Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
02-26-2024
07:07 AM
Hello! We actually noticed different results in two dashboard panels. 1-With the first, We have used the fields command to specify the fields we needed to work with, then applied a count. 2-In the...
See more...
Hello! We actually noticed different results in two dashboard panels. 1-With the first, We have used the fields command to specify the fields we needed to work with, then applied a count. 2-In the second, The same query was used with the table command instead of fields and then applying a count We have noticed different results in count, query number 2 , gave a correct and complete result. Can someone please explain the difference between the two commands table and fields , and why fiels seems to give missing results Thank you
Labels
- Labels:
-
saved search
02-26-2024
07:04 AM
You probably need to use external scripting such as python to solve your algo processing needs as it falls outside simple text pattern matching. By design Splunk itself is more designed for data retr...
See more...
You probably need to use external scripting such as python to solve your algo processing needs as it falls outside simple text pattern matching. By design Splunk itself is more designed for data retrieval, aggregation and general text operations which I would consider the typical use case of Splunk.
02-26-2024
06:51 AM
I do have data on my _internal index for much longer then. At least from sourcetype splunkd
02-26-2024
06:44 AM
Hi @altink , the issue isn't in the dashboard that's correct, the issue is on the Data retention that is less than 60 days. If you want 60 days report,you have to enlarge the _internal retention. ...
See more...
Hi @altink , the issue isn't in the dashboard that's correct, the issue is on the Data retention that is less than 60 days. If you want 60 days report,you have to enlarge the _internal retention. Ciao. Giuseppe
02-26-2024
06:44 AM
Hi Folks,
I am trying to get Splunk response from java using below method
----------------
public String executeSearch(String searchQuery) throws IOException {
//String apiUrl = hostName + ...
See more...
Hi Folks,
I am trying to get Splunk response from java using below method
----------------
public String executeSearch(String searchQuery) throws IOException {
//String apiUrl = hostName + "/__raw/services/search/jobs/export?search=" + URLEncoder.encode(searchQuery, "UTF-8").replace("+", "%20");
String apiUrl = hostName + "/__raw/services/search/jobs/export?search=" + URLEncoder.encode(searchQuery, "UTF-8")
.replace("+", "%2B")
.replace("%3D", "=")
.replace("%20", "+")
.replace("%2A", "*")
.replace("%3F", "?")
.replace("%40", "@")
.replace("%2C", ",");
URL url = new URL(apiUrl);
System.out.println("Value of Splunk URL is " + url);
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
connection.setRequestMethod("GET");
String credentials = userName + ":" + password;
String encodedCredentials = Base64.getEncoder().encodeToString(credentials.getBytes());
connection.setRequestProperty("Authorization", "Basic " + encodedCredentials);
StringBuilder response = new StringBuilder();
try (BufferedReader in = new BufferedReader(new InputStreamReader(connection.getInputStream()))) {
String inputLine;
while ((inputLine = in.readLine()) != null) {
System.out.println("Response Line: " + inputLine); // Print each line of the response
response.append(inputLine);
}
}
return response.toString();
}
public static void main(String[] args) {
if (args.length < 10) {
System.out.println("Insufficient arguments provided. Please provide all required arguments.");
System.exit(1); // Exit with error code 1
}
String hostName = args[0];
String userName = args[1];
String password = args[2];
String query = args[3];
String logFileLocation = args[4];
String fileName = args[5];
String fileType = args[6];
String startDate = args[7];
String endDate = args[8];
String time = args[9];
try {
SplunkRestClient client = new SplunkRestClient(hostName, userName, password);
String searchResult = client.executeSearch(query);
System.out.println(searchResult);
// Write search result to file
String filePath = logFileLocation + File.separator + fileName + "." + fileType;
Files.write(Paths.get(filePath), searchResult.getBytes());
// Check if file is empty
File file = new File(filePath);
if (file.length() == 0) {
System.out.println("File is empty. Deleting...");
if (file.delete()) {
System.out.println("File deleted successfully.");
