Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
03-11-2024
08:36 AM
This is not working for my case , still i can see the duplication values in Verbrose mode and in configured all 2 settings in props.conf newly
03-11-2024
08:35 AM
@richgalloway Its not working
03-11-2024
08:22 AM
1 Karma
OK got it so basically: UF gathers a lines and send to heavy forwarder/indexer Indexer drops all lines except those not matched by the reg ex. I'll give it a whirl! Thanks @PickleRick and @tscr...
See more...
OK got it so basically: UF gathers a lines and send to heavy forwarder/indexer Indexer drops all lines except those not matched by the reg ex. I'll give it a whirl! Thanks @PickleRick and @tscroggins
03-11-2024
08:20 AM
So how can i use <change> condition in my case. Any example queries would be greatly appreciated @richgalloway . They told to create a new token and pass it to filter and row.
03-11-2024
08:20 AM
I mean structured in terms of each line in the log following a defined structure (space delimited fields) that lends itself to easy parsing.
03-11-2024
08:15 AM
1 Karma
Try something like this | spath custom_attributes output=custom_attributes
| spath input=custom_attributes
| eval combined=mvzip('entity-internal-id{}','lead-id{}')
| mvexpand combined
| eval entity...
See more...
Try something like this | spath custom_attributes output=custom_attributes
| spath input=custom_attributes
| eval combined=mvzip('entity-internal-id{}','lead-id{}')
| mvexpand combined
| eval entity_internal_id = mvindex(split(combined,","),0)
| eval lead_id = mvindex(split(combined,","),1)
03-11-2024
07:54 AM
Hi @dorHerbesman - I would recommend opening a case with support, they’ll be able to help you troubleshoot what’s going on!
03-11-2024
07:47 AM
How long are you prepared to wait for the service to come up again? Are you looking to alert if all the servers don't come back up within a certain time, or if any one of them doesn't come back up? A...
See more...
How long are you prepared to wait for the service to come up again? Are you looking to alert if all the servers don't come back up within a certain time, or if any one of them doesn't come back up? Are events generated when the service is up, and how regularly do these events occur? Can there be periods when no events are generated but the service is still to be considered up?
03-11-2024
07:44 AM
In Advanced XML, all tokens are global in scope so there is no need to "pass" them.
03-11-2024
07:44 AM
Hi @marnall I tried your suggestion, but the _time always set to info_min_time My search time is this morning: Mar 11 2024 10:12:00 EDT Time Frame is: last 30 day, so info_min_time (start t...
See more...
Hi @marnall I tried your suggestion, but the _time always set to info_min_time My search time is this morning: Mar 11 2024 10:12:00 EDT Time Frame is: last 30 day, so info_min_time (start time: Feb 10 2024 00:00:00 EST) info_max_time (end time: Mar 11 2024 00:00:00 EDT) _time is set to info_min_time as seen below Can you set your search time to to last 30 day and run the collect command with testmode=true and share your results? | collect index= summary testmode=true addtime=true file=summary_test_1.stash_new name="summary_test_1" marker="report=\"summary_test_1\"" You should have _raw field that contains all the fields, including _time before getting pushed by collect command. See my below output. Please share yours.. Thanks
03-11-2024
07:44 AM
I thought I would pop in and let you all know the resolution from Splunk.
:\d{2}\s+(?P<Successful>\d+)\s+(?P<Failed>\d+)\s+(?P<Percentage>\S+) IN bodyPreview
03-11-2024
07:43 AM
As I understand it, you want the tstats command to look only for process names in the lookup file. You can do that with a subsearch | tstats `summariesonly` count from datamodel=Endpoint.Processes ...
See more...
As I understand it, you want the tstats command to look only for process names in the lookup file. You can do that with a subsearch | tstats `summariesonly` count from datamodel=Endpoint.Processes where [|inputlookup is_windows_system_file"
| fields filename
| rename filename as "Processes.process_name"
| format] by Processes.aid Processes.dest Processes.process_name Processes.process _time
03-11-2024
07:35 AM
Hey there @elizabethl_splu after reading this thread i tried this setting on my splunk 9.1.2 environment and it dosen't work.
i opened a file named web-features.conf with the stanze
[feature:...
See more...
Hey there @elizabethl_splu after reading this thread i tried this setting on my splunk 9.1.2 environment and it dosen't work.
i opened a file named web-features.conf with the stanze
[feature:dashboards_csp]
enable_dashboards_redirection_restriction=false
under /opt/splunk/etc/shcluster/apps/ADMIN_CONF (folder i created to disterbute conf files and updates) and still getting this warning, can you think of anything im doing wrong? thanks in advanced!
03-11-2024
07:24 AM
I have windows service called "ess". Due to network glitch the service is entering into stopped state and start state. Since the windows event is generating for delivery network glitch an event is r...
See more...
I have windows service called "ess". Due to network glitch the service is entering into stopped state and start state. Since the windows event is generating for delivery network glitch an event is recorded in splunk. But the service ess is really down, and never entered into running state we need to be alerted. I want to write splunk to alert only when the service ess went into stopped state but never entered into running state for 25 hosts. Same service is running on 25 hosts and all servers has network glitches.
Labels
- Labels:
-
indexer
-
search head
03-11-2024
06:59 AM
Thanks @ITWhisperer - It worked for me
03-11-2024
06:57 AM
Thanks! I'd say Splunk is way behind on updating its Python.
03-11-2024
06:55 AM
Ok. Thanks. Splunk is way behind on updating its Python.
03-11-2024
06:51 AM
Hi @Harish2 , no it's the easiest and flexible way, but why you don't want to use the hours and minutes in the search? you can also create a macro to call instead adding all the conditions to your ...
See more...
Hi @Harish2 , no it's the easiest and flexible way, but why you don't want to use the hours and minutes in the search? you can also create a macro to call instead adding all the conditions to your searches. Ciao. Giuseppe
03-11-2024
06:28 AM
@dnavara please have a look on my explanation here: https://community.splunk.com/t5/Getting-Data-In/Why-has-the-index-process-paused-data-flow-How-to-handle-too/m-p/631226/highlight/true#M108187
