Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
02-22-2024
08:52 AM
Hello, How do i provide access to a limited email address on a dashboard through the backend
Labels
- Labels:
-
panel
02-22-2024
08:50 AM
i can see the business transactions 0 of 10 happening but i cant see the transactions and the application flow map. what could be the reason for it.
02-22-2024
08:41 AM
I am trying to configure the distributed monitoring console without the UI (for automation purposes). It seems that I have gotten most things right - all instances show up the way I want them to, how...
See more...
I am trying to configure the distributed monitoring console without the UI (for automation purposes). It seems that I have gotten most things right - all instances show up the way I want them to, however they are all marked as "unreachable". It seems that I must do the step where I provide credentials for the mc host to login to the monitored host. However I cannot figure out what this step actually does. Also I cannot find anything that hints to the credentials being stored anywhere. So what does this login process actually do, and how can I mimic that bevhaviour for the mc from the commandline/ via config files? Any insight on how the setup process works behind the scene would be appreciated.
Labels
- Labels:
-
monitoring console
02-22-2024
08:27 AM
I have an application that I am trying to monitor. There is a specific event code for when the tool is opened to modify the tool (EventCode=250). There is an EventCode for when it is closed (EventC...
See more...
I have an application that I am trying to monitor. There is a specific event code for when the tool is opened to modify the tool (EventCode=250). There is an EventCode for when it is closed (EventCode=100). These two codes display a user name, but the events between them do not. How can I write a search to look for these two events then display the changes between them with the username who completed the change? | from datamodel:P3 | search EventCode=250 OR 100 OR 70 OR 80
| eval user = coalesce(User, Active_User)
| eval Event_Time=strftime(_time,"%m/%d/%y %I:%M:%S %P")
| table Event_Time, host,user,Device_Added,Device_SN,Device_ID,EventCode, EventDescription Event_Time host user Device_Added Device_SN Device_ID EventCode 02/22/24 08:49:44 am Test-Com xxxxx 100 02/21/24 03:59:12 pm Test-Com xxxxx 250 02/21/24 03:56:08 pm Test-Com xxxxx 100 02/21/24 03:56:00 pm Test-Com USB 1 12345 PID_1 70 02/21/24 03:56:00 pm Test-Com USB 2 6789 PID_2 70 02/21/24 03:51:10 pm Test-Com USB 1 12345 PID_1 80 02/21/24 03:50:44 pm Test-Com xxxxx 250
02-22-2024
08:14 AM
Hi I want to change font size label (to bold) in pie chart please help me with code
02-22-2024
07:52 AM
This question has been asked and answered many times For example: Re: How to color the columns based on previous co... - Splunk Community which you could adapt for your usecase You could have found...
See more...
This question has been asked and answered many times For example: Re: How to color the columns based on previous co... - Splunk Community which you could adapt for your usecase You could have found this with a simple search Search - Splunk Community
02-22-2024
07:51 AM
Hi @shakti, if you are in violation, you receive a message from your Splunk and you can enable an alert that sends yoo an email when this occurs or when it's near. You can find this search in your ...
See more...
Hi @shakti, if you are in violation, you receive a message from your Splunk and you can enable an alert that sends yoo an email when this occurs or when it's near. You can find this search in your Monitoring Console alerts. Ciao. Giuseppe
02-22-2024
07:45 AM
1 Karma
Try NOT as the capitalise version is a recognised word (similarly for OR and AND)
02-22-2024
07:34 AM
Hi, I am looking to grab all windows events of successful NTLM logins without using Kerberos. Here is my query so far. "eventcode=4776" "Error Code: 0x0" ntlm I think this is working as of ...
See more...
Hi, I am looking to grab all windows events of successful NTLM logins without using Kerberos. Here is my query so far. "eventcode=4776" "Error Code: 0x0" ntlm I think this is working as of now, however it brings results including the value of Kerberos, I tried using the value, Not "Kerberos" , however it completely broke my search result. I am looking to grab only the value of "Account Name:" and "Source Network Address:" then export it to a csv file every week. Is this something I can do with Splunk? If so any help would be appreciated. Thanks.
