Again - your problem is not with the value of the field but with the visualization and the visual effect you want to achieve. The values are trimmed for displaying and it has nothing to do with the values themselves. Also, formatting output with spaces is a no-no. We're not in the '80s anymore.
Hello,

In our unique environment, we face some limitations. We cannot directly install Splunk forwarders on the database servers, nor can we create a Splunk user account within the databases. Here's the situation:

Server A (DB server): Our databases generate SQLAudit files.
Server B (Relay): These SQLAudit files are transmitted from Server A to a different 'relay' server (let's call it Server B). Unfortunately, Server B also cannot accommodate Splunk forwarders.
Server C (Universal Forwarder): From Server B, the audit files are further transmitted to another server (Server C). On Server C, we have a Splunk Universal Forwarder that should upload the SQLAudit files to our Splunk Cloud instance.

The challenge lies in the fact that SQLAudit files are in a native format that Splunk cannot directly interpret. While the ideal solution would be to install forwarders directly on the original DB servers (which is not feasible for us), we also recognize that using DB Connect and creating a Splunk account on the DB is not an option. Given these constraints, are there any other viable options we can explore?

Best regards,
@yuanliu I was trying to display on a single value panel, as mentioned in the title. I added your suggestion to the Single value panel searches; the space didn't push the text to the left like the dot did. Thanks. Please also see my response to @PickleRick.
I need to create a dashboard in which the dropdown will have two values, "Yesterday" and "last week" (basically it compares today's data with "Yesterday" and "last week" -- this part is completed). Now I need to display only today's data in the panels before the user selects any input from the drop-down menu. How can I achieve that?
Hello @PickleRick, I tried your solution; it did not display the space, as you can see the grey dot is still in the center. Note that I was trying to do it on a Single value panel. Please suggest. Thank you for your help.

If I used the dot instead of spaces, it worked. See, the grey dot is in the center:

| makeresults | eval f1="test" | eval f1l=len(f1) | eval f2="test............" | eval f2l=len(f2) | table f2
Hi Splunkers,

Just an update on the original post, if you are finding this thread. So after back and forth with support, a few things were fixed:

First, in 9.1.1 they fixed that the owner was forcefully changed to "splunkfwd" from "splunk" during an upgrade. But that version gave 1000+ warnings about the user splunk being absent. Then in 9.1.2 the warnings were fixed on a fresh install, but they came back when upgrading. Everything should now be fixed in 9.2.0 and later.

On top of that, they have implemented that if the user "splunk" exists upon installation, "splunk" will be the owner and not "splunkfwd". So that said, your automation scripts need to ensure that the "splunk" user exists prior to installation, and then everything should be as it used to be. So it is still a change to all the automation out there, but a small one, I believe.

Now tell me again why this stunt was necessary, since the "splunk" user will be present if Splunk Enterprise is already installed....

EDIT: A few packages have been released since this post was created. I want to correct some of my misunderstandings. I still believe this is a huge mistake, but now the warnings are gone and what will happen during installation and upgrade is a bit clearer:

RPM Installation: The forwarder will use splunkfwd as the owner, no matter what. You can chown the installation folder and change splunk-launch.conf to revert to splunk as the owner. But you have to do it in your script after the rpm installation.
RPM Update: The forwarder will retain splunk as the owner if the previous forwarder installation was owned by splunk.
Hi, Can you help?
Hi Rick, My apologies for that. I was not aware of this. We are actually rushing on this issue because it is on priority in our PROD environment. I didn't know how to tag people; earlier I posted without tagging. I won't repeat this again. Regards, Siva
Not every bug gets added there, as each release will have hundreds of issues. I will get this added to https://docs.splunk.com/Documentation/Splunk/9.1.3/ReleaseNotes/Fixedissues. You can reach out to support and get official confirmation about the fixed version.
Thanks, but I looked at both links below and see no mention of it... should I be looking somewhere else?
https://docs.splunk.com/Documentation/Splunk/9.2.0/ReleaseNotes/Knownissues
https://docs.splunk.com/Documentation/Splunk/9.1.3/ReleaseNotes/KnownIssues
@PickleRick I restarted the Splunk standalone server where I put the files.
1. You posted the same question twice already. 2. Calling out specific people to help you is simply rude. 3. It's a case for support.
We got the email alert notifications running in Splunk and the configuration is the same across all of the alerts, but only some of them actually send an email. We have a separate page where we can see all of the alerts, but we don't see all of them come across our emails. All of the alerts are configured the same way as seen below: I'm not understanding why the email notifications only work for certain alerts when we can see all of the alerts on our dashboard and they're all configured the same.
OK. 1. I assume you restarted the UF after doing all those config changes. 2. Do you get any other data from this forwarder?
Trying to uninstall an old version of the Splunk forwarder, but the msi isn't on the machine. When attempting to uninstall, it asks to be pointed to the msi and then fails due to it not being present. I looked at the older versions on the website and it only goes to 7. Any ideas as to what I can do?
My cluster has one issue with data durability; everything else seems fine. All indexers are online and running, and even the health checks return a somewhat good result. What I noticed is one peer has 920 buckets and the other has 919 buckets; is that the issue? What should I do?
Here is a run-anywhere example. One of the columns is defined as _hidden so that it won't be displayed in the table. _fields are considered to be internal fields and there is an option to hide them. The second panel displays the value of the token taken while clicking on each row.

{
  "visualizations": {
    "viz_oIMuXymL": {
      "type": "splunk.table",
      "dataSources": { "primary": "ds_yjf97sDt" },
      "options": { "showInternalFields": false },
      "eventHandlers": [
        {
          "type": "drilldown.setToken",
          "options": {
            "tokens": [
              { "token": "HiddenValue", "key": "row._hidden.value" }
            ]
          }
        }
      ],
      "title": ""
    },
    "viz_gyqHTdIv": {
      "type": "splunk.markdown",
      "options": {
        "markdown": "**Value of Clicked row : $HiddenValue$**",
        "backgroundColor": "#ffffff",
        "fontFamily": "Times New Roman",
        "fontSize": "extraLarge"
      }
    }
  },
  "dataSources": {
    "ds_yjf97sDt": {
      "type": "ds.search",
      "options": {
        "query": "| makeresults count=5\n| streamstats count\n| eval value=\"Value\".count\n| eval _hidden=\"Hidden\".count\n| fields - count",
        "queryParameters": { "earliest": "-24h@h", "latest": "now" }
      },
      "name": "Search_1"
    }
  },
  "defaults": {
    "dataSources": {
      "ds.search": {
        "options": {
          "queryParameters": { "latest": "$global_time.latest$", "earliest": "$global_time.earliest$" }
        }
      }
    }
  },
  "inputs": {},
  "layout": {
    "type": "grid",
    "options": { "width": 1440, "height": 960 },
    "structure": [
      { "item": "viz_oIMuXymL", "type": "block", "position": { "x": 0, "y": 0, "w": 1440, "h": 400 } },
      { "item": "viz_gyqHTdIv", "type": "block", "position": { "x": 0, "y": 400, "w": 1440, "h": 400 } }
    ],
    "globalInputs": []
  },
  "description": "",
  "title": "drilldown_studio"
}
It's not added to the release notes, but it is addressed by 9.1.3 (released) and 9.2.1 (not yet released).
I would recommend an in-place upgrade to version 9 and then copy Splunk to the new server. In general, one should not copy an entire built-in app (like search) between instances. Transfer only the local folder.