Hello, how do I provide access to a limited email address on a dashboard through the backend?
I can see the business transactions (0 of 10) happening, but I can't see the transactions and the application flow map. What could be the reason for it?
I am trying to configure the distributed monitoring console without the UI (for automation purposes). It seems that I have gotten most things right - all instances show up the way I want them to, however they are all marked as "unreachable". It seems that I must do the step where I provide credentials for the MC host to log in to the monitored host. However, I cannot figure out what this step actually does. Also, I cannot find anything that hints at the credentials being stored anywhere. So what does this login process actually do, and how can I mimic that behaviour for the MC from the command line / via config files? Any insight on how the setup process works behind the scenes would be appreciated.
I have an application that I am trying to monitor. There is a specific event code for when the tool is opened to modify the tool (EventCode=250). There is an EventCode for when it is closed (EventCode=100). These two codes display a user name, but the events between them do not. How can I write a search to look for these two events, then display the changes between them with the username who completed the change?

| from datamodel:P3
| search EventCode=250 OR 100 OR 70 OR 80
| eval user = coalesce(User, Active_User)
| eval Event_Time=strftime(_time,"%m/%d/%y %I:%M:%S %P")
| table Event_Time, host,user,Device_Added,Device_SN,Device_ID,EventCode, EventDescription

Event_Time            host      user   Device_Added  Device_SN  Device_ID  EventCode
02/22/24 08:49:44 am  Test-Com  xxxxx                                      100
02/21/24 03:59:12 pm  Test-Com  xxxxx                                      250
02/21/24 03:56:08 pm  Test-Com  xxxxx                                      100
02/21/24 03:56:00 pm  Test-Com         USB 1         12345      PID_1      70
02/21/24 03:56:00 pm  Test-Com         USB 2         6789       PID_2      70
02/21/24 03:51:10 pm  Test-Com         USB 1         12345      PID_1      80
02/21/24 03:50:44 pm  Test-Com  xxxxx                                      250
Hi, I want to change the label font size (to bold) in a pie chart. Please help me with the code.
This question has been asked and answered many times. For example: Re: How to color the columns based on previous co... - Splunk Community, which you could adapt for your use case. You could have found this with a simple search: Search - Splunk Community
Hi @shakti, if you are in violation, you receive a message from your Splunk, and you can enable an alert that sends you an email when this occurs or when it's near. You can find this search in your Monitoring Console alerts. Ciao. Giuseppe
Try NOT, as the capitalised version is a recognised word (similarly for OR and AND).
Hi, I am looking to grab all Windows events of successful NTLM logins without using Kerberos. Here is my query so far:

"eventcode=4776" "Error Code: 0x0" ntlm

I think this is working as of now; however, it brings results including the value of Kerberos. I tried using the value Not "Kerberos", however it completely broke my search result. I am looking to grab only the value of "Account Name:" and "Source Network Address:" then export it to a CSV file every week. Is this something I can do with Splunk? If so, any help would be appreciated. Thanks.
You would utilize the stats command to find an average of the diff_seconds field using a by-field of search_name. Something like this (following the search I shared before):

index=notable
| eval event_epoch=if( NOT isnum(event_time), strptime(event_time, "%m/%d/%Y %H:%M:%S"), 'event_time' ), orig_epoch=if( NOT isnum(orig_time), strptime(orig_time, "%m/%d/%Y %H:%M:%S"), 'orig_time' )
| eval event_epoch_standardized=coalesce(event_epoch, orig_epoch), diff_seconds='_time'-'event_epoch_standardized'
| fields + _time, search_name, event_time, diff_seconds
| stats count as sample_size, min(diff_seconds) as min_diff_seconds, max(diff_seconds) as max_diff_seconds, avg(diff_seconds) as avg_diff_seconds by search_name
| eval avg_diff=tostring(avg_diff_seconds, "duration")
Verify the inputs.conf and outputs.conf files are the same in all three regions. Make sure they all have the latest Splunk Cloud certificate. Confirm there are no firewalls blocking traffic between the third forwarder and Splunk Cloud. When you looked at splunkd.log, were you looking on the forwarder or in the indexed logs? It should be the former.
Hi @jovnice, good for you, see you next time! Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
Hi, I have a stats table with the following
The props.conf settings are missing TIME_FORMAT.  Other settings may need to be changed, but we need to see the raw data (the CSV file before it gets to Splunk) to determine that.
Thank you. It works.
AFAIK, indexer queues are not configurable.  You can, however, use maxQueueSize in outputs.conf on the forwarders to set the size of the output queue.  That's the queue where packets are stored if the destination becomes unavailable. In the case of HEC inputs, it's the responsibility of the client to retry any request that gets a non-200 (OK) response code ("server is busy" in this case).
<your index> [| inputlookup <your lookup> | table ClientName] "Certificate was successfully validated"
Hello Splunk members! I have a CSV lookup file with 2 columns:

ClientName  HWDetSystem
BD-K-027EY  VMware

I have an index with ASA Firewall logs which I want to search to find events for all the ClientName values in the CSV:

234654252.234 %ASA-3-2352552: Certificate was successfully validated. serial number: 1123423SSDDG23442234234DSGSGSGGSSG8, subject name: CN=BD-K-027EY.bl.emea.something.com.

Between the CSV lookup file and the event, the common element is the ClientName and a portion of the subject name. If I look for "successfully" and provide a single client name, I get the event I want, but I am struggling to look it up for all the clients and make it unique. At the end I just want a list of ClientName values for which the event was logged. Thanks.
You could construct your search so that each row has a field with the name of the recipients. Then set up the alert so that it triggers for every result. Then use the $row.field$ token as the recipient in the trigger action. Note that this will mean that the recipients will get multiple emails if their address appears in more than one row of the report.
The closest thing you have in Studio at the moment are markdown blocks but I suspect this will not give you what you need.