Labels
- Labels:
-
lookup
02-22-2024
07:18 AM
You would utilize the stats command to find an average of the diff_seconds field using a by-field of search_name. Something like this (following the search I shared before) index=notable
...
See more...
You would utilize the stats command to find an average of the diff_seconds field using a by-field of search_name. Something like this (following the search I shared before) index=notable
| eval
event_epoch=if(
NOT isnum(event_time),
strptime(event_time, "%m/%d/%Y %H:%M:%S"),
'event_time'
),
orig_epoch=if(
NOT isnum(orig_time),
strptime(orig_time, "%m/%d/%Y %H:%M:%S"),
'orig_time'
)
| eval
event_epoch_standardized=coalesce(event_epoch, orig_epoch),
diff_seconds='_time'-'event_epoch_standardized'
| fields + _time, search_name, event_time, diff_seconds
| stats
count as sample_size,
min(diff_seconds) as min_diff_seconds,
max(diff_seconds) as max_diff_seconds,
avg(diff_seconds) as avg_diff_seconds
by search_name
| eval
avg_diff=tostring(avg_diff_seconds, "duration")
02-22-2024
07:15 AM
Verify the inputs.conf and outputs.conf files are the same in all three regions. Make sure they all have the latest Splunk Cloud certificate. Confirm there are no firewalls blocking traffic between...
See more...
Verify the inputs.conf and outputs.conf files are the same in all three regions. Make sure they all have the latest Splunk Cloud certificate. Confirm there are no firewalls blocking traffic between the third forwarder and Splunk Cloud. When you looked at splunkd.log, were you looking on the forwarder or in the indexed logs. It should be the former.
02-22-2024
07:00 AM
Hi @jovnice , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
02-22-2024
06:57 AM
Hi i have stats table with following
Labels
- Labels:
-
chart
02-22-2024
06:55 AM
The props.conf settings are missing TIME_FORMAT. Other settings may need to be changed, but we need to see the raw data (the CSV file before it gets to Splunk) to determine that.
02-22-2024
06:39 AM
AFAIK, indexer queues are not configurable. You can, however, use maxQueueSize in outputs.conf on the forwarders to set the size of the output queue. That's the queue where packets are stored if th...
See more...
AFAIK, indexer queues are not configurable. You can, however, use maxQueueSize in outputs.conf on the forwarders to set the size of the output queue. That's the queue where packets are stored if the destination becomes unavailable. In the case of HEC inputs, it's the responsibility of the client to retry any request that gets a non-200 (OK) response code ("server is busy" in this case).
02-22-2024
06:39 AM
<your index> [| inputlookup <your lookup> | table ClientName] "Certificate was successfully validated"
02-22-2024
06:30 AM
Hello Splunk members! I have a CSV Lookup file with 2 columns ClientName HWDetSystem BD-K-027EY VMware I have an index with ASA Firewall log which I want to search and find events for ...
See more...
Hello Splunk members! I have a CSV Lookup file with 2 columns ClientName HWDetSystem BD-K-027EY VMware I have an index with ASA Firewall log which I want to search and find events for all the ClientNme in the CSV 234654252.234 %ASA-3-2352552: Certificate was successfully validated. serial number: 1123423SSDDG23442234234DSGSGSGGSSG8, subject name: CN=BD-K-027EY.bl.emea.something.com. Between the CSV lookup file and event the common is the ClientName and a portion of the subject name. If I look for successfully and provide a single client name i get the event I want, but I am struggling to look it up for all the clients and make it uniqe. At the end I just want a list of ClientName for which the even was logged. thanks
Labels
- Labels:
-
lookup
02-22-2024
06:27 AM
You could construct your search so that each row has a field with the name of the recipients. Then set up the alert so that it triggers for every result. Then use the $row.field$ token as the recipie...
See more...
You could construct your search so that each row has a field with the name of the recipients. Then set up the alert so that it triggers for every result. Then use the $row.field$ token as the recipient in the trigger action. Note that this will mean that the recipients will get multiple emails if their address appears in more than one row of the report.
02-22-2024
06:01 AM
The closest thing you have in Studio at the moment are markdown blocks but I suspect this will not give you what you need.
