, however, the regex needs improvement. Please try my updated answer.