} else {
System.out.println("Failed to delete file.");
}
} else {
// Validate file contents (assuming JSON data)
try {
new JSONObject(new String(Files.readAllBytes(Paths.get(filePath))));
System.out.println("File contents are valid JSON.");
} catch (Exception e) {
System.out.println("File is corrupt. Deleting...");
/*if (file.delete()) {
System.out.println("Corrupt file deleted successfully.");
} else {
System.out.println("Failed to delete corrupt file.");
}*/
}
}
} catch (IOException e) {
System.out.println("Error occurred while executing search: " + e.getMessage());
System.exit(2); // Exit with error code 2
}
}
-------------------------------
I am calling this java file using bat file
:: All Splunk host name
set host_nam=https://log01.oss.mykronos.com/en-US/app/search/search?earliest=@d&latest=now
set host_cfn=https://cfn-log01.oss.mykronos.com/en-US/app/search/search?earliest=@d&latest=now
set host_dcust=https://koss01-log01.oss.mykronos.com/en-US/app/search/search?earliest=@d&latest=now
:: Splunk user name
set username=********
:: Splunk user password
set password=********
:: Splunk search query for CAN, AUS, EUR
set query_kpi=index=*kpi* level=ERROR logger=KPI*
set query_wfm=index=*wfm* level=ERROR logger=KPI*
set file_type="JSON"
set start_date=""
set end_Date=""
set time="3600"
%JAVA_PATH% com.kronos.hca.daily.monitoring.processor.SplunkRestClient %host_nam% %username% %password% "%query_nam_kpi%" "%logFileLocation%" "%file_name_nam_kpi%" %file_type% %start_date% %end_Date% %time%,
Labels
- Labels:
-
rest API
02-26-2024
06:35 AM
@Keerthi , you need only the dedup for the field to listù, the other dedup isn't required. in few words, you should run something like this: <your_search>
| dedup Time
| sort Time
| table Time C...
See more...
@Keerthi , you need only the dedup for the field to listù, the other dedup isn't required. in few words, you should run something like this: <your_search>
| dedup Time
| sort Time
| table Time Ciao. Giuseppe
02-26-2024
06:33 AM
This is a Splunk's form, not mine, not of any third party app (be this Splunk supported). If a label on a form says last 60 days, then the respective dashboards should be showing the last 60 days ...
See more...
This is a Splunk's form, not mine, not of any third party app (be this Splunk supported). If a label on a form says last 60 days, then the respective dashboards should be showing the last 60 days - ad not less. Ps. at my _internal index there are data much earlier then 30 days. Ex. can search data from early November 2023. Didn't try earlier. regards Altin
02-26-2024
06:32 AM
Repeating the OP does not answer my questions. Please use different words to explain what you are looking for. Perhaps the _configtracker index has the information you seek.
Is there any possible queries to get the list of new created use case from ES and the fine tuned use cases and the non triggered use cases for the last 7 days. I have searched over internet but unfo...
See more...
Is there any possible queries to get the list of new created use case from ES and the fine tuned use cases and the non triggered use cases for the last 7 days. I have searched over internet but unfortunately did not found as I have found only the list of enabled disabled and triggered use cases.
02-26-2024
05:22 AM
Added to previous question , for those machine agent Unique host ID is showing in controller UI as <hostname>-java-MA
02-26-2024
05:21 AM
What exactly do you mean by "new created use cases" and "fine tuned use cases"? What queries have you tried? How did those queries not meet expectations?
02-26-2024
05:20 AM
Mine was failing also until I added the parameter above and install went through fine.
02-26-2024
05:17 AM
Hai @richgalloway , Using Splunk Web, I go to 'Data inputs' > 'Local performance monitoring' > Selected the input that are created I see the following errors: Failed to fetch data: Admin handler ...
See more...
Hai @richgalloway , Using Splunk Web, I go to 'Data inputs' > 'Local performance monitoring' > Selected the input that are created I see the following errors: Failed to fetch data: Admin handler 'win-perfmon-find-collection' not found. This error is displayed for 'Available objects', 'Counters', 'Instances' How can I resolve this error? Thanks
02-26-2024
05:13 AM
Hi @gcusello @ Splunk dashboard performance Issue Let me explain my requirement properly. I have message field and i need to extract multiple values from message fileds .for...
See more...
