See further up if there are any files from those directories listed.
The missing one will be the one that is only on one of the indexers. What to do - well, it will depend on the reason for the bucket not being properly replicated.  
Same here
Hi @bhall_2 .. there are two forwarders - Splunk Universal forwarder (UF) and Splunk heavy forwarder (HF). (The old legacy forwarder is called the Splunk Light forwarder.) Maybe if you could give us more details about the requirement (more details about "you can control through biometrics the flow of data"), we can suggest you better. Thanks. Best Regards, Sekar
Hi @dm2 .. the SPL looks good and is working fine (as per the image). The trigger condition says the result is greater than 4 and the image shows result 1, so the trigger condition was not triggered. Are you saying that even when the result is greater than 4 the trigger condition is not triggering?
Hi @mtrochym  Could you please check these: https://splunkbase.splunk.com/app/2878/ https://splunkbase.splunk.com/app/3525/ https://github.com/splunk/slack-alerts
I don't know how to identify the missing bucket and what to do after I identify it.
@PickleRick Are the highlighted things related to a permissions issue?
Permissions issue?
When I extracted the Field from the Event Log and I named it as "ClientName" it started to work.
Hi All, I am fetching dashboards using the REST command  | rest /servicesNS/-/-/data/ui/views   Not all the dashboards returned from this command are seen in the Splunk UI. Can anyone help me to know why this is happening? Regards, PNV
I was wondering if I can send a Splunk alert directly to an individual in Slack. I know I can @mention them in a channel with their <@islackid> etc., but I am looking to send an alert directly to an individual (or individuals) from Splunk, instead of sending it directly to a channel. Something like: or? (neither work).     Thanks.
| stats count dc("File Name") as "File Name Count" first(_time) as _time, values(host) as host, values("File Type") as "File Type", values(Policy) as Policy, values(SHA256) as SHA256, values("Block Reason") as "Block Reason", values(Blocked) as Blocked by "File Name"
@PickleRick  I am getting the issues below while executing your suggested command "splunk list inputstatus". Can you please tell me what issue you can see by referring to the screenshot below?
Hi @dm2, please share your search in text mode, otherwise it's more difficult to help you. You can insert the text using the "Insert/Edit code sample" button. Ciao. Giuseppe
Hi @bhall_2 , are you speaking of Edge Processor? If yes, you can find documentation at https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/EdgeProcessor/AboutEdgeProcessorSolution Ciao. Giuseppe
I have this rule; I need it to trigger when the results / count of events is greater than 4, but the "Trigger Condition" did not work. Is there something I can add to the query?
Honestly - I have no idea what you are talking about. Could you elaborate a bit more on what such a thing would do? Maybe it's possible to implement it using existing components. Or maybe it's simply impossible. But to answer such a question it's necessary to understand it first.
Unfortunately, at the moment Splunk cannot automatically extract the structured data if it's not the whole event (as in your case - the JSON part is preceded by a non-JSON header). There is an open idea for that: https://ideas.splunk.com/ideas/EID-I-208 So far you can either parse the JSON part in search with the help of the spath command, as @VatsalJagani already showed, or cut away the header part using SEDCMD or INGEST_EVAL (possibly extracting indexed fields if needed prior to removing the non-structured part). As a side note - you should _not_ use the _json sourcetype. Define your own.
You have a search element within a search element. If you see here https://docs.splunk.com/Documentation/Splunk/9.2.0/Viz/PanelreferenceforSimplifiedXML#search search element is not allowed as a child of a search element.