Hi @gcusello @ Splunk dashboard performance Issue Let me explain my requirement properly. I have message field and i need to extract multiple values from message fileds .for that is used multiple joins so its dashboard taking time to load fast. So as you mention in the answer use stats command .I tried to used stats but i cant able to get it in table . In real time senario: I am giving field with keywords Three are two jobtype xxx and yyy Message : "concur ondemand" and "expense" --- Started Successfuly. Message : "Error " ---Error Message : Progress completed ------ completed and we have unique correlationID.Based on correlation ID we need find out the result. I will copy paste that you suggested to using stats but i am not well in that can you please help to fix the issue. index="xxx" applicationName="api" environment=DEV timestamp correlationId tracePoint message ("Concur Ondemand Started*") OR (message="Expense Extract Process started for jobName : AP/GL Extract V.3.0*") OR (trace=ERROR) OR ("Before Calling flow archive-Concur*") OR (message="Concur AP/GL File/s Process Status*")|dedup correlationId
| rename content.SourceFileName as SourceFileName content.JobName as JobName
| eval "FileName/JobName"= coalesce(SourceFileName,JobName)
| rename timestamp as Timestamp correlationId as CorrelationId tracePoint as TracePoint message as Message
| eval JobType=case(like('Message',"%Concur Ondemand Started%"), "OnDemand", like('Message',"%Expense Extract Process started for jobName : *%"), "Scheduled")
| eval Message=trim(Message,"\"")
| rename correlationId as CorrelationId tracePoint as TracePoint message as Message
| rename content.loggerPayload.archiveFileName AS ArchivedFileName
| eval Status=case(like('Message' ,"%Concur AP/GL File/s Process Status%"),"SUCCESS", like('TracePoint',"%EXCEPTION%"),"ERROR")
| eval Response= coalesce(Response,Message)
| eval Status=if(TracePoint="ERROR","ERROR",Status)
| join CorrelationId type=left
[ search index="xxx" applicationName="api" | stats
earliest(timestamp) AS Timestamp
values(TracePoint) AS TracePoint
values(Response) AS Response
values(JobType) AS JobType
values(Status) AS Status
values("FileName/JobName") AS "FileName/JobName"
values(Message) AS Message
BY CorrelationId] Status FileName/JobNam JobType ArchivedFileName CorrelationId Timestamp SUCCESS karthi xxx test1 2essrfsf4dgs SUCCESS priya yyy test2 46dsfh68
02-26-2024
04:48 AM
Problem solved. Many thanks for your help.
02-26-2024
04:14 AM
From the syntax `Exempted_Dark_Devices`, it's a macro. Look in the macro definitions and you should be able to find the expansion of this macro https://docs.splunk.com/Documentation/Splunk/9.2.0/Kn...
See more...
From the syntax `Exempted_Dark_Devices`, it's a macro. Look in the macro definitions and you should be able to find the expansion of this macro https://docs.splunk.com/Documentation/Splunk/9.2.0/Knowledge/Definesearchmacros
02-26-2024
04:12 AM
Labels
- Labels:
-
Accounts and Admin
02-26-2024
04:03 AM
"encrypt" property is set to "true" and "trustServerCertificate" property is set to "false" but the driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) en...
See more...
"encrypt" property is set to "true" and "trustServerCertificate" property is set to "false" but the driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption: Error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. ClientConnectionId: Any suggestions?
Labels
- Labels:
-
configuration
02-26-2024
03:49 AM
I have inherited a Splunk system and this is one of the alerts
| metadata index=index-cc* type=hosts | eval age = now()-lastTime | where age > 86400 | sort age d | convert ctime(lastTime) | fields ...
See more...
I have inherited a Splunk system and this is one of the alerts
| metadata index=index-cc* type=hosts | eval age = now()-lastTime | where age > 86400 | sort age d | convert ctime(lastTime) | fields lastTime,host,source,age | rename age as "Seconds Since Last Event" | search `Exempted_Dark_Devices`
How do I find the file Exempted_Dark_Devices?
Thank you
Labels
- Labels:
-
blacklist
02-26-2024
03:48 AM
In my keystore directory, there´s only default.jks, could you please help what data is required in cert.jks
